{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3475", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-03-03T13:12:45.335Z", "datePublished": "2026-03-19T07:34:56.084Z", "dateUpdated": "2026-04-08T17:10:30.120Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:10:30.120Z"}, "affected": [{"vendor": "instantpopupbuilder", "product": "Instant Popup Builder \u2013 Powerful Popup Maker for Opt-ins, Email Newsletters & Lead Generation", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.1.7", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Instant Popup Builder plugin for WordPress is vulnerable to Unauthenticated Arbitrary Shortcode Execution in all versions up to and including 1.1.7. This is due to the handle_email_verification_page() function constructing a shortcode string from user-supplied GET parameters (token, email) and passing it to do_shortcode() without properly sanitizing square bracket characters, combined with missing authorization checks on the init hook. While sanitize_text_field() and esc_attr() are applied, neither function strips or escapes square bracket characters ([ and ]). WordPress's shortcode regex uses [^\\]\\/]* to match content inside shortcode tags, meaning a ] character in the token value prematurely closes the shortcode tag. This makes it possible for unauthenticated attackers to inject and execute arbitrary registered shortcodes by crafting a malicious token parameter containing ] followed by arbitrary shortcode syntax."}], "title": "Instant Popup Builder <= 1.1.7 - Unauthenticated Arbitrary Shortcode Execution via 'token' Parameter", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/979962e3-9052-4dc9-94d0-3ec8de3d5460?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/instant-popup-builder/trunk/public/class-instant-popup-subscription-public.php#L1772"}, {"url": "https://plugins.trac.wordpress.org/browser/instant-popup-builder/tags/1.1.6/public/class-instant-popup-subscription-public.php#L1772"}, {"url": "https://plugins.trac.wordpress.org/browser/instant-popup-builder/trunk/public/class-instant-popup-subscription-public.php#L1761"}, {"url": "https://plugins.trac.wordpress.org/browser/instant-popup-builder/tags/1.1.6/public/class-instant-popup-subscription-public.php#L1761"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3477334%40instant-popup-builder&new=3477334%40instant-popup-builder&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Youcef Hamdani"}], "timeline": [{"time": "2026-03-03T17:15:24.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-03-18T19:02:53.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-19T13:44:02.852369Z", "id": "CVE-2026-3475", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-19T13:44:23.180Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-3475", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-19T13:44:02.852369Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-19T13:44:18.600Z"}}], "cna": {"title": "Instant Popup Builder <= 1.1.7 - Unauthenticated Arbitrary Shortcode Execution via 'token' Parameter", "credits": [{"lang": "en", "type": "finder", "value": "Youcef Hamdani"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "instantpopupbuilder", "product": "Instant Popup Builder \u2013 Powerful Popup Maker for Opt-ins, Email Newsletters & Lead Generation", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.1.7"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-03-03T17:15:24.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-03-18T19:02:53.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/979962e3-9052-4dc9-94d0-3ec8de3d5460?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/instant-popup-builder/trunk/public/class-instant-popup-subscription-public.php#L1772"}, {"url": "https://plugins.trac.wordpress.org/browser/instant-popup-builder/tags/1.1.6/public/class-instant-popup-subscription-public.php#L1772"}, {"url": "https://plugins.trac.wordpress.org/browser/instant-popup-builder/trunk/public/class-instant-popup-subscription-public.php#L1761"}, {"url": "https://plugins.trac.wordpress.org/browser/instant-popup-builder/tags/1.1.6/public/class-instant-popup-subscription-public.php#L1761"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3477334%40instant-popup-builder&new=3477334%40instant-popup-builder&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The Instant Popup Builder plugin for WordPress is vulnerable to Unauthenticated Arbitrary Shortcode Execution in all versions up to and including 1.1.7. This is due to the handle_email_verification_page() function constructing a shortcode string from user-supplied GET parameters (token, email) and passing it to do_shortcode() without properly sanitizing square bracket characters, combined with missing authorization checks on the init hook. While sanitize_text_field() and esc_attr() are applied, neither function strips or escapes square bracket characters ([ and ]). WordPress's shortcode regex uses [^\\]\\/]* to match content inside shortcode tags, meaning a ] character in the token value prematurely closes the shortcode tag. This makes it possible for unauthenticated attackers to inject and execute arbitrary registered shortcodes by crafting a malicious token parameter containing ] followed by arbitrary shortcode syntax."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:10:30.120Z"}}}, "cveMetadata": {"cveId": "CVE-2026-3475", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:10:30.120Z", "dateReserved": "2026-03-03T13:12:45.335Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-03-19T07:34:56.084Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Instant Popup Builder plugin for WordPress is vulnerable to Unauthenticated Arbitrary Shortcode Execution in all versions up to and including 1.1.7. This is due to the handle_email_verification_page() function constructing a shortcode string from user-supplied GET parameters (token, email) and passing it to do_shortcode() without properly sanitizing square bracket characters, combined with missing authorization checks on the init hook. While sanitize_text_field() and esc_attr() are applied, neither function strips or escapes square bracket characters ([ and ]). WordPress's shortcode regex uses [^\\]\\/]* to match content inside shortcode tags, meaning a ] character in the token value prematurely closes the shortcode tag. This makes it possible for unauthenticated attackers to inject and execute arbitrary registered shortcodes by crafting a malicious token parameter containing ] followed by arbitrary shortcode syntax."}, {"lang": "es", "value": "El plugin Instant Popup Builder para WordPress es vulnerable a la Ejecuci\u00f3n Arbitraria de Shortcode No Autenticada en todas las versiones hasta la 1.1.7 inclusive. Esto se debe a que la funci\u00f3n handle_email_verification_page() construye una cadena de shortcode a partir de par\u00e1metros GET proporcionados por el usuario (token, email) y la pasa a do_shortcode() sin sanear correctamente los caracteres de corchete, combinado con la falta de comprobaciones de autorizaci\u00f3n en el hook init. Aunque se aplican sanitize_text_field() y esc_attr(), ninguna de las funciones elimina o escapa los caracteres de corchete ([ y ]). La expresi\u00f3n regular de shortcode de WordPress utiliza [^\\]\\/]* para hacer coincidir el contenido dentro de las etiquetas de shortcode, lo que significa que un car\u00e1cter ] en el valor del token cierra prematuramente la etiqueta de shortcode. Esto hace posible que atacantes no autenticados inyecten y ejecuten shortcodes registrados arbitrarios al crear un par\u00e1metro de token malicioso que contenga ] seguido de sintaxis de shortcode arbitraria."}], "id": "CVE-2026-3475", "lastModified": "2026-04-22T21:32:08.360", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-03-19T08:16:19.327", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/instant-popup-builder/tags/1.1.6/public/class-instant-popup-subscription-public.php#L1761"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/instant-popup-builder/tags/1.1.6/public/class-instant-popup-subscription-public.php#L1772"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/instant-popup-builder/trunk/public/class-instant-popup-subscription-public.php#L1761"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/instant-popup-builder/trunk/public/class-instant-popup-subscription-public.php#L1772"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3477334%40instant-popup-builder&new=3477334%40instant-popup-builder&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/979962e3-9052-4dc9-94d0-3ec8de3d5460?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.1.7]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Instant Popup Builder \u2013 Powerful Popup Maker for Opt-ins, Email Newsletters & Lead Generation", "source": "cna", "vendor": "instantpopupbuilder"}, "product": "instant_popup_builder_\u2013_powerful_popup_maker_for_opt-ins,_email_newsletters_&_lead_generation", "vendor": "instantpopupbuilder"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-19T10:20:52.274249+00:00", "value": {"mitigation_remediation": ["Update the Instant Popup Builder plugin to the latest available version to remove the vulnerable code.", "If an update cannot be applied immediately, deactivate or delete the plugin to prevent the vulnerable routine from running.", "In case downtime is unacceptable and an immediate update is not possible, apply a custom patch that sanitizes or strips square bracket characters from the token and email parameters before calling do_shortcode() to prevent arbitrary shortcode injection."], "summary": {"action": "Immediate Patch", "impact": "Unauthenticated Arbitrary Shortcode Execution"}, "threat_synthesis": {"affected_systems": "All WordPress sites that have the Instant Popup Builder plugin installed with a version equal to or older than 1.1.7 are vulnerable. The affected vendor product is \"Instant Popup Builder \u2013 Powerful Popup Maker for Opt\u2011ins, Email Newsletters & Lead Generation\". Any instance of this plugin that has not been upgraded beyond the stated version is potentially exploitable.", "description_and_impact": "The Instant Popup Builder plugin for WordPress is affected by a flaw that allows any unauthenticated user to inject and execute arbitrary registered shortcodes. The vulnerability arises in the handle_email_verification_page() function, which concatenates user\u2011supplied GET parameters (token and email) into a shortcode string and passes it to WordPress\u2019s do_shortcode() function without proper sanitization of square bracket characters. The sanitization functions used do not strip or escape brackets, and an authorization check is missing for the init hook. The result is that a malicious token containing a closing bracket can prematurely terminate a legitimate shortcode tag, allowing the attacker to insert and run arbitrary shortcode syntax. This weakness is classified as CWE\u2011862. The impact is that an attacker can execute any shortcode that is registered on the target site, potentially leading to data disclosure, unauthorized code execution, or other malicious actions depending on the shortcodes available.", "risk_and_exploitability": "The CVSS score of 5.3 indicates a moderate severity. No EPSS score is available and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires only an unauthenticated HTTP GET request to the email\u2011verification page with a crafted token parameter; no additional privileges are required. Because the attacker can execute any shortcode present on the site, the potential impact ranges from content manipulation to code execution, depending on the site\u2019s configuration and installed plugins. The risk is therefore significant enough to warrant prompt action, especially in environments where the plugin is actively used."}}}}, "created": "2026-03-20T08:57:13.662626+00:00", "updated": "2026-03-20T14:15:38.163765+00:00", "vendors": ["instantpopupbuilder", "instantpopupbuilder$PRODUCT$instant_popup_builder_\u2013_powerful_popup_maker_for_opt-ins,_email_newsletters_&_lead_generation", "wordpress", "wordpress$PRODUCT$wordpress"]}