Unauthenticated Arbitrary Shortcode Execution in Instant Popup Builder for WordPress
CVE-2026-3475
Key Information:
- Vendor
WordPress
- Status
- Vendor
- CVE Published:
- 19 March 2026
What is CVE-2026-3475?
The Instant Popup Builder plugin for WordPress contains a vulnerability that allows unauthenticated users to exploit the plugin by executing arbitrary shortcodes. This issue arises due to improper sanitization of user-supplied GET parameters, specifically in the handle_email_verification_page() function. The function constructs a shortcode string without adequately handling square bracket characters, which leads to the premature closure of shortcode tags. Attackers can craft a malicious token parameter that includes special characters, enabling the injection and execution of arbitrary shortcode syntax. Administrators are advised to review and upgrade to the latest version to mitigate this risk.
Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.
Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.
Affected Version(s)
Instant Popup Builder β Powerful Popup Maker for Opt-ins, Email Newsletters & Lead Generation * <= 1.1.7