PT-2026-26263 · WordPress · Wordpress Instant Popup Builder

Youcef Hamdani · Published 2026-03-19 · Updated 2026-03-23 · CVE-2026-3475

CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Name of the Vulnerable Software and Affected Versions

WordPress Instant Popup Builder versions up to and including 1.1.7

Description

The Instant Popup Builder plugin for WordPress is susceptible to Unauthenticated Arbitrary Shortcode Execution. This occurs because the handle_email_verification_page() function creates a shortcode string from user-provided token and email GET parameters and passes it to do_shortcode() without sufficient sanitization of square bracket characters, and lacks authorization checks. The sanitize_text_field() and esc_attr() functions do not remove or escape square bracket characters. A malicious token value containing a ']' character can prematurely close a shortcode tag, allowing unauthenticated attackers to inject and execute arbitrary registered shortcodes.

Recommendations

Update WordPress Instant Popup Builder to a version later than 1.1.7.
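
For triage on sites that ran an affected version, the following sketch scans web access logs for requests whose token or email parameter carries a square bracket, raw or percent-encoded. It is an added example, not code from the plugin or the advisory; the /verify/ path, the combined log format, and the sample log lines are constructed assumptions.

```python
import re
from urllib.parse import parse_qsl, unquote

# GET parameters the advisory names as flowing into the shortcode string.
WATCHED_PARAMS = {"token", "email"}
# Request line of a combined-format access log entry (assumed log format).
REQUEST_RE = re.compile(r'"(?:GET|HEAD) (\S+) HTTP/[0-9.]+"')


def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so multiply-encoded brackets are also seen."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_params(log_line):
    """Return the watched parameters whose value contains '[' or ']'."""
    match = REQUEST_RE.search(log_line)
    if not match:
        return []
    query = match.group(1).partition("?")[2]
    hits = set()
    for name, value in parse_qsl(query, keep_blank_values=True):
        if name.lower() in WATCHED_PARAMS and re.search(r"[\[\]]", fully_decode(value)):
            hits.add(name.lower())
    return sorted(hits)


def scan(lines):
    """Return (line_number, parameter_names) for every flagged log line."""
    checked = ((n, suspicious_params(line)) for n, line in enumerate(lines, start=1))
    return [(n, params) for n, params in checked if params]


# Constructed sample log: hypothetical /verify/ path, documentation-range IPs.
SAMPLE_LOG = [
    '203.0.113.10 - - [19/Mar/2026:10:00:01 +0000] "GET /verify/?token=9f2c1ab4&email=user%40example.org HTTP/1.1" 200 512',
    '203.0.113.11 - - [19/Mar/2026:10:00:05 +0000] "GET /verify/?token=abc%5D%5Bexample_tag%5D&email=user%40example.org HTTP/1.1" 200 734',
    '203.0.113.12 - - [19/Mar/2026:10:00:09 +0000] "GET /verify/?token=abc%255D%255Bexample_tag&email=x%40example.org HTTP/1.1" 200 734',
    '203.0.113.13 - - [19/Mar/2026:10:00:12 +0000] "GET /shop/?filter[color]=red HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for number, params in scan(SAMPLE_LOG):
        print(f"line {number}: bracket in {', '.join(params)}")
```
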

Fix

Weakness Enumeration: Missing Authorization

Related Identifiers: CVE-2026-3475

Affected Products: Wordpress Instant Popup Builder