CVE-2025-13079

Popup Builder - Create highly converting, mobile friendly marketing popups. <= 4.4.2 - Improper Authorization to Unauthenticated Subscriber Removal via Predictable Tokens

Description

The Popup Builder – Create highly converting, mobile friendly marketing popups. plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.4.2. This is due to the plugin generating predictable unsubscribe tokens using deterministic data. This makes it possible for unauthenticated attackers to unsubscribe arbitrary subscribers from mailing lists via brute-forcing the unsubscribe token, granted they know the victim's email address

INFO

Published Date :

2026-02-19T03:25:14.826Z

Last Modified :

2026-04-08T16:57:08.174Z

Source :

Wordfence

AFFECTED PRODUCTS

The following products are affected by CVE-2025-13079 vulnerability.

Vendors	Products
Popupbuilder	Popup Builder – Create Highly Converting, Mobile Friendly Marketing Popups.
Wordpress	Wordpress

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-13079.

URL	Resource
https://plugins.trac.wordpress.org/browser/popup-builder/tags/4.4.2/com/classes/Actions.php#L842
https://plugins.trac.wordpress.org/browser/popup-builder/tags/4.4.2/com/helpers/AdminHelper.php#L896
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3444540%40popup-builder&new=3444540%40popup-builder&sfp_email=&sfph_mail=
https://www.wordfence.com/threat-intel/vulnerabilities/id/62b29721-0580-4e1d-824d-9b8355890248?source=cve

CVSS Vulnerability Scoring System

V3.1

Detailed values of each vector for above chart.

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality Impact

Integrity Impact

Availability Impact