CVE-2026-3475 Overview
CVE-2026-3475 affects the Instant Popup Builder plugin for WordPress in all versions up to and including 1.1.7. The flaw allows unauthenticated attackers to inject and execute arbitrary registered shortcodes through the handle_email_verification_page() function. The function constructs a shortcode string from user-supplied token and email GET parameters, then passes it to do_shortcode() without escaping square brackets. Because the handler also runs on the init hook without an authorization check, attackers can break out of the intended shortcode context and execute any registered shortcode on the target site. The issue is classified as Missing Authorization [CWE-862].
Critical Impact
Unauthenticated attackers can execute arbitrary registered shortcodes on vulnerable WordPress sites, potentially exposing data or abusing plugin functionality reachable via shortcodes.
Affected Products
- Instant Popup Builder plugin for WordPress, versions up to and including 1.1.7
- WordPress sites with the plugin active on publicly reachable endpoints
- Sites with additional shortcode-enabled plugins whose shortcodes can be invoked through the injection
Discovery Timeline
- 2026-03-19 - CVE-2026-3475 published to the National Vulnerability Database (NVD)
- 2026-04-22 - Last updated in NVD database
Technical Details for CVE-2026-3475
Vulnerability Analysis
The vulnerability resides in the handle_email_verification_page() function inside class-instant-popup-subscription-public.php. The function builds a shortcode string by concatenating attacker-controlled token and email GET parameters, then invokes do_shortcode() on the result. The plugin applies WordPress's sanitize_text_field() and esc_attr() to the inputs, but neither function strips or escapes the [ and ] characters used as shortcode delimiters.
WordPress's internal shortcode regex matches tag content with [^\]\/]*, meaning the first ] character inside the token value prematurely closes the wrapper shortcode tag. Any text following the injected ] is then parsed as new shortcode syntax by do_shortcode(). Because the handler is wired to the init hook with no capability or nonce check, the attack requires no authentication or user interaction.
Root Cause
The root cause is twofold: missing authorization on the init callback and incomplete input sanitization for content destined for shortcode evaluation. sanitize_text_field() is designed for plain text storage, not for safely embedding values inside shortcode markup. The plugin should have stripped or encoded [ and ] before constructing the shortcode string, or avoided building shortcodes from request data entirely.
Attack Vector
An unauthenticated attacker sends an HTTP GET request to the email verification endpoint with a crafted token parameter. The parameter contains a ] character followed by a malicious shortcode payload referencing any shortcode registered on the site. When the handler builds the final shortcode string and calls do_shortcode(), WordPress parses the injected shortcode and executes its callback. Impact depends on which shortcodes are registered; effects range from information disclosure to abuse of administrative shortcode functionality exposed by other plugins.
No verified proof-of-concept code is published. Technical details are available in the Wordfence Vulnerability Analysis and the WordPress Plugin Change Log.
Detection Methods for CVE-2026-3475
Indicators of Compromise
- HTTP GET requests to the WordPress site containing token= parameter values that include URL-encoded %5D (]) characters followed by [ shortcode openers.
- Web server access logs showing requests to the email verification page handler registered by the Instant Popup Builder plugin.
- Unexpected output of shortcode-rendered content in responses to anonymous requests targeting the verification endpoint.
Detection Strategies
- Inspect access logs for query strings matching patterns such as token=*%5D*%5B or raw ] followed by [ characters in request parameters.
- Audit installed plugins for Instant Popup Builder at version 1.1.7 or lower using the WordPress admin Plugins screen or wp plugin list via WP-CLI.
- Review request bodies and responses for shortcode tags appearing in places where the verification flow should only emit confirmation text.
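The first detection strategy above, worked as an added example that is not part of this advisory: a small log scanner that extracts the token and email query parameters from combined-format access log lines, URL-decodes them repeatedly (so a double-encoded %255D is not missed), and flags any value in which a ] is followed by a [. The log lines are constructed samples, not real traffic.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Apache/Nginx combined-format prefix: client IP, identity, user, timestamp, quoted request line.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Parameters the vulnerable handler concatenates into the shortcode string.
WATCHED_PARAMS = ("token", "email")

# Constructed sample log (not real traffic): one benign request, one single-encoded
# and one double-encoded break-out attempt, and an unrelated request.
SAMPLE_LOG = """\
203.0.113.7 - - [20/Mar/2026:10:12:01 +0000] "GET /?token=abc123&email=user%40example.com HTTP/1.1" 200 512
203.0.113.9 - - [20/Mar/2026:10:12:05 +0000] "GET /?token=x%5D%5Bsome_shortcode%5D&email=a%40b.c HTTP/1.1" 200 2048
203.0.113.9 - - [20/Mar/2026:10:12:09 +0000] "GET /?token=x%255D%255Bother_shortcode%255D HTTP/1.1" 200 2048
198.51.100.4 - - [20/Mar/2026:10:13:00 +0000] "GET /wp-login.php HTTP/1.1" 200 1024
"""

def fully_decode(value: str, max_rounds: int = 3) -> str:
    """URL-decode until the value stops changing, so %255D (double-encoded ']') is caught."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_shortcode_breakout(value: str) -> bool:
    """True when a ']' is followed later by a '[': the ']' ends the wrapper
    shortcode tag and the '[' opens an injected one (the indicator from the advisory)."""
    return re.search(r"\].*\[", fully_decode(value), re.S) is not None

def scan_log(log_text: str) -> list:
    """Return (client_ip, param_name, decoded_value) for every suspicious request."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        # parse_qs removes one layer of URL encoding; fully_decode handles any further layers.
        params = parse_qs(urlsplit(m.group("target")).query, keep_blank_values=True)
        for name in WATCHED_PARAMS:
            for value in params.get(name, []):
                if is_shortcode_breakout(value):
                    hits.append((m.group("ip"), name, fully_decode(value)))
    return hits

if __name__ == "__main__":
    for ip, name, value in scan_log(SAMPLE_LOG):
        print(f"{ip} suspicious {name}={value!r}")
```

Feed real access logs through scan_log() and pivot on the client IPs it returns; the same decode-then-match logic is what a WAF rule with a URL-decode transformation applies inline.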
Monitoring Recommendations
- Enable a Web Application Firewall (WAF) with rules covering shortcode injection patterns in WordPress query parameters.
- Forward WordPress and web server logs to a centralized logging or SIEM platform and alert on anomalous parameter content targeting plugin endpoints.
- Monitor for plugin version drift and ensure unattended plugin updates are enabled where operationally acceptable.
How to Mitigate CVE-2026-3475
Immediate Actions Required
- Update Instant Popup Builder to a version newer than 1.1.7 once the vendor publishes a fixed release referenced in the WordPress Plugin Change Log.
- If a patched version is not yet available, deactivate and remove the plugin until a fix is published.
- Review server logs for prior exploitation attempts using the indicators listed above.
Patch Information
The vulnerable code path is in the plugin's trunk copy of class-instant-popup-subscription-public.php, at line 1772. Site administrators should track the plugin's Trac changeset for the security release that adds an authorization check on the init hook and strips square brackets from user-supplied token and email values before shortcode construction.
Workarounds
- Block requests to the email verification endpoint at the WAF or reverse proxy layer when the token parameter contains ] or %5D.
- Restrict access to the affected endpoint to authenticated users via server-level access controls until the plugin is patched.
- Disable the plugin if email verification popups are not in active use on the site.
# Example WAF rule (ModSecurity) blocking shortcode injection in the token parameter.
# ARGS is already URL-decoded once; t:urlDecodeUni also catches a double-encoded %255D.
SecRule ARGS:token "@rx (\]|%5D).*(\[|%5B)" \
    "id:1026034750,phase:2,t:none,t:urlDecodeUni,deny,status:403,log,\
    msg:'CVE-2026-3475 Instant Popup Builder shortcode injection attempt'"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.