CVE-2026-3475: CWE-862 Missing Authorization in instantpopupbuilder Instant Popup Builder – Powerful Popup Maker for Opt-ins, Email Newsletters & Lead Generation
CVE-2026-3475 is a medium severity vulnerability in the Instant Popup Builder WordPress plugin, allowing unauthenticated attackers to execute arbitrary registered shortcodes. The flaw arises from missing authorization checks and improper sanitization of user-supplied GET parameters in the handle_email_verification_page() function. Attackers can craft malicious token parameters containing square bracket characters to prematurely close shortcode tags and inject arbitrary shortcode syntax. This vulnerability affects all versions up to and including 1.1.7 of the plugin. Exploitation requires neither authentication nor user interaction; the impact is to integrity only, with no effect on confidentiality or availability. No known exploits are currently reported in the wild. Organizations using this plugin should prioritize patching or applying mitigations to prevent unauthorized shortcode execution that could lead to unauthorized actions or content manipulation.
AI Analysis
Technical Summary
The Instant Popup Builder plugin for WordPress, used for creating opt-in popups and lead generation forms, suffers from a missing authorization vulnerability (CWE-862) identified as CVE-2026-3475. The vulnerability exists in all versions up to 1.1.7 due to the handle_email_verification_page() function constructing a shortcode string from user-supplied GET parameters 'token' and 'email' and passing it directly to WordPress's do_shortcode() function without proper sanitization of square bracket characters '[' and ']'. Although sanitize_text_field() and esc_attr() are applied, these functions do not remove or escape square brackets, which are critical in shortcode syntax. WordPress's shortcode parser uses a regex that treats the ']' character as a shortcode tag terminator. An attacker can exploit this by injecting a ']' character followed by arbitrary shortcode syntax into the 'token' parameter, causing premature shortcode closure and enabling execution of arbitrary registered shortcodes. Additionally, the plugin lacks authorization checks on the init hook, allowing unauthenticated users to trigger this behavior. The vulnerability impacts the integrity of the system by enabling unauthorized shortcode execution, potentially leading to unauthorized content injection, privilege escalation, or other malicious actions depending on the shortcodes registered on the site. The CVSS v3.1 score is 5.3 (medium), reflecting network attack vector, low complexity, no privileges required, no user interaction, unchanged scope, no confidentiality impact, integrity impact, and no availability impact. No patches or known exploits are currently reported, but the vulnerability poses a risk to any WordPress site using this plugin for lead generation and popup management.
Potential Impact
This vulnerability allows unauthenticated attackers to execute arbitrary shortcodes on affected WordPress sites, potentially leading to unauthorized actions such as content injection, privilege escalation, or manipulation of site behavior depending on the shortcodes registered. While it does not directly compromise confidentiality or availability, the integrity impact can be significant, especially if malicious shortcodes enable further exploitation or data manipulation. Organizations relying on Instant Popup Builder for marketing or lead generation may face defacement, unauthorized content delivery, or indirect compromise of user trust. The ease of exploitation without authentication and user interaction increases risk, particularly for high-traffic or high-profile websites. Attackers could leverage this flaw to bypass intended access controls or insert malicious payloads, which could be used as a foothold for further attacks. The absence of known exploits in the wild suggests limited current exploitation but does not preclude future attacks once the vulnerability becomes widely known.
Mitigation Recommendations
To mitigate this vulnerability, organizations should immediately update the Instant Popup Builder plugin to a patched version once available. In the absence of an official patch, administrators can implement the following specific measures:
1) Disable or restrict access to the email verification page, or any endpoint invoking handle_email_verification_page(), to authenticated users only, using WordPress hooks or an access control plugin.
2) Implement custom input validation or sanitization that strips or escapes square bracket characters ('[' and ']') from user-supplied GET parameters before they reach do_shortcode().
3) Use a Web Application Firewall (WAF) with rules that detect and block requests containing shortcode injection patterns, especially a ']' followed by shortcode syntax in the 'token' parameter.
4) Audit all registered shortcodes to ensure none provides excessive privileges or dangerous functionality that could be abused if invoked by an unauthenticated request.
5) Monitor logs for unusual requests to the affected endpoint and for signs of shortcode injection attempts.
6) Consider temporarily disabling the Instant Popup Builder plugin if immediate patching or mitigation is not feasible, especially on high-risk or public-facing sites.
These targeted mitigations go beyond generic advice by focusing on the specific injection vector and plugin behavior.
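The construction the analysis above warns against is a shortcode string assembled from request parameters and handed to do_shortcode(). The following is an added example of the hardened shape the mitigations describe (a request gate, allowlist validation before anything is interpolated, a server-side authorization lookup, and a structured log line for monitoring). It is not the plugin's own code: handle_email_verification_page(), do_shortcode(), sanitize_text_field() and esc_attr() are the only names taken from the advisory. The function names ipb_handle_email_verification_page(), ipb_is_well_formed_token(), ipb_log_rejected_verification() and ipb_render_verification_result(), the 'ipb_verify_email' query flag, the 'ipb_verify' shortcode tag, the 'ipb_pending_verification_' transient prefix, and the 16-to-128-character token alphabet are all assumptions made for the example.

```php
<?php
// Added example, not code from the Instant Popup Builder plugin.
// Hypothetical names: ipb_handle_email_verification_page(), ipb_is_well_formed_token(),
// ipb_log_rejected_verification(), ipb_render_verification_result(), the 'ipb_verify_email'
// query flag, the 'ipb_verify' shortcode tag and the 'ipb_pending_verification_' transient prefix.

/**
 * Tokens are treated as opaque URL-safe strings. The allowlist regex is the check that
 * matters here: sanitize_text_field() and esc_attr() leave '[' and ']' intact, so a value
 * that passed them could still carry shortcode syntax if it were ever interpolated.
 * The 16..128 length bound is an assumption for this example.
 */
function ipb_is_well_formed_token( string $token ): bool {
    return (bool) preg_match( '/\A[A-Za-z0-9_-]{16,128}\z/', $token );
}

/**
 * One structured line per rejected request for the web server log / SIEM. Only the
 * failing parameter name and the reason are recorded, never the raw value.
 */
function ipb_log_rejected_verification( string $reason, string $param ): void {
    error_log( wp_json_encode( array(
        'event'  => 'ipb_email_verification_rejected',
        'reason' => $reason,
        'param'  => $param,
        'ip'     => isset( $_SERVER['REMOTE_ADDR'] ) ? sanitize_text_field( $_SERVER['REMOTE_ADDR'] ) : '',
    ) ) );
}

function ipb_handle_email_verification_page(): void {
    // Only act on the dedicated verification request; every other init run returns at once.
    if ( ! isset( $_GET['ipb_verify_email'] ) ) {
        return;
    }

    $token = isset( $_GET['token'] ) ? sanitize_text_field( wp_unslash( $_GET['token'] ) ) : '';
    $email = isset( $_GET['email'] ) ? sanitize_email( wp_unslash( $_GET['email'] ) ) : '';

    if ( ! ipb_is_well_formed_token( $token ) ) {
        ipb_log_rejected_verification( 'malformed_token', 'token' );
        wp_die( esc_html__( 'Invalid verification link.', 'instant-popup-builder' ), '', array( 'response' => 400 ) );
    }
    if ( ! is_email( $email ) ) {
        ipb_log_rejected_verification( 'malformed_email', 'email' );
        wp_die( esc_html__( 'Invalid verification link.', 'instant-popup-builder' ), '', array( 'response' => 400 ) );
    }

    // Authorization: the request must correspond to a verification this site issued.
    // The pending record is keyed by a hash of the token (the token itself is never a raw
    // key) and hash_equals() keeps the e-mail comparison constant-time.
    $pending = get_transient( 'ipb_pending_verification_' . hash( 'sha256', $token ) );
    if ( ! is_array( $pending ) || empty( $pending['email'] )
        || ! hash_equals( strtolower( $pending['email'] ), strtolower( $email ) ) ) {
        ipb_log_rejected_verification( 'unknown_or_mismatched_token', 'token' );
        wp_die( esc_html__( 'This verification link is invalid or has expired.', 'instant-popup-builder' ), '', array( 'response' => 403 ) );
    }

    // No shortcode string is assembled from request data: the renderer receives a fixed
    // attribute array, so nothing on this path is ever parsed for '[' or ']'.
    echo ipb_render_verification_result( array( 'token' => $token, 'email' => $email ) );
    exit;
}
add_action( 'init', 'ipb_handle_email_verification_page' );

/**
 * The renderer can stay registered as a shortcode for editor use; the verification
 * page calls it directly and never routes through do_shortcode().
 */
function ipb_render_verification_result( array $atts ): string {
    $atts = shortcode_atts( array( 'token' => '', 'email' => '' ), $atts, 'ipb_verify' );
    return '<p>' . sprintf(
        /* translators: %s: verified e-mail address */
        esc_html__( 'Thanks, %s is now verified.', 'instant-popup-builder' ),
        esc_html( $atts['email'] )
    ) . '</p>';
}
add_shortcode( 'ipb_verify', 'ipb_render_verification_result' );
```

Two notes for whoever adapts this. First, an e-mail verification link is normally clicked by someone who is not logged in, so in this example the authorization check is the server-side token lookup rather than is_user_logged_in(); where a site only ever verifies logged-in users, mitigation 1 applies and an is_user_logged_in() gate belongs at the top of the handler. Second, for the log monitoring in mitigations 3 and 5, remember that in raw web server access logs the bracket characters usually appear URL-encoded, '[' as %5B and ']' as %5D, so a search for a literal ']' in the token parameter will miss them; match both the literal and the encoded forms.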
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Netherlands, India, Brazil, Japan
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2026-03-03T13:12:45.335Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69bbabafe32a4fbe5fa0f1a6
Added to database: 3/19/2026, 7:54:23 AM
Last enriched: 3/19/2026, 8:08:52 AM
Last updated: 3/19/2026, 9:51:32 AM