An authorization bypass vulnerability, CVE-2026-8848, exists in the Popup Maker WordPress plugin versions up to and including 1.22.0, allowing authenticated attackers with editor-level access or higher to install and activate arbitrary plugins from a controlled URL, which leads to remote code execution, provided a valid Popup Maker Pro license is active and the Pro version is not yet installed.
Popup Maker – Boost Sales, Conversions, Optins, Subscribers with the Ultimate WP Popup Builder plugin <= 1.22.0
wordpress
web-exploitation
vulnerability
rce
authorization-bypass
1r
2t
1c