Aggregates CVE and security vulnerability intelligence across all optinmonster-related products, including CVSS, EPSS, publication dates, and vulnerability intelligence data.
Historical issues mainly involve vendor risk cross-site scripting and vendor risk path handling and related problems; some flaws may lead to vendor impact session compromise and vendor impact file overwrite.
| CVE | Summary | Source | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|---|
| CVE-2024-4045 | The Popup Builder by OptinMonster – WordPress Popups for Optins, Email Newsletters and Lead Generation plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘campaign_id’ parameter in versions up to, and including, 2.16.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page | [email protected] | 6.4 | 0.32% | 2024-05-25 | 2026-06-17 |
| CVE-2023-0772 | The Popup Builder by OptinMonster WordPress plugin before 2.12.2 does not ensure that the campaign to be loaded via some shortcodes is actually a campaign, allowing any authenticated users such as subscriber to retrieve the content of arbitrary posts, like draft, private or even password protected ones. | [email protected] | 6.5 | 0.78% | 2023-03-13 | 2026-06-17 |
| CVE-2021-39341 | The OptinMonster WordPress plugin is vulnerable to sensitive information disclosure and unauthorized setting updates due to insufficient authorization validation via the logged_in_or_has_api_key function in the ~/OMAPI/RestApi.php file that can used to exploit inject malicious web scripts on sites with the plugin installed. This affects versions up to, and including, 2.6.4. | [email protected] | 8.2 | 23.27% | 2021-11-01 | 2026-06-17 |
| CVE-2021-39325 | The OptinMonster WordPress plugin is vulnerable to Reflected Cross-Site Scripting due to insufficient input validation in the load_previews function found in the ~/OMAPI/Output.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 2.6.0. | [email protected] | 6.1 | 0.88% | 2021-09-20 | 2026-06-17 |
| CVE-2016-10996 | The optinmonster plugin before 1.1.4.6 for WordPress has incorrect access control for shortcodes because of a nonce leak. | [email protected] | 5.3 | 1.09% | 2019-09-20 | 2026-06-16 |