Plugin Author
Damian
(@timersys)
Hi @jebeze, the issue was fixed in the last update.
Thread Starter
Jebeze
(@jebeze)
@timersys
Chiming in with additional context that may help.
You mentioned this was fixed in 2.2.0.4 but PatchStack still says the issue exists in 2.2.0.5. What I think is going on (based on limited knowledge) is that PatchStack is not actually checking the latest versions. Here is what may be going on…
1) The vulnerability they list is for version 2.2.0.3
2) They are still listing this as vulnerable because they are not aware of the fix being in place.
3) While they are updating the version number to reflect the plugin’s current version, they are not actually checking those later versions… This is the important part.
According to this Reddit post/rant, PatchStack gets their info not directly from your plugin but rather from copying what it says in WPScan’s records, which in turn gets their info from Wordfence’s records.
Both of those two sources only mention the Jan 11 2026 issue with version 2.2.0.3, and while they mention it as still vulnerable, they don’t mention anything about 2.2.0.4 or 2.2.0.5 having an issue.
It appears this headache is due to PatchStack randomly updating the version number to the current version number despite the vulnerability only being related to version 2.2.0.3. This is also made clear by their URL for the issue listing having “2-2-0-3” in the URL…
https://patchstack.com/database/wordpress/plugin/wp-popups-lite/vulnerability/wordpress-wp-popups-plugin-2-2-0-3-broken-access-control-vulnerability
If Wordfence is the source of truth like that Reddit rant suggests, you may want to install the plugin at https://www.wordfence.com/products/wordfence-free/ on a site with your plugin and run a scan to help them update their records. To be clear, I don’t know how Wordfence or PatchStack truly work, but as far as I can tell this is what needs to be done and will hopefully help your hard-working team be finally free of these false alarms.
Thread Starter
Jebeze
(@jebeze)
Thanks again, @timersys. That all makes sense, and thanks for taking the time to follow the thread of communication to the source. I just want to flag for you that WPEngine has unfortunately decided that Patchstack is where they pull information on plugin security vulnerabilities. WPEngine then uses the information to alert everyone on their platform that this plugin has a security vulnerability both via the WPEngine website dashboard and on the installed plugins admin page for each website. So, most WP Users will likely continue to believe there is a security issue with this plugin.
Plugin Author
Damian
(@timersys)
We are already in touch with Patchstack so they can update the records. Sorry for the delay.
Thread Starter
Jebeze
(@jebeze)
Awesome. I can confirm that I am no longer seeing the security warning on WPEngine as well. Thanks for working to resolve this issue. Much appreciated.