Atomic Edge analysis of CVE-2025-13079:
The Popup Builder WordPress plugin prior to version 4.4.3 contains an improper authorization vulnerability in its unsubscribe functionality. This vulnerability allows unauthenticated attackers to unsubscribe arbitrary subscribers from mailing lists via brute-force attacks on predictable unsubscribe tokens. The CVSS 5.3 score reflects medium severity due to the impact on data integrity and availability of mailing list services.
Atomic Edge research identifies the root cause in the `AdminHelper::validateUnsubscribeToken()` function within `/popup-builder/com/helpers/AdminHelper.php`. The vulnerable code generates unsubscribe tokens using a deterministic MD5 hash of the subscriber ID and email address (`md5($params['subscriberId'].$params['email'])`). This predictable token generation occurs in the `Actions::sendNewsletter()` method at line 841, where the plugin constructs unsubscribe links. The token validation logic in `AdminHelper::validateUnsubscribeToken()` compares the received token directly against this predictable MD5 hash without implementing cryptographically secure random tokens or rate limiting.
The exploitation method involves an attacker obtaining or guessing a victim’s email address and the associated popup ID. Attackers can then brute-force the unsubscribe token by generating MD5 hashes of possible subscriber ID and email combinations. The attack targets the unsubscribe endpoint at the site’s home URL with parameters `sgpbUnsubscribe`, `email`, and `popup`. No authentication is required to access this functionality. Attackers send crafted GET requests to `/?sgpbUnsubscribe={token}&email={victim_email}&popup={popup_id}` where the token is the predictable MD5 hash.
The patch implements multiple security improvements. It replaces the predictable MD5 token generation with cryptographically secure random tokens using `wp_generate_password(32, false)` in the new `AdminHelper::generateUnsubscribeToken()` method. The patch adds a new database column `unsubscribe_token` to store these secure tokens via the `AdminHelper::addUnsubscribeTokenColumn()` migration function. Token validation now uses `hash_equals()` for timing-attack resistant comparison in `AdminHelper::validateUnsubscribeToken()`. The patch also introduces a new workflow where old MD5 tokens redirect to a secure link request form, handled by the new `Actions::requestNewUnsubscribeLink()` method and corresponding admin-post action `sgpb_request_new_unsubscribe_link`.
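To make the before-and-after concrete, the following is an added Python sketch (not the plugin's PHP and not Atomic Edge's code) of the two validation schemes described above: the legacy token derived from public inputs, and the hardened scheme with a stored random token, a constant-time compare, and a redirect for legacy-shaped links. The in-memory subscriber table, the sample email, and the "32 hex characters" test used to recognise an old-format link are assumptions.

```python
import hashlib
import hmac
import secrets
import string

def make_store():
    """Constructed sample subscriber table keyed by (email, popup_id); not real data."""
    return {("alice@example.com", 7): {"subscriber_id": 101, "subscribed": True}}

def legacy_token(subscriber_id, email):
    """Pre-4.4.3 scheme as described: md5(subscriberId . email).
    Both inputs are public or low-entropy, so the token is computable, not secret."""
    return hashlib.md5(f"{subscriber_id}{email}".encode()).hexdigest()

def legacy_unsubscribe(store, token, email, popup_id):
    sub = store.get((email, popup_id))
    if sub is None:
        return "unknown"
    if token == legacy_token(sub["subscriber_id"], email):  # plain == also leaks timing
        sub["subscribed"] = False
        return "unsubscribed"
    return "invalid"

ALNUM = string.ascii_letters + string.digits

def issue_secure_token(store, email, popup_id):
    """Hardened scheme: 32 random alphanumeric chars, the same shape as
    wp_generate_password(32, false), persisted in the unsubscribe_token column."""
    sub = store[(email, popup_id)]
    sub["unsubscribe_token"] = "".join(secrets.choice(ALNUM) for _ in range(32))
    return sub["unsubscribe_token"]

def hardened_unsubscribe(store, token, email, popup_id):
    sub = store.get((email, popup_id))
    if sub is None:
        return "unknown"
    stored = sub.get("unsubscribe_token")
    # hmac.compare_digest is Python's equivalent of PHP's hash_equals().
    if stored is not None and hmac.compare_digest(stored, token):
        sub["subscribed"] = False
        return "unsubscribed"
    # Assumed heuristic: an old MD5-style link is 32 hex chars. Do not honour it;
    # send the user to the request-new-link form, as the patch workflow does.
    if len(token) == 32 and all(c in string.hexdigits for c in token):
        return "request_new_link"
    return "invalid"
```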
Successful exploitation allows attackers to arbitrarily remove subscribers from mailing lists without authorization. This impacts data integrity by modifying subscription states and affects the availability of email marketing services for affected organizations. While the vulnerability does not enable privilege escalation or remote code execution, it facilitates unauthorized data modification that can disrupt business communications and marketing operations.
