A vulnerability classified as critical has been found in the instantpopupbuilder Instant Popup Builder Plugin up to 1.1.7 on WordPress. It affects the function handle_email_verification_page of the component Token Handler. Manipulation of the argument token/email leads to missing authorization. The vulnerability is tracked as CVE-2026-3475. The attack can be initiated remotely. There is no exploit available. It is recommended to upgrade the affected component.