Description
The WP Responsive Popup + Optin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 1.4. This is due to the settings form on the admin page (wpo_admin_page.php) lacking nonce generation (wp_nonce_field) and verification (wp_verify_nonce/check_admin_referer). This makes it possible for unauthenticated attackers to update all plugin settings including the 'wpo_image_url' parameter via a forged request, granted they can trick a site administrator into performing an action such as clicking a link.
Published: 2026-04-22
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross-Site Scripting via Cross-Site Request Forgery
Action: Apply Patch
AI Analysis

Impact

The WP Responsive Popup + Optin plugin does not protect its admin settings form with WordPress nonce checks, allowing an attacker to forge a request that changes the plugin's configuration. The forged request can set the wpo_image_url parameter to an arbitrary value, which is then stored and output directly in the WordPress admin interface. This flaw is a classic example of CWE-352, a Cross-Site Request Forgery weakness that enables stored cross-site scripting. A malicious actor could inject JavaScript that executes whenever any administrator reviews the plugin's settings page, potentially compromising administrator sessions or injecting further malicious content.

Affected Systems

Sites running any version of WP Responsive Popup + Optin up to and including 1.4 are affected. Administrators who have active accounts on such installations are at risk; upgrading the plugin past version 1.4 or removing it eliminates the vulnerability.

Risk and Exploitability

The CVSS score of 6.1 classifies this flaw as moderate severity, yet the lack of an EPSS score means exploitation probability remains unknown, and it is not listed in the CISA KEV catalog. To exploit it, an attacker must convince an administrator to visit a crafted link or submit a form that triggers the forged request, a realistic social-engineering vector. Once the malicious URL is stored, the injected script runs each time the admin page loads, allowing cookie theft, phishing, or further site compromise.

Generated by OpenCVE AI on April 22, 2026 at 10:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade or replace the WP Responsive Popup + Optin plugin with a version newer than 1.4 if available; if not, disable or uninstall the plugin until a patch is released
  • If the plugin must remain active, tightly restrict the wpo_image_url input by implementing server-side validation to accept only safe URLs or by sanitizing it before rendering
  • Implement or enable multi-factor authentication for administrator accounts and monitor all admin traffic for unexpected POST requests to wpo_admin_page.php

Generated by OpenCVE AI on April 22, 2026 at 10:24 UTC.

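The nonce and input-validation controls the description and the recommended actions refer to, as an added WordPress PHP example that is not the plugin's code and not part of the OpenCVE page: the first handler shows the shape of the weakness (a settings value stored straight from the POST with no nonce), the rest the hardened form. Only the wpo_image_url parameter and the wpo_admin_page.php file name come from the advisory; the nonce action name, page slug, capability and output helper are assumptions.

```php
<?php
// Added illustration (not the plugin's or OpenCVE's code). Only the
// 'wpo_image_url' option and the wpo_admin_page.php file name come from
// the advisory; the nonce action, page slug and capability are assumptions.

// Shape of the weakness: the POST is trusted on the strength of the admin's
// session cookie alone (sent with a forged request too), and the value is
// stored unvalidated. Kept here only to contrast with the hardened version.
function wpo_save_settings_unprotected() {
    if ( isset( $_POST['wpo_image_url'] ) ) {
        update_option( 'wpo_image_url', $_POST['wpo_image_url'] );
    }
}

// Hardened form: emits an action-specific nonce with the settings form.
function wpo_render_settings_form() {
    $url = get_option( 'wpo_image_url', '' );
    echo '<form method="post" action="' . esc_url( admin_url( 'admin.php?page=wpo_admin_page' ) ) . '">';
    wp_nonce_field( 'wpo_save_settings', 'wpo_nonce' ); // hidden nonce field
    echo '<input type="url" name="wpo_image_url" value="' . esc_attr( $url ) . '">';
    submit_button();
    echo '</form>';
}

// Hardened handler: nonce check (stops CSRF), capability check, URL
// validation before storage, so a forged or hostile value is never saved.
function wpo_save_settings_protected() {
    if ( ! isset( $_POST['wpo_image_url'] ) ) {
        return;
    }
    check_admin_referer( 'wpo_save_settings', 'wpo_nonce' ); // dies on a bad or missing nonce
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    // esc_url_raw() keeps only the listed schemes, so javascript: and data: URLs are dropped.
    $clean = esc_url_raw( wp_unslash( $_POST['wpo_image_url'] ), array( 'http', 'https' ) );
    if ( '' === $clean ) {
        add_settings_error( 'wpo_image_url', 'invalid_url', 'Image URL must be an http(s) URL.' );
        return;
    }
    update_option( 'wpo_image_url', $clean );
}

// Output side: escape for the attribute context even though storage is validated.
function wpo_image_tag() {
    return '<img src="' . esc_url( get_option( 'wpo_image_url', '' ) ) . '" alt="">';
}
```

The nonce alone closes the CSRF path; the scheme whitelist and output escaping are what remove the stored-XSS consequence if a value still reaches the option table.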
Advisories

No advisories yet.

History

Wed, 22 Apr 2026 14:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 22 Apr 2026 12:15:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Sphex1987; Sphex1987 wp Responsive Popup + Optin; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added: Sphex1987; Sphex1987 wp Responsive Popup + Optin; Wordpress; Wordpress wordpress

Wed, 22 Apr 2026 08:30:00 +0000

Type: Description
Values Removed: (none)
Values Added: The WP Responsive Popup + Optin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 1.4. This is due to the settings form on the admin page (wpo_admin_page.php) lacking nonce generation (wp_nonce_field) and verification (wp_verify_nonce/check_admin_referer). This makes it possible for unauthenticated attackers to update all plugin settings including the 'wpo_image_url' parameter via a forged request, granted they can trick a site administrator into performing an action such as clicking a link.

Type: Title
Values Removed: (none)
Values Added: WP Responsive Popup + Optin <= 1.4 - Cross-Site Request Forgery to Stored Cross-Site Scripting via 'wpo_image_url' Parameter

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-352

Type: References
Values Removed: (none)
Values Added: (none listed)

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1 {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-22T13:05:41.928Z

Reserved: 2026-03-13T14:14:27.086Z

Link: CVE-2026-4131

Vulnrichment

Updated: 2026-04-22T13:05:34.089Z

NVD

Status : Deferred

Published: 2026-04-22T09:16:24.080

Modified: 2026-04-22T20:22:50.570

Link: CVE-2026-4131

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T11:44:25Z

Weaknesses