Description
The WowOptin: Next-Gen Popup Maker plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.4.29. This is due to the plugin exposing a publicly accessible REST API endpoint (optn/v1/integration-action) with a permission_callback of __return_true that passes user-supplied URLs directly to wp_remote_get() and wp_remote_post() in the Webhook::add_subscriber() method without any URL validation or restriction. The plugin does not use wp_safe_remote_get/post which provide built-in SSRF protection. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application, which can be used to query and modify information from internal services.
Published: 2026-03-21
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Server‑Side Request Forgery
Action: Immediate Patch
AI Analysis

Impact

The plugin exposes a public REST API endpoint that accepts a user‑supplied URL and forwards it directly to WordPress network functions without any validation or restriction. This lack of protection allows an unauthenticated attacker to provoke the server to send HTTP requests to arbitrary addresses, including private internal services, potentially leaking sensitive data or enabling further compromise.

Affected Systems

The flaw affects all releases of the WowOptin: Next‑Gen Popup Maker plugin for WordPress up to and including version 1.4.29. WordPress sites that have not upgraded beyond 1.4.29, especially those using the plugin for pop‑ups and lead generation, are therefore vulnerable.

Risk and Exploitability

The CVSS score of 7.2 reflects a high‑severity vulnerability. Exploitation requires only a crafted HTTP request to the public endpoint and does not require authentication. The exploitation path is therefore simple, while the potential damage includes reading or modifying internal resources. Although the EPSS score and KEV listing are unavailable, the low technical barrier and the server‑side request nature imply a moderate to high risk if left unpatched.

Generated by OpenCVE AI on March 21, 2026 at 07:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update WowOptin to the latest release that removes the SSRF flaw.
  • Verify that the /optn/v1/integration‑action REST endpoint is no longer publicly accessible and that proper permission checks are in place.
  • If an upgrade is not feasible, disable or uninstall the plugin, or block the vulnerable endpoint using a web application firewall or host‑level rules.

Generated by OpenCVE AI on March 21, 2026 at 07:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 23 Mar 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 23 Mar 2026 10:00:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Wpxpo
Wpxpo wowoptin: Next-gen Popup Maker – Create Stunning Popups And Optins For Lead Generation
Vendors & Products Wordpress
Wordpress wordpress
Wpxpo
Wpxpo wowoptin: Next-gen Popup Maker – Create Stunning Popups And Optins For Lead Generation

Sat, 21 Mar 2026 05:30:00 +0000

Type Values Removed Values Added
Description The WowOptin: Next-Gen Popup Maker plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.4.29. This is due to the plugin exposing a publicly accessible REST API endpoint (optn/v1/integration-action) with a permission_callback of __return_true that passes user-supplied URLs directly to wp_remote_get() and wp_remote_post() in the Webhook::add_subscriber() method without any URL validation or restriction. The plugin does not use wp_safe_remote_get/post which provide built-in SSRF protection. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application, which can be used to query and modify information from internal services.
Title WowOptin: Next-Gen Popup Maker <= 1.4.29 - Unauthenticated Server-Side Request Forgery via 'link' Parameter in REST API
Weaknesses CWE-918
References
Metrics cvssV3_1

{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

Wordpress Wordpress
Wpxpo Wowoptin: Next-gen Popup Maker – Create Stunning Popups And Optins For Lead Generation
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:16:18.488Z

Reserved: 2026-03-16T20:15:15.092Z

Link: CVE-2026-4302

cve-icon Vulnrichment

Updated: 2026-03-23T16:37:29.755Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-21T02:16:18.260

Modified: 2026-03-23T14:32:02.800

Link: CVE-2026-4302

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-25T14:42:45Z

Weaknesses