Impact
The WP Promoter plugin for WordPress versions up to and including 1.3 contains a missing capability check on the reset_stats routine. The function is wired to both wp_ajax_wpp-reset_stats and the unauthenticated wp_ajax_nopriv_wpp-reset_stats actions and performs no authentication, authorization, or nonce verification. Consequently, any unauthenticated visitor can invoke this handler and the plugin will delete its wpp_bar and wpp_popup options, wiping the displayed bar and popup statistics. The impact is a loss of data integrity for site analytics and the potential to conceal traffic behavior or hide attack footprints.
Affected Systems
The affected product is the WP Promoter plugin developed by Rahulbhangale. Versions 1.3 and earlier are vulnerable. No additional sub-versions or builds are specified, so any installation of WP Promoter 1.3 or below is at risk.
Risk and Exploitability
The CVSS score for this issue is 5.3, indicating medium severity. No EPSS value is available, and the vulnerability is not listed in CISA's KEV catalog. Because the AJAX action is accessible to unauthenticated users and lacks any nonce or capability checks, an attacker can trivially reset the statistics with a single HTTP POST request to the admin-ajax endpoint. Exploitation requires neither privileged access nor prior authentication, so the risk to the site's data integrity is real, and the vulnerability could be abused by an attacker who wishes to hide their activity or produce misleading analytics.
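The root cause described above, a destructive AJAX handler reachable without authentication, authorization, or CSRF protection, is a recurring WordPress plugin defect. The following is an added illustrative example, not the WP Promoter plugin's actual code: it reconstructs the vulnerable pattern as a commented stub and then shows the hardened form with the three checks the advisory says are missing. The hook and option names are those named in the advisory; the function names, the nonce action string, the script handle and the file paths are assumptions.

```php
<?php
/*
 * Illustrative example (not the plugin's own code).
 *
 * VULNERABLE PATTERN as described by the advisory: the same callback is
 * registered on both the authenticated and the nopriv hook and performs
 * no checks before deleting the options, so any visitor can wipe the stats.
 *
 *   add_action( 'wp_ajax_wpp-reset_stats',        'vuln_reset_stats' );
 *   add_action( 'wp_ajax_nopriv_wpp-reset_stats', 'vuln_reset_stats' );
 *   function vuln_reset_stats() {
 *       delete_option( 'wpp_bar' );
 *       delete_option( 'wpp_popup' );
 *       wp_die();
 *   }
 */

// HARDENED FORM (hypothetical function names).
// 1. Authentication: register only the wp_ajax_ hook. Without a
//    wp_ajax_nopriv_ registration, WordPress never routes logged-out
//    requests to this callback.
add_action( 'wp_ajax_wpp-reset_stats', 'example_wpp_reset_stats' );

function example_wpp_reset_stats() {
    // 2. Authorization: only users who may manage site options can reset
    //    statistics. A logged-in subscriber is rejected here with HTTP 403.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 3. CSRF protection: the request must carry a nonce that was issued to
    //    this user for this specific action. check_ajax_referer() terminates
    //    the request with -1 and a 403 status when the nonce is missing or invalid.
    check_ajax_referer( 'wpp_reset_stats', 'nonce' );

    // Only now is the destructive operation performed.
    delete_option( 'wpp_bar' );
    delete_option( 'wpp_popup' );

    wp_send_json_success( array( 'message' => 'Statistics reset.' ) );
}

// The admin page that triggers the reset must be handed a matching nonce;
// exposing it via wp_localize_script() lets the page's JavaScript send it
// as the "nonce" POST field alongside action=wpp-reset_stats.
// (Script handle and file name are assumptions for this example.)
function example_wpp_enqueue_admin_script( $hook_suffix ) {
    wp_enqueue_script(
        'example-wpp-admin',
        plugins_url( 'admin.js', __FILE__ ),
        array( 'jquery' ),
        '1.0',
        true
    );
    wp_localize_script( 'example-wpp-admin', 'exampleWppAdmin', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'wpp_reset_stats' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'example_wpp_enqueue_admin_script' );
```

The order of the checks matters: the capability check runs before the nonce check so that an unprivileged user is refused regardless of whether they hold a valid nonce, and both run before any option is deleted. Until an updated plugin version is installed, site operators can look for unauthenticated POST requests to admin-ajax.php carrying action=wpp-reset_stats in their web server or WAF logs, and can restrict or block that action at the web server layer as a temporary mitigation.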
OpenCVE Enrichment