{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1720", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-01-30T19:54:30.840Z", "datePublished": "2026-03-05T13:24:00.942Z", "dateUpdated": "2026-04-08T17:31:43.712Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:31:43.712Z"}, "affected": [{"vendor": "wpxpo", "product": "WowOptin: Next-Gen Popup Maker \u2013 Create Stunning Popups and Optins for Lead Generation", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.4.24", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The WowOptin: Next-Gen Popup Maker \u2013 Create Stunning Popups and Optins for Lead Generation plugin for WordPress is vulnerable to unauthorized arbitrary plugin installation due to a missing capability check on the 'install_and_active_plugin' function in all versions up to, and including, 1.4.24. This makes it possible for authenticated attackers, with Subscriber-level access and above, to install and activate arbitrary plugins."}], "title": "WowOptin: Next-Gen Popup Maker \u2013 Create Stunning Popups and Optins for Lead Generation <= 1.4.24 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Installation", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ee0c0e29-b117-4480-b5b7-995878af8c57?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/optin/trunk/includes/utils/class-notice.php#L848"}, {"url": "https://plugins.trac.wordpress.org/changeset/3456826/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Itthidej Aramsri"}, {"lang": "en", "type": "finder", "value": "Waris Damkham"}], "timeline": [{"time": "2026-02-08T06:50:05.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-03-04T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-05T14:15:43.358526Z", "id": "CVE-2026-1720", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-05T14:15:49.474Z"}}]}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The WowOptin: Next-Gen Popup Maker \u2013 Create Stunning Popups and Optins for Lead Generation plugin for WordPress is vulnerable to unauthorized arbitrary plugin installation due to a missing capability check on the 'install_and_active_plugin' function in all versions up to, and including, 1.4.24. This makes it possible for authenticated attackers, with Subscriber-level access and above, to install and activate arbitrary plugins."}, {"lang": "es", "value": "El plugin WowOptin: Next-Gen Popup Maker \u2013 Create Stunning Popups and Optins for Lead Generation para WordPress es vulnerable a la instalaci\u00f3n arbitraria de plugins no autorizados debido a la ausencia de una comprobaci\u00f3n de capacidad en la funci\u00f3n 'install_and_active_plugin' en todas las versiones hasta la 1.4.24, inclusive. Esto permite a atacantes autenticados, con acceso de nivel Suscriptor y superior, instalar y activar plugins arbitrarios."}], "id": "CVE-2026-1720", "lastModified": "2026-04-22T21:27:27.950", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-03-05T14:16:13.673", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/optin/trunk/includes/utils/class-notice.php#L848"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3456826/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ee0c0e29-b117-4480-b5b7-995878af8c57?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.4.24]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "WowOptin: Next-Gen Popup Maker \u2013 Create Stunning Popups and Optins for Lead Generation", "source": "cna", "vendor": "wpxpo"}, "product": "wowoptin:_next-gen_popup_maker_\u2013_create_stunning_popups_and_optins_for_lead_generation", "vendor": "wpxpo"}], "analysis": {"en": {"generated_at": "2026-04-15T16:47:51.385361+00:00", "value": {"mitigation_remediation": ["Upgrade WowOptin to the latest version (1.4.25 or newer) or uninstall it if an upgrade is unavailable", "Revoke the \u2018install_and_active_plugin\u2019 capability from Subscriber and lower roles; ensure only Administrators retain plugin installation rights", "Use a security plugin or code snippet to block access to the plugin\u2019s installation interface, and regularly audit the Plugins directory for unexpected files"], "summary": {"action": "Patch Now", "impact": "Arbitrary Plugin Installation"}, "threat_synthesis": {"affected_systems": "All versions of WowOptin up to and including 1.4.24 are affected. The plugin is a WordPress add\u2011on developed by wpxpo. Because the vulnerability relies on the built\u2011in WordPress role hierarchy, any WordPress installation that has the plugin installed and allows Subscribers or higher to access the admin area is impacted.", "description_and_impact": "The WowOptin plugin contains a missing capability check in its 'install_and_active_plugin' function. This flaw enables any authenticated user with Subscriber-level access or higher to install and activate arbitrary plugins on the WordPress site. With the ability to install plugins, an attacker can introduce malicious code, backdoors, or further compromise website functionality, leading to potential data exfiltration, defacement, or full site takeover. The vulnerability is classified as CWE\u2011862, reflecting an authorization error.", "risk_and_exploitability": "The CVSS score of 8.8 indicates high severity. Exploitation requires only a user account with Subscriber privileges or better; no external network access or complex preconditions are needed. Although the EPSS score is below 1%, the attack remains realistic given the commonplace distribution of the plugin. The vulnerability is not yet listed in the CISA KEV catalog, but the missing authorization represents a critical control gap. An attacker exploiting this flaw can immediately load arbitrary code via the plugin installation interface, without needing to compromise the server root or exploit additional vulnerabilities."}}}}, "created": "2026-03-06T15:07:40.777343+00:00", "updated": "2026-04-15T17:00:07.049698+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress", "wpxpo", "wpxpo$PRODUCT$wowoptin:_next-gen_popup_maker_\u2013_create_stunning_popups_and_optins_for_lead_generation"]}