{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4131", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-03-13T14:14:27.086Z", "datePublished": "2026-04-22T07:45:30.687Z", "dateUpdated": "2026-04-22T13:05:41.928Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-22T07:45:30.687Z"}, "affected": [{"vendor": "sphex1987", "product": "WP Responsive Popup + Optin", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.4", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The WP Responsive Popup + Optin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 1.4. This is due to the settings form on the admin page (wpo_admin_page.php) lacking nonce generation (wp_nonce_field) and verification (wp_verify_nonce/check_admin_referer). This makes it possible for unauthenticated attackers to update all plugin settings including the 'wpo_image_url' parameter via a forged request, granted they can trick a site administrator into performing an action such as clicking a link."}], "title": "WP Responsive Popup + Optin <= 1.4 - Cross-Site Request Forgery to Stored Cross-Site Scripting via 'wpo_image_url' Parameter", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0a8a49c4-21e8-447c-94da-8241c7d66c29?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-popup-optin/trunk/wpo_admin_page.php#L103"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-popup-optin/tags/1.4/wpo_admin_page.php#L103"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-popup-optin/trunk/wpo_admin_page.php#L104"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-popup-optin/tags/1.4/wpo_admin_page.php#L104"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-popup-optin/trunk/wp-popup-optin.php#L218"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-popup-optin/tags/1.4/wp-popup-optin.php#L218"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-popup-optin/trunk/wpo_admin_page.php#L15"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-popup-optin/tags/1.4/wpo_admin_page.php#L15"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-popup-optin/trunk/wpo_admin_page.php#L43"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-popup-optin/tags/1.4/wpo_admin_page.php#L43"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-352 Cross-Site Request Forgery (CSRF)", "cweId": "CWE-352", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Nur Ibnu Hubab"}], "timeline": [{"time": "2026-04-21T19:08:08.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-22T13:05:30.342431Z", "id": "CVE-2026-4131", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-22T13:05:41.928Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-4131", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-22T13:05:30.342431Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-22T13:05:34.089Z"}}], "cna": {"title": "WP Responsive Popup + Optin <= 1.4 - Cross-Site Request Forgery to Stored Cross-Site Scripting via 'wpo_image_url' Parameter", "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Nur Ibnu Hubab"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.1, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "sphex1987", "product": "WP Responsive Popup + Optin", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.4"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-04-21T19:08:08.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0a8a49c4-21e8-447c-94da-8241c7d66c29?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-popup-optin/trunk/wpo_admin_page.php#L103"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-popup-optin/tags/1.4/wpo_admin_page.php#L103"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-popup-optin/trunk/wpo_admin_page.php#L104"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-popup-optin/tags/1.4/wpo_admin_page.php#L104"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-popup-optin/trunk/wp-popup-optin.php#L218"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-popup-optin/tags/1.4/wp-popup-optin.php#L218"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-popup-optin/trunk/wpo_admin_page.php#L15"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-popup-optin/tags/1.4/wpo_admin_page.php#L15"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-popup-optin/trunk/wpo_admin_page.php#L43"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-popup-optin/tags/1.4/wpo_admin_page.php#L43"}], "descriptions": [{"lang": "en", "value": "The WP Responsive Popup + Optin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 1.4. This is due to the settings form on the admin page (wpo_admin_page.php) lacking nonce generation (wp_nonce_field) and verification (wp_verify_nonce/check_admin_referer). This makes it possible for unauthenticated attackers to update all plugin settings including the 'wpo_image_url' parameter via a forged request, granted they can trick a site administrator into performing an action such as clicking a link."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "CWE-352 Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-22T07:45:30.687Z"}}}, "cveMetadata": {"cveId": "CVE-2026-4131", "state": "PUBLISHED", "dateUpdated": "2026-04-22T13:05:41.928Z", "dateReserved": "2026-03-13T14:14:27.086Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-04-22T07:45:30.687Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The WP Responsive Popup + Optin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 1.4. This is due to the settings form on the admin page (wpo_admin_page.php) lacking nonce generation (wp_nonce_field) and verification (wp_verify_nonce/check_admin_referer). This makes it possible for unauthenticated attackers to update all plugin settings including the 'wpo_image_url' parameter via a forged request, granted they can trick a site administrator into performing an action such as clicking a link."}], "id": "CVE-2026-4131", "lastModified": "2026-04-22T20:22:50.570", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-04-22T09:16:24.080", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wp-popup-optin/tags/1.4/wp-popup-optin.php#L218"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wp-popup-optin/tags/1.4/wpo_admin_page.php#L103"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wp-popup-optin/tags/1.4/wpo_admin_page.php#L104"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wp-popup-optin/tags/1.4/wpo_admin_page.php#L15"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wp-popup-optin/tags/1.4/wpo_admin_page.php#L43"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wp-popup-optin/trunk/wp-popup-optin.php#L218"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wp-popup-optin/trunk/wpo_admin_page.php#L103"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wp-popup-optin/trunk/wpo_admin_page.php#L104"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wp-popup-optin/trunk/wpo_admin_page.php#L15"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wp-popup-optin/trunk/wpo_admin_page.php#L43"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0a8a49c4-21e8-447c-94da-8241c7d66c29?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,1.4]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "WP Responsive Popup + Optin", "source": "cna", "vendor": "sphex1987"}, "product": "wp_responsive_popup_+_optin", "vendor": "sphex1987"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-22T10:24:43.710548+00:00", "value": {"mitigation_remediation": ["Upgrade or replace the WP Responsive Popup + Optin plugin with a version newer than 1.4 if available; if not, disable or uninstall the plugin until a patch is released", "If the plugin must remain active, tightly restrict the wpo_image_url input by implementing server\u2011side validation to accept only safe URLs or by sanitizing it before rendering", "Implement or enable multi\u2011factor authentication for administrator accounts and monitor all admin traffic for unexpected POST requests to wpo_admin_page.php"], "summary": {"action": "Apply Patch", "impact": "Stored Cross\u2011Site Scripting via Cross\u2011Site Request Forgery"}, "threat_synthesis": {"affected_systems": "Sites running any version of WP Responsive Popup + Optin up to and including 1.4 are affected. Administrators who have active accounts on such installations are at risk; upgrades or removal of the plugin beyond version 1.4 eliminate the vulnerability.", "description_and_impact": "The WP Responsive Popup + Optin plugin does not protect its admin settings form with WordPress nonce checks, allowing an attacker to forge a request that changes the plugin\u2019s configuration. The forged request can set the wpo_image_url parameter to an arbitrary value, which is then stored and output directly in the WordPress admin interface. This flaw is a classic example of CWE\u2011352, a Cross\u2011Site Request Forgery weakness that enables stored cross\u2011site scripting. A malicious actor could inject JavaScript that executes whenever any administrator reviews the plugin\u2019s settings page, potentially compromising administrator sessions or injecting further malicious content.", "risk_and_exploitability": "The CVSS score of 6.1 classifies this flaw as moderate severity, yet the lack of an EPSS score means exploitation probability remains unknown, and it is not listed in the CISA KEV catalog. To exploit, an attacker must convince an administrator to visit a crafted link or submit a form that triggers the forged request\u2014 a realistic social\u2011engineering vector. Once the malicious URL is stored, the injected script runs each time the admin page loads, allowing cookie theft, phishing, or further site compromise."}}}}, "created": "2026-04-22T10:30:14.511310+00:00", "updated": "2026-04-22T11:44:25.509631+00:00", "vendors": ["sphex1987", "sphex1987$PRODUCT$wp_responsive_popup_+_optin", "wordpress", "wordpress$PRODUCT$wordpress"]}