cpe:2.3:a:wpxpo:wowoptin:_next-gen_popup_maker_–_create_stunning_popups_and_optins_for_lead_generation:*:*:*:*:*:*:*:*
part: a version: _next-gen_popup_maker_–_create_stunning_popups_and_optins_for_lead_generation update: *
| Vendor | Wpxpo (c5bc2b74-4fb9-5b98-a1a9-71c128f75636) |
|---|---|
| Product | Wowoptin (0d8bf2a0-aa36-5a7a-b098-8abe8dafa9b9) |
| Edition | * |
| Language | * |
| Software edition | * |
| Target software | * |
| Target hardware | * |
| Other | * |
| Notes | Imported from gcve-enriched-dumps CVE data |
PURL mappings
| PURL | Source | Last updated |
|---|---|---|
| No PURL mappings for this CPE yet. | | |
Vulnerability references
| Identifier | cpeApplicability | Submitted | db.gcve.eu details | Rationale |
|---|---|---|---|---|
| CVE:CVE-2026-4302 | vulnerable | 2026-06-08 08:05:13.158545 | WowOptin: Next-Gen Popup Maker <= 1.4.29 - Unauthenticated Server-Side Request Forgery via 'link' Parameter in REST API<br>HIGH (7.2)<br>The WowOptin: Next-Gen Popup Maker plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.4.29. This is due to the plugin exposing a publicly accessible REST API endpoint (optn/v1/integration-action) with a permission_callback of __return_true that passes user-supplied URLs directly to wp_remote_get() and wp_remote_post() in the Webhook::add_subscriber() method without any URL validation or restriction. The plugin does not use wp_safe_remote_get/post, which provide built-in SSRF protection. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application, which can be used to query and modify information from internal services.<br>Published: 2026-03-21T01:24:38.205Z<br>Updated: 2026-04-08T17:16:18.488Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2026-1720 | vulnerable | 2026-06-08 07:49:09.469601 | WowOptin: Next-Gen Popup Maker – Create Stunning Popups and Optins for Lead Generation <= 1.4.24 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Installation<br>HIGH (8.8)<br>The WowOptin: Next-Gen Popup Maker – Create Stunning Popups and Optins for Lead Generation plugin for WordPress is vulnerable to unauthorized arbitrary plugin installation due to a missing capability check on the 'install_and_active_plugin' function in all versions up to, and including, 1.4.24. This makes it possible for authenticated attackers, with Subscriber-level access and above, to install and activate arbitrary plugins.<br>Published: 2026-03-05T13:24:00.942Z<br>Updated: 2026-04-08T17:31:43.712Z | Imported from gcve-enriched-dumps CVE data |