Platform: wordpress
Component: optin
Fixed in: 1.4.30
CVE-2026-4302 describes a Server-Side Request Forgery (SSRF) vulnerability in the WowOptin: Next-Gen Popup Maker plugin for WordPress. An unauthenticated attacker can supply a URL to the plugin's integration action endpoint, and the plugin fetches it from the web server, which lets the attacker reach internal resources. Versions 1.0.0 through 1.4.29 are affected; the fix is in version 1.4.30.
The flaw is that URLs passed to the integration action are handed to the plugin's calls to wp_remote_get() and wp_remote_post() without validation of the scheme or destination host. The web server therefore issues requests on the attacker's behalf to services that are not reachable from the Internet, such as internal admin panels, database servers, or other systems adjacent to the WordPress host. Because no authentication is required, any visitor can trigger the SSRF, which substantially widens the exposure. This is the common SSRF pattern in which internal network reachability from the application server is used to gain further access or exfiltrate sensitive data.
CVE-2026-4302 was publicly disclosed on 2026-03-21. There is currently no indication of active exploitation in the wild, and no public proof-of-concept (PoC) code has been released. The vulnerability is not listed on the CISA KEV catalog at the time of writing. The CVSS score of 7.2 (HIGH) indicates a significant potential impact if exploited.
WordPress websites using the WowOptin: Next-Gen Popup Maker plugin, particularly those with limited network segmentation or internal services accessible from the web server, are at risk. Shared hosting environments where users have limited control over plugin configurations are also particularly vulnerable.
• wordpress / composer / npm:
grep -r 'optn/v1/integration-action' /var/www/html/wp-content/plugins/wow-optin-next-gen-popup-maker/
• generic web:
curl -I https://your-wordpress-site.com/optn/v1/integration-action # Check for 200 OK response indicating endpoint exposure
Exploit status
EPSS
0.06% (percentile 20%)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-4302 is to upgrade the WowOptin: Next-Gen Popup Maker plugin to version 1.4.30 or later without delay. If upgrading is not immediately feasible, add a Web Application Firewall (WAF) rule that blocks requests to the optn/v1/integration-action endpoint. As a complementary control, restrict outbound connections from the WordPress server to trusted domains only, so that a server-side request to an internal address is dropped at the network layer. Review and audit any existing integration actions to ensure they do not pass user-controlled URLs to outbound HTTP calls unvalidated. After upgrading, confirm the vulnerability is resolved by attempting to access an internal resource via the vulnerable endpoint and verifying that the request is blocked or fails.
Update to version 1.4.30, or a later fixed version
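To make the audit step concrete, here is an added example (not WowOptin's code, and not the vendor's fix) of the unvalidated pattern the advisory describes next to a hardened form that uses WordPress's own SSRF guards: wp_http_validate_url() plus wp_safe_remote_post(), combined with an explicit host allowlist. The function names prefixed optn_, the allowlist constant and the host in it are constructed for this illustration, and the code assumes it runs inside a WordPress plugin.

```php
<?php
// Added example, not WowOptin's code. Assumes the WordPress HTTP API is loaded.

// Hypothetical allowlist of third-party integration hosts the plugin may call.
const OPTN_ALLOWED_INTEGRATION_HOSTS = array(
    'api.example-esp.com', // placeholder host, constructed for this example
);

/**
 * Validate a user-supplied integration URL before any outbound request.
 * Returns the sanitized URL on success or a WP_Error on rejection.
 */
function optn_validate_integration_url( $url ) {
    $url = esc_url_raw( trim( (string) $url ) );

    // wp_http_validate_url() rejects non-http(s) schemes, credentials in the
    // URL, and hosts that resolve to loopback, private or link-local ranges.
    if ( ! wp_http_validate_url( $url ) ) {
        return new WP_Error( 'optn_unsafe_url', 'URL rejected by wp_http_validate_url().' );
    }

    // Defence in depth: only approved integration hosts, compared exactly.
    $host = strtolower( (string) wp_parse_url( $url, PHP_URL_HOST ) );
    if ( ! in_array( $host, OPTN_ALLOWED_INTEGRATION_HOSTS, true ) ) {
        return new WP_Error( 'optn_host_not_allowed', 'Host is not an approved integration endpoint.' );
    }
    return $url;
}

/**
 * Vulnerable shape (as described in the advisory): an untrusted URL goes
 * straight into wp_remote_post(), so the server fetches whatever it is given.
 */
function optn_integration_action_vulnerable( $url, $payload ) {
    return wp_remote_post( $url, array( 'body' => $payload ) );
}

/**
 * Hardened version: allowlist check, then wp_safe_remote_post(), which sets
 * reject_unsafe_urls so WordPress re-checks the target with wp_http_validate_url().
 */
function optn_integration_action_hardened( $url, $payload ) {
    $safe_url = optn_validate_integration_url( $url );
    if ( is_wp_error( $safe_url ) ) {
        return $safe_url; // the REST callback should turn this into a 4xx response
    }
    return wp_safe_remote_post( $safe_url, array(
        'body'        => $payload,
        'redirection' => 0, // do not follow redirects to a different host
        'timeout'     => 5,
    ) );
}
```

wp_http_validate_url() checks the address the hostname resolves to at validation time, so the outbound egress restriction described above remains the backstop against hostnames that later resolve to internal addresses.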
CVE-2026-4302 is a Server-Side Request Forgery (SSRF) vulnerability in the WowOptin plugin for WordPress, allowing attackers to potentially access internal resources via crafted URLs.
If you are using WowOptin: Next-Gen Popup Maker versions 1.0.0 through 1.4.29, you are vulnerable to this SSRF vulnerability.
Upgrade the WowOptin plugin to version 1.4.30 or later. Consider WAF rules or network restrictions as temporary mitigations.
There is currently no evidence of active exploitation in the wild, and no public proof-of-concept code has been released.
Refer to the official WowOptin plugin website or WordPress plugin repository for the latest advisory and update information.