MEDIUMCVE-2026-4131CVSS 6.1

WP Responsive Popup + Optin <= 1.4 - 'wpo_image_url' 参数的跨站请求伪造导致存储型跨站脚本攻击

Q: What is CVE-2026-4131 — XSS in WP Responsive Popup + Optin?

CVE-2026-4131 is a Cross-Site Scripting (XSS) vulnerability affecting the WP Responsive Popup + Optin plugin for WordPress versions up to 1.4. It allows attackers to modify plugin settings via forged requests, potentially leading to malicious code execution.

Q: Am I affected by CVE-2026-4131 in WP Responsive Popup + Optin?

You are affected if your WordPress site uses the WP Responsive Popup + Optin plugin and is running version 1.4 or earlier. Check your plugin version and upgrade immediately.

Q: How do I fix CVE-2026-4131 in WP Responsive Popup + Optin?

Upgrade the WP Responsive Popup + Optin plugin to the latest available version. If upgrading is not possible, implement a WAF rule to block suspicious requests to the admin page.

Q: Is CVE-2026-4131 being actively exploited?

There is currently no evidence of CVE-2026-4131 being actively exploited in the wild, but the vulnerability's ease of exploitation warrants prompt mitigation.

Q: Where can I find the official WP Responsive Popup advisory for CVE-2026-4131?

Refer to the plugin developer's website or the WordPress plugin repository for the latest advisory and update information regarding CVE-2026-4131.

平台

wordpress

组件

wp-popup-optin

修复版本

1.4.1

AI Confidence: highNVDEPSS 0.0%已审阅: 2026年5月

在NVD查看

保存

正在翻译为您的语言…

CVE-2026-4131 describes a Cross-Site Scripting (XSS) vulnerability present in the WP Responsive Popup + Optin plugin for WordPress. This flaw allows unauthenticated attackers to manipulate plugin settings, potentially leading to malicious code execution on the site. The vulnerability affects versions of the plugin up to and including 1.4, and a fix is available in a subsequent release. Addressing this vulnerability is crucial to protect WordPress sites from potential compromise.

WordPress

检测此 CVE 是否影响你的项目

上传你的依赖文件，立即了解此CVE和其他CVE是否影响你。

免费扫描

影响与攻击场景翻译中…

The primary impact of CVE-2026-4131 lies in the attacker's ability to modify plugin settings through Cross-Site Request Forgery (CSRF). Specifically, an attacker could alter the 'wpoimageurl' parameter, potentially injecting malicious JavaScript code. This could lead to various consequences, including redirecting users to phishing sites, stealing user credentials, or defacing the website. While the vulnerability requires tricking an administrator into performing an action, the potential for widespread impact across a WordPress site is significant, especially if administrators are frequently targeted with social engineering attacks. The lack of nonce verification makes exploitation relatively straightforward.

利用背景翻译中…

CVE-2026-4131 was published on April 21, 2026. There is no indication of this vulnerability being actively exploited in the wild at this time. The vulnerability is not currently listed on KEV or EPSS, suggesting a low probability of exploitation. Public Proof-of-Concept (PoC) code is not widely available, but the vulnerability's nature makes it relatively easy to exploit given administrator access.

威胁情报

漏洞利用状态

概念验证未知

CISA KEVNO

互联网暴露高

报告1 份威胁报告

EPSS

0.01% (1% 百分位)

CISA SSVC

利用情况none

可自动化no

技术影响partial

CVSS 向量

这些指标意味着什么？

Attack Vector: 网络 — 可通过互联网远程利用，无需物理或本地访问。攻击面最大。
Attack Complexity: 低 — 无需特殊条件，可以稳定地利用漏洞。
Privileges Required: 无 — 无需认证，无需凭证即可利用。
User Interaction: 需要 — 受害者必须打开文件、点击链接或访问特制页面。
Scope: 已改变 — 攻击可以超出脆弱组件，影响其他系统。
Confidentiality: 低 — 可访问部分数据。
Integrity: 低 — 攻击者可修改部分数据，影响有限。
Availability: 无 — 无可用性影响。

受影响的软件

组件wp-popup-optin

供应商wordfence

影响范围修复版本

0.0.0 – 1.41.4.1

1.41.4.1

软件包信息

活跃安装数: 10
插件评分: 3.7
需要WordPress版本: 3.2+
兼容至: 4.1.42

主页

弱点分类 (CWE)

CWE-352

时间线

已保留2026-03-13
发布日期2026-04-21
修改日期2026-04-22
EPSS 更新日期2026-04-29

未修复 — 披露已33天

缓解措施和替代方案翻译中…

The primary mitigation for CVE-2026-4131 is to upgrade the WP Responsive Popup + Optin plugin to a version that includes nonce generation and verification. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing a Web Application Firewall (WAF) rule to block requests to the wpoadminpage.php endpoint without proper authentication. Additionally, educate administrators about the risks of clicking on suspicious links and performing actions without verifying the source. There are no specific Sigma or YARA rules applicable to this vulnerability, as it relies on CSRF and manipulation of plugin settings. After upgrading, confirm the fix by attempting to access the admin page and verifying that nonce fields are present and correctly validated.

修复方法

没有已知的补丁可用。请深入审查漏洞的详细信息，并根据您组织的风险承受能力采取缓解措施。最好卸载受影响的软件并寻找替代方案。

CVE 安全通讯

漏洞分析和关键警报直接发送到您的邮箱。

常见问题翻译中…

What is CVE-2026-4131 — XSS in WP Responsive Popup + Optin?

CVE-2026-4131 is a Cross-Site Scripting (XSS) vulnerability affecting the WP Responsive Popup + Optin plugin for WordPress versions up to 1.4. It allows attackers to modify plugin settings via forged requests, potentially leading to malicious code execution.

Am I affected by CVE-2026-4131 in WP Responsive Popup + Optin?

You are affected if your WordPress site uses the WP Responsive Popup + Optin plugin and is running version 1.4 or earlier. Check your plugin version and upgrade immediately.

How do I fix CVE-2026-4131 in WP Responsive Popup + Optin?

Upgrade the WP Responsive Popup + Optin plugin to the latest available version. If upgrading is not possible, implement a WAF rule to block suspicious requests to the admin page.

Is CVE-2026-4131 being actively exploited?

There is currently no evidence of CVE-2026-4131 being actively exploited in the wild, but the vulnerability's ease of exploitation warrants prompt mitigation.

Where can I find the official WP Responsive Popup advisory for CVE-2026-4131?

Refer to the plugin developer's website or the WordPress plugin repository for the latest advisory and update information regarding CVE-2026-4131.

你的项目受影响吗?

上传你的依赖文件，立即了解此CVE和其他CVE是否影响你。

免费扫描搜索 CVE