CVE-2026-1720
Unauthorized Plugin Installation in WowOptin WordPress Plugin
Publication date: 2026-03-05
Last updated on: 2026-03-05
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wpxpo | optin | to 1.4.24 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability exists in the WowOptin: Next-Gen Popup Maker WordPress plugin, versions up to and including 1.4.24. It is caused by a missing capability check in the 'install_and_active_plugin' function, which allows authenticated users with Subscriber-level access or higher to install and activate arbitrary plugins without proper authorization.
How can this vulnerability impact me? :
Because the vulnerability allows authenticated users with low-level access (Subscriber or above) to install and activate arbitrary plugins, an attacker could escalate privileges, introduce malicious code, or compromise the entire WordPress site. This can lead to full site takeover, data theft, defacement, or disruption of services.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': "This vulnerability allows authenticated users with Subscriber-level access and above to install and activate arbitrary plugins due to a missing capability check in the 'install_and_active_plugin' function."}, {'type': 'paragraph', 'content': 'Detection can involve monitoring for unusual plugin installation or activation activities initiated by low-privilege users.'}, {'type': 'paragraph', 'content': "Since the plugin installation and activation is handled via AJAX POST requests to the WordPress admin area, you can look for suspicious POST requests to admin-ajax.php with the action 'optn_install'."}, {'type': 'list_item', 'content': "Check web server logs for POST requests to 'wp-admin/admin-ajax.php' with parameter 'action=optn_install'."}, {'type': 'list_item', 'content': 'Use WordPress CLI to list recently installed or activated plugins: `wp plugin list --status=active --field=name --format=json` and check for unexpected plugins.'}, {'type': 'list_item', 'content': 'Audit user roles and capabilities to verify if Subscriber-level users have performed plugin installation or activation.'}] [1]
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, immediately update the WowOptin plugin to a version later than 1.4.24 where the missing capability check is fixed.
If an update is not immediately available, restrict plugin installation and activation capabilities to trusted users only, and monitor for suspicious activity.
Additionally, consider temporarily disabling the WowOptin plugin until a patch is applied.
Review and tighten user role permissions to prevent Subscriber-level users from performing actions beyond their intended scope.