CVE-2026-9014
Unauthenticated Data Reset in WP Promoter WordPress Plugin
Publication date: 2026-05-27
Last updated on: 2026-05-27
Assigner: Wordfence
Description
CVSS Scores
EPSS Scores
| Metric | Value |
|---|---|
| Probability | |
| Percentile | |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wp_promoter | wp_promoter | up to and including 1.3 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The WP Promoter plugin for WordPress has a vulnerability in its reset_stats() function in versions up to and including 1.3. The function performs no capability check, so it never verifies that the caller is authorized to reset statistics.
The same handler is registered for both the logged-in AJAX action (wp_ajax_wpp-reset_stats) and the anonymous one (wp_ajax_nopriv_wpp-reset_stats), and neither path enforces authentication, authorization, or nonce validation. An attacker who is not logged in can therefore call wp-admin/admin-ajax.php with action=wpp-reset_stats and reset the plugin's bar and popup statistics, which the handler does by deleting the stored options that hold them.
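To make the missing checks concrete, here is the vulnerable registration pattern the advisory describes next to a hardened version of the handler. This is an added illustration, not the WP Promoter plugin's actual source: the hook names wp_ajax_wpp-reset_stats and wp_ajax_nopriv_wpp-reset_stats and the option names wpp_bar and wpp_popup come from the advisory text, while the function names, the nonce action name wpp_reset_stats, the request parameter nonce, the script handle and the admin page slug are assumptions made for the example.

```php
<?php
// ---- Vulnerable pattern (reconstructed from the advisory; for contrast only, do not ship) ----
// One handler is registered for logged-in (wp_ajax_) and anonymous (wp_ajax_nopriv_)
// requests, and it deletes the statistics options without any check at all.
// Anyone who can reach wp-admin/admin-ajax.php?action=wpp-reset_stats can trigger it.
add_action( 'wp_ajax_wpp-reset_stats', 'wpp_reset_stats_vulnerable' );
add_action( 'wp_ajax_nopriv_wpp-reset_stats', 'wpp_reset_stats_vulnerable' );

function wpp_reset_stats_vulnerable() {
    delete_option( 'wpp_bar' );   // option names as given in the advisory
    delete_option( 'wpp_popup' );
    wp_send_json_success();
}

// ---- Hardened form ----
// 1. Only the logged-in hook is registered; there is no legitimate anonymous caller,
//    so the wp_ajax_nopriv_ variant is simply not added.
add_action( 'wp_ajax_wpp-reset_stats', 'wpp_reset_stats_hardened' );

function wpp_reset_stats_hardened() {
    // 2. CSRF protection: the request must carry a nonce minted for this action.
    //    With the third argument left at its default (true), check_ajax_referer()
    //    terminates the request when the nonce is missing or invalid.
    check_ajax_referer( 'wpp_reset_stats', 'nonce' ); // action/parameter names assumed

    // 3. Authorization: being logged in is not enough; a subscriber-level account
    //    must not be able to wipe the statistics. manage_options limits it to admins.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    delete_option( 'wpp_bar' );
    delete_option( 'wpp_popup' );
    wp_send_json_success( array( 'message' => 'Statistics reset.' ) );
}

// The admin page that renders the reset button has to hand the nonce to its
// JavaScript, which then sends it as the "nonce" parameter alongside
// action=wpp-reset_stats. Page slug and script handle are assumptions.
function wpp_enqueue_reset_script( $hook_suffix ) {
    if ( 'toplevel_page_wp-promoter' !== $hook_suffix ) {
        return; // only load on the plugin's own settings page
    }
    wp_enqueue_script( 'wpp-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'wpp-admin', 'wppReset', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'wpp_reset_stats' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'wpp_enqueue_reset_script' );
```

The three changes are independent and all three are needed: dropping the nopriv hook removes the unauthenticated path, the nonce stops a logged-in administrator from being tricked into triggering the reset from another site, and the capability check stops low-privilege accounts from doing it directly.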
How can this vulnerability impact me?
This vulnerability allows an unauthenticated attacker to reset the statistics tracked by the WP Promoter plugin, specifically the bar and popup statistics.
While it does not allow data disclosure or deletion beyond these statistics, it can impact the integrity of the plugin's data by allowing unauthorized modification, potentially disrupting analytics or marketing efforts that rely on these statistics.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves unauthorized modification of data via the reset_stats() function in the WP Promoter plugin for WordPress. Detection can focus on requests to wp-admin/admin-ajax.php whose action parameter is wpp-reset_stats; these are dispatched to the plugin's handler through the wp_ajax_wpp-reset_stats (logged-in) and wp_ajax_nopriv_wpp-reset_stats (anonymous) hooks, and the anonymous hook is what makes unauthenticated exploitation possible.
To detect exploitation attempts, monitor web server access logs for requests to wp-admin/admin-ajax.php with action=wpp-reset_stats. The action parameter can appear anywhere in the query string, so match on the parameter itself rather than on an exact admin-ajax.php?action= prefix:
- Apache:
- grep -E 'admin-ajax\.php\?[^ ]*action=wpp-reset_stats' /var/log/apache2/access.log
- nginx:
- grep -E 'admin-ajax\.php\?[^ ]*action=wpp-reset_stats' /var/log/nginx/access.log
Two caveats apply. First, admin-ajax.php accepts the action parameter in a POST body as well as in the query string, and standard access logs record only the request line, so a POST-based attempt appears as an ordinary POST /wp-admin/admin-ajax.php; catching those requires request-body logging (a WAF or ModSecurity audit log) or an application-level hook inside WordPress. Second, the only legitimate source of this request is an administrator's browser session, so any hit from a client that is not logged in should be treated as an exploitation attempt.
Additionally, the wpp_bar and wpp_popup options disappearing from the wp_options table when no administrator performed a reset (for example, wp option get wpp_bar via WP-CLI suddenly returning nothing) indicates that a reset has already taken place.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability immediately, update the WP Promoter plugin to a version later than 1.3 in which the missing capability check on reset_stats() is fixed; confirm in the plugin's changelog that the release you install actually contains the fix.
If an update is not yet available, consider temporarily deactivating the plugin. Restricting access to wp-admin/admin-ajax.php as a whole is not a good substitute: that endpoint also serves front-end features for anonymous visitors, so blocking it wholesale can break the site. Restrict only requests whose action parameter is wpp-reset_stats.
Web application firewall (WAF) rules can do this: block requests to wp-admin/admin-ajax.php carrying action=wpp-reset_stats, in the query string or the POST body, from clients that do not present a logged-in WordPress session cookie (wordpress_logged_in_*). Because the only legitimate caller is an administrator, blocking every anonymous request for this action has no functional cost, while a WAF alone still cannot tell an administrator from a subscriber, so the rule is a stopgap, not a replacement for the upstream fix.
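The application-level hook mentioned under detection and the interim blocking described above can be combined in a single must-use plugin, shown here as an added example that is not part of the advisory or of WP Promoter. It relies on the fact that wp-admin/admin-ajax.php fires the admin_init action before dispatching wp_ajax_{action} or wp_ajax_nopriv_{action}, so a hook there sees the request first, including the action parameter of POST requests that the access log does not show. The action name wpp-reset_stats comes from the advisory; the function names, the log line format and the choice of manage_options as the required capability are assumptions for this example.

```php
<?php
/**
 * Plugin Name: WP Promoter reset_stats guard (temporary virtual patch)
 *
 * Place this file in wp-content/mu-plugins/ until WP Promoter is updated.
 * It logs every request for the wpp-reset_stats AJAX action and refuses it
 * unless the caller is logged in and holds the manage_options capability,
 * so the plugin's own unprotected handler never runs for anyone else.
 */

// Value of the "action" request parameter that reaches the vulnerable handler.
const WPP_GUARD_ACTION = 'wpp-reset_stats';

/**
 * Pure decision function, kept separate from the WordPress hook so it can be
 * unit-tested: returns 'ignore' for unrelated actions, 'allow' for an
 * authenticated administrator, 'deny' for everyone else.
 */
function wpp_guard_decide( $action, $logged_in, $can_manage ) {
    if ( WPP_GUARD_ACTION !== $action ) {
        return 'ignore';
    }
    return ( $logged_in && $can_manage ) ? 'allow' : 'deny';
}

function wpp_guard_admin_ajax() {
    // Only admin-ajax.php requests are of interest; admin_init also fires on
    // ordinary wp-admin page loads.
    if ( ! wp_doing_ajax() ) {
        return;
    }

    // $_REQUEST covers both the query string and the POST body, which is what
    // admin-ajax.php itself reads the action from.
    $action = isset( $_REQUEST['action'] )
        ? sanitize_text_field( wp_unslash( $_REQUEST['action'] ) )
        : '';

    $logged_in  = is_user_logged_in();
    $can_manage = current_user_can( 'manage_options' );
    $decision   = wpp_guard_decide( $action, $logged_in, $can_manage );
    if ( 'ignore' === $decision ) {
        return;
    }

    // Detection: record every attempt, allowed or denied, in the PHP error log
    // so it can be correlated with the web server log and alerted on.
    error_log( sprintf(
        '[wpp-guard] %s action=%s method=%s ip=%s user=%s',
        strtoupper( $decision ),
        $action,
        isset( $_SERVER['REQUEST_METHOD'] ) ? $_SERVER['REQUEST_METHOD'] : '-',
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '-',
        $logged_in ? wp_get_current_user()->user_login : 'anonymous'
    ) );

    if ( 'deny' === $decision ) {
        // Mitigation: wp_send_json_error() emits the JSON body and terminates
        // the request, so neither wp_ajax_wpp-reset_stats nor
        // wp_ajax_nopriv_wpp-reset_stats is ever dispatched.
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    // Note: this shim cannot add CSRF (nonce) protection, because the plugin's
    // own admin JavaScript does not send a nonce; that part needs the upstream fix.
}

// Priority 0 so the guard runs ahead of anything else hooked to admin_init.
add_action( 'admin_init', 'wpp_guard_admin_ajax', 0 );
```

Unlike the web server grep, this sees POST-based attempts and knows who the caller is, so every DENY line in the PHP error log is an exploitation attempt by definition. Remove the file once the patched plugin version is installed; leaving it in place is harmless but hides whether the upstream fix is doing its job.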