CVE-2026-4302 in WowOptin Plugin

Summary

by MITRE • 03/21/2026

The WowOptin: Next-Gen Popup Maker plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.4.29. This is due to the plugin exposing a publicly accessible REST API endpoint (optn/v1/integration-action) with a permission_callback of __return_true that passes user-supplied URLs directly to wp_remote_get() and wp_remote_post() in the Webhook::add_subscriber() method without any URL validation or restriction. The plugin does not use wp_safe_remote_get/post which provide built-in SSRF protection. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application, which can be used to query and modify information from internal services.


Analysis

by VulDB Data Team • 03/27/2026

The WowOptin: Next-Gen Popup Maker plugin for WordPress contains a critical Server-Side Request Forgery (SSRF) vulnerability that affects all versions up to and including 1.4.29. The vulnerability stems from the plugin exposing a publicly accessible REST API endpoint at optn/v1/integration-action that lacks proper authentication and authorization. Its permission_callback is set to __return_true, which allows any unauthenticated user to call the endpoint and creates an attack surface that can be exploited without valid credentials or privileges within the WordPress installation.

The technical flaw lies in the Webhook::add_subscriber() method, where user-supplied URLs are passed directly to WordPress's wp_remote_get() and wp_remote_post() functions without validation or sanitization. Because the plugin does not use wp_safe_remote_get()/wp_safe_remote_post(), which validate the target URL and refuse unsafe destinations before the request is sent, nothing restricts where the outbound request goes. An attacker can therefore craft requests that the server issues on their behalf across the network boundaries of the host running the vulnerable WordPress installation.
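As an added illustration (not the plugin's own code; the parameter names, capability check and helper wiring below are assumptions), the vulnerable registration pattern the advisory describes is shown next to a hardened registration of the same route:

```php
<?php
// Added example, not WowOptin's code. Route name comes from the advisory;
// the 'webhook_url'/'email' parameters are assumed for illustration.

// Vulnerable pattern (shown for contrast only, NOT hooked into rest_api_init):
// public endpoint, no URL validation, unsafe HTTP helper.
function optn_example_vulnerable_route() {
    register_rest_route( 'optn/v1', '/integration-action', array(
        'methods'             => 'POST',
        'permission_callback' => '__return_true',              // anyone may call it
        'callback'            => function ( WP_REST_Request $req ) {
            $url = $req->get_param( 'webhook_url' );           // attacker-controlled
            return wp_remote_post( $url, array( 'body' => $req->get_params() ) );
        },
    ) );
}

// Hardened pattern: authenticated caller, validated URL, safe HTTP helper.
function optn_example_hardened_route() {
    register_rest_route( 'optn/v1', '/integration-action', array(
        'methods'             => 'POST',
        // Require a privileged user instead of __return_true.
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
        'args' => array(
            'webhook_url' => array(
                'required'          => true,
                // wp_http_validate_url() rejects non-http(s) schemes and
                // loopback/private hosts unless a filter explicitly allows them.
                'validate_callback' => function ( $url ) {
                    return (bool) wp_http_validate_url( $url );
                },
            ),
        ),
        'callback' => function ( WP_REST_Request $req ) {
            $url  = esc_url_raw( $req->get_param( 'webhook_url' ) );
            // wp_safe_remote_post() sets reject_unsafe_urls, so the URL (and any
            // redirect target) is re-validated by WP_Http before being fetched.
            $resp = wp_safe_remote_post( $url, array(
                'timeout'     => 5,
                'redirection' => 0,
                'body'        => array( 'email' => sanitize_email( $req->get_param( 'email' ) ) ),
            ) );
            if ( is_wp_error( $resp ) ) {
                return new WP_Error( 'optn_webhook_failed', 'Webhook call failed', array( 'status' => 502 ) );
            }
            return rest_ensure_response( array( 'status' => wp_remote_retrieve_response_code( $resp ) ) );
        },
    ) );
}
add_action( 'rest_api_init', 'optn_example_hardened_route' );
```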

The operational impact of this vulnerability is severe and multifaceted. Attackers can leverage this SSRF vulnerability to make web requests to arbitrary locations originating from the web application, potentially gaining access to internal services that would normally be protected by network segmentation. This capability enables reconnaissance activities where attackers can enumerate internal network resources, probe for vulnerable internal services, and potentially escalate their attacks to compromise internal systems. The vulnerability can also be used to perform data exfiltration, modify internal service configurations, or even pivot to attack other systems within the same network infrastructure that the vulnerable WordPress server can reach.

Organizations running vulnerable versions of this plugin face significant security risks that align with several ATT&CK techniques, including T1105 (Ingress Tool Transfer) and T1071.1003 (Application Layer Protocol: DNS). The vulnerability gives attackers opportunities to establish command and control channels, exfiltrate sensitive data, or use the compromised server as a pivot point for further network exploration. It maps directly to CWE-918, which describes Server-Side Request Forgery weaknesses in which an attacker causes the server to issue unintended requests. The impact extends beyond simple data theft: attackers could manipulate internal services, access restricted APIs, or compromise other parts of the network infrastructure that the vulnerable WordPress installation can reach, making this a critical vulnerability that requires immediate remediation through plugin updates or network-level mitigations.

The recommended mitigations include immediate updating of the plugin to the latest version that addresses this vulnerability, implementing network-level restrictions to prevent outbound requests to internal services, and configuring firewall rules to block access to the vulnerable REST API endpoint. Additionally, organizations should consider implementing WAF rules to detect and block suspicious requests to the optn/v1/integration-action endpoint and ensure that all WordPress installations maintain current versions of plugins and themes to prevent similar vulnerabilities from being exploited.

Responsible: Wordfence

Reservation: 03/16/2026

Disclosure: 03/21/2026

Moderation: accepted

CPE: ready

EPSS: 0.00097

KEV: no

Activities: very low
