CVE-2026-9014

The WP Promoter plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the reset stats() function in versions up to, and including, 1.3. The function is hooked to both the wp ajax wpp-reset stats and wp ajax nopriv wpp-reset stats actions and contains no authentication, authorization, or nonce validation. This makes it possible for unauthenticated attackers to reset the plugin's bar and popup statistics by deleting the wpp bar and wpp popup options.