PT-2026-26795 · WordPress · Wowoptin: Next-Gen Popup Maker

Itthidej Aramsri · Published 2026-03-21 · Updated 2026-03-21 · CVE-2026-4302

CVSS v3.1: 7.2 High

Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions

WowOptin: Next-Gen Popup Maker plugin for WordPress versions through 1.4.29

Description

The WowOptin: Next-Gen Popup Maker plugin for WordPress is susceptible to Server-Side Request Forgery (SSRF). The cause is a publicly accessible REST API endpoint, /optn/v1/integration-action, that uses a permission callback of __return_true. The plugin passes user-supplied URLs directly to wp_remote_get() and wp_remote_post() within the Webhook::add_subscriber() method without validating or restricting the URLs. The plugin does not employ wp_safe_remote_get() or wp_safe_remote_post(), which offer built-in SSRF protection. This allows unauthenticated attackers to make web requests to arbitrary locations from the web application, potentially enabling them to query and modify information from internal services.

Recommendations

Versions prior to 1.4.29 should be updated. As a temporary workaround, restrict access to the /optn/v1/integration-action API endpoint.
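
One way to apply the temporary workaround, shown as an added example that is not code from the WowOptin plugin or its vendor: a must-use plugin that rejects unprivileged calls to the endpoint before the plugin's callback runs, and turns on core URL validation for callers that are allowed through. The ssrfguard_ names, the choice of the manage_options capability and the mu-plugins placement are assumptions made for this example.

```php
<?php
/**
 * Plugin Name: Temporary guard for /optn/v1/integration-action
 * Added example (not WowOptin code). Place in wp-content/mu-plugins/.
 */

// Route named in the advisory; WordPress matches REST routes case-insensitively,
// so the comparison below is done on a lower-cased route.
const SSRFGUARD_ROUTE = '/optn/v1/integration-action';
// Assumption: only administrators need this endpoint until the update is applied.
const SSRFGUARD_CAP = 'manage_options';

add_filter( 'rest_pre_dispatch', 'ssrfguard_restrict_route', 10, 3 );

function ssrfguard_restrict_route( $result, $server, $request ) {
	if ( null !== $result ) {
		return $result; // Another filter has already answered this request.
	}
	$route = untrailingslashit( strtolower( $request->get_route() ) );
	if ( SSRFGUARD_ROUTE !== $route ) {
		return $result; // Not the guarded endpoint; let dispatch continue.
	}
	if ( ! current_user_can( SSRFGUARD_CAP ) ) {
		// Short-circuit dispatch so the plugin callback never issues a request.
		return new WP_Error(
			'rest_forbidden',
			'This endpoint is restricted until the plugin is updated.',
			array( 'status' => rest_authorization_required_code() )
		);
	}
	// Authorized caller: for the remainder of this PHP request, make core HTTP
	// calls validate the target URL the way wp_safe_remote_get()/post() do.
	add_filter( 'http_request_args', 'ssrfguard_force_safe_urls' );
	return $result;
}

function ssrfguard_force_safe_urls( $args ) {
	$args['reject_unsafe_urls'] = true;
	return $args;
}
```

Remove the file once the plugin has been updated to a fixed release.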

Fix

Weakness Enumeration: SSRF

Related Identifiers: CVE-2026-4302

Affected Products: Wowoptin: Next-Gen Popup Maker