PT-2026-34292 · Sphex1987 · Wp Responsive Popup + Optin
Published: 2026-04-22 · Updated: 2026-04-22 · CVE-2026-4131
CVSS v3.1: 6.1 Medium (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
The WP Responsive Popup + Optin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 1.4. The settings form on the admin page (wpo_admin_page.php) lacks both nonce generation (wp_nonce_field) and nonce verification (wp_verify_nonce/check_admin_referer). As a result, an unauthenticated attacker can update all plugin settings, including the 'wpo_image_url' parameter, via a forged request, provided they can trick a site administrator into performing an action such as clicking a link.
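The nonce generation and verification the description says are missing, shown as an added example of a WordPress settings page (this is not the plugin's code or the vendor's patch). The `example_`-prefixed names, the page slug, and the assumption that `wpo_image_url` is stored as an option of the same name are hypothetical.

```php
<?php
// Added illustration, not code from WP Responsive Popup + Optin.
// Names prefixed example_/EXAMPLE_ are hypothetical; 'wpo_image_url' is the
// setting named in the advisory, assumed here to be stored as an option.

const EXAMPLE_NONCE_ACTION = 'example_wpo_save_settings';
const EXAMPLE_NONCE_FIELD  = 'example_wpo_nonce';

add_action( 'admin_menu', function () {
    add_options_page( 'Popup settings', 'Popup settings', 'manage_options',
        'example-wpo-settings', 'example_wpo_render_page' );
} );

function example_wpo_render_page() {
    // Capability check: a nonce proves intent, not authorization.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.' ) );
    }
    if ( 'POST' === $_SERVER['REQUEST_METHOD'] ) {
        example_wpo_save();
    }
    ?>
    <form method="post">
        <?php // Generation: emits a hidden field tied to this user, session and action.
        wp_nonce_field( EXAMPLE_NONCE_ACTION, EXAMPLE_NONCE_FIELD ); ?>
        <input type="url" name="wpo_image_url"
               value="<?php echo esc_attr( get_option( 'wpo_image_url', '' ) ); ?>">
        <?php submit_button(); ?>
    </form>
    <?php
}

function example_wpo_save() {
    // Verification: terminates the request unless the nonce is present and valid,
    // so a cross-site form post that cannot read the token changes nothing.
    check_admin_referer( EXAMPLE_NONCE_ACTION, EXAMPLE_NONCE_FIELD );

    // Validate the submitted value before it is persisted.
    $url = isset( $_POST['wpo_image_url'] )
        ? esc_url_raw( wp_unslash( $_POST['wpo_image_url'] ) )
        : '';
    update_option( 'wpo_image_url', $url );
}
```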
Fix
CSRF
Affected Products
Wp Responsive Popup + Optin