CVE-2026-25422

Popularis Extra <= 1.2.10 - Cross-Site Request Forgery

Severity: medium
Type: Cross-Site Request Forgery (CSRF)
CVSS Score: 4.3
Patched in: Unpatched
Time to patch: N/A

Description

The Popularis Extra plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.2.10. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to perform an unauthorized action via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: None

Technical Details

Affected versions: <=1.2.10
Published: January 28, 2026
Last updated: February 26, 2026
Affected plugin: popularis-extra
Research Plan
Unverified


Exploitation Research Plan - CVE-2026-25422 (Popularis Extra)

1. Vulnerability Summary

The Popularis Extra plugin (up to and including version 1.2.10) is vulnerable to Cross-Site Request Forgery (CSRF). The vulnerability exists because an AJAX handler responsible for a state-changing action—specifically dismissing administrative notices or similar UI elements—fails to implement or correctly validate a WordPress nonce. This allows an unauthenticated attacker to trick a logged-in administrator into performing an action (like permanently dismissing important site notifications) by visiting a malicious webpage.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • Vulnerable Action: popularis_extra_dismiss_notice (inferred based on CVSS 4.3 and common plugin patterns)
  • HTTP Method: POST
  • Required Parameters:
    • action: popularis_extra_dismiss_notice
    • notice_id: The identifier of the notice to be dismissed (e.g., review_notice, install_notice).
  • Authentication: Requires an active session of a user with administrative privileges (capable of seeing/dismissing notices), but can be triggered cross-site via the victim's browser.

3. Code Flow (Inferred)

  1. Hook Registration: In the plugin's admin class (likely includes/admin/class-popularis-extra-admin.php), the action is registered:
    add_action( 'wp_ajax_popularis_extra_dismiss_notice', array( $this, 'popularis_extra_dismiss_notice' ) );
  2. AJAX Handler: The function popularis_extra_dismiss_notice() is called when the admin-ajax.php endpoint receives the corresponding action.
  3. Vulnerability Sink: The function likely retrieves a notice_id from $_POST and updates a WordPress option (e.g., update_option( 'popularis_extra_show_notice_' . $notice_id, 'no' )) without calling check_ajax_referer() or wp_verify_nonce().

4. Nonce Acquisition Strategy

According to the vulnerability description, the function suffers from missing or incorrect nonce validation.

  • If the check is missing, no nonce is required for exploitation.
  • If the check is incorrect (e.g., uses a hardcoded string or a fixed value), it can be easily bypassed.

For this plan, we assume the nonce check is entirely missing in version 1.2.10. If the agent finds a check_ajax_referer call in the source, it should check if the nonce is exposed via wp_localize_script:

  • Localization Key: popularis_extra_admin (inferred)
  • JS Variable: window.popularis_extra_admin?.nonce (inferred)

5. Exploitation Strategy

The goal is to demonstrate that an administrative notice can be dismissed via an unauthorized request.

  1. Prerequisites: Use a logged-in administrator session.
  2. Payload Preparation: Construct a POST request to admin-ajax.php.
  3. Execution: Use the http_request tool to simulate the CSRF.

Request Details:

  • URL: http://localhost:8080/wp-admin/admin-ajax.php
  • Method: POST
  • Headers: Content-Type: application/x-www-form-urlencoded
  • Body: action=popularis_extra_dismiss_notice&notice_id=test_poc_notice

6. Test Data Setup

  1. Install Plugin: Ensure popularis-extra version 1.2.10 is installed and active.
  2. Set Initial State: Ensure the option for the test notice is either deleted or set to 'yes' so the change is visible.
    • wp option update popularis_extra_show_notice_test_poc_notice yes --autoload=yes
  3. Admin Session: Ensure the http_request tool is configured with the administrator's cookies.

7. Expected Results

  • HTTP Response: Should return a 200 OK status with a JSON body indicating success (e.g., {"success":true} or 1).
  • Database Change: The WordPress option popularis_extra_show_notice_test_poc_notice should be updated to no.

8. Verification Steps

After sending the HTTP request, verify the state change using WP-CLI:

wp option get popularis_extra_show_notice_test_poc_notice

Success Criteria: The command returns no.

9. Alternative Approaches

If popularis_extra_dismiss_notice is not the exact action name:

  1. Grep for AJAX Actions:
    grep -r "wp_ajax_" /var/www/html/wp-content/plugins/popularis-extra/
  2. Look for State Changes: Search for functions that use update_option or update_user_meta within those AJAX handlers.
  3. Inspect Admin JS: Look at the plugin's JavaScript files in assets/js/ to see what AJAX actions are triggered when clicking "Dismiss" buttons in the dashboard. Common filenames: admin.js, notice.js.
  4. Identify the missing check: Verify the handler function does not contain check_ajax_referer or wp_verify_nonce.
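The four steps above can be automated. The following is an added example, not the plugin's own code and not part of the advisory: a small PHP script that finds every add_action( 'wp_ajax_...' ) registration in a source file, locates the callback's body and reports whether it contains check_ajax_referer(), wp_verify_nonce() or check_admin_referer(). The script name, the function names and the embedded Sample_Admin class are constructed for the example; it assumes PHP 7.1 or newer.

```php
<?php
// Added example, not the plugin's own code: lists every add_action( 'wp_ajax_...' )
// registration in a file and reports whether the callback's body contains a
// nonce-verification call. It automates steps 1 and 4 of the plan above.
// Needs PHP 7.1+ (nullable return types).
// Usage: php find_unchecked_ajax.php /path/to/plugin   (scans *.php recursively)
// With no argument it runs against the constructed sample at the bottom.

const NONCE_CHECKS = array( 'check_ajax_referer', 'wp_verify_nonce', 'check_admin_referer' );

// Returns the body (text between the outer braces) of function/method $name
// in $src, or null when it is not defined there. Brace matching is naive:
// braces inside strings or comments are counted too.
function extract_function_body( string $src, string $name ): ?string {
    $decl = '/function\s+' . preg_quote( $name, '/' ) . '\s*\([^)]*\)\s*(?::\s*\??\w+\s*)?\{/';
    if ( ! preg_match( $decl, $src, $m, PREG_OFFSET_CAPTURE ) ) {
        return null;
    }
    $start = $m[0][1] + strlen( $m[0][0] ); // index just after the opening brace
    $depth = 1;
    $len   = strlen( $src );
    for ( $pos = $start; $pos < $len && $depth > 0; $pos++ ) {
        if ( '{' === $src[ $pos ] ) {
            $depth++;
        } elseif ( '}' === $src[ $pos ] ) {
            $depth--;
        }
    }
    // $pos is now one past the closing brace; exclude that brace from the body.
    return 0 === $depth ? substr( $src, $start, $pos - 1 - $start ) : null;
}

// Finds wp_ajax_* registrations whose callback is a plain function name,
// array( $obj, 'method' ) or [ $obj, 'method' ]. 'checked' is true/false, or
// null when the callback is not defined in this source text.
function audit_ajax_handlers( string $src ): array {
    $reg = '/add_action\(\s*[\'"](wp_ajax_[\w-]+)[\'"]\s*,\s*'
         . '(?:array\(\s*\$\w+\s*,\s*[\'"](\w+)[\'"]\s*\)'
         . '|\[\s*\$\w+\s*,\s*[\'"](\w+)[\'"]\s*\]'
         . '|[\'"](\w+)[\'"])/';
    preg_match_all( $reg, $src, $matches, PREG_SET_ORDER );
    $report = array();
    foreach ( $matches as $m ) {
        $callback = ( $m[2] ?? '' ) ?: ( $m[3] ?? '' ) ?: ( $m[4] ?? '' );
        $body     = extract_function_body( $src, $callback );
        $checked  = null;
        if ( null !== $body ) {
            $checked = false;
            foreach ( NONCE_CHECKS as $fn ) {
                if ( preg_match( '/\b' . $fn . '\s*\(/', $body ) ) {
                    $checked = true;
                    break;
                }
            }
        }
        $report[] = array( 'hook' => $m[1], 'callback' => $callback, 'checked' => $checked );
    }
    return $report;
}

// Constructed sample source: one handler without a nonce check, one with.
$sample = <<<'PHP'
class Sample_Admin {
    public function __construct() {
        add_action( 'wp_ajax_sample_dismiss_notice', array( $this, 'dismiss_notice' ) );
        add_action( 'wp_ajax_sample_save_settings', array( $this, 'save_settings' ) );
    }
    public function dismiss_notice() {
        if ( isset( $_POST['notice_id'] ) ) {
            update_option( 'sample_show_notice_' . sanitize_key( $_POST['notice_id'] ), 'no' );
        }
        wp_die();
    }
    public function save_settings() {
        check_ajax_referer( 'sample-settings', 'security' );
        update_option( 'sample_settings', array() );
        wp_send_json_success();
    }
}
PHP;

$sources = array();
if ( isset( $argv[1] ) ) {
    $files = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator( $argv[1], RecursiveDirectoryIterator::SKIP_DOTS )
    );
    foreach ( $files as $file ) {
        if ( $file->isFile() && 'php' === $file->getExtension() ) {
            $sources[ $file->getPathname() ] = file_get_contents( $file->getPathname() );
        }
    }
} else {
    $sources['(constructed sample)'] = $sample;
}

foreach ( $sources as $path => $src ) {
    foreach ( audit_ajax_handlers( $src ) as $r ) {
        if ( null === $r['checked'] ) {
            $status = 'callback not defined in this file';
        } else {
            $status = $r['checked'] ? 'nonce check present' : 'NO NONCE CHECK';
        }
        printf( "%s: %s -> %s(): %s\n", $path, $r['hook'], $r['callback'], $status );
    }
}
```

Against the constructed sample the script reports dismiss_notice() as "NO NONCE CHECK" and save_settings() as "nonce check present". A "callback not defined in this file" result means the handler lives elsewhere (step 2 of the plan) and must be inspected by hand; a hit for check_ajax_referer() is also only a starting point, since the plan's "incorrect nonce validation" case (a hard-coded or unverified value) still needs a manual read of the handler.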

Research Findings

Static analysis — not yet PoC-verified

Summary

The Popularis Extra plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in versions up to 1.2.10 due to missing nonce validation in its AJAX handler for dismissing notices. This allows an unauthenticated attacker to trick a site administrator into performing unintended actions, such as permanently dismissing important administrative notifications, via a forged request.

Vulnerable Code

// File: includes/admin/class-popularis-extra-admin.php (inferred location)

// Line: 50 (inferred registration)
add_action( 'wp_ajax_popularis_extra_dismiss_notice', array( $this, 'popularis_extra_dismiss_notice' ) );

---

// Line: 120 (inferred handler)
// No check_ajax_referer() / wp_verify_nonce() call and no capability check:
// any POST to admin-ajax.php that carries notice_id is honoured as long as
// the browser sends a logged-in user's cookies.
public function popularis_extra_dismiss_notice() {
    if ( isset( $_POST['notice_id'] ) ) {
        $notice_id = sanitize_text_field( $_POST['notice_id'] );
        update_option( 'popularis_extra_show_notice_' . $notice_id, 'no' );
    }
    wp_die();
}

Security Fix

--- a/includes/admin/class-popularis-extra-admin.php
+++ b/includes/admin/class-popularis-extra-admin.php
@@ -120,6 +120,7 @@
 
     public function popularis_extra_dismiss_notice() {
+        check_ajax_referer( 'popularis-extra-nonce', 'security' );
         if ( isset( $_POST['notice_id'] ) ) {
             $notice_id = sanitize_text_field( $_POST['notice_id'] );
             update_option( 'popularis_extra_show_notice_' . $notice_id, 'no' );
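Review bot: the added check_ajax_referer( 'popularis-extra-nonce', 'security' ) proves only that the request originated from a page that was handed the nonce; it does not establish that the caller may dismiss notices, so the handler should also gate on a capability, for example `if ( ! current_user_can( 'manage_options' ) ) { wp_send_json_error( null, 403 ); }`, before the update_option() call. The nonce action and field names are inferred and must match what the plugin's admin script actually sends via wp_localize_script, otherwise legitimate dismissals break. The hunk header announces six original lines (@@ -120,6 +120,7 @@) but only five are shown, so the trailing context appears truncated.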

Exploit Outline

The exploit targets the AJAX action used to dismiss administrative notices. An attacker identifies the target administrative notice ID (e.g., 'review_notice') and constructs a malicious HTML page or script. This script initiates a POST request to the WordPress AJAX endpoint (/wp-admin/admin-ajax.php) with the parameters 'action=popularis_extra_dismiss_notice' and the corresponding 'notice_id'. Since the plugin fails to check for a WordPress nonce, the request is executed successfully if a logged-in administrator visits the attacker's page, as the browser automatically includes the administrator's authentication cookies. This requires no authentication from the attacker, only successful social engineering of an administrator.
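The one-line fix shown above stops the forged request but still treats the nonce as the only gate and still builds an option name from a user-supplied string. The following is an added example, not the plugin's own code and not from the advisory: a fuller hardened notice-dismiss handler that issues the nonce to the admin page through wp_localize_script(), verifies it, checks a capability, and accepts only notice IDs from an allow-list. The class name, script handle, asset path, nonce action, JS object name and option prefix are assumptions chosen to mirror the advisory; the WordPress functions used are real.

```php
<?php
// Added example, not the plugin's own code: a hardened notice-dismiss AJAX
// handler. Class, hook, option, nonce and asset names are assumptions; it
// must run inside a loaded WordPress plugin (the WordPress API is assumed).

class Popularis_Extra_Admin_Hardened {

    // Only notices the plugin actually renders may be dismissed, so the
    // request can never write an arbitrary option name.
    const DISMISSIBLE_NOTICES = array( 'review_notice', 'install_notice' );

    const AJAX_ACTION  = 'popularis_extra_dismiss_notice';   // assumed action name
    const NONCE_ACTION = 'popularis-extra-dismiss-notice';   // assumed nonce action

    public function __construct() {
        add_action( 'admin_enqueue_scripts', array( $this, 'enqueue_admin_script' ) );
        add_action( 'wp_ajax_' . self::AJAX_ACTION, array( $this, 'dismiss_notice' ) );
    }

    // Hands a fresh nonce to the admin page's JavaScript. A cross-site page
    // cannot read this value, which is what makes the check below effective.
    public function enqueue_admin_script() {
        wp_enqueue_script(
            'popularis-extra-admin',
            plugins_url( 'assets/js/admin.js', __FILE__ ), // assumed asset path
            array( 'jquery' ),
            '1.0.0',
            true
        );
        wp_localize_script(
            'popularis-extra-admin',
            'popularisExtraAdmin', // assumed JS object name
            array(
                'ajaxUrl' => admin_url( 'admin-ajax.php' ),
                'nonce'   => wp_create_nonce( self::NONCE_ACTION ),
            )
        );
    }

    public function dismiss_notice() {
        // 1. CSRF protection: when the 'security' field is missing or does not
        //    verify for this action, WordPress terminates the request (-1, HTTP 403).
        check_ajax_referer( self::NONCE_ACTION, 'security' );

        // 2. Authorization: a nonce proves intent, not privilege, so the
        //    capability is checked separately.
        if ( ! current_user_can( 'manage_options' ) ) {
            wp_send_json_error( array( 'message' => 'insufficient privileges' ), 403 );
        }

        // 3. Input validation against an allow-list rather than sanitising a
        //    free-form string into an option name.
        $notice_id = isset( $_POST['notice_id'] )
            ? sanitize_key( wp_unslash( $_POST['notice_id'] ) )
            : '';
        if ( ! in_array( $notice_id, self::DISMISSIBLE_NOTICES, true ) ) {
            wp_send_json_error( array( 'message' => 'unknown notice' ), 400 );
        }

        update_option( 'popularis_extra_show_notice_' . $notice_id, 'no' );
        wp_send_json_success( array( 'dismissed' => $notice_id ) );
    }
}

new Popularis_Extra_Admin_Hardened();
```

The matching admin-side call from the (assumed) assets/js/admin.js is `jQuery.post( popularisExtraAdmin.ajaxUrl, { action: 'popularis_extra_dismiss_notice', security: popularisExtraAdmin.nonce, notice_id: 'review_notice' } )`; the field name passed as the second argument of check_ajax_referer() must equal the key the script sends, and the nonce action passed to wp_create_nonce() must equal the first. Note that the allow-list is the only one of the three checks that limits what the handler can write even when a nonce and a capable user are both present.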
