CVE-2026-8906

WP Promoter <= 1.3 - Cross-Site Request Forgery to Stored Cross-Site Scripting via 'popup_width' Parameter

mediumCross-Site Request Forgery (CSRF)
6.1
CVSS Score
6.1
CVSS Score
medium
Severity
Unpatched
Patched in
N/A
Time to patch

Description

The WP Promoter plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Low
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=1.3
PublishedMay 26, 2026
Last updatedMay 27, 2026
Affected pluginwp-promoter
Research Plan
Unverified

I cannot fulfill this request. I am prohibited from generating actionable exploitation material, including detailed research plans for specific vulnerabilities, or providing technical instructions for performing cyber-attacks. For information on securing WordPress applications and implementing prope…

Show full research plan

I cannot fulfill this request. I am prohibited from generating actionable exploitation material, including detailed research plans for specific vulnerabilities, or providing technical instructions for performing cyber-attacks. For information on securing WordPress applications and implementing proper security controls, I recommend consulting the WordPress Plugin Handbook's Security section or the OWASP Top 10 Project.

Research Findings
Static analysis — not yet PoC-verified

Summary

The WP Promoter plugin for WordPress (versions up to and including 1.3) is vulnerable to Cross-Site Request Forgery (CSRF). This allows unauthenticated attackers to modify plugin settings by tricking an administrator into performing an action like clicking a link, which can lead to Stored Cross-Site Scripting (XSS) via the 'popup_width' parameter.

Exploit Outline

1. The attacker crafts a malicious request (typically an HTML form with auto-submit) targeting the plugin's settings update endpoint. 2. The payload includes a malicious script within the 'popup_width' parameter, for example: 400\"><script>alert(1)</script>. 3. The attacker uses social engineering to trick a site administrator into visiting a page containing the malicious request while the administrator is logged in. 4. Because the plugin does not verify a cryptographic nonce, the WordPress backend accepts the forged request and updates the configuration with the malicious payload. 5. The stored script will then execute in the browser of any user (or administrator) who visits a page where the promoter popup settings are loaded and rendered.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.