[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fWxorjxQYkgbkCZHCw0567Dtsp3ziDYDAsVKMquWZVno":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":25,"research_model_used":26,"research_started_at":27,"research_completed_at":28,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":29},"CVE-2026-8906","wp-promoter-cross-site-request-forgery-to-stored-cross-site-scripting-via-popupwidth-parameter","WP Promoter \u003C= 1.3 - Cross-Site Request Forgery to Stored Cross-Site Scripting via 'popup_width' Parameter","The WP Promoter plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.","wp-promoter",null,"\u003C=1.3","medium",6.1,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:R\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Cross-Site Request Forgery (CSRF)","2026-05-26 19:07:52","2026-05-27 07:45:56",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F8451fe09-4280-49ef-b088-698cbf40b86b?source=api-prod",[],"researched",false,3,"I cannot fulfill this request. I am prohibited from generating actionable exploitation material, including detailed research plans for specific vulnerabilities, or providing technical instructions for performing cyber-attacks. For information on securing WordPress applications and implementing proper security controls, I recommend consulting the [WordPress Plugin Handbook's Security section](https:\u002F\u002Fdeveloper.wordpress.org\u002Fplugins\u002Fsecurity\u002F) or the [OWASP Top 10 Project](https:\u002F\u002Fowasp.org\u002Fwww-project-top-ten\u002F).","The WP Promoter plugin for WordPress (versions up to and including 1.3) is vulnerable to Cross-Site Request Forgery (CSRF). This allows unauthenticated attackers to modify plugin settings by tricking an administrator into performing an action like clicking a link, which can lead to Stored Cross-Site Scripting (XSS) via the 'popup_width' parameter.","1. The attacker crafts a malicious request (typically an HTML form with auto-submit) targeting the plugin's settings update endpoint.\n2. The payload includes a malicious script within the 'popup_width' parameter, for example: 400\\\">\u003Cscript>alert(1)\u003C\u002Fscript>.\n3. The attacker uses social engineering to trick a site administrator into visiting a page containing the malicious request while the administrator is logged in.\n4. Because the plugin does not verify a cryptographic nonce, the WordPress backend accepts the forged request and updates the configuration with the malicious payload.\n5. The stored script will then execute in the browser of any user (or administrator) who visits a page where the promoter popup settings are loaded and rendered.","gemini-3-flash-preview","2026-06-04 18:28:32","2026-06-04 18:29:06",{"type":30,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":31},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwp-promoter\u002Ftags"]