EUVD-2026-13980
GHSA-jrvw-hv7x-27p4
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Lifecycle Timeline
3Description
The WowOptin: Next-Gen Popup Maker plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.4.29. This is due to the plugin exposing a publicly accessible REST API endpoint (optn/v1/integration-action) with a permission_callback of __return_true that passes user-supplied URLs directly to wp_remote_get() and wp_remote_post() in the Webhook::add_subscriber() method without any URL validation or restriction. The plugin does not use wp_safe_remote_get/post which provide built-in SSRF protection. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application, which can be used to query and modify information from internal services.
Analysis
The WowOptin: Next-Gen Popup Maker plugin for WordPress contains a Server-Side Request Forgery (SSRF) vulnerability affecting all versions up to and including 1.4.29. An unauthenticated attacker can exploit a publicly accessible REST API endpoint (optn/v1/integration-action) that passes user-supplied URLs directly to wp_remote_get() and wp_remote_post() without validation, allowing arbitrary web requests from the server. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Identify all WordPress installations running WowOptin plugin versions ≤1.4.29 and disable the plugin immediately. Within 7 days: Implement WAF rules to block requests to the optn/v1/integration-action endpoint and audit logs for suspicious REST API activity. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today