Skip to main content

Wowoptin EUVDEUVD-2026-20400

| CVE-2026-39700 MEDIUM
Missing Authorization (CWE-862)
2026-04-08 Patchstack GHSA-wf5f-qf83-4mr6
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

3
EUVD ID Assigned
Apr 08, 2026 - 08:45 euvd
EUVD-2026-20400
Analysis Generated
Apr 08, 2026 - 08:45 vuln.today
CVE Published
Apr 08, 2026 - 08:30 nvd
MEDIUM 5.3

DescriptionCVE.org

Missing Authorization vulnerability in WPXPO WowOptin optin allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WowOptin: from n/a through <= 1.4.32.

AnalysisAI

Missing authorization in WPXPO WowOptin plugin through version 1.4.32 allows unauthenticated remote attackers to read sensitive information by exploiting incorrectly configured access control on plugin endpoints. The vulnerability carries a low CVSS score (5.3) and extremely low EPSS exploitation probability (0.02%, percentile 4%), indicating limited real-world attack incentive despite network-accessible exposure. No public exploit code or active exploitation has been confirmed.

Technical ContextAI

WowOptin is a WordPress plugin for managing email opt-in forms and lead capture. The vulnerability stems from CWE-862 (Missing Authorization), where the plugin fails to properly enforce access control checks on its functionality. This allows unauthenticated HTTP requests to access resources or perform actions that should be restricted. The CPE string (cpe:2.3:a:wpxpo:wowoptin:*:*:*:*:*:*:*:*) indicates the entire WowOptin product line is affected. The plugin likely has HTTP endpoints or REST API routes that lack proper capability checks or nonce validation, a common issue in WordPress plugin development where developers expose functionality without verifying user roles or authentication status.

RemediationAI

Update WPXPO WowOptin to a patched version beyond 1.4.32. WordPress administrators managing this plugin should navigate to the Plugins dashboard, locate WowOptin, and apply the available update immediately. Detailed advisory information and patch availability are documented in the Patchstack vulnerability record at https://patchstack.com/database/Wordpress/Plugin/optin/vulnerability/wordpress-wowoptin-plugin-1-4-32-broken-access-control-vulnerability?_s_id=cve. If a patched version is not yet available, administrators should temporarily disable the plugin until an update is released, as the plugin accepts unauthenticated requests that could expose site data.

Share

EUVD-2026-20400 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy