Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
3DescriptionCVE.org
Missing Authorization vulnerability in WPXPO WowOptin optin allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WowOptin: from n/a through <= 1.4.32.
AnalysisAI
Missing authorization in WPXPO WowOptin plugin through version 1.4.32 allows unauthenticated remote attackers to read sensitive information by exploiting incorrectly configured access control on plugin endpoints. The vulnerability carries a low CVSS score (5.3) and extremely low EPSS exploitation probability (0.02%, percentile 4%), indicating limited real-world attack incentive despite network-accessible exposure. No public exploit code or active exploitation has been confirmed.
Technical ContextAI
WowOptin is a WordPress plugin for managing email opt-in forms and lead capture. The vulnerability stems from CWE-862 (Missing Authorization), where the plugin fails to properly enforce access control checks on its functionality. This allows unauthenticated HTTP requests to access resources or perform actions that should be restricted. The CPE string (cpe:2.3:a:wpxpo:wowoptin:*:*:*:*:*:*:*:*) indicates the entire WowOptin product line is affected. The plugin likely has HTTP endpoints or REST API routes that lack proper capability checks or nonce validation, a common issue in WordPress plugin development where developers expose functionality without verifying user roles or authentication status.
RemediationAI
Update WPXPO WowOptin to a patched version beyond 1.4.32. WordPress administrators managing this plugin should navigate to the Plugins dashboard, locate WowOptin, and apply the available update immediately. Detailed advisory information and patch availability are documented in the Patchstack vulnerability record at https://patchstack.com/database/Wordpress/Plugin/optin/vulnerability/wordpress-wowoptin-plugin-1-4-32-broken-access-control-vulnerability?_s_id=cve. If a patched version is not yet available, administrators should temporarily disable the plugin until an update is released, as the plugin accepts unauthenticated requests that could expose site data.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-20400
GHSA-wf5f-qf83-4mr6