Vulnerabilities and security researches forwp-popup-optin wp-popup-optin

Apr 24, 2026

CVE, Research URL: CVE-2026-4131
Home page URL: Security reports for WP Responsive Popup + Optin
Application: WP Responsive Popup + Optin
Date: Apr 22, 2026
Research Description: The WP Responsive Popup + Optin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 1.4. This is due to the settings form on the admin page (wpo_admin_page.php) lacking nonce generation (wp_nonce_field) and verification (wp_verify_nonce/check_admin_referer). This makes it possible for unauthenticated attackers to update all plugin settings including the 'wpo_image_url' parameter via a forged request, granted they can trick a site administrator into performing an action such as clicking a link.
Affected versions: max 1.4.
Status: vulnerable