cleantalk
Vulnerabilities and Security Researches

WP Responsive Popup + Optin, CVE-2026-4131

CVE, Research URL

CVE-2026-4131

Home page URL

Security reports for WP Responsive Popup + Optin

Application

WP Responsive Popup + Optin

Published on
Apr 22, 2026
Research Description
The WP Responsive Popup + Optin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 1.4. This is due to the settings form on the admin page (wpo_admin_page.php) lacking nonce generation (wp_nonce_field) and verification (wp_verify_nonce/check_admin_referer). This makes it possible for unauthenticated attackers to update all plugin settings including the 'wpo_image_url' parameter via a forged request, granted they can trick a site administrator into performing an action such as clicking a link.
Affected versions
max 1.4.
Status
vulnerable
Previous vulnerability researches
Call To Action Plugin (CVE-2026-4118) , Apr 23, 2026
New vulnerability
Gallery with thumbnail slider (CVE-2025-5092) , Apr 24, 2026
Featured Post Creative (CVE-2026-6443) , Apr 24, 2026
Google PageRank Display (CVE-2026-6294) , Apr 24, 2026
Ni WooCommerce Order Export (CVE-2026-4140) , Apr 24, 2026
Slider Bootstrap Carousel (CVE-2026-4076) , Apr 24, 2026