CVE-2026-24616

Vulnerability

Overview

The WP Popups plugin for WordPress (versions up to and including 2.2.0.5) contains a missing authorization vulnerability. This flaw stems from an incorrectly configured access control security level, where certain functions lack proper authorization checks, nonce tokens, or authentication requirements [1]. The issue is classified as a broken access control vulnerability, which can allow unprivileged users to perform actions that should be restricted to higher-privileged roles.

Exploitation

Attackers can exploit this vulnerability without needing any unauthenticated user, without needing any special privileges. The attack vector is network-based and requires no user interaction. The vulnerability is particularly concerning because it is known to be used in mass-exploit campaigns, targeting thousands of websites simultaneously regardless of their size or traffic [1].

Impact

Successful exploitation could allow an attacker to execute certain higher-privileged actions within the plugin, potentially leading to unauthorized modifications or data exposure. The CVSS v3 base score is 6.5 (Medium), indicating a moderate severity. The impact is considered low severity, but the ease of exploitation and potential for automated attacks increases the risk [1].

Mitigation

The vulnerability has been patched in version 2.2.0.6 of the WP Popups plugin. Users are strongly advised to update immediately. If updating is not possible, users should contact their hosting provider or web developer for assistance. Patchstack users can enable auto-updates for vulnerable plugins to protect their sites [1].