CVE-2026-24619

Vulnerability

Overview The PopCash.Net Code Integration Tool plugin for WordPress (popcashnet-code-integration-tool) contains a missing authorization vulnerability in versions up to and including 1.8. This broken access control issue means that certain functions lack proper authentication or nonce token checks, allowing unprivileged users to perform actions intended for higher-privileged roles [1].

Exploitation

Conditions The vulnerability can be exploited without authentication, as the missing authorization checks are missing. An attacker can send crafted requests to the plugin's endpoints to trigger privileged actions. The attack surface is broad because the plugin is widely used for ad code integration, and the flaw does not require any unauthenticated visitor to interact with protected functions [1].

Impact

Successful exploitation could allow an attacker to modify plugin settings, inject malicious code, or disrupt the ad integration functionality. While the CVSS score is medium (CVSS 5.3), the vulnerability is known to be used in mass-exploit campaigns targeting thousands of websites regardless of size [1].

Mitigation

The vendor has released version 2.0 which resolves the issue. Users are strongly advised to update immediately. For those unable to update, contacting a hosting provider or web developer for assistance is recommended. Patchstack users can enable auto-updates for vulnerable plugins [1].