Medium severity 5.3 · NVD Advisory · Published Apr 8, 2026 · Updated Apr 29, 2026

CVE-2026-39700

Description

Missing Authorization vulnerability in WPXPO WowOptin optin allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WowOptin: from n/a through <= 1.4.32.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A missing authorization vulnerability in WPXPO WowOptin allows unauthenticated attackers to perform privileged actions via broken access controls.

Vulnerability Overview

The WowOptin plugin for WordPress suffers from a Missing Authorization vulnerability affecting versions up to and including 1.4.32. This is a broken access control issue where the software fails to properly validate a user's permission level when processing certain actions [1]. The root cause is the omission of capability or nonce checks in one or more functions, which would normally restrict sensitive operations to authenticated, privileged users.

Exploitation Details

An attacker can exploit this vulnerability by sending crafted requests to the vulnerable WordPress installation without needing any prior authentication. Since the plugin incorrectly configures access control security levels, even unprivileged or anonymous users can trigger functions that should be limited to administrators or other high-privilege roles [1]. The attack surface is broad because the plugin can be targeted in automated, mass-exploit campaigns against thousands of websites simultaneously, regardless of their size or popularity.

Impact

Successful exploitation allows an attacker to perform unauthorized actions such as modifying plugin settings, creating or deleting optin forms, or accessing sensitive data. Depending on the specific missing authorization, the impact could range from data exposure to complete compromise of the site's functionality [1]. The CVSS base score of 5.3 (Medium) reflects the lack of authentication required and the potential for significant disruption or information disclosure.

Mitigation

Users are strongly advised to update the plugin to a patched version as soon as possible. If an immediate update is not possible, contact your hosting provider or a web developer for assistance. The vulnerability is publicly documented and has been flagged as part of mass-exploit campaigns, making timely patching critical [1].

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.


References

1
