VYPR
Medium severity (6.1) · NVD Advisory · Published May 27, 2026

CVE-2026-8906

Description

The WP Promoter plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The WP Promoter plugin for WordPress <=1.3 lacks CSRF protection on its settings page, allowing unauthenticated attackers to modify plugin settings and inject stored XSS via forged requests.

Vulnerability

The WP Promoter plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in all versions up to and including 1.3. The vulnerability resides in the admin settings page (admin-wp-promoter.php) where the functions handling form submissions lack proper nonce validation [1][2]. This allows an attacker to forge a request that modifies plugin settings, including fields such as enable_wp_promoter, enable_wp_promoter_popup, and the content fields for bar and popup messages [3][4]. The settings page uses PHP code to output form values but does not include a CSRF token or check for one before processing updates.
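As an added illustration (not WP Promoter's own code), the missing-nonce pattern the advisory describes, next to a hardened WordPress settings handler; the `wpp_demo_*` function and option names and the `bar_message`/`popup_message` input names are assumptions, while `enable_wp_promoter` and `enable_wp_promoter_popup` are the field names the advisory cites.

```php
<?php
// Added illustration, not the plugin's code. wpp_demo_* names and the
// bar_message/popup_message inputs are hypothetical.

// BEFORE (the pattern the advisory describes): the handler trusts any POST
// that reaches the admin page. A cross-site form auto-submitted by a logged-in
// administrator's browser is processed exactly like a legitimate save.
function wpp_demo_save_settings_vulnerable() {
    if ( isset( $_POST['wp_promoter_submit'] ) ) {
        update_option( 'wpp_demo_enable', isset( $_POST['enable_wp_promoter'] ) ? 1 : 0 );
        update_option( 'wpp_demo_enable_popup', isset( $_POST['enable_wp_promoter_popup'] ) ? 1 : 0 );
        // "HTML is Allowed" fields stored verbatim: a forged request can plant
        // script that later renders for every visitor (stored XSS).
        update_option( 'wpp_demo_bar_message', wp_unslash( $_POST['bar_message'] ) );
        update_option( 'wpp_demo_popup_message', wp_unslash( $_POST['popup_message'] ) );
    }
}

// AFTER: the form carries a nonce bound to this action and the current user's
// session; the handler verifies it, checks capability, and limits stored HTML
// to the subset wp_kses_post() permits.
function wpp_demo_render_form() {
    echo '<form method="post">';
    wp_nonce_field( 'wpp_demo_save_settings', 'wpp_demo_nonce' );
    // ... input fields (enable_wp_promoter, enable_wp_promoter_popup, bar_message, popup_message) ...
    submit_button( 'Save', 'primary', 'wp_promoter_submit' );
    echo '</form>';
}

function wpp_demo_save_settings_hardened() {
    if ( ! isset( $_POST['wp_promoter_submit'] ) ) {
        return;
    }
    // Dies with "The link you followed has expired" unless the request carries a
    // valid nonce for this action. A third-party page cannot read or guess the
    // nonce because it is only rendered inside the authenticated admin page.
    check_admin_referer( 'wpp_demo_save_settings', 'wpp_demo_nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    update_option( 'wpp_demo_enable', isset( $_POST['enable_wp_promoter'] ) ? 1 : 0 );
    update_option( 'wpp_demo_enable_popup', isset( $_POST['enable_wp_promoter_popup'] ) ? 1 : 0 );
    // Keep formatting markup but strip <script>, on* handlers and javascript: URLs.
    update_option( 'wpp_demo_bar_message', wp_kses_post( wp_unslash( $_POST['bar_message'] ?? '' ) ) );
    update_option( 'wpp_demo_popup_message', wp_kses_post( wp_unslash( $_POST['popup_message'] ?? '' ) ) );
}
```

Both `check_admin_referer()` and `current_user_can()` are needed: the nonce alone proves the request originated from the admin page, and the capability check proves the user is allowed to change settings.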

Exploitation

An unauthenticated attacker can craft a malicious HTML page or link that, when visited by a logged-in WordPress administrator, triggers a POST or GET request to the WP Promoter settings update endpoint. The attacker does not need any prior authentication or access to the site; the only requirement is that the targeted administrator is tricked into clicking the forged link or visiting the attacker-controlled page. No user interaction beyond the initial click is required, as the browser automatically sends the forged request with the administrator's session cookies.

Impact

Successful exploitation allows the attacker to update the plugin's settings arbitrarily, including enabling or disabling the bar and popup, adjusting dimensions, and—most critically—injecting arbitrary HTML and JavaScript into the Bar Message and Popup Message fields, which are explicitly marked as "HTML is Allowed" [3][4]. This stored cross-site scripting (XSS) payload will then be executed in the browsers of any visitor, including the administrator, whenever the bar or popup is displayed. The attacker gains the ability to deface the site, steal session cookies, or perform other client-side attacks within the context of the affected WordPress installation.

Mitigation

As of the publication date (27 May 2026), no patched version of WP Promoter has been released. The vulnerability affects all versions up to and including 1.3. Site administrators should disable the WP Promoter plugin until a fixed version (e.g., 1.4 or later) is available and installed. There are no known workarounds provided by the vendor. The plugin is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog as of the publication date.

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)


References: 5

News mentions: 0 (no linked articles in the index yet)