CVE-2026-9014
Description
The WP Promoter plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the reset_stats() function in versions up to, and including, 1.3. The function is hooked to both the wp_ajax_wpp-reset_stats and wp_ajax_nopriv_wpp-reset_stats actions and contains no authentication, authorization, or nonce validation. This makes it possible for unauthenticated attackers to reset the plugin's bar and popup statistics by deleting the wpp_bar and wpp_popup options.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Unauthenticated attackers can reset WP Promoter plugin statistics via a missing capability check on the reset_stats() function.
Vulnerability
The WP Promoter plugin for WordPress is vulnerable to unauthorized modification of data in versions up to, and including, 1.3. The reset_stats() function in the WPP_Ajax class (located in inc/class-wpp-ajax.php [1]) is registered to handle both the authenticated AJAX action wp_ajax_wpp-reset_stats and the unauthenticated AJAX action wp_ajax_nopriv_wpp-reset_stats [2]. The function contains no capability check, authentication, authorization, or nonce validation [1], making it accessible to any visitor.
Exploitation
An attacker does not need any authentication or user interaction. By sending a POST request to the WordPress AJAX endpoint with the action parameter set to wpp-reset_stats, an unauthenticated user can trigger the reset_stats() method [1]. The method executes delete_option('wpp_bar') and delete_option('wpp_popup') without any verification [1].
Impact
Successful exploitation allows an unauthenticated attacker to delete the plugin's bar and popup statistical data stored in the wpp_bar and wpp_popup WordPress options. This results in unauthorized modification of data, leading to loss of collected analytics and potentially disrupting the plugin's displayed statistics.
Mitigation
As of the publication date, no patched version has been released. Users should disable or remove the WP Promoter plugin until a security update is provided [1][2].
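To make the missing checks concrete, here is an added example (not the plugin's own code): a minimal reconstruction of the handler pattern the advisory describes, followed by the hardened form a maintainer would ship. The hook names, option names, method name and class name come from the advisory; the capability, nonce action name and field name are assumptions.

```php
<?php
// Added illustration, not the plugin's code. Hook, option and method names are
// from the advisory; 'manage_options', 'wpp_reset_stats' and 'nonce' are assumed.

// --- Vulnerable pattern as described: no nonce, no capability check ---
class WPP_Ajax_Vulnerable {
    public function __construct() {
        // Registering on wp_ajax_nopriv_* makes the handler reachable by logged-out visitors.
        add_action( 'wp_ajax_wpp-reset_stats',        array( $this, 'reset_stats' ) );
        add_action( 'wp_ajax_nopriv_wpp-reset_stats', array( $this, 'reset_stats' ) );
    }
    public function reset_stats() {
        delete_option( 'wpp_bar' );
        delete_option( 'wpp_popup' );
        wp_die();
    }
}

// --- Hardened form ---
class WPP_Ajax_Hardened {
    public function __construct() {
        // Only the authenticated hook: anonymous requests never reach the handler.
        add_action( 'wp_ajax_wpp-reset_stats', array( $this, 'reset_stats' ) );
    }
    public function reset_stats() {
        // CSRF protection: require a nonce minted for this action in the 'nonce' field;
        // check_ajax_referer() terminates the request on failure.
        check_ajax_referer( 'wpp_reset_stats', 'nonce' );
        // Authorization: only users who may manage site options can clear plugin data.
        if ( ! current_user_can( 'manage_options' ) ) {
            wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
        }
        delete_option( 'wpp_bar' );
        delete_option( 'wpp_popup' );
        wp_send_json_success();
    }
}

// The admin-side script must send the matching nonce, e.g. passed to it with:
// wp_localize_script( 'wpp-admin', 'wppAjax',
//     array( 'nonce' => wp_create_nonce( 'wpp_reset_stats' ) ) );
new WPP_Ajax_Hardened();
```

Dropping the wp_ajax_nopriv_ registration alone is not sufficient: without the nonce check, a logged-in administrator could still be induced to trigger the reset cross-site.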
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- WP Promoter plugin for WordPress (no CPE assigned): versions <= 1.3
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (3)
News mentions
No linked articles in our index yet.