CVE-2026-4302
Published: 21 March 2026
Summary
CVE-2026-4302 is a high-severity Server-Side Request Forgery (SSRF, CWE-918) vulnerability in WordPress (inferred from references). Its CVSS base score is 7.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It is ranked at the 25.8th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Requires validation of user-supplied URLs before passing them to wp_remote_get() and wp_remote_post(), directly preventing SSRF exploitation.
- SI-2 (Flaw Remediation): Mandates timely flaw remediation by patching or updating the vulnerable WowOptin plugin versions up to 1.4.29.
- AC-4 (Information Flow Enforcement): Enforces information flow control policies that restrict the web application from originating requests to arbitrary internal or external locations.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The SSRF sits in a public-facing WordPress plugin, so it is directly exploitable via T1190; it also enables probing of internal network services (T1046) and access to cloud instance metadata APIs (T1522) that expose sensitive data.
NVD Description
The WowOptin: Next-Gen Popup Maker plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.4.29. This is due to the plugin exposing a publicly accessible REST API endpoint (optn/v1/integration-action) with a permission_callback of __return_true that passes user-supplied URLs directly to wp_remote_get() and wp_remote_post() in the Webhook::add_subscriber() method without any URL validation or restriction. The plugin does not use wp_safe_remote_get/post which provide built-in SSRF protection. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application, which can be used to query and modify information from internal services.
Deeper analysis
CVE-2026-4302 is a Server-Side Request Forgery (SSRF) vulnerability affecting the WowOptin: Next-Gen Popup Maker plugin for WordPress in all versions up to and including 1.4.29. The issue stems from a publicly accessible REST API endpoint at optn/v1/integration-action, which uses a permission_callback of __return_true, allowing unrestricted access. This endpoint passes user-supplied URLs directly to wp_remote_get() and wp_remote_post() functions within the Webhook::add_subscriber() method without any validation or restrictions, bypassing the SSRF protections offered by wp_safe_remote_get() and wp_safe_remote_post().
Unauthenticated attackers can exploit this vulnerability over the network with low complexity and no user interaction required, with a confidentiality and integrity impact rated at CVSS 7.2 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N) under CWE-918. By sending crafted requests to the endpoint, attackers can force the WordPress server to originate web requests to arbitrary internal or external locations, enabling them to query sensitive information from internal services or potentially modify data via POST operations.
References provided in the CVE disclosure point to specific vulnerable code locations in the plugin's source repository, including lines 44 and 55 in frontend/class-rest-frontend.php and lines 38 and 45 in includes/integrations/implementations/class-webhook.php across tags 1.4.23 and the trunk branch. No patch details or mitigation advisories are specified in the available information.
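The pattern the NVD description and the analysis above describe, as an added illustration that is not the plugin's own code (the function names and the optn_integrations option are assumptions): the vulnerable shape, in which the client chooses the destination, beside a hardened handler that resolves the destination from owner-configured settings, validates it with wp_http_validate_url(), and sends it through wp_safe_remote_post().

```php
<?php
// Added illustration for this advisory; not the WowOptin plugin's own code.
// Hypothetical names: optn_webhook_vulnerable(), optn_webhook_hardened(),
// and the 'optn_integrations' option that stores site-owner-configured URLs.

// --- Pattern the advisory describes: the client chooses the destination --------
function optn_webhook_vulnerable( WP_REST_Request $request ) {
    $url = $request->get_param( 'url' );                        // attacker-controlled
    return wp_remote_post( $url, array( 'body' => $request->get_param( 'fields' ) ) );
}

// --- Hardened form: the server chooses the destination -------------------------
// SI-10: validate the URL; AC-4: only owner-configured hosts, safe transport, no redirects.
function optn_webhook_hardened( WP_REST_Request $request ) {
    $integrations = (array) get_option( 'optn_integrations', array() );   // id => url
    $id           = (int) $request->get_param( 'integration_id' );
    if ( empty( $integrations[ $id ] ) ) {
        return new WP_Error( 'optn_unknown_integration', 'Unknown integration.', array( 'status' => 404 ) );
    }
    // wp_http_validate_url() rejects non-http(s) schemes, credentials in the URL,
    // loopback and private-range hosts, and unusual ports.
    $url = wp_http_validate_url( $integrations[ $id ] );
    if ( ! $url ) {
        return new WP_Error( 'optn_bad_url', 'Stored webhook URL failed validation.', array( 'status' => 500 ) );
    }
    $response = wp_safe_remote_post( $url, array(
        'timeout'     => 5,
        'redirection' => 0,     // a redirect cannot bounce the request elsewhere
        'body'        => array( 'email' => sanitize_email( $request->get_param( 'email' ) ) ),
    ) );
    // Return only a boolean so the endpoint cannot act as a response oracle.
    return rest_ensure_response( array( 'delivered' => ! is_wp_error( $response ) ) );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'optn/v1', '/integration-action', array(
        'methods'             => 'POST',
        'callback'            => 'optn_webhook_hardened',
        // Public because it serves anonymous visitors' form submissions; that is
        // acceptable only because no client input decides where the request goes.
        'permission_callback' => '__return_true',
        'args'                => array(
            'integration_id' => array( 'type' => 'integer', 'required' => true ),
            'email'          => array( 'type' => 'string', 'format' => 'email', 'required' => true ),
        ),
    ) );
} );
```

The private-range check inside wp_http_validate_url() is a backstop; keeping the destination out of the client's hands is the primary control.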
Details
- CWE(s)