WP Promoter Missing Authorization Vulnerability in WordPress Plugin

Vulnerability

The WP Promoter plugin for WordPress, in versions through 1.3, is vulnerable to unauthorized data modification. The reset_stats() function, which is hooked to the wp_ajax_wpp-reset_stats and wp_ajax_nopriv_wpp-reset_stats actions, is missing a capability check. Because the handler performs no authentication, authorization, or nonce validation, unauthenticated attackers can reset the plugin's bar and popup statistics, which the function does by removing the wpp_bar and wpp_popup options.

Impact

Exploitation of this vulnerability allows for unauthorized resetting of the WP Promoter plugin's statistics, specifically the bar and popup data, which could disrupt the user's analytics and performance tracking.

Remediation

No known patch is available. Users are advised to review the vulnerability details and consider uninstalling the affected plugin.
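
Where the plugin cannot be removed immediately, the missing check can be enforced from outside it. The following is an added example, not code from the plugin or from this advisory: a must-use plugin that disables the unauthenticated hook and puts a capability check in front of the authenticated one. The hook names come from the description above; the file location (wp-content/mu-plugins/) and the choice of manage_options as the required capability are assumptions.

```php
<?php
/**
 * Plugin Name: WP Promoter reset_stats guard (added example)
 * Description: Virtual patch for the missing authorization check.
 */

// AJAX action name as given in the advisory.
const WPP_GUARD_ACTION = 'wpp-reset_stats';

// Assumption: only administrators should be able to reset statistics.
const WPP_GUARD_CAPABILITY = 'manage_options';

/*
 * admin-ajax.php fires admin_init before it dispatches wp_ajax_* hooks.
 * Running as late as possible on admin_init means the plugin has already
 * registered its callbacks, so they can be handled without knowing the
 * callback's function or class name.
 */
add_action( 'admin_init', function () {
    if ( ! wp_doing_ajax() ) {
        return;
    }

    // Unauthenticated path: drop every callback on the nopriv hook.
    // With none left, admin-ajax.php answers the request itself
    // and reset_stats() is never reached.
    remove_all_actions( 'wp_ajax_nopriv_' . WPP_GUARD_ACTION );

    // Authenticated path: priority 0 runs before the plugin's callback
    // (default priority 10) and stops low-privileged users.
    add_action( 'wp_ajax_' . WPP_GUARD_ACTION, function () {
        if ( current_user_can( WPP_GUARD_CAPABILITY ) ) {
            return; // Authorized: let the plugin's handler run.
        }

        // Log the blocked attempt for later review.
        error_log( sprintf(
            'wpp-guard: blocked %s for user id %d',
            WPP_GUARD_ACTION,
            get_current_user_id()
        ) );

        // Sends a 403 JSON response and terminates the request.
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }, 0 );
}, PHP_INT_MAX );
```

The guard cannot add nonce validation, because the plugin's own requests carry no nonce to verify; it restricts who may trigger the reset but does not replace a fix in the plugin.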

Added: May 27, 2026, 7:18 AM
Updated: May 27, 2026, 7:18 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 0.6
exploitability: 8.1
remediation: 0.0
relevance: 9.7
threat: 3.2
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.