Plugin Vulnerability Hub

Plugin 2 known issues Latest disclosed May 26, 2026

WP Promoter Vulnerabilities

Review known vulnerability records for the WordPress plugin WP Promoter (`wp-promoter`), including severity, CVE references, affected versions, and patch status.

Recent tracked CVEs on this page include CVE-2026-8906 and CVE-2026-9014, so operators can jump from disclosure to patch validation without scanning the full feed first.

View on WordPress.org Back to Feed

Known Records

High or Critical

Patch Coverage

100%

Last Updated

May 26, 2026

Coverage Snapshot

What this page helps you verify fast

This hub clusters every indexed record for WP Promoter so operators can confirm whether a disclosed issue maps to the installed slug, version range, and patch path.

Patch Visibility

2 records include a published patch path, leaving 0 with no listed safe release yet.

Severity Mix

0 critical and 0 high severity findings.

Recent CVEs

CVE-2026-8906 and CVE-2026-9014

Reference Workflow

Jump from the hub into the full report when you need remediation notes, exploit context, CVSS vectors, or source references.

Triage First

Open the records most likely to drive action

These recent records surface the CVE strings, patch cues, and direct report links most operators need first.

CVE-2026-8906 Medium No patch listed

WP Promoter <= 1.3 - Cross-Site Request Forgery to Stored Cross-Site Scripting via 'popup_width' Parameter

The WP Promoter plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3. This is due to missing or incorrect nonce validation on a function...

Published

May 26, 2026

Patch Status

Not published

Open Full Report

CVE-2026-9014 Medium No patch listed

WP Promoter <= 1.3 - Missing Authorization to Unauthenticated Statistics Reset via wpp-reset_stats AJAX Action

The WP Promoter plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the reset_stats() function in versions up to, and including, 1.3....

Published

May 26, 2026

Patch Status

Not published

Open Full Report

Known Vulnerabilities

Reports for WP Promoter

Sorted by latest disclosure date so newly published issues surface first.

Plugin Medium Patched: No CVE-2026-8906

WP Promoter <= 1.3 - Cross-Site Request Forgery to Stored Cross-Site Scripting via 'popup_width' Parameter

The WP Promoter plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to update settings and inject malic...

Published

May 26, 2026

Patched Release

Not published

Affected Versions

Versions up to 1.3

Next Step

Open the full report for remediation notes and references.

Open Full Report Open CVE Reference

Plugin Medium Patched: No CVE-2026-9014

WP Promoter <= 1.3 - Missing Authorization to Unauthenticated Statistics Reset via wpp-reset_stats AJAX Action

The WP Promoter plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the reset_stats() function in versions up to, and including, 1.3. The function is hooked to both the wp_ajax_wpp-reset_stats and wp_ajax_nopriv_wpp-reset_s...

Published

May 26, 2026

Patched Release

Not published

Affected Versions

Versions up to 1.3

Next Step

Open the full report for remediation notes and references.

Open Full Report Open CVE Reference