CVE-2026-1720 identifies a missing authorization vulnerability (CWE-862) in the WowOptin: Next-Gen Popup Maker WordPress plugin, which is designed to create popups and optins for lead generation. The flaw exists in the 'install_and_active_plugin' function, where the plugin fails to verify whether the authenticated user has sufficient privileges to install and activate plugins. This missing capability check allows any authenticated user with Subscriber-level access or higher to exploit the vulnerability to install and activate arbitrary plugins. Since WordPress Subscriber roles typically have minimal permissions, this vulnerability significantly elevates their privileges, enabling potential site takeover. The vulnerability affects all versions up to and including 1.4.24. The CVSS 3.1 score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) indicates that the attack can be performed remotely over the network with low attack complexity, requires only low privileges, no user interaction, and impacts confidentiality, integrity, and availability at a high level. Although no exploits are currently known in the wild, the vulnerability poses a severe risk due to the common use of the plugin and the ease of exploitation. Attackers could leverage this flaw to install malicious plugins that provide backdoors, execute arbitrary code, or disrupt site operations.

The vulnerability allows attackers with minimal authenticated access to escalate privileges and gain full control over affected WordPress sites. This can lead to unauthorized data access, data modification, defacement, malware distribution, and complete site compromise. Organizations relying on the WowOptin plugin for lead generation risk exposure of sensitive customer data and loss of trust. The ability to install arbitrary plugins can facilitate persistent backdoors and lateral movement within hosting environments. The impact extends to website availability if attackers deploy disruptive or destructive payloads. Given WordPress's widespread use globally, this vulnerability can affect a broad range of organizations, from small businesses to large enterprises, especially those that allow user registrations or have multiple user roles. The lack of required user interaction and low complexity of exploitation increase the likelihood of attacks once the vulnerability becomes widely known.

Immediate mitigation steps include restricting user registration and limiting Subscriber-level access to trusted users only. Administrators should audit existing user roles and remove unnecessary accounts with low privileges. Monitoring plugin installation and activation logs can help detect suspicious activity. Applying the latest plugin updates as soon as a patch is released is critical to fully remediate the vulnerability. Until a patch is available, consider disabling or removing the WowOptin plugin if it is not essential. Employing a Web Application Firewall (WAF) with rules to detect and block unauthorized plugin installation attempts can provide additional protection. Regular backups and incident response plans should be in place to recover quickly from potential compromises. Security teams should also review and harden WordPress configurations, including file permissions and plugin management policies, to reduce attack surface.