CVE-2026-4302 is a Server-Side Request Forgery (SSRF) vulnerability identified in the WowOptin: Next-Gen Popup Maker plugin for WordPress, affecting all versions up to and including 1.4.29. The vulnerability stems from the plugin exposing a REST API endpoint at optn/v1/integration-action that has a permission callback set to __return_true, effectively allowing any unauthenticated user to access it. This endpoint accepts user-supplied URLs which are then passed directly to WordPress functions wp_remote_get() and wp_remote_post() within the Webhook::add_subscriber() method without any validation or filtering. Critically, the plugin does not utilize wp_safe_remote_get() or wp_safe_remote_post(), which provide built-in protections against SSRF attacks by restricting requests to safe hosts. As a result, attackers can coerce the server to send HTTP requests to arbitrary internal or external addresses, potentially accessing internal services, metadata endpoints, or other sensitive resources not normally accessible externally. This can lead to unauthorized information disclosure and modification of internal data. The vulnerability has a CVSS v3.1 base score of 7.2 (high severity) with vector AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N, indicating network exploitable, no privileges or user interaction required, and a scope change due to impact on confidentiality and integrity. No public exploits have been reported yet, but the risk is significant given the plugin's popularity for lead generation on WordPress sites. The flaw highlights a common SSRF risk when REST API endpoints accept URLs without validation and use unsafe HTTP request functions.

The impact of CVE-2026-4302 is primarily on the confidentiality and integrity of internal systems accessible from the vulnerable WordPress server. Attackers can leverage the SSRF flaw to send arbitrary HTTP requests from the server, potentially accessing internal-only services such as databases, metadata services in cloud environments, or administrative interfaces that are not exposed externally. This can lead to unauthorized disclosure of sensitive information, including credentials, configuration data, or internal APIs. Additionally, attackers might modify internal data or trigger actions on internal systems if those endpoints accept POST requests. Although availability is not directly impacted, the compromise of internal systems can lead to broader security breaches. Organizations worldwide using the WowOptin plugin are at risk, especially those with sensitive internal networks behind their WordPress servers. The vulnerability can be exploited remotely without authentication or user interaction, increasing the attack surface. If chained with other vulnerabilities, it could facilitate lateral movement or privilege escalation within an organization's infrastructure.

To mitigate CVE-2026-4302, organizations should first check for and apply any official patches or updates from the wpxpo vendor once available. In the absence of patches, immediate mitigations include disabling or restricting access to the vulnerable REST API endpoint (optn/v1/integration-action) via web application firewalls (WAFs) or server configuration to block unauthenticated requests. Implement strict network segmentation to limit the WordPress server's ability to reach internal services that should not be accessible externally. Administrators can also modify the plugin code to replace wp_remote_get() and wp_remote_post() calls with wp_safe_remote_get() and wp_safe_remote_post(), which enforce safe host restrictions, or add custom URL validation to restrict requests to trusted domains only. Monitoring outgoing HTTP requests from the WordPress server for unusual destinations can help detect exploitation attempts. Finally, conduct thorough security audits of internal services potentially exposed via SSRF and implement authentication and authorization controls on internal endpoints to reduce risk.