CVE-2026-9014: CWE-862 Missing Authorization in rahulbhangale WP Promoter
The WP Promoter WordPress plugin up to version 1. 3 contains a missing authorization vulnerability in its reset_stats() function. This function is accessible via AJAX actions without any authentication, authorization, or nonce validation, allowing unauthenticated attackers to reset plugin statistics by deleting specific options. The vulnerability has a CVSS score of 5. 3, indicating medium severity. No official patch or remediation guidance is currently provided by the vendor. There are no known exploits in the wild at this time.
AI Analysis
Technical Summary
CVE-2026-9014 describes a missing authorization vulnerability (CWE-862) in the WP Promoter plugin for WordPress. The reset_stats() function, hooked to both authenticated and unauthenticated AJAX actions (wp_ajax_wpp-reset_stats and wp_ajax_nopriv_wpp-reset_stats), lacks any capability checks or nonce validation. This allows unauthenticated attackers to invoke this function and reset the plugin's bar and popup statistics by deleting the wpp_bar and wpp_popup options. The vulnerability affects versions up to and including 1.3. The CVSS 3.1 base score is 5.3 (medium severity) with network attack vector, low attack complexity, no privileges required, no user interaction, and impact limited to integrity loss without confidentiality or availability impact. No patch or official remediation is currently documented.
Potential Impact
An unauthenticated attacker can reset the WP Promoter plugin's statistics by deleting stored options, causing loss of integrity of statistical data. There is no impact on confidentiality or availability. The attack requires no privileges and can be performed remotely over the network. While this does not lead to code execution or data disclosure, it can disrupt analytics or reporting relying on these statistics.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, users should consider restricting access to the AJAX endpoints or disabling the plugin if the statistics reset functionality is not required. Implementing custom authorization checks or nonce validation on the reset_stats() function can mitigate unauthorized access.
CVE-2026-9014: CWE-862 Missing Authorization in rahulbhangale WP Promoter
Description
The WP Promoter WordPress plugin up to version 1. 3 contains a missing authorization vulnerability in its reset_stats() function. This function is accessible via AJAX actions without any authentication, authorization, or nonce validation, allowing unauthenticated attackers to reset plugin statistics by deleting specific options. The vulnerability has a CVSS score of 5. 3, indicating medium severity. No official patch or remediation guidance is currently provided by the vendor. There are no known exploits in the wild at this time.
CVSS v3.1
Score 5.3medium
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-9014 describes a missing authorization vulnerability (CWE-862) in the WP Promoter plugin for WordPress. The reset_stats() function, hooked to both authenticated and unauthenticated AJAX actions (wp_ajax_wpp-reset_stats and wp_ajax_nopriv_wpp-reset_stats), lacks any capability checks or nonce validation. This allows unauthenticated attackers to invoke this function and reset the plugin's bar and popup statistics by deleting the wpp_bar and wpp_popup options. The vulnerability affects versions up to and including 1.3. The CVSS 3.1 base score is 5.3 (medium severity) with network attack vector, low attack complexity, no privileges required, no user interaction, and impact limited to integrity loss without confidentiality or availability impact. No patch or official remediation is currently documented.
Potential Impact
An unauthenticated attacker can reset the WP Promoter plugin's statistics by deleting stored options, causing loss of integrity of statistical data. There is no impact on confidentiality or availability. The attack requires no privileges and can be performed remotely over the network. While this does not lead to code execution or data disclosure, it can disrupt analytics or reporting relying on these statistics.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, users should consider restricting access to the AJAX endpoints or disabling the plugin if the statistics reset functionality is not required. Implementing custom authorization checks or nonce validation on the reset_stats() function can mitigate unauthorized access.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- Wordfence
- Date Reserved
- 2026-05-19T14:27:00.556Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a169069e29bf47b509e187d
Added to database: 5/27/2026, 6:34:17 AM
Last enriched: 5/27/2026, 6:48:44 AM
Last updated: 5/27/2026, 8:52:55 AM
Views: 4
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.