Unauthorized Data Modification in WP Promoter Plugin for WordPress
CVE-2026-9014
5.3 MEDIUM
What is CVE-2026-9014?
The WP Promoter plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the reset_stats() function. The flaw exists in versions up to and including 1.3, where the function is attached to actions that do not require authentication, authorization, or nonce validation. As a result, unauthorized users can manipulate the plugin's statistics by removing the data stored in the wpp_bar and wpp_popup options, potentially disrupting service and compromising data integrity.
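The three checks the advisory reports as missing (authentication, a capability check, and nonce validation) look like this in a WordPress handler. This is an added example, not the plugin's code or its vendor's patch: the hook names, the nonce action, the `manage_options` capability, the function name `wpp_reset_stats_hardened` and the use of `delete_option()` are assumptions chosen for illustration.

```php
<?php
// Added example. Everything marked "hypothetical" is an assumption,
// not taken from the WP Promoter source.

// Pattern described in the advisory, kept commented out for contrast:
// a state-changing callback attached to an action that runs for any
// visitor, with no capability check and no nonce.
//
// add_action( 'init', 'reset_stats' ); // hypothetical hook

// Hardened registration: wp_ajax_{action} only fires for logged-in users,
// so anonymous requests never reach the callback.
add_action( 'wp_ajax_wpp_reset_stats', 'wpp_reset_stats_hardened' ); // hypothetical action name

function wpp_reset_stats_hardened() {
    // 1. Authorization: being logged in is not enough. Require a capability
    //    held only by roles that manage site settings (assumed: manage_options).
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    // 2. CSRF protection: require a nonce issued for this exact action.
    //    Passing false as the third argument makes check_ajax_referer()
    //    return false instead of dying, so the handler sets the response.
    if ( ! check_ajax_referer( 'wpp_reset_stats', '_wpnonce', false ) ) {
        wp_send_json_error( array( 'message' => 'Invalid nonce' ), 403 );
    }

    // 3. Only after both checks pass, clear the options named in the
    //    advisory. How the plugin itself clears them is not stated on
    //    the page; delete_option() is an assumption.
    foreach ( array( 'wpp_bar', 'wpp_popup' ) as $option ) {
        delete_option( $option );
    }

    wp_send_json_success( array( 'reset' => true ) );
}
```

`wp_send_json_error()` and `wp_send_json_success()` end the request, so no code after a failed check runs. The admin page that triggers the reset would need to send a nonce created with `wp_create_nonce( 'wpp_reset_stats' )` for step 2 to pass.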
Affected Version(s)
WP Promoter 0 <= 1.3