What is GHSA-j5qh-rj6w-86m8?

GHSA-j5qh-rj6w-86m8 is a security advisory published by GitHub Security Advisories with Medium severity. The WP Promoter plugin for WordPress is vulnerable to unauthorized modification of data due to a...

Which CVE IDs does GHSA-j5qh-rj6w-86m8 cover?

GHSA-j5qh-rj6w-86m8 covers the following CVE IDs: CVE-2026-9014. Each CVE has its own detail page on EchelonGraph Pulse with the synthesized EG score.

What is the CVSS v3 score of GHSA-j5qh-rj6w-86m8?

GHSA-j5qh-rj6w-86m8 has a CVSS v3 base score of 5.3, published by GitHub Security Advisories.

GHSA-j5qh-rj6w-86m8MediumCVSS 5.3

The WP Promoter plugin for WordPress is vulnerable to unauthorized modification of data due to a...

Vendor

GitHub Security Advisories

Published

May 27, 2026

Last Modified

May 27, 2026

🔗 CVE IDs covered (1)

CVE-2026-9014 →

📋 Description

The WP Promoter plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the reset_stats() function in versions up to, and including, 1.3. The function is hooked to both the wp_ajax_wpp-reset_stats and wp_ajax_nopriv_wpp-reset_stats actions and contains no authentication, authorization, or nonce validation. This makes it possible for unauthenticated attackers to reset the plugin's bar and popup statistics by deleting the wpp_bar and wpp_popup options.

🔗 References (5)

https://nvd.nist.gov/vuln/detail/CVE-2026-9014
https://plugins.trac.wordpress.org/browser/wp-promoter/tags/1.3/inc/class-wpp-ajax.php#L23
https://plugins.trac.wordpress.org/browser/wp-promoter/tags/1.3/inc/class-wpp-ajax.php#L28
https://www.wordfence.com/threat-intel/vulnerabilities/id/ce546f2e-5323-44b9-b980-5619f2db2944?source=cve
https://github.com/advisories/GHSA-j5qh-rj6w-86m8