Medium severity 4.3 · NVD Advisory · Published Jan 6, 2026 · Updated Apr 15, 2026
CVE-2025-14441
Description
The Popupkit plugin for WordPress is vulnerable to arbitrary subscriber data deletion due to missing authorization on the DELETE /subscribers REST API endpoint in all versions up to, and including, 2.2.0. The endpoint's permission_callback validates only the wp_rest nonce and does not check user capabilities. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary subscriber records.
Affected products: 1
Patches: 0
No patches discovered yet.
References: 5
- plugins.trac.wordpress.org/browser/popup-builder-block/tags/2.2.0/includes/Routes/Subscribers.php (nvd)
- plugins.trac.wordpress.org/browser/popup-builder-block/tags/2.2.0/includes/Routes/Subscribers.php (nvd)
- plugins.trac.wordpress.org/browser/popup-builder-block/trunk/includes/Routes/Subscribers.php (nvd)
- plugins.trac.wordpress.org/changeset (nvd)
- www.wordfence.com/threat-intel/vulnerabilities/id/48f5a44d-d01f-4c41-98da-7c1f6c65c254 (nvd)