CVE-2025-14895
Description
The PopupKit plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.2.0. This is due to the plugin not properly verifying that a user is authorized to access the /popup/logs REST API endpoint. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read and delete analytics data including device types, browser information, countries, referrer URLs, and campaign metrics.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
PopupKit <=2.2.0 has a missing authorization vulnerability allowing authenticated subscribers to read and delete analytics data via the /popup/logs REST endpoint.
Vulnerability
Overview
The PopupKit plugin for WordPress, in all versions up to and including 2.2.0, contains a missing authorization vulnerability in its REST API endpoint /popup/logs. The plugin does not verify that the requesting user holds the capability needed to use this endpoint; it relies instead on REST nonce validation, and because any authenticated user can obtain a valid nonce, that check proves only that the request comes from a logged-in session, not that the user is an administrator [1]. As a result the endpoint is not restricted to administrators as intended, but is reachable by any authenticated user who can obtain a WordPress REST nonce [1].
Exploitation
An attacker with Subscriber-level access or above can exploit this vulnerability by obtaining a valid WordPress REST nonce and then making requests to the /popup/logs endpoint. The endpoint does not perform capability checks to ensure the user is authorized to view or delete analytics data [1]. This makes the vulnerability particularly impactful on sites with public registration and large numbers of low-privilege accounts, such as ecommerce, membership, and community-driven sites [1].
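The following is an added example, not PopupKit's code, showing the REST-route pattern that produces this class of finding beside its fixed form. The namespace `example/v1`, the option name and the callback names are assumptions; only the route path `/popup/logs` comes from the advisory.

```php
<?php
// Added example, not PopupKit's code: a WordPress REST route that any
// logged-in user can reach, and the same route restricted to administrators.
// Namespace 'example/v1', option name and callback names are assumptions.

// Storage for the demo: analytics rows kept in a single option.
function example_read_logs( WP_REST_Request $request ) {
    return rest_ensure_response( get_option( 'example_popup_logs', array() ) );
}

function example_delete_logs( WP_REST_Request $request ) {
    delete_option( 'example_popup_logs' );
    return rest_ensure_response( array( 'deleted' => true ) );
}

// VULNERABLE: the permission callback only proves the caller has a session.
// WordPress core has already verified the REST nonce (X-WP-Nonce header or
// _wpnonce parameter) before any callback runs, and wp_create_nonce('wp_rest')
// is available to every logged-in user, Subscribers included. "Nonce OK" plus
// "logged in" is therefore not an authorization decision; no role is checked.
function example_register_vulnerable_route() {
    register_rest_route( 'example/v1', '/popup/logs', array(
        array(
            'methods'             => WP_REST_Server::READABLE,
            'callback'            => 'example_read_logs',
            'permission_callback' => 'is_user_logged_in',
        ),
        array(
            'methods'             => WP_REST_Server::DELETABLE,
            'callback'            => 'example_delete_logs',
            'permission_callback' => 'is_user_logged_in',
        ),
    ) );
}

// FIXED: the permission callback asks whether this user may manage the site.
// rest_authorization_required_code() yields 401 for anonymous callers and 403
// for logged-in users who lack the capability.
function example_logs_permission( WP_REST_Request $request ) {
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error(
            'rest_forbidden',
            __( 'Sorry, you are not allowed to do that.' ),
            array( 'status' => rest_authorization_required_code() )
        );
    }
    return true;
}

function example_register_hardened_route() {
    register_rest_route( 'example/v1', '/popup/logs', array(
        array(
            'methods'             => WP_REST_Server::READABLE,
            'callback'            => 'example_read_logs',
            'permission_callback' => 'example_logs_permission',
        ),
        array(
            'methods'             => WP_REST_Server::DELETABLE,
            'callback'            => 'example_delete_logs',
            'permission_callback' => 'example_logs_permission',
        ),
    ) );
}

// Only the hardened registration is hooked; the vulnerable one is kept above
// for comparison.
add_action( 'rest_api_init', 'example_register_hardened_route' );
```

The point of the comparison is that the nonce and the permission callback answer different questions: the nonce defends against cross-site request forgery, while `permission_callback` is the only place the route decides who is allowed. A callback of `is_user_logged_in` (or `__return_true`) grants the route to every role the site registers.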
Impact
Successful exploitation allows an authenticated attacker to read and delete analytics data collected by the plugin. This data includes device types, browser information, countries, referrer URLs, and campaign metrics [1]. The data represents marketing leads and subscriber activity, which are often treated as sensitive business assets [1]. When a Subscriber can access this data, it breaks the expected privacy and role separation model of WordPress, and creates a direct integrity issue because the same low-privilege user can erase records and undermine reporting [1].
Mitigation
As of the publication date, the vulnerability has been publicly disclosed and a proof of concept exists, but no exploit code has been reported [1]. Users of PopupKit should update to a release later than 2.2.0 as soon as one that adds a proper capability check is available; the trunk changeset to includes/Routes/Popup.php listed under References is where to confirm that change. Until then, site administrators should review their user base, consider disabling open registration where it is not needed, and apply additional access controls to sensitive REST endpoints, for example a site-level filter that requires an administrative capability for the affected route [1].
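One way to apply such a site-level control while waiting for a fixed release, as an added example that is not PopupKit's code: a must-use plugin that gates matching REST routes on a capability before the plugin's own permission callback runs, plus an audit helper that lists routes whose permission callback only requires a login. The route pattern assumes the endpoint path ends in /popup/logs as the advisory states; the plugin's namespace is not given on this page, so the pattern matches any namespace and should be confirmed against the plugin's Routes/Popup.php.

```php
<?php
/**
 * Plugin Name: REST Capability Gate (added example)
 * Description: Compensating control: require a capability for chosen REST
 *              routes regardless of the plugin's own checks.
 *
 * Added example, not PopupKit's code. Place in wp-content/mu-plugins/.
 * Route pattern is an assumption based on the advisory's "/popup/logs";
 * the plugin's namespace is unknown here, so any namespace is matched.
 */

// Route pattern => capability the caller must hold.
function example_gated_routes() {
    return array(
        '#/popup/logs(?:/|$)#' => 'manage_options',
    );
}

// rest_pre_dispatch runs after authentication (the current user is known)
// and before the route's own permission_callback. Returning a WP_Error here
// short-circuits dispatch for every HTTP method (GET, DELETE, ...).
add_filter( 'rest_pre_dispatch', function ( $result, WP_REST_Server $server, WP_REST_Request $request ) {
    if ( null !== $result ) {
        return $result; // another filter already produced a response
    }
    $route = $request->get_route();
    foreach ( example_gated_routes() as $pattern => $capability ) {
        if ( preg_match( $pattern, $route ) && ! current_user_can( $capability ) ) {
            return new WP_Error(
                'rest_forbidden',
                __( 'Sorry, you are not allowed to do that.' ),
                array( 'status' => rest_authorization_required_code() )
            );
        }
    }
    return $result;
}, 10, 3 );

// Audit helper: list registered routes whose permission callback is missing
// or is one of the "logged in is enough" patterns, so they can be reviewed.
// Run from WP-CLI as an administrator:
//   wp eval 'print_r( example_weak_permission_routes() );'
function example_weak_permission_routes() {
    $weak     = array( 'is_user_logged_in', '__return_true' );
    $findings = array();
    foreach ( rest_get_server()->get_routes() as $route => $handlers ) {
        foreach ( $handlers as $handler ) {
            $cb = isset( $handler['permission_callback'] ) ? $handler['permission_callback'] : null;
            if ( null === $cb || ( is_string( $cb ) && in_array( $cb, $weak, true ) ) ) {
                $findings[] = $route;
            }
        }
    }
    return array_values( array_unique( $findings ) );
}
```

The gate is deliberately coarse: it denies both reading and deleting for anyone below administrator, which is the intended access model described above. The audit helper only flags string callbacks it can recognise; closures and method callbacks still need manual review, so treat an empty result as "nothing obvious" rather than "nothing wrong".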
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- PopupKit (WordPress plugin), all versions up to and including 2.2.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- plugins.trac.wordpress.org/browser/popup-builder-block/tags/2.2.0/includes/Routes/Popup.php (nvd)
- plugins.trac.wordpress.org/changeset/3421671/popup-builder-block/trunk/includes/Routes/Popup.php (nvd)
- research.cleantalk.org/cve-2025-14895 (nvd)
- www.wordfence.com/threat-intel/vulnerabilities/id/c13bb699-f065-4065-9ea5-bb86d24e09ab (nvd)
News mentions
No linked articles in our index yet.