CVE-2026-25016

Nelio Popups, a WordPress plugin, versions up to and including 1.3.5 contain a Missing Authorization vulnerability. The root cause is that the plugin fails to properly enforce access control security levels, allowing an attacker to exploit incorrectly configured access controls [1]. This type of issue is classified as Broken Access Control, where a missing authorization, authentication, or nonce token check in a function can lead to an unprivileged user performing a higher-privileged action [1].

To exploit this vulnerability, an attacker requires no authentication or special privileges, as the access control is missing entirely. The attack vector is network-based via the WordPress admin interface, with low attack complexity [1]. Successful exploitation allows an unprivileged user to execute certain actions normally reserved for higher-privileged roles, such as modifying plugin settings or accessing restricted data [1].

The impact of this vulnerability is considered low severity, with a CVSS v3 base score of 4.3 (Medium). While the vulnerability is unlikely to be exploited on a large scale, it has been noted that similar issues are used in mass-exploit campaigns targeting thousands of websites regardless of traffic or popularity [1].

The vendor has released a patch in version 1.3.6 of Nelio Popups. Users are strongly advised to update immediately. For those unable to update, contacting the hosting provider or web developer for assistance is recommended. Patchstack users can enable auto-updates for vulnerable plugins to mitigate this issue [1].