WordPress Plugin Vulnerabilities

PopupKit < 2.2.1 - Missing Authorization to Sensitive Information Disclosure and Data Deletion

Description

The PopupKit plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.2.0. This is due to the plugin not properly verifying that a user is authorized to access the /popup/logs REST API endpoint. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read and delete analytics data including device types, browser information, countries, referrer URLs, and campaign metrics.

Affects Plugins

Plugin icon
popup-builder-block
Fixed in 2.2.1

References

CVE
CVE-2025-14895
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/c13bb699-f065-4065-9ea5-bb86d24e09ab

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
5.4 (medium)

Miscellaneous

Original Researcher
Dmitrii Ignatyev
Verified
No
WPVDB ID
29d51698-8a58-450b-bcba-93e08be7f251

Timeline

Publicly Published
2026-02-09 (about 3 months ago)
Added
2026-02-09 (about 3 months ago)
Last Updated
2026-02-10 (about 3 months ago)

Other

Published
Title
Published
2026-02-13
Title
Accordion and Accordion Slider < 1.4.6 - Missing Authorization to Authenticated (Contributor+) Attachment Metadata Modification
Published
2025-12-15
Title
My Calendar < 3.6.17 - Missing Authorization
Published
2024-04-25
Title
Secure Copy Content Protection and Content Locking < 3.9.1 - Missing Authorization
Published
2024-01-10
Title
EventON (Free < 2.2.8, Premium < 4.5.6) - Unauthenticated Arbitrary Post Metadata Update
Published
2025-11-10
Title
Find Unused Images <= 1.0.7 - Missing Authorization to Unauthenticated Arbitrary Attachment Deletion