WordPress Plugin Vulnerabilities

Popupkit < 2.2.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Subscriber Data Deletion

Description

The Popupkit plugin for WordPress is vulnerable to arbitrary subscriber data deletion due to missing authorization on the DELETE `/subscribers` REST API endpoint in all versions up to, and including, 2.2.0. This is due to the `permission_callback` only validating wp_rest nonce without checking user capabilities. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary subscriber records.

Affects Plugins

Plugin icon
popup-builder-block
Fixed in 2.2.1

References

CVE
CVE-2025-14441
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/48f5a44d-d01f-4c41-98da-7c1f6c65c254

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Athiwat Tiprasaharn (Jitlada)
Verified
No
WPVDB ID
a194eded-aed2-4d9f-abaf-9a517402420e

Timeline

Publicly Published
2026-01-05 (about 4 months ago)
Added
2026-01-05 (about 4 months ago)
Last Updated
2026-03-27 (about 1 month ago)

Other

Published
Title
Published
2026-02-18
Title
NitroPack < 1.19.4 - Missing Authorization
Published
2025-03-31
Title
Google SEO Pressor Snippet <= 2.0 - Missing Authorization
Published
2024-06-21
Title
Optinly < 1.0.19 - Missing Authorization
Published
2025-05-09
Title
SMS Alert Order Notifications – WooCommerce < 3.8.2 - Authenticated (Subscriber+) Privilege Escalation via handleWpLoginCreateUserAction Function
Published
2024-08-16
Title
Asset CleanUp: Page Speed Booster < 1.3.9.4 - Missing Authorization