{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-14395", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-12-09T22:14:48.782Z", "datePublished": "2025-12-13T04:31:20.540Z", "dateUpdated": "2026-04-08T16:35:09.057Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:35:09.057Z"}, "affected": [{"vendor": "melodicmedia", "product": "Popover Windows", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.2", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Popover Windows plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on multiple ajax actions (e.g., pop_submit, poptheme_submit) in all versions up to, and including, 1.2. This makes it possible for authenticated attackers, with subscriber-level access and above, to modify the plugin's settings and content."}], "title": "Popover Windows <= 1.2 - Missing Authorization to Authenticated (Subscriber+) Popover Configuration Update via AJAX Actions", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0cae43cb-a0b7-4067-95b3-26fec31ebf42?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/popover-windows/tags/1.2/popoveroptions.php#L98"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "dayea song"}], "timeline": [{"time": "2025-12-12T16:09:40.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-12-15T15:43:46.605047Z", "id": "CVE-2025-14395", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-15T15:48:39.117Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-14395", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-12-15T15:43:46.605047Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-15T15:43:47.639Z"}}], "cna": {"title": "Popover Windows <= 1.2 - Missing Authorization to Authenticated (Subscriber+) Popover Configuration Update via AJAX Actions", "credits": [{"lang": "en", "type": "finder", "value": "dayea song"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "melodicmedia", "product": "Popover Windows", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.2"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-12-12T16:09:40.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0cae43cb-a0b7-4067-95b3-26fec31ebf42?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/popover-windows/tags/1.2/popoveroptions.php#L98"}], "descriptions": [{"lang": "en", "value": "The Popover Windows plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on multiple ajax actions (e.g., pop_submit, poptheme_submit) in all versions up to, and including, 1.2. This makes it possible for authenticated attackers, with subscriber-level access and above, to modify the plugin's settings and content."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:35:09.057Z"}}}, "cveMetadata": {"cveId": "CVE-2025-14395", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:35:09.057Z", "dateReserved": "2025-12-09T22:14:48.782Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-12-13T04:31:20.540Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Popover Windows plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on multiple ajax actions (e.g., pop_submit, poptheme_submit) in all versions up to, and including, 1.2. This makes it possible for authenticated attackers, with subscriber-level access and above, to modify the plugin's settings and content."}], "id": "CVE-2025-14395", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-12-13T16:16:49.260", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/popover-windows/tags/1.2/popoveroptions.php#L98"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0cae43cb-a0b7-4067-95b3-26fec31ebf42?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T20:33:36.826868+00:00", "value": {"mitigation_remediation": ["Upgrade Popover Windows to the latest version that includes the missing capability checks for AJAX actions.", "Review all pop\u2011over settings to confirm no unauthorized changes were made.", "If an update is not available, disable or remove the vulnerable AJAX actions or use a security\u2011plugin to enforce higher capability requirements for these endpoints."], "summary": {"action": "Update Plugin", "impact": "Unauthorized configuration modification"}, "threat_synthesis": {"affected_systems": "The affected product is the Popover\u00a0Windows plugin from melodicmedia, all releases up to and including version\u00a01.2. WordPress sites hosting any of these versions are vulnerable. No specific CPE string is available in the data.", "description_and_impact": "The Popover Windows WordPress plugin contains a missing capability check on multiple AJAX actions such as pop_submit and poptheme_submit. This omission represents a CWE\u2011862 \u2013 missing authorization weakness, enabling authenticated users with subscriber-level access or higher to modify the plugin\u2019s settings and content through Ajax. The result is unauthorized configuration changes that can alter how pop\u2011over windows display and behave on the site.", "risk_and_exploitability": "The CVSS score of 4.3 indicates a moderate risk, and the EPSS score of less than\u00a01% suggests a very low probability of exploitation. Because the flaw requires authenticated access, an attacker must be logged in as a subscriber or higher; there is no remote code execution. The vulnerability is not listed in the CISA KEV catalog, implying it has not been publicly exploited at scale. The author of the plugin should prioritize fixing the missing capability checks, and site owners should apply the fix once available."}}}}, "created": "2025-12-14T21:14:53.598264+00:00", "updated": "2026-04-22T20:45:27.081612+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}