{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-14441", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-12-10T13:07:03.705Z", "datePublished": "2026-01-06T04:31:55.856Z", "dateUpdated": "2026-04-08T16:50:20.931Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:50:20.931Z"}, "affected": [{"vendor": "roxnor", "product": "Popup builder with Gamification, Multi-Step Popups, Page-Level Targeting, and WooCommerce Triggers", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.2.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Popupkit plugin for WordPress is vulnerable to arbitrary subscriber data deletion due to missing authorization on the DELETE `/subscribers` REST API endpoint in all versions up to, and including, 2.2.0. This is due to the `permission_callback` only validating wp_rest nonce without checking user capabilities. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary subscriber records."}], "title": "Popupkit <= 2.2.0 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Subscriber Data Deletion", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/48f5a44d-d01f-4c41-98da-7c1f6c65c254?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/popup-builder-block/trunk/includes/Routes/Subscribers.php#L77"}, {"url": "https://plugins.trac.wordpress.org/browser/popup-builder-block/tags/2.2.0/includes/Routes/Subscribers.php#L77"}, {"url": "https://plugins.trac.wordpress.org/browser/popup-builder-block/tags/2.2.0/includes/Routes/Subscribers.php#L64"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3421671%40popup-builder-block&new=3421671%40popup-builder-block&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Athiwat Tiprasaharn"}], "timeline": [{"time": "2025-12-10T13:22:23.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-01-05T16:05:07.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-06T14:36:10.070034Z", "id": "CVE-2025-14441", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-06T14:36:22.367Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-14441", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-06T14:36:10.070034Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-06T14:36:18.415Z"}}], "cna": {"title": "Popupkit <= 2.2.0 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Subscriber Data Deletion", "credits": [{"lang": "en", "type": "finder", "value": "Athiwat Tiprasaharn"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "roxnor", "product": "Popup builder with Gamification, Multi-Step Popups, Page-Level Targeting, and WooCommerce Triggers", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "2.2.0"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-12-10T13:22:23.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-01-05T16:05:07.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/48f5a44d-d01f-4c41-98da-7c1f6c65c254?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/popup-builder-block/trunk/includes/Routes/Subscribers.php#L77"}, {"url": "https://plugins.trac.wordpress.org/browser/popup-builder-block/tags/2.2.0/includes/Routes/Subscribers.php#L77"}, {"url": "https://plugins.trac.wordpress.org/browser/popup-builder-block/tags/2.2.0/includes/Routes/Subscribers.php#L64"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3421671%40popup-builder-block&new=3421671%40popup-builder-block&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The Popupkit plugin for WordPress is vulnerable to arbitrary subscriber data deletion due to missing authorization on the DELETE `/subscribers` REST API endpoint in all versions up to, and including, 2.2.0. This is due to the `permission_callback` only validating wp_rest nonce without checking user capabilities. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary subscriber records."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:50:20.931Z"}}}, "cveMetadata": {"cveId": "CVE-2025-14441", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:50:20.931Z", "dateReserved": "2025-12-10T13:07:03.705Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-01-06T04:31:55.856Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Popupkit plugin for WordPress is vulnerable to arbitrary subscriber data deletion due to missing authorization on the DELETE `/subscribers` REST API endpoint in all versions up to, and including, 2.2.0. This is due to the `permission_callback` only validating wp_rest nonce without checking user capabilities. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary subscriber records."}, {"lang": "es", "value": "El plugin Popupkit para WordPress es vulnerable a la eliminaci\u00f3n arbitraria de datos de suscriptor debido a la falta de autorizaci\u00f3n en el endpoint de la API REST DELETE `/subscribers` en todas las versiones hasta la 2.2.0, inclusive. Esto se debe a que la 'permission_callback' solo valida el nonce de wp_rest sin verificar las capacidades del usuario. Esto hace posible que atacantes autenticados, con acceso de nivel Suscriptor o superior, eliminen registros de suscriptor arbitrarios."}], "id": "CVE-2025-14441", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-01-06T05:15:59.207", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/popup-builder-block/tags/2.2.0/includes/Routes/Subscribers.php#L64"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/popup-builder-block/tags/2.2.0/includes/Routes/Subscribers.php#L77"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/popup-builder-block/trunk/includes/Routes/Subscribers.php#L77"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3421671%40popup-builder-block&new=3421671%40popup-builder-block&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/48f5a44d-d01f-4c41-98da-7c1f6c65c254?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T16:51:44.972603+00:00", "value": {"mitigation_remediation": ["Update Popup Builder to a version later than 2.2.0 that includes proper capability checks for the DELETE `/subscribers` endpoint.", "Configure the WordPress REST API or security plugins to restrict access to the `/subscribers` DELETE route to users with Administrator privileges only.", "As a temporary workaround, disable the subscriber delete functionality by adding code to the theme\u2019s functions.php or using a custom plugin that hooks into `rest_pre_dispatch` to block DELETE requests to `/subscribers`."], "summary": {"action": "Apply Patch", "impact": "Arbitrary Subscriber Data Deletion"}, "threat_synthesis": {"affected_systems": "The issue affects the Popup Builder plugin from roxnor, specifically all released versions up to and including 2.2.0. Users running any of these versions on a WordPress site are vulnerable. The vulnerability is present on the REST API route responsible for subscriber deletion.", "description_and_impact": "The Popup Builder plugin for WordPress contains a missing authorization check on the DELETE `/subscribers` REST API endpoint. The endpoint accepts a wp_rest nonce but does not verify that the authenticated user has sufficient capabilities. As a result, any authenticated user with Subscriber-level access or higher can delete arbitrary subscriber records. This allows attackers to remove subscriber data, potentially causing loss of contact information and disrupting marketing or communication functionality. The weak point is the lack of capability verification, which is a typical Missing Authorization weakness (CWE\u2011862).", "risk_and_exploitability": "The CVSS score of 4.3 indicates moderate impact. The EPSS score of less than 1% suggests that exploitation is currently unlikely. The vulnerability is not listed in the CISA KEV catalog. Attackers would need to be authenticated with at least Subscriber privilege to exploit the flaw. Because the endpoint relies only on a nonce, privileged users can make a DELETE request and wipe subscriber records without further authorization checks. The practical risk is data loss for sites using the plugin, but the lack of wide exploitation potential and low EPSS score make it a moderate priority."}}}}, "created": "2026-01-06T14:16:13.987738+00:00", "updated": "2026-04-21T17:00:12.320261+00:00", "vendors": ["roxnor", "roxnor$PRODUCT$popup_builder", "wordpress", "wordpress$PRODUCT$wordpress"]}