{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-14895", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-12-18T16:04:05.446Z", "datePublished": "2026-02-10T09:26:06.042Z", "dateUpdated": "2026-04-08T17:19:50.834Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:19:50.834Z"}, "affected": [{"vendor": "roxnor", "product": "Popup builder with Gamification, Multi-Step Popups, Page-Level Targeting, and WooCommerce Triggers", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.2.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The PopupKit plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.2.0. This is due to the plugin not properly verifying that a user is authorized to access the /popup/logs REST API endpoint. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read and delete analytics data including device types, browser information, countries, referrer URLs, and campaign metrics."}], "title": "PopupKit <= 2.2.0 - Missing Authorization to Sensitive Information Disclosure and Data Deletion", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c13bb699-f065-4065-9ea5-bb86d24e09ab?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/popup-builder-block/tags/2.2.0/includes/Routes/Popup.php#L145"}, {"url": "https://plugins.trac.wordpress.org/browser/popup-builder-block/tags/2.2.0/includes/Routes/Popup.php#L32"}, {"url": "https://plugins.trac.wordpress.org/browser/popup-builder-block/tags/2.2.0/includes/Routes/Popup.php#L85"}, {"url": "https://research.cleantalk.org/cve-2025-14895"}, {"url": "https://plugins.trac.wordpress.org/changeset/3421671/popup-builder-block/trunk/includes/Routes/Popup.php"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "baseScore": 5.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Dmitrii Ignatyev"}], "timeline": [{"time": "2026-02-03T22:04:16.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-02-09T20:31:47.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-10T16:08:34.765978Z", "id": "CVE-2025-14895", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-10T16:10:07.358Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-14895", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-10T16:08:34.765978Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-10T16:10:00.808Z"}}], "cna": {"title": "PopupKit <= 2.2.0 - Missing Authorization to Sensitive Information Disclosure and Data Deletion", "credits": [{"lang": "en", "type": "finder", "value": "Dmitrii Ignatyev"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"}}], "affected": [{"vendor": "roxnor", "product": "Popup builder with Gamification, Multi-Step Popups, Page-Level Targeting, and WooCommerce Triggers", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "2.2.0"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-02-03T22:04:16.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-02-09T20:31:47.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c13bb699-f065-4065-9ea5-bb86d24e09ab?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/popup-builder-block/tags/2.2.0/includes/Routes/Popup.php#L145"}, {"url": "https://plugins.trac.wordpress.org/browser/popup-builder-block/tags/2.2.0/includes/Routes/Popup.php#L32"}, {"url": "https://plugins.trac.wordpress.org/browser/popup-builder-block/tags/2.2.0/includes/Routes/Popup.php#L85"}, {"url": "https://research.cleantalk.org/cve-2025-14895"}, {"url": "https://plugins.trac.wordpress.org/changeset/3421671/popup-builder-block/trunk/includes/Routes/Popup.php"}], "descriptions": [{"lang": "en", "value": "The PopupKit plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.2.0. This is due to the plugin not properly verifying that a user is authorized to access the /popup/logs REST API endpoint. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read and delete analytics data including device types, browser information, countries, referrer URLs, and campaign metrics."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:19:50.834Z"}}}, "cveMetadata": {"cveId": "CVE-2025-14895", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:19:50.834Z", "dateReserved": "2025-12-18T16:04:05.446Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-02-10T09:26:06.042Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The PopupKit plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.2.0. This is due to the plugin not properly verifying that a user is authorized to access the /popup/logs REST API endpoint. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read and delete analytics data including device types, browser information, countries, referrer URLs, and campaign metrics."}, {"lang": "es", "value": "El plugin PopupKit para WordPress es vulnerable a una omisi\u00f3n de autorizaci\u00f3n en todas las versiones hasta la 2.2.0, inclusive. Esto se debe a que el plugin no verifica correctamente que un usuario est\u00e1 autorizado para acceder al endpoint de la API REST /popup/logs. Esto hace posible que atacantes autenticados, con acceso de nivel Suscriptor o superior, lean y eliminen datos anal\u00edticos, incluyendo tipos de dispositivos, informaci\u00f3n del navegador, pa\u00edses, URLs de referencia y m\u00e9tricas de campa\u00f1a."}], "id": "CVE-2025-14895", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.5, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-02-10T10:15:56.950", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/popup-builder-block/tags/2.2.0/includes/Routes/Popup.php#L145"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/popup-builder-block/tags/2.2.0/includes/Routes/Popup.php#L32"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/popup-builder-block/tags/2.2.0/includes/Routes/Popup.php#L85"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3421671/popup-builder-block/trunk/includes/Routes/Popup.php"}, {"source": "security@wordfence.com", "url": "https://research.cleantalk.org/cve-2025-14895"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c13bb699-f065-4065-9ea5-bb86d24e09ab?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.2.0]"}}], "product": "popup_builder_with_gamification,_multi-step_popups,_page-level_targeting,_and_woocommerce_triggers", "vendor": "roxnor"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-21T16:03:12.182760+00:00", "value": {"mitigation_remediation": ["Upgrade the Popup builder plugin to the latest version that removes the authorization bypass on the \"/popup/logs\" endpoint.", "If an upgrade is not immediately possible, add a rule to block or restrict the \"/popup/logs\" REST API endpoint for all roles below Administrator, using a plugin, .htaccess rule, or custom code based on the REST API namespace.", "Configure role permissions so that Subscriber and lower roles cannot perform actions on the REST API, ensuring only Administrators retain access to analytics data."], "summary": {"action": "Immediate Patch", "impact": "Sensitive Information Disclosure and Data Deletion via authorization bypass"}, "threat_synthesis": {"affected_systems": "WordPress sites that have the Popup builder plugin (ro xnor: Popup builder with Gamification, Multi\u2011Step Popups, Page\u2011Level Targeting, and WooCommerce Triggers) installed in versions 2.2.0 or earlier are affected. All versions up to and including 2.2.0 expose the \"/popup/logs\" REST endpoint, which is accessible to authenticated users with Subscriber-level access and above.", "description_and_impact": "The PopupKit plugin is vulnerable because it fails to verify that a user is authorized to access the \"/popup/logs\" REST API endpoint. As a result, any authenticated user with a Subscriber role or higher can read analytics data that includes device types, browser information, countries, referrer URLs, and campaign metrics. The attacker can also delete this data. The core weakness is an access control flaw (CWE-862).", "risk_and_exploitability": "The CVSS score of 5.4 indicates a moderate risk, and the EPSS score of less than 1\u202f% suggests a low exploitation probability at the time of analysis. The vulnerability is not listed in the CISA KEV catalog, and the attack requires only a valid authenticated session with Subscriber privileges or higher, so it is relatively easy to exploit if a user can authenticate. Once the endpoint is accessed, attackers can exfiltrate sensitive analytics information and remove it, compromising confidentiality and integrity of site data."}}}}, "created": "2026-02-10T11:34:23.018004+00:00", "updated": "2026-04-21T16:15:40.493784+00:00", "vendors": ["roxnor", "roxnor$PRODUCT$popup_builder_with_gamification,_multi-step_popups,_page-level_targeting,_and_woocommerce_triggers", "wordpress", "wordpress$PRODUCT$wordpress"]}