CVE-2025-14895 – The PopupKit WordPress plugin has an authorizat... (How to Fix)

Q: What is the severity of CVE-2025-14895?

CVE-2025-14895 has a CVSS score of 5.4 (MEDIUM). The PopupKit WordPress plugin has an authorization bypass vulnerability that allows authenticated users with Subscriber-level access or higher to read and delete analytics data. This affects all WordPress sites using PopupKit versions up to 2.2.0. Attackers can access sensitive analytics including device types, browser information, countries, referrer URLs, and campaign metrics.

📋 TL;DR

The PopupKit WordPress plugin has an authorization bypass vulnerability that allows authenticated users with Subscriber-level access or higher to read and delete analytics data. This affects all WordPress sites using PopupKit versions up to 2.2.0. Attackers can access sensitive analytics including device types, browser information, countries, referrer URLs, and campaign metrics.

💻 Affected Systems

Products:

PopupKit WordPress Plugin

Versions: All versions up to and including 2.2.0

Operating Systems: Any OS running WordPress

Default Config Vulnerable: ⚠️ Yes

Notes: Requires WordPress installation with PopupKit plugin enabled and at least one user with Subscriber role or higher.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).

🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.

Recommended Actions:

Review the CVE details at NVD
Check vendor security advisories for your specific version
Test if the vulnerability is exploitable in your environment
Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴

Worst Case

Unauthorized users could delete all analytics data, causing loss of business intelligence and marketing campaign tracking capabilities.

🟠

Likely Case

Attackers read sensitive analytics data to gather intelligence about site visitors and marketing campaigns.

🟢

If Mitigated

With proper access controls, only authorized administrators can access analytics data as intended.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: LIKELY

Unauthenticated Exploit: ✅ No

Complexity: LOW

Exploitation requires authenticated access but only at Subscriber level, which is the lowest WordPress user role. The vulnerability is in the REST API endpoint authorization check.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.2.1 or later

Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3421671/popup-builder-block/trunk/includes/Routes/Popup.php

Restart Required: No

Instructions:

1. Log into WordPress admin panel. 2. Navigate to Plugins > Installed Plugins. 3. Find PopupKit plugin. 4. Click 'Update Now' if update is available. 5. Alternatively, download version 2.2.1+ from WordPress plugin repository and manually update.

🔧 Temporary Workarounds

Disable REST API Endpoint

all

Temporarily disable the vulnerable /popup/logs REST API endpoint

Add to theme's functions.php: add_filter('rest_endpoints', function($endpoints){ unset($endpoints['/popup/logs']); return $endpoints; });

Restrict User Roles

all

Temporarily restrict Subscriber and other low-level user roles

Use WordPress role management plugins to restrict access or temporarily disable low-level user accounts

🧯 If You Can't Patch

Implement network-level access controls to restrict access to WordPress REST API endpoints
Enable detailed logging for all REST API requests to /popup/logs endpoint for monitoring

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel > Plugins > Installed Plugins for PopupKit version. If version is 2.2.0 or lower, you are vulnerable.

Check Version:

wp plugin list --name=popup-builder-block --field=version (if WP-CLI installed)

Verify Fix Applied:

After updating, verify PopupKit version shows 2.2.1 or higher in WordPress admin plugins page.

📡 Detection & Monitoring

Log Indicators:

Unusual REST API requests to /wp-json/popup/logs from non-admin users
Multiple DELETE requests to analytics endpoints

Network Indicators:

HTTP requests to /wp-json/popup/logs with non-admin user agents
Unusual traffic patterns to WordPress REST API

SIEM Query:

source="wordpress.logs" AND (uri_path="/wp-json/popup/logs" AND user_role!="administrator")

📊 Metadata

CVE ID: CVE-2025-14895

CVSS v3 Score: 5.4 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

CWE: CWE-862

EPSS Score: 0.01% exploit probability (1.1th percentile)

Published: February 10, 2026

Last Updated: February 10, 2026

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-14895, you might also want to check these: