CVE-2025-14441
Authorization Bypass in Popupkit Plugin Allows Subscriber Data Deletion
Publication date: 2026-01-06
Last updated on: 2026-04-08
Assigner: Wordfence
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| unknown_vendor | popupkit | up to 2.2.0 (inclusive) |
| unknown_vendor | popup_builder_block | 2.2.0 |
| unknown_vendor | popup_builder_block | 2.2.1 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in the Popupkit WordPress plugin (up to version 2.2.0) allows authenticated users with Subscriber-level access or higher to delete arbitrary subscriber records via the DELETE /subscribers REST API endpoint. This happens because the permission check only validates a WordPress REST nonce and does not verify the user's capabilities, so the endpoint lacks proper authorization. As a result, attackers can exploit this flaw to delete subscriber data they should not have permission to remove. [1, 3]
How can this vulnerability impact me?
This vulnerability can impact you by allowing attackers with Subscriber-level access or above to delete subscriber data arbitrarily. This could lead to loss of important subscriber information, disruption of marketing or communication campaigns, and potential damage to your user database integrity. Since the deletion is unauthorized, it could also be used maliciously to sabotage subscriber records or cause data inconsistencies. [1, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
You can detect this vulnerability by monitoring REST API DELETE requests to the /subscribers endpoint on your WordPress site using the Popupkit plugin (version 2.2.0 or earlier). Look for DELETE requests that include subscriber IDs in the request body. Commands to detect such activity could include using curl to test the endpoint or using network monitoring tools to capture HTTP DELETE requests. For example, you can use curl to attempt a DELETE request with a nonce header to see if unauthorized deletion is possible: curl -X DELETE https://yourwordpresssite.com/wp-json/popup-builder-block/v1/subscribers -H 'X-WP-Nonce: <nonce>' -d '{"id": [1,2,3]}' -H 'Content-Type: application/json'. Additionally, monitoring your web server logs or using tools like Wireshark or tcpdump to filter DELETE requests to /subscribers can help detect exploitation attempts. [1, 3]
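As an added example (not part of the original page or the plugin's code), the following log check implements the server-log monitoring described above: it parses combined-format access-log lines, isolates DELETE requests to the /wp-json/popup-builder-block/v1/subscribers route named on this page, and separates deletions the server accepted (2xx) from ones it rejected. The log lines are constructed samples, and the route prefix is assumed to be the one shown in the curl command above.

```python
import re
from dataclasses import dataclass

# Constructed sample access-log lines (combined log format); not taken from a real server.
SAMPLE_LOG = """\
203.0.113.10 - - [06/Jan/2026:10:01:02 +0000] "GET /wp-json/popup-builder-block/v1/subscribers HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [06/Jan/2026:10:01:05 +0000] "DELETE /wp-json/popup-builder-block/v1/subscribers HTTP/1.1" 200 31 "-" "curl/8.4.0"
198.51.100.7 - - [06/Jan/2026:10:02:11 +0000] "DELETE /wp-json/popup-builder-block/v1/subscribers?_wpnonce=abc HTTP/1.1" 403 60 "-" "Mozilla/5.0"
192.0.2.5 - - [06/Jan/2026:10:03:00 +0000] "POST /wp-json/popup-builder-block/v1/subscribers HTTP/1.1" 201 40 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [timestamp] "METHOD path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Route taken from the curl command on this page; assumed to be the plugin's actual REST prefix.
SUBSCRIBERS_ROUTE = "/wp-json/popup-builder-block/v1/subscribers"


@dataclass
class Finding:
    ip: str
    ts: str
    status: int
    ua: str
    succeeded: bool  # True when the server answered 2xx, i.e. the deletion most likely went through


def find_subscriber_deletes(log_text: str) -> list[Finding]:
    """Return every DELETE against the subscribers route, flagging 2xx responses as likely deletions."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        path = m.group("path").split("?", 1)[0]  # drop the query string (e.g. a _wpnonce parameter)
        if m.group("method") == "DELETE" and path == SUBSCRIBERS_ROUTE:
            status = int(m.group("status"))
            findings.append(Finding(m.group("ip"), m.group("ts"), status, m.group("ua"), 200 <= status < 300))
    return findings


if __name__ == "__main__":
    for f in find_subscriber_deletes(SAMPLE_LOG):
        verdict = "SUCCESSFUL deletion" if f.succeeded else "rejected attempt"
        print(f"{f.ts} {f.ip} {verdict} (HTTP {f.status}, UA {f.ua!r})")
```

On a patched site (2.2.1 or later) a DELETE from a Subscriber-level account should appear with a 401 or 403 status; a 2xx from a low-privilege account is the signal worth investigating.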
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include updating the Popupkit plugin to version 2.2.1 or later, where the vulnerability has been addressed. If updating is not immediately possible, restrict access to the REST API DELETE /subscribers endpoint by limiting permissions to trusted users only, or disable the endpoint temporarily if feasible. Additionally, monitor subscriber deletion activities closely and audit user roles to ensure that only authorized users have Subscriber-level access or higher. Implementing Web Application Firewall (WAF) rules to block unauthorized DELETE requests to this endpoint can also help mitigate exploitation. [4]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows authenticated attackers with Subscriber-level access and above to delete arbitrary subscriber records due to missing proper authorization on the DELETE /subscribers REST API endpoint. This unauthorized deletion of subscriber data could lead to non-compliance with data protection regulations such as GDPR or HIPAA, which require proper controls over personal data access and modification. However, the provided resources do not explicitly discuss compliance impacts or regulatory considerations. [1, 3]