CVE-2026-25016
Missing Authorization in Nelio Popups β€1.3.5 Enables Unauthorized Access
Publication date: 2026-02-03
Last updated on: 2026-02-03
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| nelio_software | nelio_popups | to 1.3.5 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability is a Broken Access Control issue allowing users with Contributor or Developer privileges to perform actions reserved for higher-privileged roles. However, the CVSS score of 4.3 indicates a low impact and low priority risk.
There is no specific information provided about how this vulnerability directly affects compliance with common standards and regulations such as GDPR or HIPAA.
Can you explain this vulnerability to me?
CVE-2026-25016 is a Broken Access Control vulnerability in the WordPress Nelio Popups Plugin versions up to and including 1.3.5.
This issue arises from missing authorization, authentication, or nonce token checks within certain functions, allowing unprivileged users (with Contributor or Developer privileges) to perform actions reserved for higher-privileged roles.
It is classified under the OWASP Top 10 category A1: Broken Access Control.
How can this vulnerability impact me? :
The vulnerability allows users with lower privileges (Contributor or Developer) to perform actions that should be restricted to higher-privileged roles.
However, the CVSS severity score is 4.3, indicating a low impact and low priority risk.
It is considered unlikely to be exploited due to its low severity.
Users are advised to update to version 1.3.6 or later to mitigate the risk.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': 'This vulnerability arises from missing authorization checks in the Nelio Popups WordPress plugin versions up to 1.3.5, allowing users with Contributor or Developer privileges to perform unauthorized actions.'}, {'type': 'paragraph', 'content': 'Detection involves verifying the plugin version installed on your WordPress site and checking for unauthorized privilege escalations or actions performed by lower-privileged users.'}, {'type': 'paragraph', 'content': 'You can detect the vulnerable plugin version by running the following WP-CLI command to list installed plugins and their versions:'}, {'type': 'list_item', 'content': 'wp plugin list --format=table'}, {'type': 'paragraph', 'content': "Look specifically for 'nelio-popups' and check if its version is less than or equal to 1.3.5."}, {'type': 'paragraph', 'content': 'Additionally, you can audit user actions or logs to identify if users with Contributor or Developer roles are performing actions reserved for higher-privileged roles.'}] [1]
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to update the Nelio Popups plugin to version 1.3.6 or later, where this vulnerability has been fixed.
If immediate updating is not possible, restrict user roles to prevent Contributors or Developers from performing sensitive actions until the patch can be applied.
Consider using automated update tools such as Patchstack to rapidly apply security patches for vulnerable plugins.
Review and tighten access control configurations within your WordPress installation to minimize the risk of unauthorized privilege escalation.