Description
The Popup builder with Gamification, Multi-Step Popups, Page-Level Targeting, and WooCommerce Triggers plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.1.4. This is due to insufficient validation on the URLs supplied via the URL parameter. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services, as well as conduct network reconnaissance. The vulnerability was partially patched in version 2.1.4.
Published: 2025-10-24
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Server-Side Request Forgery
Action: Immediate Patch
AI Analysis

Impact

The Popup builder plugin lacks validation on the URL parameter used in its FetchDemo route, allowing any user to direct the server to retrieve data from arbitrary URLs. This Server-Side Request Forgery grants unauthenticated attackers the ability to query internal services, alter data, or perform network reconnaissance, potentially exposing sensitive information or enabling further attacks.

Affected Systems

The affected product is the Popup builder with Gamification, Multi-Step Popups, Page-Level Targeting, and WooCommerce Triggers plugin distributed by Roxnor; all releases up to and including version 2.1.4 are vulnerable. The version 2.1.4 patch only partially mitigated the issue, so 2.1.4 itself and all earlier releases remain at risk.

Risk and Exploitability

The CVSS score of 7.5 indicates a high severity. The EPSS score is below 1%, suggesting low current exploitation probability, and the vulnerability is not listed in the CISA KEV catalog. Attackers can exploit the flaw by sending a crafted HTTP request containing a malicious URL to the plugin’s endpoint, with no authentication required. Successful exploitation could lead to arbitrary internal data exposure or manipulation.

Generated by OpenCVE AI on April 22, 2026 at 12:59 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the plugin to the latest released version (2.1.5 or newer) that fully resolves the vulnerability.
  • If an upgrade is not immediately possible, alter the plugin’s code to disable the FetchDemo route or enforce authentication and validate the URL parameter against a whitelist.
  • Deploy a web application firewall rule to block requests to the vulnerable endpoint or restrict outbound connections from the WordPress instance.

Generated by OpenCVE AI on April 22, 2026 at 12:59 UTC.
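A hardened version of the pattern the recommendations describe (require authentication, then validate the URL parameter against an allowlist before the server fetches it), written here as an added example and not the plugin's own code. The REST namespace and path, the `url` parameter name and the allowlisted host are assumptions; the WordPress functions used (register_rest_route, wp_parse_url, wp_safe_remote_get, current_user_can) are standard core APIs.

```php
<?php
// Added example, not the plugin's own code: a hardened demo-fetch REST route.
// Route namespace, path, parameter name and allowlist are assumed values.

const DEMO_FETCH_ALLOWED_HOSTS = array( 'demos.example.com' ); // assumed allowlist

/** Validate a user-supplied URL; return it, or a WP_Error explaining the rejection. */
function demo_fetch_validate_url( $url ) {
    $parts = wp_parse_url( (string) $url );
    if ( ! is_array( $parts ) || empty( $parts['scheme'] ) || empty( $parts['host'] ) ) {
        return new WP_Error( 'invalid_url', 'Malformed URL.', array( 'status' => 400 ) );
    }
    // Only https: this rules out file://, gopher://, dict:// and plain http.
    if ( 'https' !== strtolower( $parts['scheme'] ) ) {
        return new WP_Error( 'bad_scheme', 'Only https URLs are accepted.', array( 'status' => 400 ) );
    }
    // Embedded credentials and explicit ports are classic SSRF tricks; refuse both.
    if ( isset( $parts['user'] ) || isset( $parts['pass'] ) || isset( $parts['port'] ) ) {
        return new WP_Error( 'bad_url', 'Credentials and ports are not accepted.', array( 'status' => 400 ) );
    }
    // Exact-match host allowlist; prefix or substring checks are bypassable.
    if ( ! in_array( strtolower( $parts['host'] ), DEMO_FETCH_ALLOWED_HOSTS, true ) ) {
        return new WP_Error( 'host_not_allowed', 'Host is not on the allowlist.', array( 'status' => 403 ) );
    }
    return $url;
}

function demo_fetch_callback( WP_REST_Request $request ) {
    $url = demo_fetch_validate_url( $request->get_param( 'url' ) );
    if ( is_wp_error( $url ) ) {
        return $url;
    }
    // wp_safe_remote_get() also rejects URLs resolving to loopback or private
    // addresses, and redirection => 0 stops a redirect from reaching one.
    $response = wp_safe_remote_get( $url, array( 'timeout' => 5, 'redirection' => 0 ) );
    if ( is_wp_error( $response ) ) {
        return new WP_Error( 'fetch_failed', 'Upstream fetch failed.', array( 'status' => 502 ) );
    }
    return rest_ensure_response( array( 'body' => wp_remote_retrieve_body( $response ) ) );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'popup-demo/v1', '/fetch-demo', array( // assumed route
        'methods'             => 'GET',
        'callback'            => 'demo_fetch_callback',
        // Authenticated administrators only, instead of an open endpoint.
        'permission_callback' => function () { return current_user_can( 'manage_options' ); },
        'args'                => array( 'url' => array( 'required' => true, 'type' => 'string' ) ),
    ) );
} );
```

Name resolution still happens at fetch time, so the host allowlist is best paired with the outbound-connection restriction the third recommended action mentions.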


Advisories

No advisories yet.

History

Mon, 27 Oct 2025 22:30:00 +0000

Type: First Time appeared
Values Added: Popup Builder; Popup Builder popup Builder; Roxnor; Roxnor popup Builder; Woocommerce; Woocommerce woocommerce; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Popup Builder; Popup Builder popup Builder; Roxnor; Roxnor popup Builder; Woocommerce; Woocommerce woocommerce; Wordpress; Wordpress wordpress

Fri, 24 Oct 2025 13:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 24 Oct 2025 11:45:00 +0000

Type: Description
Values Added: The Popup builder with Gamification, Multi-Step Popups, Page-Level Targeting, and WooCommerce Triggers plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.1.4. This is due to insufficient validation on the URLs supplied via the URL parameter. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services, as well as conduct network reconnaissance. The vulnerability was partially patched in version 2.1.4.

Type: Title
Values Added: Popup builder with Gamification, Multi-Step Popups, Page-Level Targeting, and WooCommerce Triggers <= 2.1.4 - Unauthenticated Server-Side Request Forgery

Type: Weaknesses
Values Added: CWE-918

Type: References
Values Added:

Type: Metrics
Values Added: cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:56:20.864Z

Reserved: 2025-09-22T22:56:11.517Z

Link: CVE-2025-10861

Vulnrichment

Updated: 2025-10-24T12:18:59.740Z

NVD

Status : Deferred

Published: 2025-10-24T12:15:37.340

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-10861

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T13:00:09Z

Weaknesses