Description
The Popover Windows plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on multiple ajax actions (e.g., pop_submit, poptheme_submit) in all versions up to, and including, 1.2. This makes it possible for authenticated attackers, with subscriber-level access and above, to modify the plugin's settings and content.
Published: 2025-12-13
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized configuration modification
Action: Update Plugin
AI Analysis

Impact

The Popover Windows WordPress plugin contains a missing capability check on multiple AJAX actions such as pop_submit and poptheme_submit. This omission is a CWE-862 (Missing Authorization) weakness: any authenticated user with subscriber-level access or higher can modify the plugin's settings and content through AJAX. The result is unauthorized configuration changes that can alter how pop-over windows display and behave on the site.

Affected Systems

The affected product is the Popover Windows plugin from melodicmedia, all releases up to and including version 1.2. WordPress sites hosting any of these versions are vulnerable. No specific CPE string is available in the data.

Risk and Exploitability

The CVSS score of 4.3 indicates a moderate risk, and the EPSS score of less than 1% suggests a very low probability of exploitation. Because the flaw requires authenticated access, an attacker must be logged in as a subscriber or higher; there is no remote code execution. The vulnerability is not listed in the CISA KEV catalog, implying it has not been publicly exploited at scale. The author of the plugin should prioritize fixing the missing capability checks, and site owners should apply the fix once available.

Generated by OpenCVE AI on April 22, 2026 at 20:33 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Popover Windows to the latest version that includes the missing capability checks for AJAX actions.
  • Review all pop‑over settings to confirm no unauthorized changes were made.
  • If an update is not available, disable or remove the vulnerable AJAX actions, or use a security plugin to enforce higher capability requirements for these endpoints.
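As an added illustration of the third recommendation (this is example code written for this page, not the plugin's own code), the block below shows a WordPress AJAX handler for the pop_submit action first in the shape the advisory describes, with no capability check, and then hardened with a capability check, a nonce check and input sanitization. The option name popover_settings, the settings fields and the nonce action name are assumptions made for the example.

```php
<?php
// Added example, not the plugin's code. Option name, fields and nonce
// action name ('popover_settings_nonce') are hypothetical.

// Pattern the advisory describes: wp_ajax_{action} only requires that the
// caller be logged in, so without a capability check a subscriber can
// overwrite the plugin's settings.
function popover_example_submit_unchecked() {
    // Missing: current_user_can() and check_ajax_referer().
    $raw = isset( $_POST['settings'] ) ? wp_unslash( $_POST['settings'] ) : array();
    update_option( 'popover_settings', $raw );
    wp_send_json_success();
}

// Hardened handler: authorize, verify the nonce, then sanitize each field.
function popover_example_submit_hardened() {
    // Only users who may manage options (administrators by default) proceed.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // Reject requests that do not carry a valid nonce for this action (CSRF protection).
    check_ajax_referer( 'popover_settings_nonce', 'nonce' );

    $raw = ( isset( $_POST['settings'] ) && is_array( $_POST['settings'] ) )
        ? wp_unslash( $_POST['settings'] )
        : array();

    // Whitelist the expected fields and coerce each to its intended type.
    $clean = array(
        'title'   => sanitize_text_field( isset( $raw['title'] ) ? $raw['title'] : '' ),
        'enabled' => empty( $raw['enabled'] ) ? 0 : 1,
        'delay'   => absint( isset( $raw['delay'] ) ? $raw['delay'] : 0 ),
    );

    update_option( 'popover_settings', $clean );
    wp_send_json_success( $clean );
}

// Register the hardened handler for logged-in requests to admin-ajax.php?action=pop_submit.
// The hook itself does not restrict which logged-in users may call it; that is
// what the current_user_can() check inside the handler is for.
add_action( 'wp_ajax_pop_submit', 'popover_example_submit_hardened' );
```

The admin page that issues the request would generate the matching nonce with wp_create_nonce( 'popover_settings_nonce' ) and send it as the nonce POST field. When reviewing a plugin for this class of bug, look at every wp_ajax_ and wp_ajax_nopriv_ callback that writes data and confirm it performs both a capability check and a nonce check before the write.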


Advisories

No advisories yet.

History

Mon, 15 Dec 2025 16:15:00 +0000

  Type: Metrics (ssvc)
  Values Removed: (none)
  Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sun, 14 Dec 2025 21:30:00 +0000

  Type: First Time appeared
  Values Removed: (none)
  Values Added: Wordpress; Wordpress wordpress

  Type: Vendors & Products
  Values Removed: (none)
  Values Added: Wordpress; Wordpress wordpress

Sat, 13 Dec 2025 04:45:00 +0000

  Type: Description
  Values Removed: (none)
  Values Added: The Popover Windows plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on multiple ajax actions (e.g., pop_submit, poptheme_submit) in all versions up to, and including, 1.2. This makes it possible for authenticated attackers, with subscriber-level access and above, to modify the plugin's settings and content.

  Type: Title
  Values Removed: (none)
  Values Added: Popover Windows <= 1.2 - Missing Authorization to Authenticated (Subscriber+) Popover Configuration Update via AJAX Actions

  Type: Weaknesses
  Values Removed: (none)
  Values Added: CWE-862

  Type: References
  Values Removed: (none)
  Values Added: (none listed)

  Type: Metrics (cvssV3_1)
  Values Removed: (none)
  Values Added: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:35:09.057Z

Reserved: 2025-12-09T22:14:48.782Z

Link: CVE-2025-14395

Vulnrichment

Updated: 2025-12-15T15:43:47.639Z

NVD

Status: Deferred

Published: 2025-12-13T16:16:49.260

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-14395

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T20:45:27Z

Weaknesses