Description
The Popupkit plugin for WordPress is vulnerable to arbitrary subscriber data deletion due to missing authorization on the DELETE `/subscribers` REST API endpoint in all versions up to, and including, 2.2.0. This is due to the `permission_callback` only validating wp_rest nonce without checking user capabilities. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary subscriber records.
Published: 2026-01-06
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary Subscriber Data Deletion
Action: Apply Patch
AI Analysis

Impact

The Popup Builder plugin for WordPress contains a missing authorization check on the DELETE `/subscribers` REST API endpoint. The endpoint accepts a wp_rest nonce but does not verify that the authenticated user has sufficient capabilities. As a result, any authenticated user with Subscriber-level access or higher can delete arbitrary subscriber records. This allows attackers to remove subscriber data, potentially causing loss of contact information and disrupting marketing or communication functionality. The weak point is the lack of capability verification, which is a typical Missing Authorization weakness (CWE-862).

Affected Systems

The issue affects the Popup Builder plugin from roxnor, specifically all released versions up to and including 2.2.0. Users running any of these versions on a WordPress site are vulnerable. The vulnerability is present on the REST API route responsible for subscriber deletion.

Risk and Exploitability

The CVSS score of 4.3 indicates moderate impact. The EPSS score of less than 1% suggests that exploitation is currently unlikely. The vulnerability is not listed in the CISA KEV catalog. Attackers would need to be authenticated with at least Subscriber privilege to exploit the flaw. Because the endpoint relies only on a nonce, any authenticated user with Subscriber-level access or above can send a DELETE request and wipe subscriber records without any further authorization check. The practical risk is data loss for sites using the plugin, but the limited exploitation potential and low EPSS score make it a moderate priority.

Generated by OpenCVE AI on April 21, 2026 at 16:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Popup Builder to a version later than 2.2.0 that includes proper capability checks for the DELETE `/subscribers` endpoint.
  • Configure the WordPress REST API or security plugins to restrict access to the `/subscribers` DELETE route to users with Administrator privileges only.
  • As a temporary workaround, disable the subscriber delete functionality by adding code to the theme’s functions.php or using a custom plugin that hooks into `rest_pre_dispatch` to block DELETE requests to `/subscribers`.
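The two defensive patterns referred to above (a `permission_callback` that checks a capability rather than only the nonce, and a `rest_pre_dispatch` workaround that blocks DELETE requests to `/subscribers`), as an added example that is not the plugin's own code. The nonce-only callback is an illustrative reconstruction of the weak pattern the description reports, not the plugin's source; the route regex and the `manage_options` capability are assumptions, since the page does not give the plugin's REST namespace or its intended role for subscriber deletion.

```php
<?php
// Added example, not code from the Popupkit/Popup Builder plugin.

// Weak pattern as the advisory describes it (illustrative reconstruction):
// every logged-in user, including Subscribers, receives a valid wp_rest nonce,
// so checking only the nonce authenticates the request but never authorizes it.
function example_weak_permission( WP_REST_Request $request ) {
    return (bool) wp_verify_nonce( $request->get_header( 'X-WP-Nonce' ), 'wp_rest' );
}

// Hardened pattern: WordPress already rejects a bad wp_rest nonce before the
// permission_callback runs, so the callback's job is authorization. Capability
// 'manage_options' (administrators) is an assumed choice for deleting subscribers.
function example_subscribers_delete_permission( WP_REST_Request $request ) {
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error(
            'rest_forbidden',
            'You are not allowed to delete subscribers.',
            array( 'status' => rest_authorization_required_code() ) // 401 or 403
        );
    }
    return true;
}

// Site-side workaround until the plugin is updated: refuse any DELETE request
// whose route contains /subscribers unless the caller is an administrator.
// The regex is an assumption; it also covers routes like /subscribers/123.
add_filter( 'rest_pre_dispatch', function ( $result, $server, $request ) {
    if ( 'DELETE' !== $request->get_method() ) {
        return $result; // not a delete, let WordPress dispatch normally
    }
    if ( ! preg_match( '#/subscribers(/|$)#', $request->get_route() ) ) {
        return $result; // some other route, not our concern
    }
    if ( current_user_can( 'manage_options' ) ) {
        return $result; // administrator: allow the plugin's own handler to run
    }
    // Returning a WP_Error short-circuits dispatch and is sent as the response.
    return new WP_Error(
        'rest_forbidden',
        'DELETE /subscribers is restricted to administrators on this site.',
        array( 'status' => 403 )
    );
}, 10, 3 );
```

Place the filter in a small must-use plugin rather than the theme's functions.php so it survives theme switches; remove it once the plugin ships its own capability check.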


Tracking


Advisories

No advisories yet.

History

Wed, 08 Apr 2026 17:45:00 +0000

Type: Metrics (cvssV3_1)
Values Removed: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}
Values Added: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}


Tue, 06 Jan 2026 15:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 06 Jan 2026 14:30:00 +0000

Type: First Time appeared
Values Added: Roxnor; Roxnor popup Builder; Wordpress; Wordpress wordpress
Type: Vendors & Products
Values Added: Roxnor; Roxnor popup Builder; Wordpress; Wordpress wordpress

Tue, 06 Jan 2026 05:00:00 +0000

Type: Description
Values Added: The Popupkit plugin for WordPress is vulnerable to arbitrary subscriber data deletion due to missing authorization on the DELETE `/subscribers` REST API endpoint in all versions up to, and including, 2.2.0. This is due to the `permission_callback` only validating wp_rest nonce without checking user capabilities. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary subscriber records.
Type: Title
Values Added: Popupkit <= 2.2.0 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Subscriber Data Deletion
Type: Weaknesses
Values Added: CWE-862
Type: References
Type: Metrics (cvssV3_1)
Values Added: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}


Subscriptions

Roxnor Popup Builder
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:50:20.931Z

Reserved: 2025-12-10T13:07:03.705Z

Link: CVE-2025-14441

Vulnrichment

Updated: 2026-01-06T14:36:18.415Z

NVD

Status : Deferred

Published: 2026-01-06T05:15:59.207

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-14441

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T17:00:12Z

Weaknesses