Description
Missing Authorization vulnerability in Nelio Software Nelio Popups nelio-popups allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Nelio Popups: from n/a through <= 1.3.5.
Published: 2026-02-03
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Access Control Bypass
Action: Patch
AI Analysis

Impact

The Nelio Popups plugin for WordPress contains a missing authorization flaw (CWE-862): the plugin does not verify that the requesting user holds the required capability before granting access to popup configuration and management functions, so users with insufficient privileges obtain full access to them. An attacker who can authenticate as a low-privilege user, or who holds such a user's session cookie, can therefore create, modify, or delete popups without proper authorization.

Affected Systems

Affected systems are WordPress sites running the Nelio Software Nelio Popups plugin at version 1.3.5 or earlier. The advisory gives no lower bound ("n/a"), so every release up to and including 1.3.5 should be treated as affected. Site owners running these versions should check the installed plugin version and whether an update is available.

Risk and Exploitability

The CVSS 3.1 base score for this issue is 4.3, Medium severity (vector AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N: reachable over the network, low privileges required, no user interaction, limited integrity impact). The EPSS score below 1% indicates a low probability of exploitation in the wild, and the vulnerability is not currently listed in the CISA KEV catalog. The flaw can be exploited remotely by users who hold a WordPress login session; the exact attack steps, and whether unauthenticated users can trigger it, are inferred from the description rather than stated directly. Should exploitation occur, the attacker could create or alter popups, which could be used for defacement or phishing. Administrators should treat this as low risk but apply mitigation promptly.

Generated by OpenCVE AI on April 16, 2026 at 17:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Nelio Popups plugin to the latest version, or apply any vendor‑available patch that addresses the access‑control flaw.
  • If an upgrade is not immediately possible, disable the Nelio Popups plugin or restrict its activation to trusted administrators only.
  • Implement strict role‑based access control in WordPress so that only users with the appropriate capabilities can access popup configuration and management pages.
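An added example (not Nelio Popups' code) of the missing-authorization pattern behind CWE-862 in a WordPress plugin, beside the capability check that closes it; the route, capability and option names are hypothetical.

```php
<?php
/*
 * Hypothetical plugin code (added example, not the plugin's own).
 * A REST route that manages popups is shown first without any
 * authorization check, then hardened with a permission_callback
 * that enforces a capability. Route, capability and option names
 * are assumptions for illustration.
 */

// Vulnerable pattern: permission_callback always returns true, so any
// request that reaches the endpoint may write popup settings.
function hypo_register_popup_route_vulnerable() {
    register_rest_route( 'hypo-popups/v1', '/popups', array(
        'methods'             => 'POST',
        'callback'            => 'hypo_save_popup',
        'permission_callback' => '__return_true',
    ) );
}

// Hardened pattern: require a capability that only administrators hold
// by default. For cookie-authenticated REST requests WordPress only sets
// the current user when a valid X-WP-Nonce is present, so this check
// also covers CSRF; without the nonce, current_user_can() is false.
function hypo_register_popup_route_hardened() {
    register_rest_route( 'hypo-popups/v1', '/popups', array(
        'methods'             => 'POST',
        'callback'            => 'hypo_save_popup',
        'permission_callback' => function ( WP_REST_Request $request ) {
            if ( ! current_user_can( 'manage_options' ) ) {
                return new WP_Error(
                    'rest_forbidden',
                    'You are not allowed to manage popups.',
                    array( 'status' => 403 )
                );
            }
            return true;
        },
        'args' => array(
            'title' => array(
                'required'          => true,
                'sanitize_callback' => 'sanitize_text_field',
            ),
        ),
    ) );
}
add_action( 'rest_api_init', 'hypo_register_popup_route_hardened' );

// Shared handler: only reached once permission_callback has passed.
function hypo_save_popup( WP_REST_Request $request ) {
    update_option( 'hypo_popup_title', $request->get_param( 'title' ) );
    return rest_ensure_response( array( 'saved' => true ) );
}
```

When auditing a plugin for this class of bug, grep for `permission_callback` values of `__return_true` and for `wp_ajax_` handlers that call neither `current_user_can()` nor `check_ajax_referer()`.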

Advisories

No advisories yet.

History

Wed, 04 Feb 2026 12:15:00 +0000

Type: First Time appeared
Values Added: Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Wordpress; Wordpress wordpress

Tue, 03 Feb 2026 15:15:00 +0000

Type: Metrics
Values Added:
  cvssV3_1: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}
  ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 03 Feb 2026 14:30:00 +0000

Type: Description
Values Added: Missing Authorization vulnerability in Nelio Software Nelio Popups nelio-popups allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Nelio Popups: from n/a through <= 1.3.5.

Type: Title
Values Added: WordPress Nelio Popups plugin <= 1.3.5 - Broken Access Control vulnerability

Type: Weaknesses
Values Added: CWE-862

Type: References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:14:41.816Z

Reserved: 2026-01-28T09:51:50.023Z

Link: CVE-2026-25016

Vulnrichment

Updated: 2026-02-03T14:54:39.868Z

NVD

Status : Deferred

Published: 2026-02-03T15:16:19.877

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-25016

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T17:30:26Z

Weaknesses