CVE-2025-14895 in PopupKit Plugin
Summary
by MITRE • 02/10/2026
The PopupKit plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.2.0. This is due to the plugin not properly verifying that a user is authorized to access the /popup/logs REST API endpoint. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read and delete analytics data including device types, browser information, countries, referrer URLs, and campaign metrics.
Analysis
by VulDB Data Team • 02/10/2026
The vulnerability identified as CVE-2025-14895 affects the PopupKit plugin for WordPress, a widely used tool for creating and managing popups on websites. This authorization bypass exists in all versions up to and including 2.2.0 and undermines the plugin's user data protection mechanisms. It stems from insufficient access control validation in the plugin's REST API implementation, specifically the /popup/logs endpoint that handles analytics data collection and retrieval. The flaw lets attackers with minimal privileges bypass the intended access controls and reach information that should remain restricted to authorized personnel.
Technically, the vulnerability lies in the plugin's failure to validate user permissions when the REST API endpoint is accessed. It is classified under CWE-863 (Incorrect Authorization): the system does not correctly verify that an authenticated user holds sufficient privileges to perform a given operation. The affected endpoint lacks the capability checks that would normally confirm a user may read or modify analytics data, so the standard WordPress role-and-capability model that governs data access is never consulted. The endpoint is designed to provide programmatic access to popup analytics but does not enforce the access controls that access requires.
The operational impact extends beyond simple data exposure, because the endpoint hands an attacker comprehensive analytics data that can support further malicious activity. Subscribers and users with higher privileges can retrieve device types, browser information, geographic location data, referrer URLs, and campaign metrics that reveal visitor behaviour patterns and site traffic characteristics. That intelligence can feed competitive analysis, social engineering, or targeted phishing campaigns. The ability to delete analytics data adds a data integrity and operational disruption risk, since attackers can remove historical records needed to understand user engagement and marketing campaign effectiveness.
From a threat modeling perspective, this vulnerability aligns with ATT&CK technique T1213.002 (data from information repositories), here targeting analytics and logging data. It allows a Subscriber-level account to reach data that its role should not be able to access or delete, a significant risk to website owners and their users. Organizations running affected versions of PopupKit should update the plugin immediately, harden access controls, and monitor for requests to the affected REST endpoint from low-privilege accounts. The case illustrates the importance of correct authorization checks in web applications, particularly those handling user analytics and behavioural data. Security teams should audit all WordPress plugins for similar authorization bypass issues and confirm that every REST API endpoint validates user permissions before granting access to sensitive data.
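The missing capability check described in the analysis and the access control hardening recommended above, as an added illustrative example that is not PopupKit's own code: a REST route under a /popup/logs path registered with a weak permission callback next to a hardened one. The namespace example-popups/v1, the function names, the option-based storage and the manage_options capability are assumptions.

```php
<?php
// Added illustrative example, not PopupKit's code. The namespace, function
// names, storage and the capability used are assumptions.

// Weak: any authenticated user (Subscriber and up) passes this check, which is
// the class of flaw in the advisory (CWE-863). Do not use for analytics routes.
function example_weak_logs_permission() {
    return is_user_logged_in();
}

// Hardened: require an administrator-level capability and return WP_Error
// so the client receives 401/403 instead of the data.
function example_logs_permission() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error(
            'rest_forbidden',
            __( 'You are not allowed to access popup analytics.', 'example-popups' ),
            array( 'status' => rest_authorization_required_code() )
        );
    }
    return true;
}

// Handlers: storage in a single option is assumed for the example.
function example_get_popup_logs() {
    return rest_ensure_response( get_option( 'example_popup_logs', array() ) );
}

function example_delete_popup_logs() {
    delete_option( 'example_popup_logs' );
    return rest_ensure_response( array( 'deleted' => true ) );
}

add_action( 'rest_api_init', function () {
    // Both the read and the delete operation share the hardened permission check;
    // a registration using example_weak_logs_permission is the vulnerable shape.
    register_rest_route( 'example-popups/v1', '/popup/logs', array(
        array(
            'methods'             => WP_REST_Server::READABLE,
            'callback'            => 'example_get_popup_logs',
            'permission_callback' => 'example_logs_permission',
        ),
        array(
            'methods'             => WP_REST_Server::DELETABLE,
            'callback'            => 'example_delete_popup_logs',
            'permission_callback' => 'example_logs_permission',
        ),
    ) );
} );
```

When auditing a plugin, grep its register_rest_route calls for permission_callback values of __return_true or is_user_logged_in on routes that expose or delete data.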