Threat Entry Updated 2026-02-10

CVE-2025-14895 - Popupkit Plugin

The PopupKit plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.2.0. This is due to the plugin not properly verifying that a user is authorized to access the /popup/logs REST API endpoint. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read and delete analytics data including device types, browser information, countries, referrer URLs, and campaign metrics.

PLUGIN Popupkit

CVE-2025-14895

MEDIUM CVSS 5.4 2026-02-10

Risk Score

Open Full Technical Breakdown

Threat Entry Updated 2026-01-08

CVE-2025-14441 - Popupkit Plugin

The Popupkit plugin for WordPress is vulnerable to arbitrary subscriber data deletion due to missing authorization on the DELETE `/subscribers` REST API endpoint in all versions up to, and including, 2.2.0. This is due to the `permission_callback` only validating wp_rest nonce without checking user capabilities. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary subscriber records.

PLUGIN Popupkit

CVE-2025-14441

MEDIUM CVSS 5.3 2026-01-06

Risk Score

Open Full Technical Breakdown