Server-Side Request Forgery in Popup Builder for WordPress
CVE-2025-10861

7.5HIGH

Key Information:

Vendor: WordPress
Status: Popup Builder With Gamification, Multi-step Popups, Page-level Targeting, And WooCommerce Triggers
Vendor: CVE Published:; 24 October 2025

What is CVE-2025-10861?

The Popup Builder with Gamification, Multi-Step Popups, Page-Level Targeting, and WooCommerce Triggers plugin for WordPress is exploitable through Server-Side Request Forgery due to insufficient URL validation. This allows unauthenticated attackers to issue web requests to unauthorized locations, potentially allowing information retrieval and modification from internal services, as well as the ability to conduct network reconnaissance activities. While a partial patch was introduced in version 2.1.4, users of the affected versions should remain vigilant and apply all recommended security measures.

Affected Version(s)

Popup builder with Gamification, Multi-Step Popups, Page-Level Targeting, and WooCommerce Triggers * <= 2.1.4

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/popup-builder-...

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Oct 24, 2025
Vulnerability Reserved
Sep 22, 2025

Credit

Rafshanzani Suhada

JSON