Unauthorized Data Modification Vulnerability in Popup Builder by WordPress
CVE-2025-14446

6.5MEDIUM

Key Information:

Vendor: WordPress
Status: Popup Builder
Vendor: CVE Published:; 13 December 2025

What is CVE-2025-14446?

The Popup Builder (Easy Notify Lite) plugin for WordPress contains a security flaw that allows authenticated attackers with Subscriber-level access or higher to tamper with its settings. This is due to a lack of a capability check in the easynotify_cp_reset() function, which allows for unauthorized resetting of plugin configurations to default values. This vulnerability threatens the integrity of user data and the intended functionality of the plugin, making it imperative for users to review their security measures.

Affected Version(s)

Popup Builder * <= 1.1.37

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/easy-notify-li...

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Dec 13, 2025
Vulnerability Reserved
Dec 10, 2025

Credit

Athiwat Tiprasaharn

JSON