Authorization Bypass in PopupKit Plugin for WordPress
CVE-2025-14895

5.4MEDIUM

Key Information:

Vendor: WordPress
Status: Popup Builder With Gamification, Multi-step Popups, Page-level Targeting, And WooCommerce Triggers
Vendor: CVE Published:; 10 February 2026

What is CVE-2025-14895?

The PopupKit plugin for WordPress suffers from an authorization bypass flaw which affects all versions up to 2.2.0. The vulnerability arises because the plugin fails to correctly verify user permissions for accessing the /popup/logs REST API endpoint. This allows authenticated attackers, including those with merely Subscriber-level access, to gain unauthorized access to sensitive analytics data, such as device types, browser information, geographic location, referrer URLs, and campaign performance metrics. It is crucial for users to implement the latest security updates to mitigate this risk.

Affected Version(s)

Popup builder with Gamification, Multi-Step Popups, Page-Level Targeting, and WooCommerce Triggers 0 <= 2.2.0

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/popup-builder-...

CVSS V3.1

Score:

5.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Feb 10, 2026
Vulnerability Reserved
Dec 18, 2025

Credit

Dmitrii Ignatyev

CVE-2025-14895 Data

JSON