PT-2026-7245 · WordPress · Popupkit

Dmitry Ignatyev · Published 2026-02-10 · Updated 2026-02-10 · CVE-2025-14895

CVSS v3.1: 5.4 Medium
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions
PopupKit versions prior to 2.2.1

Description
The PopupKit plugin for WordPress is affected by an authorization bypass issue. The plugin does not properly verify user authorization when accessing the /popup/logs API endpoint. This allows authenticated attackers with Subscriber-level access or higher to read and delete analytics data, including device types, browser information, countries, referrer URLs, and campaign metrics.

Recommendations
Update PopupKit to version 2.2.1 or later.
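
The class of weakness described above, shown with the WordPress REST API as an added illustration; this is not PopupKit's code and not the vendor's patch. The `example/v1` namespace, the `example_*` function and option names, the `/popup/logs-weak` route and the choice of `manage_options` as the required capability are assumptions made for the example.

```php
<?php
// Illustrative only: NOT PopupKit's source. The namespace, handler names,
// option name and required capability are assumptions for this example.

add_action( 'rest_api_init', function () {

    // Weak pattern: the permission callback only confirms that a user is
    // logged in, so a Subscriber account passes and reaches the handler.
    register_rest_route( 'example/v1', '/popup/logs-weak', array(
        'methods'             => array( 'GET', 'DELETE' ),
        'callback'            => 'example_handle_logs',
        'permission_callback' => 'is_user_logged_in',
    ) );

    // Hardened pattern: the same route gated on a capability check.
    register_rest_route( 'example/v1', '/popup/logs', array(
        'methods'             => array( 'GET', 'DELETE' ),
        'callback'            => 'example_handle_logs',
        'permission_callback' => 'example_can_manage_logs',
    ) );
} );

// Authorization check: allow only users holding the assumed capability.
function example_can_manage_logs( WP_REST_Request $request ) {
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error(
            'rest_forbidden',
            'You are not allowed to access popup logs.',
            // 401 for anonymous requests, 403 for logged-in users.
            array( 'status' => rest_authorization_required_code() )
        );
    }
    return true;
}

// Placeholder storage in a single option; a real plugin would use its own table.
function example_handle_logs( WP_REST_Request $request ) {
    if ( 'DELETE' === $request->get_method() ) {
        delete_option( 'example_popup_logs' );
        return rest_ensure_response( array( 'deleted' => true ) );
    }
    return rest_ensure_response( get_option( 'example_popup_logs', array() ) );
}
```

When reviewing a plugin's REST routes for this weakness, check that every `register_rest_route()` call carries a `permission_callback` that tests a capability with `current_user_can()`, not only login state.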

Fix

Weakness Enumeration: Missing Authorization

Related Identifiers: CVE-2025-14895

Affected Products: Popupkit