CVE-2025-14441 is a vulnerability classified under CWE-862 (Missing Authorization) found in the Popupkit WordPress plugin developed by roxnor, which provides features such as Gamification, Multi-Step Popups, Page-Level Targeting, and WooCommerce Triggers. The vulnerability exists in the REST API endpoint DELETE /subscribers, which is intended to allow deletion of subscriber records. The root cause is that the permission_callback function only validates the wp_rest nonce, a token designed to prevent CSRF attacks, but fails to verify the user's capabilities or roles. Consequently, any authenticated user with at least Subscriber-level access can invoke this endpoint to delete arbitrary subscriber data. This bypass of authorization controls compromises data integrity by enabling unauthorized data deletion. The vulnerability affects all versions up to and including 2.2.0 of the plugin. The CVSS 3.1 base score is 5.3 (medium severity), reflecting that the attack vector is network-based, requires low attack complexity, no privileges beyond subscriber-level, no user interaction, and impacts integrity only without affecting confidentiality or availability. There are no known exploits in the wild at this time. The vulnerability was published on January 6, 2026, and no official patches have been linked yet. Given the plugin’s integration with WooCommerce and its use in marketing and subscriber management workflows, exploitation could disrupt subscriber data and marketing operations.

For European organizations, this vulnerability poses a risk primarily to the integrity of subscriber data managed through the Popupkit plugin. Unauthorized deletion of subscriber records can lead to loss of customer data, disruption of marketing campaigns, and potential compliance issues under GDPR due to data manipulation without proper authorization. While confidentiality and availability are not directly impacted, the integrity breach could undermine trust in data accuracy and operational continuity. Organizations relying on WooCommerce and targeted popup campaigns for customer engagement and sales conversions may experience operational setbacks. Additionally, attackers with minimal privileges can exploit this flaw, increasing the risk from insider threats or compromised low-level accounts. The absence of known exploits reduces immediate risk but does not eliminate the threat, especially as the vulnerability is publicly disclosed. European entities with large e-commerce footprints or extensive subscriber databases are particularly vulnerable to data integrity attacks that could affect customer relations and regulatory compliance.

To mitigate CVE-2025-14441, European organizations should immediately audit their WordPress environments for the presence of the Popupkit plugin and verify the version in use. Since no official patch is currently linked, temporary mitigations include restricting access to the REST API endpoints by implementing additional authorization checks at the web server or application firewall level, such as IP whitelisting or user role restrictions. Administrators can also disable or restrict the DELETE /subscribers endpoint via custom code or REST API filters to enforce capability checks beyond nonce validation. Monitoring and logging REST API calls related to subscriber data deletion can help detect suspicious activity. Organizations should also review user roles and permissions to minimize the number of users with Subscriber-level or higher access, applying the principle of least privilege. Once an official patch is released, prompt application is critical. Additionally, regular backups of subscriber data should be maintained to enable recovery from unauthorized deletions. Finally, educating users about the risk of compromised low-privilege accounts can reduce exploitation likelihood.