CVE-2025-14441 is a vulnerability classified under CWE-862 (Missing Authorization) found in the Popupkit plugin for WordPress, which provides features like Gamification, Multi-Step Popups, Page-Level Targeting, and WooCommerce Triggers. The issue exists because the DELETE /subscribers REST API endpoint does not properly enforce authorization beyond validating the wp_rest nonce. Specifically, the permission_callback function fails to check the user's capabilities, allowing any authenticated user with Subscriber-level privileges or higher to delete arbitrary subscriber records. This flaw compromises the integrity of subscriber data by enabling unauthorized deletion. The vulnerability affects all versions of the plugin up to and including 2.2.0. The CVSS v3.1 base score is 5.3 (medium severity), reflecting that the attack vector is network-based, requires no user interaction, and no privileges beyond authentication are needed. Confidentiality and availability are not impacted, but integrity is compromised. No public exploits have been reported to date. The vulnerability is significant because subscriber data is often critical for marketing and customer engagement, and unauthorized deletion can disrupt business operations and customer relations. The root cause is an insufficient permission check in the REST API endpoint, a common security oversight in WordPress plugin development. Remediation will require patching the plugin to implement proper capability checks in the permission_callback or restricting access to the endpoint to trusted roles only.

The primary impact of CVE-2025-14441 is the unauthorized deletion of subscriber data, which undermines data integrity and can disrupt marketing campaigns, customer engagement, and business analytics relying on subscriber information. Organizations relying on the Popupkit plugin for managing subscribers, especially those integrating WooCommerce for e-commerce, may face operational disruptions and loss of valuable subscriber data. Although confidentiality and availability are not directly affected, the loss of subscriber records can lead to reputational damage, loss of customer trust, and potential financial impact due to interrupted marketing workflows. Attackers with subscriber-level access, which is a low privilege level, can exploit this vulnerability, increasing the risk surface. The vulnerability does not require user interaction and can be exploited remotely over the network, making it easier for attackers within the authenticated user base to abuse. This risk is particularly relevant for websites with multiple users or where subscriber accounts are common, such as membership sites or e-commerce platforms. The absence of known exploits in the wild currently reduces immediate risk but does not eliminate the potential for future attacks.

To mitigate CVE-2025-14441, organizations should: 1) Monitor for and apply official patches or updates from roxnor as soon as they are released that address the missing authorization checks. 2) Until patches are available, restrict access to the DELETE /subscribers REST API endpoint by implementing custom permission callbacks that verify user capabilities beyond nonce validation, ensuring only authorized roles (e.g., administrators) can perform deletions. 3) Review and tighten WordPress user roles and permissions to minimize the number of users with subscriber-level or higher access, especially on sites with many registered users. 4) Employ Web Application Firewalls (WAFs) to detect and block suspicious REST API calls targeting subscriber deletion endpoints. 5) Conduct regular backups of subscriber data to enable recovery in case of unauthorized deletions. 6) Audit logs for unusual subscriber deletion activity to detect potential exploitation attempts. 7) Educate site administrators and developers on secure REST API endpoint design and the importance of capability checks in permission callbacks to prevent similar issues in the future.