CVE-2025-14446 identifies a missing authorization vulnerability (CWE-862) in the Popup Builder (Easy Notify Lite) plugin for WordPress, developed by ghozylab. The vulnerability exists in the easynotify_cp_reset() function, which lacks a proper capability check, allowing any authenticated user with at least Subscriber-level access to invoke this function and reset the plugin’s settings to their default state. This flaw affects all versions up to and including 1.1.37. Since WordPress typically assigns Subscriber roles to users with minimal privileges, this vulnerability significantly lowers the attack barrier, enabling low-privilege users to disrupt plugin configurations. The vulnerability does not expose confidential data but compromises the integrity and availability of the plugin’s settings, potentially disrupting website functionality or user experience. The vulnerability can be exploited remotely without user interaction, increasing its risk profile. No patches or official fixes have been published yet, and no known exploits have been detected in the wild. The CVSS v3.1 score of 6.5 (medium severity) reflects the network attack vector, low attack complexity, no privileges required beyond Subscriber, no user interaction, and impact limited to integrity and availability. This vulnerability highlights the importance of proper authorization checks in WordPress plugins, especially those that allow configuration changes.

For European organizations, this vulnerability can lead to unauthorized resetting of plugin configurations on WordPress sites, potentially causing service disruptions, loss of customized settings, and degraded user experience. While it does not directly expose sensitive data, the integrity and availability impacts could affect customer-facing websites, marketing campaigns, or notification systems relying on the Popup Builder plugin. Organizations in sectors such as e-commerce, media, and online services that rely heavily on WordPress plugins for user engagement and notifications may experience operational interruptions. Attackers with minimal privileges could exploit this vulnerability to cause repeated resets, forcing administrators to spend time restoring configurations and investigating incidents, increasing operational costs and reducing trust in the affected websites. Additionally, if combined with other vulnerabilities or social engineering, this flaw could be part of a larger attack chain. The lack of known exploits in the wild currently reduces immediate risk, but the ease of exploitation and widespread use of WordPress in Europe necessitate proactive mitigation.

European organizations should immediately audit their WordPress installations to identify the presence of the Popup Builder (Easy Notify Lite) plugin, especially versions up to 1.1.37. Until an official patch is released, consider disabling the plugin or restricting access to users with higher privileges only, removing Subscriber-level users where possible. Implement strict role-based access controls to limit the number of users with authenticated access to the WordPress backend. Monitor logs for unusual activity related to plugin settings resets. Employ Web Application Firewalls (WAFs) with custom rules to detect and block unauthorized calls to the easynotify_cp_reset() function endpoint. Regularly back up plugin configurations and website data to enable quick restoration if unauthorized resets occur. Engage with the plugin vendor or community to track patch releases and apply updates promptly once available. Additionally, educate site administrators about the risks of granting unnecessary privileges to low-level users and enforce the principle of least privilege.