CVE-2025-14446 is a vulnerability classified under CWE-862 (Missing Authorization) found in the Popup Builder (Easy Notify Lite) plugin for WordPress, developed by ghozylab. The issue exists in the easynotify_cp_reset() function, which lacks proper capability checks before allowing the reset of plugin settings to their default state. This flaw affects all versions up to and including 1.1.37. Because the function does not verify whether the user has sufficient privileges, any authenticated user with Subscriber-level access or higher can invoke this function to reset the plugin's configuration without authorization. The vulnerability is exploitable remotely over the network without requiring additional user interaction, making it relatively easy to exploit once an attacker has a valid account on the WordPress site. The impact primarily concerns the integrity and availability of the plugin's settings, potentially disrupting notification functionalities or causing denial of service by resetting critical configurations. Although no public exploits have been reported, the medium CVSS score of 6.5 reflects the moderate risk posed by this vulnerability. The lack of an official patch at the time of publication necessitates immediate attention from site administrators. The vulnerability highlights the importance of implementing proper authorization checks in WordPress plugin functions that modify critical settings, especially those accessible to lower-privileged users.

The vulnerability allows unauthorized modification of plugin settings by any authenticated user with Subscriber-level access or above, which can lead to disruption of notification services provided by the Popup Builder plugin. This can degrade the availability and integrity of website functionalities relying on these notifications, potentially affecting user experience and business operations. Attackers could exploit this to reset configurations repeatedly, causing administrative overhead and potential denial of service conditions. While confidentiality is not directly impacted, the integrity and availability of the plugin's settings are compromised. Organizations relying on this plugin for critical notifications or marketing may face operational disruptions. Since exploitation requires only authenticated access, sites with weak or compromised user credentials are particularly vulnerable. The absence of known exploits reduces immediate risk but does not eliminate the threat, especially given the widespread use of WordPress and its plugins globally.

Administrators should immediately restrict access to the Popup Builder plugin settings by limiting Subscriber-level user capabilities or disabling accounts that do not require plugin interaction. Implementing strong authentication mechanisms, such as multi-factor authentication (MFA), can reduce the risk of unauthorized access by low-privileged users. Until an official patch is released, consider applying custom code to enforce capability checks on the easynotify_cp_reset() function or use security plugins that can monitor and block unauthorized REST API calls or AJAX requests related to this function. Regularly audit user roles and permissions to ensure minimal privilege principles are enforced. Monitoring logs for unusual reset activity can help detect exploitation attempts early. Additionally, keep the WordPress core and all plugins updated and subscribe to vendor advisories for timely patch deployment once available.