Primary

Context

Popupkit WordPress Plugin Missing Authorization Vulnerability Allows Arbitrary Subscriber Data Deletion

Vulnerability

A vulnerability exists in the Popupkit plugin for WordPress, specifically in versions through 2.2.0. The issue arises from a lack of proper authorization on the DELETE '/subscribers' REST API endpoint. The 'permission_callback' only verifies the wp_rest nonce without assessing user capabilities. This flaw enables authenticated users with Subscriber-level access or higher to delete any subscriber records.

Impact

Exploitation of this vulnerability allows for the unauthorized deletion of subscriber data.

Remediation

Users can update to version 2.2.1 or a newer patched version to address this vulnerability.

Added: Jan 6, 2026, 5:20 AM

Updated: Jan 6, 2026, 5:20 AM

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

0.6

exploitability

5.9

remediation

7.7

relevance

1.9

threat

3.2

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

0.6

exploitability

5.9

remediation

7.7

relevance

1.9

threat

3.2

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Popupkit WordPress Plugin Missing Authorization Vulnerability Allows Arbitrary Subscriber Data Deletion

Vulnerability

Impact

Remediation

Affected Products

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating