CVE-2025-68502

2025-12-29

Lifecycle Timeline

- Analysis Generated: Apr 01, 2026 - 17:44 (vuln.today)
- CVE Published: Dec 29, 2025 - 22:15 (nvd)

Description

Authorization Bypass Through User-Controlled Key vulnerability in Crocoblock JetPopup jet-popup allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects JetPopup: from n/a through <= 2.0.20.1.

Analysis

Authorization Bypass in Crocoblock JetPopup WordPress plugin through version 2.0.20.1 allows attackers to exploit incorrectly configured access control security levels via user-controlled keys, enabling unauthorized access to protected popup content and functionality. EPSS score of 0.04% indicates low exploitation probability despite the authorization flaw; no public exploit code or active exploitation has been identified.

Technical Context

JetPopup is a WordPress plugin for creating and managing popups with conditional display logic and access controls. The vulnerability is classified as CWE-639 (Authorization Bypass Through User-Controlled Key), a flaw in which access control decisions depend on user-supplied identifiers or keys that are not properly validated server-side. In this case, the plugin fails to enforce proper authorization checks when determining whether a user should have access to specific popup configurations or content, allowing attackers to manipulate request parameters (likely popup IDs or access tokens) to bypass the intended restrictions. No explicit CPE is given; the affected product is the WordPress JetPopup plugin, from its unspecified initial release through version 2.0.20.1.

Affected Products

Crocoblock JetPopup WordPress plugin is affected in all versions from the initial release through and including version 2.0.20.1. The plugin is distributed via the WordPress.org plugin repository and is subject to WordPress and PHP environment dependencies.

Remediation

Upgrade JetPopup to a version beyond 2.0.20.1; consult the Patchstack vulnerability database entry at https://patchstack.com/database/Wordpress/Plugin/jet-popup for the specific patched version number and release date. As an immediate interim measure, review and manually verify access control rules configured within JetPopup's security level settings to ensure popup access restrictions are correctly enforced. If a patched version is not immediately available, consider disabling or restricting access to JetPopup functionality until the patch is released, or implement Web Application Firewall (WAF) rules to block requests with suspicious or manipulated popup identifiers.

Priority Score

Score: 0 (scale: Low / Medium / High / Critical)

- KEV: 0
- EPSS: +0.0
- CVSS: +0
- POC: 0
