CVE-2025-68568

HIGH
2025-12-24 [email protected]
7.5
CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

CVE Published: Dec 24, 2025 - 13:16 (nvd)
Analysis Generated: Apr 01, 2026 - 15:22 (vuln.today)

Description

Missing Authorization vulnerability in Claspo Popup Builders Claspo - Popups, Spin the Wheel & Email Capture claspo allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Claspo - Popups, Spin the Wheel & Email Capture: from n/a through <= 1.0.7.

Analysis

Missing authorization in the Claspo WordPress plugin through version 1.0.7 allows unauthenticated remote attackers to modify plugin-managed data, because a network-reachable function performs a state-changing operation without checking whether the caller is allowed to perform it. CVSS 7.5 (High integrity impact, no confidentiality or availability impact) combined with an EPSS probability of only 0.04% means elevated exposure for vulnerable installations despite low observed exploitation likelihood. No public exploit was identified at the time of analysis. The vector (PR:N/UI:N) nonetheless means the affected operation needs neither credentials nor victim interaction, which is why issues of this class are often tagged as authentication bypass even though the root cause is an absent authorization check rather than a defeated login.

Technical Context

This vulnerability stems from CWE-862 (Missing Authorization), an access control failure in which the code that performs a sensitive operation never asks whether the caller is permitted to perform it. The Claspo plugin provides popup builders, spin-wheel interfaces, and email capture forms for WordPress sites. The CVSS vector (AV:N/AC:L/PR:N) indicates that a network-reachable endpoint performs a state-changing operation without validating the caller's privileges, so any remote client can invoke it without authenticating. This is broken access control in the OWASP sense: the application fails to verify that the caller has permission for the operation. It is distinct from authentication bypass (which defeats a credential check that does exist) but equivalent in effect, since with the check missing there is nothing to bypass. WordPress plugins frequently exhibit this class when developers register AJAX handlers (in particular on the wp_ajax_nopriv_ hook, which runs for logged-out visitors) or REST routes with a permissive permission_callback and omit a capability check such as current_user_can(). Nonce verification (check_ajax_referer() / wp_verify_nonce()) is a CSRF defence, not authorization: a nonce proves that the request originated from a page WordPress rendered for some user, not that the user may perform the action, and it is not a substitute for a capability check.
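As an added illustration of the pattern described above (example code written for this page, not Claspo's source, which this page does not show): a hypothetical popup-settings endpoint exposed both through admin-ajax.php and the REST API, first with the CWE-862 defect and then hardened. The hook names, option key, REST namespace and nonce action are all assumptions.

```php
<?php
/*
 * Added example, not Claspo's code. A hypothetical popup-builder plugin
 * exposes "save settings" two ways (admin-ajax and REST). The vulnerable
 * variants never ask who the caller is (CWE-862); the fixed variants gate
 * on a capability and, for AJAX, additionally on a nonce.
 * Hook names, option key, REST namespace and nonce action are assumptions.
 */

// --- Vulnerable: reachable by anyone, writes a site-wide option -------------

// wp_ajax_nopriv_* runs for logged-out visitors. No capability check and no
// nonce, so any remote client can overwrite the popup configuration.
add_action( 'wp_ajax_nopriv_example_popup_save', 'example_popup_save_vulnerable' );
add_action( 'wp_ajax_example_popup_save', 'example_popup_save_vulnerable' );
function example_popup_save_vulnerable() {
    $settings = isset( $_POST['settings'] ) ? wp_unslash( $_POST['settings'] ) : '';
    update_option( 'example_popup_settings', $settings ); // integrity impact
    wp_send_json_success();
}

// permission_callback => '__return_true' publishes the write route to the world.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-popup/v1', '/settings', array(
        'methods'             => 'POST',
        'callback'            => 'example_popup_rest_save',
        'permission_callback' => '__return_true',
    ) );
} );

// --- Fixed -------------------------------------------------------------------

// Registered on wp_ajax_ only: admin-ajax.php answers logged-out callers with
// HTTP 400 because no wp_ajax_nopriv_ handler exists for this action.
add_action( 'wp_ajax_example_popup_save_fixed', 'example_popup_save_fixed' );
function example_popup_save_fixed() {
    // Authorization: may this user change site-wide settings?
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 ); // sends JSON and dies
    }
    // CSRF: did the request come from a page we rendered for this user?
    // A nonce alone is NOT authorization; any logged-in user can obtain one.
    check_ajax_referer( 'example_popup_save', 'nonce' ); // dies on failure

    $settings = isset( $_POST['settings'] ) ? wp_unslash( $_POST['settings'] ) : '';
    update_option( 'example_popup_settings', sanitize_text_field( $settings ) );
    wp_send_json_success();
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'example-popup/v1', '/settings-fixed', array(
        'methods'             => 'POST',
        'callback'            => 'example_popup_rest_save',
        // REST authenticates via cookie + X-WP-Nonce or an application
        // password; permission_callback is where authorization happens.
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
        'args'                => array(
            'settings' => array(
                'required'          => true,
                'sanitize_callback' => 'sanitize_text_field',
            ),
        ),
    ) );
} );

// Shared callback: the only difference between the two REST routes is the
// permission_callback, which is exactly where CWE-862 lives.
function example_popup_rest_save( WP_REST_Request $request ) {
    update_option( 'example_popup_settings', $request->get_param( 'settings' ) );
    return rest_ensure_response( array( 'saved' => true ) );
}
```

When auditing a plugin for this class, grep for add_action( 'wp_ajax_nopriv_ and for register_rest_route, then read each handler for a current_user_can() call (or a permission_callback that performs one) before the first write; a handler that only calls check_ajax_referer() is still missing authorization.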

Affected Products

The vulnerability affects the Claspo WordPress plugin (listed as Claspo - Popups, Spin the Wheel & Email Capture, slug claspo) in all versions up to and including 1.0.7. The plugin is distributed through the official WordPress.org repository and is used to build popups, exit-intent overlays, spin-the-wheel gamification elements, newsletter signup forms, and other lead generation interfaces. The Patchstack advisory (Patchstack is a third-party vulnerability database and CVE Numbering Authority for WordPress plugins, not the plugin vendor) carries version 1.0.5 in its URL, while the CVE description lists every version through 1.0.7 as affected; the release that introduced the flaw is not stated. Full advisory details are available at https://patchstack.com/database/Wordpress/Plugin/claspo/vulnerability/wordpress-popup-builder-exit-intent-pop-up-spin-the-wheel-newsletter-signup-email-capture-lead-generation-forms-maker-plugin-1-0-5-broken-access-control-vulnerability.

Remediation

Website administrators should upgrade the Claspo plugin to the first release after 1.0.7 in which the authorization checks are in place. This page does not confirm a fixed version: the CVE description only states that releases up to and including 1.0.7 are affected, so check the plugin's changelog on WordPress.org or the Patchstack advisory for the patched release rather than assuming 1.0.8 is sufficient. To update, open the WordPress admin dashboard, go to Plugins > Installed Plugins, locate Claspo and choose Update Now; if automatic updates are enabled, confirm on the Plugins screen that the installed version is at least the patched release. Until a patched release is installed, deactivating the plugin removes the attack surface entirely, at the cost of popup and lead capture functionality. Where that is not acceptable, note that a WAF cannot evaluate WordPress capabilities; it can, however, block requests to the plugin's admin-ajax.php actions and REST routes that carry no wordpress_logged_in_* cookie, and a small must-use plugin can enforce a capability check in front of those endpoints until the upstream fix lands. Both require identifying the plugin's own action names and REST namespace from its source, which this page does not list. WordPress has no built-in audit log, so monitoring for unexpected changes to the plugin's settings, campaigns, or captured leads means enabling an audit-log plugin or reviewing web server access logs for POST requests to admin-ajax.php and /wp-json/ from unauthenticated clients. Complete advisory and technical details are available at https://patchstack.com/database/Wordpress/Plugin/claspo/vulnerability/wordpress-popup-builder-exit-intent-pop-up-spin-the-wheel-newsletter-signup-email-capture-lead-generation-forms-maker-plugin-1-0-5-broken-access-control-vulnerability.
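An added example of the must-use-plugin workaround (written for this page; it is not Claspo's code and not Patchstack's guidance, and the admin-ajax action prefix, REST namespace and required capability are placeholders to be replaced with the real values taken from the affected plugin's source):

```php
<?php
/*
 * Plugin Name: Example virtual patch for an unpatched plugin's endpoints
 *
 * Added example, not Claspo's code. Place in wp-content/mu-plugins/ to deny
 * unauthenticated or low-privilege calls to a plugin's admin-ajax actions and
 * REST namespace until the fixed release is installed. The three constants
 * are assumptions: take the real prefix and namespace from the plugin's
 * add_action( 'wp_ajax_... ) and register_rest_route() calls.
 */

const EXAMPLE_VP_AJAX_PREFIX    = 'example_popup_';   // assumed admin-ajax action prefix
const EXAMPLE_VP_REST_NAMESPACE = 'example-popup/v1'; // assumed REST namespace
const EXAMPLE_VP_CAPABILITY     = 'manage_options';   // what a legitimate caller should hold

// admin-ajax.php fires admin_init before dispatching wp_ajax_{action}, so the
// request can be vetoed here without touching the plugin's own handlers.
add_action( 'admin_init', function () {
    if ( ! wp_doing_ajax() || empty( $_REQUEST['action'] ) ) {
        return;
    }
    $action = sanitize_key( wp_unslash( $_REQUEST['action'] ) );
    if ( 0 !== strpos( $action, EXAMPLE_VP_AJAX_PREFIX ) ) {
        return; // not one of the gated actions
    }
    if ( ! current_user_can( EXAMPLE_VP_CAPABILITY ) ) {
        example_vp_log( 'ajax', $action );
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 ); // dies
    }
}, 1 );

// rest_pre_dispatch runs after REST authentication (so current_user_can()
// reflects the cookie or application-password identity) and before the
// route callback; returning a WP_Error short-circuits the request.
add_filter( 'rest_pre_dispatch', function ( $result, $server, $request ) {
    $route = $request->get_route(); // e.g. "/example-popup/v1/settings"
    if ( 0 !== strpos( $route, '/' . EXAMPLE_VP_REST_NAMESPACE . '/' ) ) {
        return $result;
    }
    // This CVE is integrity-only (C:N/I:H/A:N), so only gate writes and leave
    // read methods untouched to avoid breaking the public-facing popups.
    if ( in_array( $request->get_method(), array( 'GET', 'HEAD', 'OPTIONS' ), true ) ) {
        return $result;
    }
    if ( ! current_user_can( EXAMPLE_VP_CAPABILITY ) ) {
        example_vp_log( 'rest', $route );
        return new WP_Error( 'rest_forbidden', 'forbidden', array( 'status' => 403 ) );
    }
    return $result;
}, 10, 3 );

// WordPress has no built-in audit log; blocked attempts go to the PHP error
// log (wp-content/debug.log when WP_DEBUG_LOG is enabled).
function example_vp_log( $kind, $target ) {
    error_log( sprintf(
        'virtual-patch: blocked %s %s from %s (user %d)',
        $kind,
        $target,
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '-',
        get_current_user_id()
    ) );
}
```

Because the file lives in mu-plugins it loads before ordinary plugins and cannot be deactivated from the dashboard, which is what makes it a reliable stopgap; remove it once the patched plugin release is installed and verified, since gating on the wrong prefix would silently leave the real endpoint open.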

Priority Score

38 on a Low / Medium / High / Critical gauge, composed of:
KEV: 0
EPSS: +0.0
CVSS: +38
POC: 0
