CVSS Vector (NVD)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Description (NVD)
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Aethonic Poptics poptics allows Retrieve Embedded Sensitive Data. This issue affects Poptics: from n/a through <= 1.0.20.
Analysis (AI)
The Aethonic Poptics WordPress plugin, through version 1.0.20, exposes sensitive system information to authenticated users via an information disclosure flaw. An authenticated attacker with low-level privileges can retrieve embedded sensitive data without any user interaction; exploitation does, however, require valid login credentials. The issue carries a modest CVSS score of 4.3 and an extremely low EPSS probability (0.04th percentile), indicating that real-world exploitation risk is minimal even though the vulnerability is confirmed.
Technical Context (AI)
This vulnerability is classified under CWE-497 (Exposure of Sensitive System Information to an Unauthorized Control Sphere), which describes a failure to properly restrict access to sensitive data within system boundaries. The Aethonic Poptics plugin (a WordPress plugin for AI-powered popup building and lead generation) contains inadequate access controls that allow authenticated users with low privileges to retrieve sensitive embedded data that should be restricted to higher-privileged roles. The root cause is an insufficient authorization check, or insufficient data isolation, between privilege levels: the plugin confirms that a request comes from a logged-in user but does not confirm that the user's role entitles them to the data, so information meant for administrators is exposed to any authenticated account. The vulnerability affects all versions from the beginning of tracked version history through version 1.0.20.
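As an added illustration of the authorization failure just described (this is not the Poptics plugin's own code; the route, option name and secret field names are hypothetical), a WordPress REST endpoint whose permission callback only checks that the caller is logged in, beside the hardened form that requires an administrator capability and strips secret fields before responding:

```php
<?php
// Hypothetical plugin settings endpoint, constructed for this illustration.
// The option 'hypo_settings' is assumed to hold embedded secrets such as
// third-party API keys alongside harmless display settings.

// Weak form: is_user_logged_in() proves authentication only. Every account,
// including a subscriber (CVSS PR:L), passes this check and receives the
// full settings object, which is the CWE-497 pattern described above.
function hypo_register_weak_route() {
    register_rest_route( 'hypo/v1', '/settings', array(
        'methods'             => 'GET',
        'callback'            => 'hypo_get_settings',
        'permission_callback' => 'is_user_logged_in',
    ) );
}

function hypo_get_settings() {
    return rest_ensure_response( get_option( 'hypo_settings', array() ) );
}

// Hardened form: the permission callback checks a capability that only
// administrators hold, and the callback removes secret fields so that they
// never leave the server even if the capability check is later relaxed.
function hypo_register_hardened_route() {
    register_rest_route( 'hypo/v1', '/settings', array(
        'methods'             => 'GET',
        'callback'            => 'hypo_get_settings_redacted',
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
    ) );
}

function hypo_get_settings_redacted() {
    $settings = get_option( 'hypo_settings', array() );
    // Hypothetical secret keys; a real plugin would maintain this list
    // alongside the option schema so new secrets are redacted by default.
    foreach ( array( 'api_key', 'smtp_password' ) as $secret ) {
        unset( $settings[ $secret ] );
    }
    return rest_ensure_response( $settings );
}

add_action( 'rest_api_init', 'hypo_register_hardened_route' );
```

Registering only the hardened route means a logged-in subscriber receives a 403 from the REST API instead of the settings object; an administrator still gets the non-secret settings.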
Affected Products (AI)
Aethonic Poptics WordPress plugin versions up to and including 1.0.20 are affected. The vulnerability impacts all installations of this AI-powered popup builder plugin for WordPress that have not been patched beyond version 1.0.20. Additional product information and the full advisory are available through the Patchstack vulnerability database entry at https://patchstack.com/database/Wordpress/Plugin/poptics/vulnerability/wordpress-poptics-ai-powered-popup-builder-for-lead-generation-conversions-exit-intent-email-opt-ins-woocommerce-sales-plugin-1-0-20-sensitive-data-exposure-vulnerability?_s_id=cve
Remediation (AI)
Update the Aethonic Poptics WordPress plugin immediately to the patched version, available from the plugin repository or the vendor's update mechanism. The recommended action is to upgrade to a version newer than 1.0.20, which should be available through the WordPress Plugin Directory or directly from Aethonic. Administrators should verify that the patched version restricts access to embedded sensitive data based on user privilege level. For installations that cannot patch immediately, restrict WordPress user accounts to essential roles only and reduce the number of low-privileged accounts with access to the plugin. Refer to the Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/poptics/vulnerability/...) for the exact patched version number once released.