CVE-2025-69026

MEDIUM
2025-12-30 [email protected]
4.3
CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: None
Availability: None

Lifecycle Timeline

Analysis Generated: Apr 01, 2026 - 15:22 (vuln.today)
CVE Published: Dec 30, 2025 - 11:16 (nvd)

Description

Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Roxnor PopupKit popup-builder-block allows Retrieve Embedded Sensitive Data. This issue affects PopupKit: from n/a through <= 2.2.4.

Analysis

Roxnor PopupKit popup-builder-block plugin through version 2.2.4 exposes sensitive system information to authenticated users via an information disclosure vulnerability. An authenticated attacker can retrieve embedded sensitive data that should not be accessible, potentially gaining insight into system configuration or other restricted information. The CVSS 4.3 score reflects low real-world impact (confidentiality only, low privileges required), and EPSS exploitation probability is minimal at 0.04%, indicating this is a lower-priority vulnerability despite affecting a WordPress plugin.

Technical Context

This vulnerability involves improper access control on sensitive data within the PopupKit WordPress plugin, classified under CWE-497 (Exposure of Sensitive System Information to an Unauthorized Control Sphere). The plugin fails to properly restrict access to embedded sensitive data, allowing authenticated users (those with WordPress login credentials) to bypass intended authorization checks and retrieve information not meant for their privilege level. The root cause is inadequate data classification and access control enforcement in the plugin's code, likely in API endpoints or admin panels that serve or cache sensitive configuration details without proper capability checks.

Affected Products

Roxnor PopupKit popup-builder-block WordPress plugin versions 2.2.4 and earlier are affected. Further version history details and exact version mapping are available in the Patchstack vulnerability database referenced in the advisory.

Remediation

Update the PopupKit popup-builder-block plugin to a version newer than 2.2.4 immediately. Visit the Patchstack vulnerability database at https://patchstack.com/database/Wordpress/Plugin/popup-builder-block/vulnerability/wordpress-popupkit-plugin-2-1-5-sensitive-data-exposure-vulnerability?_s_id=cve for the specific patched version number and installation instructions. If a patched version is not yet available, restrict WordPress user access to the minimum necessary privilege level and audit which authenticated users have access to the plugin's admin interfaces. Test the patched version in a staging environment before deploying to production.

Priority Score

Score: 22
KEV: 0
EPSS: +0.0
CVSS: +22
POC: 0
