VulnTitan VulnTitan Security command center
Plugin Vulnerability Hub
Plugin 7 known issues Latest disclosed Feb 09, 2026

Popup builder with Gamification, Multi-Step Popups, Page-Level Targeting, and WooCommerce Triggers Vulnerabilities

Review known vulnerability records for the WordPress plugin Popup builder with Gamification, Multi-Step Popups, Page-Level Targeting, and WooCommerce Triggers (`popup-builder-block`), including severity, CVE references, affected versions, and patch status.

Recent tracked CVEs on this page include CVE-2025-14895, CVE-2025-13192 and CVE-2025-14441, so operators can jump from disclosure to patch validation without scanning the full feed first.

View on WordPress.org Back to Feed
Known Records
7
High or Critical
3
Patch Coverage
100%
Last Updated
Mar 27, 2026
Coverage Snapshot

What this page helps you verify fast

This hub clusters every indexed record for Popup builder with Gamification, Multi-Step Popups, Page-Level Targeting, and WooCommerce Triggers so operators can confirm whether a disclosed issue maps to the installed slug, version range, and patch path.

Patch Visibility
7 records include a published patch path, leaving 0 with no listed safe release yet.
Severity Mix
0 critical and 3 high severity findings.
Recent CVEs
CVE-2025-14895, CVE-2025-13192 and CVE-2025-14441
Reference Workflow
Jump from the hub into the full report when you need remediation notes, exploit context, CVSS vectors, or source references.
Triage First

Open the records most likely to drive action

These recent records surface the CVE strings, patch cues, and direct report links most operators need first.

Known Vulnerabilities

Reports for Popup builder with Gamification, Multi-Step Popups, Page-Level Targeting, and WooCommerce Triggers

Sorted by latest disclosure date so newly published issues surface first.

Plugin Medium Patched: Yes CVE-2025-14895
PopupKit <= 2.2.0 - Missing Authorization to Sensitive Information Disclosure and Data Deletion

The PopupKit plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.2.0. This is due to the plugin not properly verifying that a user is authorized to access the /popup/logs REST API endpoint. This makes it possible for authenticated at...

Published
Feb 09, 2026
Patched Release
2.2.1
Affected Versions
Versions up to 2.2.0
Next Step
Update to 2.2.1 or newer if supported.
Open Full Report Open CVE Reference
Plugin High Patched: Yes CVE-2025-13192
Popup builder with Gamification <= 2.2.0 - Unauthenticated SQL Injection via Multiple REST API Endpoints

The Popup builder with Gamification, Multi-Step Popups, Page-Level Targeting, and WooCommerce Triggers plugin for WordPress is vulnerable to generic SQL Injection via the multiple REST API endpoints in all versions up to, and including, 2.2.0 due to insufficient escaping on the u...

Published
Feb 04, 2026
Patched Release
2.2.1
Affected Versions
Versions up to 2.2.0
Next Step
Update to 2.2.1 or newer if supported.
Open Full Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2025-14441
Popupkit <= 2.2.0 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Subscriber Data Deletion

The Popupkit plugin for WordPress is vulnerable to arbitrary subscriber data deletion due to missing authorization on the DELETE `/subscribers` REST API endpoint in all versions up to, and including, 2.2.0. This is due to the `permission_callback` only validating wp_rest nonce wi...

Published
Jan 05, 2026
Patched Release
2.2.1
Affected Versions
Versions up to 2.2.0
Next Step
Update to 2.2.1 or newer if supported.
Open Full Report Open CVE Reference
Plugin Medium Patched: No CVE-2025-69026
PopupKit <= 2.2.1 - Authenticated (Subscriber+) Information Exposure

The Popup builder with Gamification, Multi-Step Popups, Page-Level Targeting, and WooCommerce Triggers plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.2.1. This makes it possible for authenticated attackers, with Subscr...

Published
Dec 29, 2025
Patched Release
Not published
Affected Versions
Versions up to 2.2.1
Next Step
Open the full report for remediation notes and references.
Open Full Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2025-14314
PopupKit <= 2.1.5 - Authenticated (Subscriber+) SQL Injection

The PopupKit plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 2.1.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, w...

Published
Nov 21, 2025
Patched Release
2.2.0
Affected Versions
Versions up to 2.1.5
Next Step
Update to 2.2.0 or newer if supported.
Open Full Report Open CVE Reference
Plugin High Patched: Yes CVE-2025-10861
Popup builder with Gamification, Multi-Step Popups, Page-Level Targeting, and WooCommerce Triggers <= 2.1.4 - Unauthenticated Server-Side Request Forgery

The Popup builder with Gamification, Multi-Step Popups, Page-Level Targeting, and WooCommerce Triggers plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.1.4. This is due to insufficient validation on the URLs supplied via th...

Published
Oct 23, 2025
Patched Release
2.1.5
Affected Versions
Versions up to 2.1.4
Next Step
Update to 2.1.5 or newer if supported.
Open Full Report Open CVE Reference
Plugin High Patched: Yes CVE-2025-10862
Popup builder with Gamification, Multi-Step Popups, Page-Level Targeting, and WooCommerce Triggers <= 2.1.3 - Unauthenticated SQL Injection via 'id'

The Popup builder with Gamification, Multi-Step Popups, Page-Level Targeting, and WooCommerce Triggers plugin for WordPress is vulnerable to SQL Injection in all versions up to, and including, 2.1.3. This is due to insufficient escaping on the 'id' parameter and lack of sufficien...

Published
Oct 08, 2025
Patched Release
2.1.4
Affected Versions
Versions up to 2.1.3
Next Step
Update to 2.1.4 or newer if supported.
Open Full Report Open CVE Reference