Platform
wordpress
Component
popover-windows
Fixed in
1.2.1
CVE-2025-14394 describes a Cross-Site Request Forgery (XSRF) vulnerability affecting the Popover Windows plugin for WordPress. This flaw allows unauthenticated attackers to manipulate the plugin's settings by crafting malicious requests that trick administrators into performing unintended actions. The vulnerability impacts versions from 0.0.0 up to and including 1.2, and a fix is available in a future release.
The primary impact of this XSRF vulnerability lies in the potential for unauthorized modification of the Popover Windows plugin's configuration. An attacker could leverage this to alter the plugin’s behavior, potentially injecting malicious code or redirecting users. Successful exploitation requires the attacker to convince a site administrator to click on a specially crafted link or visit a malicious webpage. The blast radius is limited to the functionality controlled by the Popover Windows plugin itself, but depending on its role on the site, this could have significant consequences.
This vulnerability was publicly disclosed on 2025-12-13. There are currently no known public proof-of-concept exploits available. The vulnerability's severity is assessed as Medium. It is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS
0.02% (4% percentile)
CISA SSVC
CVSS Vector
The immediate mitigation for CVE-2025-14394 is to upgrade the Popover Windows plugin to a version containing the nonce validation fix. Since a fixed version is not yet available, implement strict user access controls and educate administrators about the risks of clicking on suspicious links. Consider using a WordPress security plugin with XSRF protection capabilities. Regularly review plugin settings for any unauthorized changes. After applying any mitigation steps, verify the plugin's settings and functionality to ensure they remain as expected.
No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2025-14394 is a Cross-Site Request Forgery (XSRF) vulnerability in the Popover Windows WordPress plugin, allowing attackers to modify plugin settings via forged requests.
You are affected if you are using the Popover Windows plugin in versions 0.0.0 through 1.2. Upgrade to a patched version as soon as it becomes available.
Upgrade the Popover Windows plugin to a version containing the nonce validation fix. Until then, implement strict user access controls and educate administrators.
There are currently no confirmed reports of active exploitation, but the vulnerability is publicly known.
Check the Popover Windows plugin's official website or WordPress plugin repository for updates and advisories related to CVE-2025-14394.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.