Popover Windows <= 1.2 - 跨站请求伪造可导致任意 Popover 配置更新

The primary impact of this XSRF vulnerability lies in the potential for unauthorized modification of the Popover Windows plugin's configuration. An attacker could leverage this to alter the plugin’s behavior, potentially injecting malicious code or redirecting users. Successful exploitation requires the attacker to convince a site administrator to click on a specially crafted link or visit a malicious webpage. The blast radius is limited to the functionality controlled by the Popover Windows plugin itself, but depending on its role on the site, this could have significant consequences.

WordPress websites utilizing the Popover Windows plugin, particularly those with shared hosting environments or legacy configurations lacking robust user access controls, are at increased risk. Site administrators who routinely click on links from untrusted sources are also more vulnerable.

• wordpress / composer / npm:

grep -r 'Popover Windows' /var/www/html/wp-content/plugins/
wp plugin list | grep 'Popover Windows'

• generic web:

curl -I https://your-wordpress-site.com/wp-admin/admin-ajax.php?action=popover_windows_settings_update&setting_name=some_setting&setting_value=some_value

1. 2025-12-13Disclosure

   disclosure

1. 已保留2025-12-09
2. 发布日期2025-12-13
3. 修改日期2026-04-08
4. EPSS 更新日期2026-03-23

The immediate mitigation for CVE-2025-14394 is to upgrade the Popover Windows plugin to a version containing the nonce validation fix. Since a fixed version is not yet available, implement strict user access controls and educate administrators about the risks of clicking on suspicious links. Consider using a WordPress security plugin with XSRF protection capabilities. Regularly review plugin settings for any unauthorized changes. After applying any mitigation steps, verify the plugin's settings and functionality to ensure they remain as expected.