CVE-2025-26944 Overview
CVE-2025-26944 is a missing authorization vulnerability in the Crocoblock JetPopup plugin for WordPress. The flaw affects all versions up to and including 2.0.11. Attackers can access plugin functionality that is not properly constrained by Access Control Lists (ACLs). The vulnerability is classified under CWE-862: Missing Authorization and is exploitable over the network without authentication or user interaction. Successful exploitation allows unauthorized access to sensitive plugin operations, leading to confidentiality impact on affected WordPress installations.
Critical Impact
Unauthenticated remote attackers can invoke restricted JetPopup functionality, exposing sensitive plugin data and operations on affected WordPress sites.
Affected Products
- Crocoblock JetPopup WordPress plugin versions through 2.0.11
- WordPress sites running the jet-popup plugin
- Sites bundling JetPopup as part of the Crocoblock JetPlugins suite
Discovery Timeline
- 2025-04-15 - CVE-2025-26944 published to the National Vulnerability Database
- 2026-04-23 - Last updated in NVD database
Technical Details for CVE-2025-26944
Vulnerability Analysis
The JetPopup plugin exposes administrative or privileged functionality through endpoints that lack proper authorization checks. The plugin registers actions and routes accessible to unauthenticated users without verifying the caller's capabilities or roles. This creates a broken access control condition where any network-based actor can invoke functionality intended for authenticated administrators.
The vulnerability falls within the Missing Authorization category [CWE-862]. The Patchstack advisory categorizes it as a broken access control issue in versions up to 2.0.11. Because the attack vector is network-based and requires no privileges or user interaction, automated scanning and exploitation against exposed WordPress sites are feasible.
Root Cause
The root cause is the absence of capability checks such as current_user_can() or nonce verification on plugin endpoints. WordPress AJAX handlers registered through wp_ajax_nopriv_* hooks, or REST routes lacking a permission_callback, allow any visitor to trigger privileged actions. JetPopup fails to enforce role-based authorization before executing sensitive operations.
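The following is an added illustration of the pattern described above, not JetPopup's own code: an AJAX handler registered on a wp_ajax_nopriv_* hook with no capability or nonce check, placed beside the hardened form, and a REST route registered with the permission_callback that WordPress expects. The action name, REST namespace, capability and option key are hypothetical placeholders.

```php
<?php
// Added example, not JetPopup's code: the authorization pattern the root cause describes.
// Action name, REST namespace, capability and option key are hypothetical placeholders.

// --- Vulnerable pattern: reachable by any visitor via wp_ajax_nopriv_*, no nonce, no capability check.
add_action( 'wp_ajax_nopriv_example_popup_save', 'example_popup_save_vulnerable' );
add_action( 'wp_ajax_example_popup_save', 'example_popup_save_vulnerable' );
function example_popup_save_vulnerable() {
    // Writes a site option on behalf of whoever sent the request.
    update_option( 'example_popup_settings', wp_unslash( $_POST['settings'] ?? '' ) );
    wp_send_json_success();
}

// --- Hardened pattern: registered only for logged-in users, then verifies nonce and capability.
add_action( 'wp_ajax_example_popup_save', 'example_popup_save_hardened' );
function example_popup_save_hardened() {
    // The nonce binds the request to a form issued to this user; on failure WordPress stops with 403.
    check_ajax_referer( 'example_popup_save', 'nonce' );
    // Capability check: only users allowed to manage plugin settings may proceed.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }
    $settings = sanitize_text_field( wp_unslash( $_POST['settings'] ?? '' ) );
    update_option( 'example_popup_settings', $settings );
    wp_send_json_success();
}

// --- REST route: permission_callback decides who may call it; omitting it leaves the route open to any visitor.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-popup/v1', '/settings', array(
        'methods'             => 'POST',
        'callback'            => 'example_popup_rest_save',
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
    ) );
} );
function example_popup_rest_save( WP_REST_Request $request ) {
    $settings = sanitize_text_field( $request->get_param( 'settings' ) );
    update_option( 'example_popup_settings', $settings );
    return rest_ensure_response( array( 'saved' => true ) );
}
```

The two differences that matter are that the hardened handler is never registered on a nopriv hook and that it checks both the nonce and the capability before touching state; the REST route carries the same capability check in its permission_callback, which WordPress evaluates before the callback runs.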
Attack Vector
An unauthenticated attacker sends crafted HTTP requests directly to the vulnerable JetPopup endpoints over the network. No credentials, session tokens, or user interaction are required. The attacker abuses the missing ACL enforcement to access functionality that should be restricted to site administrators. Refer to the Patchstack Vulnerability Advisory for technical details on the affected endpoints.
Detection Methods for CVE-2025-26944
Indicators of Compromise
- Unexpected HTTP POST or GET requests to /wp-admin/admin-ajax.php containing jet_popup or jet-popup action parameters from unauthenticated sources
- REST API calls to JetPopup namespaces originating from external IP addresses without prior authentication
- Modifications to popup configurations, templates, or plugin settings outside scheduled administrative windows
- Anomalous spikes in traffic to JetPopup-related endpoints from automated scanners
Detection Strategies
- Audit WordPress access logs for requests to JetPopup AJAX actions where the requester is not authenticated
- Deploy a Web Application Firewall (WAF) rule set with virtual patching for the jet-popup plugin
- Inspect WordPress option tables and plugin storage for unauthorized changes to popup definitions
- Correlate plugin endpoint access patterns with IP reputation feeds to identify reconnaissance activity
Monitoring Recommendations
- Forward WordPress and web server logs to a centralized analytics platform for continuous review
- Alert on HTTP 200 responses to unauthenticated requests targeting plugin-specific action names
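The following is an added example, not part of the advisory, showing how the indicators and alerting rules above can be applied to web server logs. The log lines are constructed for illustration, and the script assumes a combined log format extended with a trailing "auth=0|1" field recording whether a wordpress_logged_in_* cookie was present, since the default combined format does not record authentication state; the function and variable names are the example's own.

```php
<?php
// Added example, not from the advisory or the plugin: a small scanner for the indicators listed above.
// Assumption: combined log format plus a trailing "auth=0|1" field (wordpress_logged_in_* cookie seen).

// Constructed sample lines: a scanner from 203.0.113.10 reaching a JetPopup AJAX action and REST
// namespace without authentication, an authenticated admin doing the same, an unrelated action, and a 403.
const EXAMPLE_LOG = <<<'LOG'
203.0.113.10 - - [15/Apr/2025:10:01:02 +0000] "POST /wp-admin/admin-ajax.php?action=jet_popup_save HTTP/1.1" 200 512 "-" "python-requests/2.31" auth=0
203.0.113.10 - - [15/Apr/2025:10:01:03 +0000] "GET /wp-json/jet-popup/v1/settings HTTP/1.1" 200 2048 "-" "python-requests/2.31" auth=0
198.51.100.7 - - [15/Apr/2025:10:05:00 +0000] "POST /wp-admin/admin-ajax.php?action=jet_popup_save HTTP/1.1" 200 512 "https://example.test/wp-admin/" "Mozilla/5.0" auth=1
192.0.2.44 - - [15/Apr/2025:10:06:10 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 64 "-" "Mozilla/5.0" auth=0
203.0.113.10 - - [15/Apr/2025:10:07:30 +0000] "POST /wp-admin/admin-ajax.php?action=jet_popup_save HTTP/1.1" 403 128 "-" "python-requests/2.31" auth=0
LOG;

/**
 * Parse one extended-combined log line into its fields, or return null if it does not match.
 */
function parse_log_line( string $line ): ?array {
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "[^"]*" auth=([01])$/';
    if ( ! preg_match( $re, $line, $m ) ) {
        return null;
    }
    $path  = parse_url( $m[4], PHP_URL_PATH ) ?: '';
    $query = parse_url( $m[4], PHP_URL_QUERY ) ?: '';
    parse_str( $query, $params );
    return array(
        'ip'     => $m[1],
        'time'   => $m[2],
        'method' => $m[3],
        'path'   => $path,
        'action' => $params['action'] ?? '',
        'status' => (int) $m[5],
        'auth'   => $m[6] === '1',
    );
}

/**
 * An entry matches the indicators when an unauthenticated request reached a JetPopup AJAX action
 * (action parameter starting with jet_popup or jet-popup) or the jet-popup REST namespace with HTTP 200.
 */
function is_suspicious( array $r ): bool {
    if ( $r['auth'] || $r['status'] !== 200 ) {
        return false;
    }
    $ajax = $r['path'] === '/wp-admin/admin-ajax.php'
        && preg_match( '/^jet[_-]popup/i', $r['action'] ) === 1;
    $rest = strpos( $r['path'], '/wp-json/jet-popup/' ) === 0;
    return $ajax || $rest;
}

/**
 * Scan a log text; return the matching entries and a per-IP count usable for an alert threshold.
 */
function scan_log( string $log ): array {
    $hits   = array();
    $per_ip = array();
    foreach ( preg_split( '/\R/', trim( $log ) ) as $line ) {
        $r = parse_log_line( $line );
        if ( $r !== null && is_suspicious( $r ) ) {
            $hits[] = $r;
            $per_ip[ $r['ip'] ] = ( $per_ip[ $r['ip'] ] ?? 0 ) + 1;
        }
    }
    return array( 'hits' => $hits, 'per_ip' => $per_ip );
}

$result = scan_log( EXAMPLE_LOG );
foreach ( $result['hits'] as $h ) {
    printf( "%s %s %s %s action=%s status=%d\n",
        $h['time'], $h['ip'], $h['method'], $h['path'], $h['action'], $h['status'] );
}
foreach ( $result['per_ip'] as $ip => $n ) {
    printf( "%s: %d unauthenticated JetPopup hits\n", $ip, $n );
}
```

On the sample input only the two unauthenticated HTTP 200 requests from 203.0.113.10 are reported; the authenticated admin request, the unrelated heartbeat action and the 403 are ignored, which is the distinction the "alert on HTTP 200 responses to unauthenticated requests" rule above relies on. In production the per-IP count feeds the threshold for the traffic-spike indicator, and the same matching logic transfers directly to a WAF or SIEM rule.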
- Track plugin version inventory across WordPress estates to flag installations still running jet-popup at or below version 2.0.11
How to Mitigate CVE-2025-26944
Immediate Actions Required
- Update the Crocoblock JetPopup plugin to a version higher than 2.0.11 as soon as the vendor publishes a fixed release
- Inventory all WordPress sites to identify installations running vulnerable jet-popup versions
- Restrict access to /wp-admin/admin-ajax.php and REST endpoints from untrusted networks where feasible
- Review plugin and site configurations for unauthorized changes made prior to remediation
Patch Information
At the time of publication, consult the Patchstack Vulnerability Advisory for vendor patch availability and upgrade guidance. Apply the latest plugin update from Crocoblock once released, and confirm after patching that the installed version is greater than 2.0.11.
Workarounds
- If the popup functionality is non-essential, deactivate and remove the JetPopup plugin until a patched version is available
- Apply WAF rules to block unauthenticated requests targeting JetPopup AJAX actions and REST routes
- Limit administrative endpoint exposure through IP allowlisting at the reverse proxy or hosting layer
# Identify vulnerable JetPopup installations using WP-CLI
wp plugin list --name=jet-popup --fields=name,status,version
# Deactivate the plugin as an interim mitigation
wp plugin deactivate jet-popup
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.