CVE-2025-68508

Brave · Brave Popup Builder

A missing authorization vulnerability (CWE-862) in Brave Popup Builder allows attackers to exploit incorrectly configured or unenforced access controls and invoke functionality that should be limited to authorized users.

Executive summary

Brave Popup Builder is affected by a critical missing-authorization vulnerability that allows unauthorized actors to bypass the plugin's access controls and potentially manipulate plugin settings.

Vulnerability

This vulnerability is caused by missing authorization checks on plugin functionality that should be restricted to administrators: the affected code acts on a request without first verifying that the caller holds the required privilege, so reaching the handler is treated as sufficient regardless of the caller's role. An attacker can therefore perform actions that should be restricted to authorized administrators.
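The pattern behind this class of bug, shown as an added illustration rather than code from Brave Popup Builder, assumes a WordPress plugin exposing a settings-save handler over admin-ajax. All hook names, action names, option names and field names below are hypothetical. The first handler reproduces the missing check; the second shows the order of controls a practitioner expects: authorization (capability), then CSRF protection (nonce), then input validation.

```php
<?php
// Added illustration of CWE-862 (missing authorization) in a WordPress
// plugin AJAX handler. Hook, action, option and field names are hypothetical;
// this is not code from Brave Popup Builder.

// --- Vulnerable pattern: any request that reaches the handler is honoured. ---
// wp_ajax_nopriv_* fires for unauthenticated visitors; wp_ajax_* fires for any
// logged-in user regardless of role. Neither hook implies authorization.
add_action( 'wp_ajax_nopriv_example_save_popup', 'example_save_popup_vulnerable' );
add_action( 'wp_ajax_example_save_popup',        'example_save_popup_vulnerable' );

function example_save_popup_vulnerable() {
    // No capability check and no nonce: a subscriber or an anonymous visitor
    // can overwrite the popup configuration that is rendered to every visitor.
    $settings = wp_unslash( $_POST['settings'] ?? '' );
    update_option( 'example_popup_settings', $settings );
    wp_send_json_success();
}

// --- Hardened pattern: authorize the caller, then validate the request. ---
// Only the authenticated hook is registered: an admin-only action has no
// legitimate unauthenticated caller, so no wp_ajax_nopriv_ registration.
add_action( 'wp_ajax_example_save_popup_v2', 'example_save_popup_secure' );

function example_save_popup_secure() {
    // 1. Authorization: require a capability that maps to administrators.
    //    Being logged in (what the wp_ajax_ hook guarantees) is authentication,
    //    not authorization. wp_send_json_error() terminates the request.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    // 2. CSRF protection: a nonce bound to this specific action, so an
    //    administrator cannot be made to submit the request from another
    //    origin. check_ajax_referer() dies on failure by default.
    check_ajax_referer( 'example_save_popup', 'nonce' );

    // 3. Input validation: accept only the fields the feature needs and
    //    sanitize each one according to where it will be used.
    $raw = ( isset( $_POST['settings'] ) && is_array( $_POST['settings'] ) )
        ? wp_unslash( $_POST['settings'] )
        : array();

    $clean = array(
        'title'        => sanitize_text_field( $raw['title'] ?? '' ),
        // Popup body is rendered to every visitor: limit it to post-safe HTML.
        'body'         => wp_kses_post( $raw['body'] ?? '' ),
        // Redirect target: allow only http(s) URLs, never javascript: or data:.
        'redirect_url' => esc_url_raw( $raw['redirect_url'] ?? '', array( 'http', 'https' ) ),
    );

    update_option( 'example_popup_settings', $clean );
    wp_send_json_success( $clean );
}
```

The same defect appears in REST routes registered with a permission_callback of '__return_true' (or no permission callback at all) on a route that writes settings; the fix there is a permission_callback that performs the same current_user_can() check. When auditing a plugin for this bug class, list every add_action on wp_ajax_ / wp_ajax_nopriv_ hooks and every register_rest_route call, and confirm each handler that changes state performs a capability check before it does anything else.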

Business impact

With a CVSS score of 9.1 (Critical), this vulnerability poses a severe risk to any website where the plugin is installed. Popups built with the plugin are rendered to every visitor, so an attacker who can modify popup content or settings without authorization could inject malicious content or redirect users to attacker-controlled pages, leading to reputational damage and potential compromise of site visitors.

Remediation

Immediate Action: Update Brave Popup Builder to the latest version provided by the vendor, in which the missing access control checks are enforced. Confirm the update by checking the installed version against the vendor's changelog, not only by the presence of an update notice.

Proactive Monitoring: Review logs for unauthorized attempts to access or modify popup configurations. Look for state-changing (typically POST) requests to the plugin's settings and popup-saving endpoints that originate from unauthenticated clients or from accounts without an administrative role. Web-server access logs do not record the caller's role, so correlate them with the application's user and audit logs where available, and also review the popups themselves for unexpected content, redirect targets, or newly created entries.

Compensating Controls: If an update cannot be applied immediately, use a WAF to restrict access to the plugin's administrative functionality to known, authorized IP addresses. Confirm first which request paths the affected functionality actually uses: a missing authorization check on a handler that serves ordinary visitor requests is not closed by an allowlist that covers only the administrative dashboard, so the rule must cover those paths as well.

Exploitation status

Public Exploit Available: Unknown

Analyst recommendation

Administrators must prioritize remediation of this vulnerability, since a missing authorization check requires no special conditions beyond reaching the affected functionality. Apply the latest software update as soon as possible to mitigate the risk of exploitation and maintain the security posture of the site, and verify afterwards that popup content and settings have not already been altered.