WordPress Plugin Vulnerabilities

Popup Box < 2.2 - Admin+ LFI

Description

The plugin does not properly validate the current tab used before generating a path and using it in an include statement, which could lead to LFI

Affects Plugins

Plugin icon
popup-box
Fixed in 2.2

References

CVE
CVE-2022-29445

Classification

Type
LFI
OWASP top 10
A1: Injection
CWE
CWE-22
CVSS
6.8 (medium)

Miscellaneous

Original Researcher
0xB9
Verified
Yes
WPVDB ID
2ecda8d1-3562-461c-bbe3-9267a33be380

Timeline

Publicly Published
2022-05-17 (about 3 years ago)
Added
2022-05-18 (about 3 years ago)
Last Updated
2023-02-12 (about 3 years ago)

Other

Published
Title
Published
2026-01-13
Title
Hostme v2 <= 7.0 - Unauthenticated Arbitrary File Deletion
Published
2026-01-16
Title
Gutenberg Thim Blocks < 1.0.2 - Authenticated (Contributor+) Arbitrary File Read via 'iconSVG' Parameter
Published
2025-01-23
Title
Post Grid, Slider & Carousel Ultimate – with Shortcode, Gutenberg Block & Elementor Widget < 1.7 - Authenticated (Contributor+) Local File Inclusion via post_type_ajax_handler()
Published
2026-01-16
Title
Feeds for YouTube Pro < 2.6.1 - Unauthenticated Arbitrary File Read via Path Traversal
Published
2023-05-26
Title
WP Directory Kit < 1.2.0 - Unauthenticated Local File Inclusion