WordPress Plugin Vulnerabilities

WP Popup Banners <= 1.2.5 - Subscriber+ SQLi

Description

The plugin does not properly sanitise and escape the banner_id parameter before using it in a SQL statement, leading to a SQL injection exploitable by any authenticated users, such as subscribers

Affects Plugins

Plugin icon
wp-popup-banners
No known fix

References

CVE
CVE-2023-1471

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89
CVSS
7.7 (high)

Miscellaneous

Original Researcher
Etan Imanol Castro Aldrete
Verified
No
WPVDB ID
e8a30eb6-72ca-4469-83a7-041d6a1d9e96

Timeline

Publicly Published
2023-03-17 (about 3 years ago)
Added
2023-03-17 (about 3 years ago)
Last Updated
2023-03-17 (about 3 years ago)

Other

Published
Title
Published
2025-06-27
Title
WP Forum Server <= 1.8.2 - Authenticated (Administrator+) SQL Injection
Published
2019-07-18
Title
Everest Forms < 1.5.0 - SQL Injection
Published
2025-10-02
Title
Wp cycle text announcement <= 8.1 - Authenticated (Contributor+) SQL Injection
Published
2025-06-23
Title
Amely < 3.2.0 - Unauthenticated SQL Injection
Published
2017-05-02
Title
Calendar by WD < 1.5.52 - Admin+ SQL injection