CVE-2021-24458SQL Injection in PRO Popup BOX

CWE-89SQL Injection3 documents3 sources
Severity
8.8HIGHNVD
EPSS
0.5%
top 32.65%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
AYS PRO Popup BOXAys-pro Popup BOX
Timeline
PublishedAug 2
Latest updateMay 24

Description

The get_ays_popupboxes() and get_popup_categories() functions of the Popup box WordPress plugin before 2.3.4 did not use whitelist or validate the orderby parameter before using it in SQL statements passed to the get_results() DB calls, leading to SQL injection issues in the admin dashboard

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages2 packages

CVEListV5ays_pro/popup_box2.3.42.3.4
NVDays-pro/popup_box< 2.3.4

🔴Vulnerability Details

2
GHSA
GHSA-q2r7-2hcj-h5f3: The get_ays_popupboxes() and get_popup_categories() functions of the Popup box WordPress plugin before 22022-05-24
CVEList
Popup box < 2.3.4 - Authenticated Blind SQL Injections2021-08-02
CVE-2021-24458 — SQL Injection in AYS PRO Popup BOX | cvebase