Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2022-0228: SQL Injection in Popup Builder

CWE-89: SQL Injection | 4 documents | 4 sources
Severity: 7.2 HIGH (NVD)
EPSS: 4.2% (top 11.30%)
CISA KEV: Not in KEV
Exploit: PoC available (public exploit / PoC exists)
Timeline: Published Feb 21; latest update Feb 22

Description

The Popup Builder WordPress plugin before 4.0.7 does not validate and properly escape the orderby and order parameters before using them in a SQL statement in the admin dashboard, which could allow high-privilege users to perform SQL injection.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Exploitability: 1.2 | Impact: 5.9

Affected Packages: 1 package

Vulnerability Details (2)

GHSA: GHSA-w3jc-m34v-m835: The Popup Builder WordPress plugin before 4 (2022-02-22)
CVEList: Popup Builder < 4.0.7 - Admin+ SQL Injection (2022-02-21)

Exploits & PoCs (1)

Nuclei: Popup Builder < 4.0.7 - SQL Injection
CVE-2022-0228 — SQL Injection in Sygnoos Popup Builder | cvebase