CVE-2022-0479
Published 2022-03-28
Priority P266 · critical 9.8 · CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT · EPSS 44.08% (98.6th percentile)
The Popup Builder WordPress plugin before 4.1.1 does not sanitise and escape the sgpb-subscription-popup-id parameter before using it in a SQL statement in the All Subscribers admin dashboard, leading to a SQL injection, which could also be used to perform a Reflected Cross-Site Scripting attack against a logged-in admin opening a malicious link.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| sygnoos | popup_builder | < 4.1.1 | 4.1.1 |
Detection & IOCs (extracted from sources)
URL: /wp-admin/edit.php?post_type=popupbuilder&page=sgpbSubscribers&sgpb-subscription-popup-id=0%29+union+all++select+1%2C0x3c696d6720737263206f6e6572726f723d616c65727428646f63756d656e742e646f6d61696e293e%2C3%2C4%2C5%2C6+--+g
Other: sgpb-subscription-popup-id=0) union all select 1,<img src onerror=alert(document.domain)>,3,4,5,6 -- g
- Fingerprint vulnerable Popup Builder installations by checking for the presence of '/wp-content/plugins/popup-builder' in the page body before attempting exploitation.
- The attack targets the authenticated endpoint GET /wp-admin/edit.php with query parameters post_type=popupbuilder&page=sgpbSubscribers and injects a UNION-based SQL payload via the sgpb-subscription-popup-id parameter.
- The SQL injection payload uses a UNION SELECT with an XSS payload encoded as hex (0x3c696d6720737263206f6e6572726f723d616c65727428646f63756d656e742e646f6d61696e293e) to achieve Reflected XSS. Detect the decoded string '<img src onerror=alert(document.domain)>' in HTTP responses to the admin subscribers page.
- Monitor for POST requests to /wp-login.php followed immediately by GET requests to /wp-admin/edit.php?post_type=popupbuilder&page=sgpbSubscribers containing SQL UNION keywords in the sgpb-subscription-popup-id parameter: this two-step pattern is the full exploit flow.
- FOFA/Shodan fingerprint query for exposed Popup Builder instances: search for body containing '/wp-content/plugins/popup-builder'.
- Exploitation requires the attacker to be authenticated as an admin (logged-in admin opening a malicious link). The Nuclei template authenticates via /wp-login.php before triggering the injection, so unauthenticated scanning will not reproduce the full attack.
- The vulnerability affects Popup Builder WordPress plugin versions before 4.1.1 only. Instances running 4.1.1 or later are not affected.
- The UNION SELECT payload targets a 6-column table structure (select 1,<payload>,3,4,5,6). If the underlying DB schema differs, the payload column count must be adjusted.
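The request-side pattern from the notes above (a hit on the admin subscribers page whose sgpb-subscription-popup-id is not a plain number and carries SQL keywords, a hex literal or markup) turned into a check that can be run over web-server access logs. This is an added example, not the page's Nuclei template or the plugin's code; the log lines are constructed and the function names are my own.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (not taken from the page): one benign
# admin view of the subscribers page, two injection attempts, one unrelated hit.
SAMPLE_LOG = """\
10.0.0.5 - - [28/Mar/2022:10:01:02 +0000] "GET /wp-admin/edit.php?post_type=popupbuilder&page=sgpbSubscribers&sgpb-subscription-popup-id=12 HTTP/1.1" 200 5120
10.0.0.9 - - [28/Mar/2022:10:01:07 +0000] "GET /wp-admin/edit.php?post_type=popupbuilder&page=sgpbSubscribers&sgpb-subscription-popup-id=0%29+union+all+select+1%2C2%2C3%2C4%2C5%2C6+--+g HTTP/1.1" 200 6022
10.0.0.9 - - [28/Mar/2022:10:01:09 +0000] "GET /wp-admin/edit.php?post_type=popupbuilder&page=sgpbSubscribers&sgpb-subscription-popup-id=0%29%20UNION%20SELECT%201%2C0x3c3e%2C3%2C4%2C5%2C6--%20- HTTP/1.1" 200 6022
10.0.0.7 - - [28/Mar/2022:10:02:00 +0000] "GET /wp-admin/edit.php?post_type=page HTTP/1.1" 200 3000
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d+)')
# SQL keywords and MySQL hex literals that never belong in a numeric popup id.
SQL_RE = re.compile(r'\b(union|select|sleep|benchmark)\b|\b0x[0-9a-f]+\b', re.IGNORECASE)
PARAM = "sgpb-subscription-popup-id"

def classify_request(target):
    """Return a reason string if the request looks like a CVE-2022-0479 attempt, else None."""
    parts = urlsplit(target)
    if parts.path != "/wp-admin/edit.php":
        return None
    qs = parse_qs(parts.query, keep_blank_values=True)
    if qs.get("post_type") != ["popupbuilder"] or qs.get("page") != ["sgpbSubscribers"]:
        return None
    for value in qs.get(PARAM, []):   # parse_qs already URL-decodes the value
        if value.strip().isdigit():
            continue                  # the legitimate case: a plain numeric id
        if SQL_RE.search(value) or "<" in value:
            return f"non-numeric {PARAM} with SQL/markup content: {value!r}"
    return None

def find_cve_2022_0479_attempts(log_text):
    """Scan access-log text and return (ip, timestamp, reason) for suspicious requests."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        reason = classify_request(m["target"])
        if reason:
            hits.append((m["ip"], m["ts"], reason))
    return hits

if __name__ == "__main__":
    for ip, ts, reason in find_cve_2022_0479_attempts(SAMPLE_LOG):
        print(f"{ts} {ip}: {reason}")
```

Correlating these hits with a preceding POST to /wp-login.php from the same client, as the notes describe, gives the full two-step pattern.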
CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| NVD | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
No detection rules found.
Nuclei
CVE-2022-0479 [CRITICAL, CVSS 9.8]: Popup Builder Plugin - SQL Injection and Cross-Site Scripting
The Popup Builder WordPress plugin before 4.1.1 is vulnerable to SQL Injection and Reflected XSS via the sgpb-subscription-popup-id parameter.
Template:

```yaml
id: CVE-2022-0479

info:
  name: Popup Builder Plugin - SQL Injection and Cross-Site Scripting
  author: ritikchaddha
  severity: critical
  description: |
    The Popup Builder WordPress plugin before 4.1.1 is vulnerable to SQL Injection and Reflected XSS via the sgpb-subscription-popup-id parameter.
  impact: |
    Allows attackers to execute malicious SQL queries and inject scripts into web pages
  remediation: |
    Update Popup Builder Plugin to the latest secure version
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2022-0479
    cwe-id: CWE-
```
No writeups or analysis indexed.