cbcvebase.
CVE-2022-0479
published 2022-03-28


Priority: P266
Severity: critical, 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: available
EPSS: 44.08% (98.6th percentile)
The Popup Builder WordPress plugin before 4.1.1 does not sanitise and escape the sgpb-subscription-popup-id parameter before using it in a SQL statement in the All Subscribers admin dashboard, leading to a SQL injection, which could also be used to perform a Reflected Cross-Site Scripting attack against a logged-in admin opening a malicious link.

Affected (1 range)

Vendor    Product         Version range   Fixed in
sygnoos   popup_builder   < 4.1.1         4.1.1

Detection & IOCs (extracted from sources)

url:   /wp-admin/edit.php?post_type=popupbuilder&page=sgpbSubscribers&sgpb-subscription-popup-id=0%29+union+all++select+1%2C0x3c696d6720737263206f6e6572726f723d616c65727428646f63756d656e742e646f6d61696e293e%2C3%2C4%2C5%2C6+--+g
path:  /wp-content/plugins/popup-builder
path:  /wp-admin/edit.php
other: sgpb-subscription-popup-id=0) union all select 1,<img src onerror=alert(document.domain)>,3,4,5,6 -- g
  • Fingerprint vulnerable Popup Builder installations by checking for the presence of '/wp-content/plugins/popup-builder' in the page body before attempting exploitation.
  • The attack targets the authenticated endpoint GET /wp-admin/edit.php with query parameters post_type=popupbuilder&page=sgpbSubscribers and injects a UNION-based SQL payload via the sgpb-subscription-popup-id parameter.
  • The SQL injection payload uses a UNION SELECT with an XSS payload encoded as hex (0x3c696d6720737263206f6e6572726f723d616c65727428646f63756d656e742e646f6d61696e293e) to achieve Reflected XSS. Detect the decoded string '<img src onerror=alert(document.domain)>' in HTTP responses to the admin subscribers page.
  • Monitor for POST requests to /wp-login.php followed immediately by GET requests to /wp-admin/edit.php?post_type=popupbuilder&page=sgpbSubscribers containing SQL UNION keywords in the sgpb-subscription-popup-id parameter — this two-step pattern is the full exploit flow.
  • FOFA/Shodan fingerprint query for exposed Popup Builder instances: search for body containing '/wp-content/plugins/popup-builder'.
  • Exploitation requires the attacker to be authenticated as an admin (logged-in admin opening a malicious link). The Nuclei template authenticates via /wp-login.php before triggering the injection, so unauthenticated scanning will not reproduce the full attack.
  • The vulnerability affects Popup Builder WordPress plugin versions before 4.1.1 only. Instances running 4.1.1 or later are not affected.
  • The UNION SELECT payload targets a 6-column table structure (select 1,<payload>,3,4,5,6). If the underlying DB schema differs, the payload column count must be adjusted.
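The two-step detection described above (a POST to /wp-login.php followed by a subscribers-page request whose sgpb-subscription-popup-id carries SQL UNION keywords or a hex literal that decodes to markup), as an added example that is not part of the cbcvebase record or the plugin's code. It assumes a combined-format access log; the client addresses and timestamps in the sample are constructed, while the injection request itself is the one listed in the IOC section.

```python
import re
from datetime import datetime
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (not from the page); line 2 carries the injection
# request documented in the IOC section above, line 3 is a benign lookup of popup 12.
SAMPLE_LOG = """\
203.0.113.7 - - [28/Mar/2022:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 302 0
203.0.113.7 - - [28/Mar/2022:10:00:03 +0000] "GET /wp-admin/edit.php?post_type=popupbuilder&page=sgpbSubscribers&sgpb-subscription-popup-id=0%29+union+all++select+1%2C0x3c696d6720737263206f6e6572726f723d616c65727428646f63756d656e742e646f6d61696e293e%2C3%2C4%2C5%2C6+--+g HTTP/1.1" 200 5120
198.51.100.9 - - [28/Mar/2022:10:05:00 +0000] "GET /wp-admin/edit.php?post_type=popupbuilder&page=sgpbSubscribers&sgpb-subscription-popup-id=12 HTTP/1.1" 200 4096
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" \d{3}')
UNION_RE = re.compile(r"\bunion\b(\s+all)?\s+select\b", re.I)
HEX_RE = re.compile(r"0x((?:[0-9a-f]{2})+)", re.I)   # even-length MySQL hex literal
def inspect_popup_id(value):
    """Reasons a sgpb-subscription-popup-id value looks like CVE-2022-0479 abuse."""
    reasons = []
    if not value.isdigit():                        # the plugin expects an integer post id
        reasons.append("non-numeric id")
    if UNION_RE.search(value):
        reasons.append("UNION SELECT")
    for m in HEX_RE.finditer(value):               # hex literals hide the reflected XSS string
        decoded = bytes.fromhex(m.group(1)).decode("latin-1")
        if "<" in decoded:
            reasons.append("hex literal decodes to markup: " + decoded)
    return reasons

def analyze(log_text, login_window_s=60):
    """Flag subscribers-page requests with a hostile popup id and note a preceding login."""
    last_login, findings = {}, []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, ts, method, target = m.groups()
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        url = urlsplit(target)
        if method == "POST" and url.path == "/wp-login.php":
            last_login[ip] = when                  # step one of the two-step flow above
            continue
        qs = parse_qs(url.query)                   # decodes %xx and turns '+' into spaces
        if url.path != "/wp-admin/edit.php" or qs.get("post_type") != ["popupbuilder"] \
                or qs.get("page") != ["sgpbSubscribers"]:
            continue
        reasons = inspect_popup_id(qs.get("sgpb-subscription-popup-id", [""])[0])
        if reasons:
            recent = ip in last_login and (when - last_login[ip]).total_seconds() <= login_window_s
            findings.append({"ip": ip, "time": ts, "reasons": reasons, "after_login": recent})
    return findings
```

Running analyze(SAMPLE_LOG) flags only the second request and marks it as following a login from the same client within the window; the benign numeric lookup produces no finding.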

CVSS provenance

Source   Version   Score   Severity   Vector
nvd      v3.1      9.8     CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd      v2.0      7.5     HIGH       AV:N/AC:L/Au:N/C:P/I:P/A:P