CVE-2025-2011
Published 2025-05-06. CVE-2025-2011: The Slider & Popup Builder by Depicter plugin for WordPress is vulnerable to generic SQL Injection via the 's' parameter in all versions up to, and including…
Priority: P184, high; CVSS 3.1 base score 7.5
CVSS vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:N / A:N
Tags: ITW exploit, VulnCheck KEV, initial access
Exploited in the wild
EPSS: 46.72% (98.7th percentile)
The Slider & Popup Builder by Depicter plugin for WordPress is vulnerable to generic SQL Injection via the 's' parameter in all versions up to, and including, 3.6.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| averta | depicter_popup_slider_builder | <= 3.6.1 | — |
Detection & IOCs (extracted from sources)
URL: /wp-admin/admin-ajax.php?s=9999')union+select+111,222,(select(concat(0x44617461626173653a20,database()))),4444,+5--+-&perpage=20&page=1&orderBy=source_id&dateEnd=&dateStart=&order=DESC&sources=&action=depicter-lead-index
URL: /wp-admin/admin-ajax.php?s=test%' AND EXTRACTVALUE(1,CONCAT(0x7e,VERSION(),0x7e))='&perpage=20&page=1&orderBy=source_id&dateEnd=&dateStart=&order=DESC&sources=&action=depicter-lead-index
Command: s=test%' AND EXTRACTVALUE(1,CONCAT(0x7e,({sql_query}),0x7e))='&perpage=20&page=1&orderBy=source_id&dateEnd=&dateStart=&order=DESC&sources=&action=depicter-lead-index
YARA: words ['Database: ', 'commonFields', 'content'], condition: and
Bytes: 0x44617461626173653a20 (ASCII for 'Database: ')
- Alert on HTTP responses containing 'XPATH syntax error' alongside 'depicter-lead-index' action requests, which indicates successful error-based SQL injection exploitation.
- Monitor for the presence of 'Database: ' and 'commonFields' in HTTP response bodies to /wp-admin/admin-ajax.php, indicating successful UNION-based SQL injection data exfiltration via the Depicter plugin.
- Flag requests where the 's' parameter contains SQL metacharacters such as single quotes, UNION SELECT, or EXTRACTVALUE with hex-encoded strings (e.g., 0x7e) targeting the depicter-lead-index action.
- Use the Google/PublicWWW dork 'inurl:/wp-content/plugins/depicter/' to identify exposed WordPress instances running the vulnerable Depicter plugin for proactive scanning.
- The exploit is unauthenticated — no session cookie or authentication token is required, meaning WAF rules must trigger on anonymous GET requests to admin-ajax.php with the depicter-lead-index action.
- The EPSS score is 0.52383 (97.9th percentile), indicating very high likelihood of active exploitation in the wild; prioritize detection and patching accordingly.
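The request-side and response-side indicators above, turned into a small log scanner as an added example that is not part of this page's sources: it parses Common Log Format lines, keeps only admin-ajax.php calls with action=depicter-lead-index, and reports which indicators the decoded 's' value matches. The log lines, client IPs and status codes are constructed for the example; only the two request patterns come from the IoC list above.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (not from the original page); the first two carry
# the request patterns from the IoC list above, URL-encoded the way a web server logs them.
SAMPLE_LOG = """\
203.0.113.7 - - [06/May/2025:10:01:02 +0000] "GET /wp-admin/admin-ajax.php?s=9999%27%29union+select+111%2C222%2C%28select%28concat%280x44617461626173653a20%2Cdatabase%28%29%29%29%29%2C4444%2C+5--+-&perpage=20&action=depicter-lead-index HTTP/1.1" 200 1843
203.0.113.7 - - [06/May/2025:10:01:05 +0000] "GET /wp-admin/admin-ajax.php?s=test%25%27+AND+EXTRACTVALUE%281%2CCONCAT%280x7e%2CVERSION%28%29%2C0x7e%29%29%3D%27&action=depicter-lead-index HTTP/1.1" 500 512
198.51.100.4 - - [06/May/2025:10:02:10 +0000] "GET /wp-admin/admin-ajax.php?s=john&perpage=20&page=1&action=depicter-lead-index HTTP/1.1" 200 921
198.51.100.4 - - [06/May/2025:10:02:11 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 77
"""

# Common Log Format: client, identity, user, timestamp, request line, status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# Request-side indicators from the detection notes, tested against the decoded 's' value.
SQLI_PATTERNS = [
    ("single quote", re.compile(r"'")),
    ("UNION SELECT", re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I)),
    ("EXTRACTVALUE", re.compile(r"\bextractvalue\s*\(", re.I)),
    ("hex literal", re.compile(r"\b0x[0-9a-f]{2,}\b", re.I)),
    ("comment terminator", re.compile(r"--\s|#|/\*")),
]

# Response-side markers: the error-based leak and the UNION-based marker strings.
RESPONSE_MARKERS = ("XPATH syntax error", "Database: ", "commonFields")

def inspect_request(target):
    """Indicator names matched by one request target; [] unless it is a depicter-lead-index call."""
    parts = urlsplit(target)
    if not parts.path.endswith("/wp-admin/admin-ajax.php"):
        return []
    qs = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes each value once
    if "depicter-lead-index" not in qs.get("action", []):
        return []
    s_value = " ".join(qs.get("s", []))
    return [name for name, rx in SQLI_PATTERNS if rx.search(s_value)]

def response_leaks(body):
    """True when a response body carries one of the marker strings from the IoC section."""
    return any(marker in body for marker in RESPONSE_MARKERS)

def scan_log(text):
    """Return (client_ip, http_status, indicators) for every suspicious request in text."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and (found := inspect_request(m.group("target"))):
            hits.append((m.group("ip"), int(m.group("status")), found))
    return hits
```

Pair scan_log with response_leaks on the matching response bodies to separate attempts (request indicators only) from confirmed leaks (indicators plus a marker in the response).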
CVSS provenance
NVD (v3.1): 7.5 HIGH, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
VulnCheck: 7.5 HIGH
CISA: 8.8 HIGH
GHSA
GHSA-84xp-2wxp-xq57 · ghsa_unreviewed · 2025-05-06 · CVE-2025-2011 [HIGH] · CWE-89
The Slider & Popup Builder by Depicter plugin for WordPress is vulnerable to generic SQL Injection via the 's' parameter in all versions up to, and including, 3.6.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
VulnCheck
depicter depicter: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') · vulncheck · 2025 · CVE-2025-2011 [HIGH] · CVSS 7.5
The Slider & Popup Builder by Depicter plugin for WordPress is vulnerable to generic SQL Injection via the 's' parameter in all versions up to, and including, 3.6.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Affected: Depicter Slider & Popup Builder Plugin for WordPress
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Ex
CISA
Microsoft Windows Remote Code Execution Vulnerability · cisa · 2025-10-06 · CVE-2011-3402 [HIGH] · CVSS 8.8
Affected: Microsoft Windows
Microsoft Windows Kernel contains an unspecified vulnerability in the TrueType font parsing engine in win32k.sys in the kernel-mode drivers that allows remote attackers to execute arbitrary code via crafted font data in a Word document or web page.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Notes: https://docs.microsoft.com/en-us/security-updates/securitybulletins/2011/ms11-087 ; https://nvd.nist.gov/vuln/detail/CVE-2011-3402
Remediation Due Date: 2025-10-27
Citrix
Citrix Security Bulletin CTX134303 · vendor_citrix · CVE-2011-2593 [MEDIUM] · CVSS 6.8
CVE References: CVE-2011-2593, CVE-2025-12101, CVE-2025-62626, CVE-2026-23554, CVE-2026-3055, CVE-2026-4368, CVE-2026-4397
Affected Products: Citrix ADM, Citrix Hypervisor, Citrix Virtual Apps and Desktops, Endpoint Management, NetScaler ADC, NetScaler Gateway, XenServer
Citrix
Citrix Security Bulletin CTX128167 · vendor_citrix · CVE-2011-1101 [MEDIUM] · CVSS 6.8
CVE References: CVE-2011-1101, CVE-2025-12101, CVE-2025-62626, CVE-2026-23554, CVE-2026-3055, CVE-2026-4368, CVE-2026-4397
Affected Products: Citrix ADM, Citrix Hypervisor, Citrix Virtual Apps and Desktops, Endpoint Management, NetScaler ADC, NetScaler Gateway, XenServer
Suricata
ET EXPLOIT CA Total Defense Suite SQLi Attempt Inbound (CVE-2011-1653) · suricata · 2025-04-23 · CVE-2011-1653 [CRITICAL] · CVSS 10.0
Rule: alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT CA Total Defense Suite SQLi Attempt Inbound (CVE-2011-1653)"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"modifiedData="; fast_pattern; pcre:"/^.{0,50}\x3b.*?\s[A-Z]{1,20}\s/R"; reference:cve,2011-1653; classtype:web-application-attack; sid:2061826; rev:1; metadata:attack_target Server, created_at 2025_04_23, cve CVE_2011_1653, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Exploit, updated_at 2025_04_23, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
Exploit-DB
WordPress Depicter Plugin 3.6.1 - SQL Injection · exploitdb · 2025-05-09 · CVE-2025-2011 [HIGH] · CVSS 7.5
---
# Exploit Title: WordPress Depicter Plugin 3.6.1 - SQL Injection
# Google Dork: inurl:/wp-content/plugins/depicter/
# Date: 2025-05-06
# Exploit Author: Andrew Long (datagoboom)
# Vendor Homepage: https://wordpress.org/plugins/depicter/
# Software Link: https://downloads.wordpress.org/plugin/depicter.3.6.1.zip
# Version: <= 3.6.1
# Tested on: WordPress 6.x
# CVE: CVE-2025-2011
# Description:
# The Slider & Popup Builder by Depicter plugin for WordPress is vulnerable to SQL Injection via the 's' parameter in all versions up to, and including, 3.6.1.
# The vulnerability exists due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query.
# This makes it possible for unauthentica
Nuclei
Slider & Popup Builder by Depicter <= 3.6.1 - Unauthenticated SQL Injection · nuclei · CVE-2025-2011 [HIGH] · CVSS 7.5
Template:
id: CVE-2025-2011
info:
  name: Slider & Popup Builder by Depicter <= 3.6.1 - Unauthenticated SQL Injection
  author: iamnoooob,rootxharsh,pdresearch
  severity: high
  description: |
    The Slider & Popup Builder by Depicter plugin for WordPress is
Metasploit
WordPress Depicter Plugin SQL Injection (CVE-2025-2011) · metasploit · CVE-2025-2011 [HIGH] · CVSS 7.5
The Slider & Popup Builder by Depicter plugin for WordPress <= 3.6.1 is vulnerable to unauthenticated SQL injection via the 's' parameter in admin-ajax.php.
References:
- https://plugins.trac.wordpress.org/browser/depicter/trunk/app/src/Controllers/Ajax/LeadsAjaxController.php?rev=3156664#L179
- https://plugins.trac.wordpress.org/browser/depicter/trunk/app/src/Controllers/Ajax/LeadsAjaxController.php?rev=3156664#L23
- https://plugins.trac.wordpress.org/browser/depicter/trunk/app/src/Controllers/Ajax/LeadsAjaxController.php?rev=3156664#L49
- https://plugins.trac.wordpress.org/browser/depicter/trunk/app/src/Database/Repository/LeadRepository.php?rev=3156664#L224
- https://plugins.trac.wordpress.org/browser/depicter/trunk/app/src/Services/LeadService.php?rev=3156664#L82
- https://plugins.trac.wordpress.org/changeset/3287525/
- https://wordpress.org/plugins/depicter/#description
- https://www.wordfence.com/threat-intel/vulnerabilities/id/49b36cde-39d8-4a69-8d7c-7b850b76a7cd?source=cve
- https://github.com/datagoboom/CVE-2025-2011