CVE-2021-25082: Path Traversal
First published: Mon Feb 21 2022(Updated: )
The Popup Builder WordPress plugin before 4.0.7 does not validate and sanitise the sgpb_type parameter before using it in a require statement, leading to a Local File Inclusion issue. Furthermore, since the beginning of the string can be controlled, the issue can lead to RCE vulnerability via wrappers such as PHAR
Credit: contact@wpscan.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Sygnoos Popup Builder | <4.0.7 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the vulnerability ID for the Popup Builder WordPress plugin issue?
The vulnerability ID for the Popup Builder WordPress plugin issue is CVE-2021-25082.
What is the severity rating for CVE-2021-25082?
CVE-2021-25082 has a severity rating of 8.8 (High).
What is the affected software version for CVE-2021-25082?
The affected software version for CVE-2021-25082 is Popup Builder plugin before 4.0.7.
What is the CVE CWE ID for Popup Builder vulnerability?
The CVE CWE ID for Popup Builder vulnerability is CWE-22.
How can I fix the Popup Builder vulnerability?
To fix the Popup Builder vulnerability, update the plugin to version 4.0.7 or later.
- collector/nvd-index
- vendor/sygnoos
- canonical/sygnoos popup builder