First published: Mon Mar 28 2022(Updated: )
The Popup Builder WordPress plugin before 4.1.1 does not sanitise and escape the sgpb-subscription-popup-id parameter before using it in a SQL statement in the All Subscribers admin dashboard, leading to a SQL injection, which could also be used to perform Reflected Cross-Site Scripting attack against a logged in admin opening a malicious link
Credit: contact@wpscan.com
Affected Software | Affected Version | How to fix |
---|---|---|
Sygnoos Popup Builder | <4.1.1 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
CVE-2022-0479 is a vulnerability in the Popup Builder WordPress plugin before version 4.1.1.
CVE-2022-0479 has a severity rating of 9.8 (Critical).
The affected software is the Popup Builder WordPress plugin before version 4.1.1.
CVE-2022-0479 can be exploited through a SQL injection attack on the All Subscribers admin dashboard.
To fix CVE-2022-0479, update the Popup Builder WordPress plugin to version 4.1.1 or later.