Popup Builder < 3.0 - SQL injection via PHP Deserialization



Description
"The Popup Builder plugin 2.2.8 through 2.6.7.6 for WordPress is vulnerable to SQL injection via PHP Deserialization on attacker-controlled data with the attachmentUrl POST variable. This allows creation of an arbitrary WordPress Administrator account, leading to possible Remote Code Execution because Administrators can run PHP code on WordPress instances."

"This issue has been fixed in the 3.x branch of popup-builder. Versions 2.2.8 through 2.5.3 do not need a nonce, however 2.5.4 through 2.6.7.6 would need a valid nonce."
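
For triaging installed copies against the version ranges in the description, the following is an added example and not code from the plugin or the original advisory. The status labels and the sample inventory are constructed for illustration; versions below 3.0 that fall outside the ranges the description lists are reported separately for manual review.

```python
import re

def parse_version(text, width=4):
    """Parse '2.6.7.6' into a zero-padded tuple so '2.5.3' == '2.5.3.0'."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    parts = [int(p) for p in text.split(".")]
    if len(parts) > width:
        raise ValueError(f"too many components: {text!r}")
    return tuple(parts + [0] * (width - len(parts)))

# Boundaries taken from the advisory text; labels below are hypothetical.
NO_NONCE_RANGE = (parse_version("2.2.8"), parse_version("2.5.3"))
NONCE_RANGE = (parse_version("2.5.4"), parse_version("2.6.7.6"))
FIXED_FROM = parse_version("3.0")

def classify(version):
    """Map an installed Popup Builder version to an exposure status."""
    v = parse_version(version)
    if v >= FIXED_FROM:
        return "fixed-branch"
    if NO_NONCE_RANGE[0] <= v <= NO_NONCE_RANGE[1]:
        return "affected-no-nonce-needed"
    if NONCE_RANGE[0] <= v <= NONCE_RANGE[1]:
        return "affected-nonce-needed"
    # Title says "< 3.0" but the description does not list this version.
    return "below-3.0-outside-listed-range"

def triage(inventory):
    """inventory: {site: version string}. Returns {site: status}."""
    results = {}
    for site, version in inventory.items():
        try:
            results[site] = classify(version)
        except ValueError:
            results[site] = "unparseable-version"
    return results

if __name__ == "__main__":
    # Constructed sample inventory, not real sites.
    sample = {"blog.example": "2.4.9", "shop.example": "2.6.7.6",
              "docs.example": "3.1", "old.example": "2.10.0",
              "dev.example": "trunk"}
    for site, status in triage(sample).items():
        print(f"{site:15} {status}")
```

Numeric tuple comparison matters here: a plain string comparison would sort 2.10.0 before 2.6.7.6 and misclassify it.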

Affects Plugin

References

CVE 2020-9006
URL https://zeroauth.ltd/blog/2020/02/16/cve-2020-9006-popup-builder-wp-plugin-sql-injection-via-php-deserialization/

Classification

Type SQLI
OWASP Top 10 A1: Injection
CWE CWE-89

Miscellaneous

Original Researcher ZeroAuth
Verified No
WPVDB ID 10073

Timeline

Publicly Published 2020-02-16
Added 2020-02-17
Last Updated 2020-02-18
