CVE-2022-0479 – Popup Builder < 4.1.1 - SQL Injection to Reflected Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2022-0479
The Popup Builder WordPress plugin before 4.1.1 does not sanitise and escape the sgpb-subscription-popup-id parameter before using it in a SQL statement in the All Subscribers admin dashboard, leading to a SQL injection, which could also be used to perform a Reflected Cross-Site Scripting attack against a logged-in admin who opens a malicious link.
• https://plugins.trac.wordpress.org/changeset/2686454
• https://wpscan.com/vulnerability/0d2bbbaf-fbfd-4921-ba4e-684e2e77e816
• CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2021-25082 – Popup Builder < 4.0.7 - LFI to RCE
https://notcve.org/view.php?id=CVE-2021-25082
The Popup Builder WordPress plugin before 4.0.7 does not validate and sanitise the sgpb_type parameter before using it in a require statement, leading to a Local File Inclusion issue. Furthermore, since the beginning of the string can be controlled, the issue can lead to RCE via wrappers such as PHAR.
• https://plugins.trac.wordpress.org/changeset/2659117
• https://wpscan.com/vulnerability/0f90f10c-4b0a-46da-ac1f-aa6a03312132
• CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
• CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
CVE-2022-0228 – Popup Builder < 4.0.7 - Admin+ SQL Injection
https://notcve.org/view.php?id=CVE-2022-0228
The Popup Builder WordPress plugin before 4.0.7 does not validate and properly escape the orderby and order parameters before using them in a SQL statement in the admin dashboard, which could allow high-privilege users to perform SQL injection.
• https://plugins.trac.wordpress.org/changeset/2659117
• https://wpscan.com/vulnerability/22facac2-52f4-4e5f-be59-1d2934b260d9
• CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2021-24152 – Popup Builder < 3.74 - Authenticated Reflected Cross-Site Scripting (XSS)
https://notcve.org/view.php?id=CVE-2021-24152
The "All Subscribers" setting page of Popup Builder was vulnerable to reflected Cross-Site Scripting.
• https://wpscan.com/vulnerability/597e9686-f4e2-43bf-85ef-c5967e5652bd
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-10196 – Popup Builder <= 3.63 - Unauthenticated Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2020-10196
An XSS vulnerability in the popup-builder plugin before 3.64.1 for WordPress allows remote attackers to inject arbitrary JavaScript into existing popups via an unsecured AJAX action in com/classes/Ajax.php. It is possible for an unauthenticated attacker to insert malicious JavaScript in several of the popup's fields by sending a request to wp-admin/admin-ajax.php with the POST action parameter of sgpb_autosave and including additional data in an allPopupData parameter, including the popup's ID (which is visible in the source of the page in which the popup is inserted) and arbitrary JavaScript, which will then be executed in the browsers of visitors to that page. Because the plugin functionality automatically adds script tags to data entered into these fields, this injection will typically bypass most WAF applications.
• https://wpvulndb.com/vulnerabilities/10127
• https://www.wordfence.com/blog/2020/03/vulnerabilities-patched-in-popup-builder-plugin-affecting-over-100000-sites
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')