S4E

CVE-2022-0479 Scanner

CVE-2022-0479 Scanner - SQL Injection & XSS vulnerability in Popup Builder Plugin

Short Info

Level: Critical
Single Scan: Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 2 weeks 14 hours
Scan only one: Domain, IPv4
Toolbox: -

The Popup Builder Plugin is a popular WordPress plugin used to create and manage popups for websites. It is widely used by website administrators to engage users through promotional offers, subscriptions, and other interactive content. The plugin integrates seamlessly with WordPress and offers flexibility for customizing popup designs and behavior. However, like other WordPress plugins, its security is critical to maintaining the safety and integrity of websites.

This scanner identifies a SQL Injection vulnerability in the Popup Builder Plugin (CVE-2022-0479), which allows attackers to execute unauthorized SQL queries. By exploiting this vulnerability, attackers can manipulate database queries to disclose sensitive information or corrupt data. The attack goes through the sgpb-subscription-popup-id parameter, exposing WordPress sites to significant security risk. The scanner also detects a Reflected Cross-Site Scripting (XSS) vulnerability in the same parameter.

The SQL Injection vulnerability stems from improper sanitization of user inputs in the sgpb-subscription-popup-id parameter. Malicious actors can insert custom SQL queries via this parameter, potentially leading to unauthorized access or data modification. Additionally, the reflected XSS flaw allows injecting malicious scripts into web pages, enabling further exploitation. The scanner inspects requests and server responses to verify the vulnerability's presence.

Exploiting this vulnerability can result in unauthorized database access, exposure of confidential information, or corruption of website data. It could also facilitate phishing attacks, redirect users to malicious websites, or lead to a takeover of the WordPress site. The reflected XSS vulnerability can enable attackers to perform actions on behalf of unsuspecting users or steal sensitive data.
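As an added, defender-side illustration (not part of the S4E scanner or the plugin's code): a small Python check that reads web-server access-log lines and flags requests whose sgpb-subscription-popup-id value is not a plain integer, which is assumed here to be the only legitimate form of a popup id. The log lines are constructed samples, not real traffic.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Constructed sample access-log lines (common log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [01/Mar/2022:10:00:01 +0000] "GET /?sgpb-subscription-popup-id=12 HTTP/1.1" 200 512
203.0.113.11 - - [01/Mar/2022:10:00:02 +0000] "GET /?sgpb-subscription-popup-id=12%27 HTTP/1.1" 200 512
203.0.113.12 - - [01/Mar/2022:10:00:03 +0000] "GET /?sgpb-subscription-popup-id=12%3Cb%3E HTTP/1.1" 200 512
203.0.113.13 - - [01/Mar/2022:10:00:04 +0000] "GET /wp-login.php HTTP/1.1" 200 1024
"""

# Parameter named on the page; a legitimate popup id is assumed to be digits only.
PARAM = "sgpb-subscription-popup-id"
INT_RE = re.compile(r"^\d+$")
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d+)'
)


def suspicious_requests(log_text):
    """Return (client ip, decoded value) for each request whose popup id is not a plain integer."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse as a request record
        query = urlsplit(m.group("path")).query
        for value in parse_qs(query, keep_blank_values=True).get(PARAM, []):
            # parse_qs decodes once; decode again so double-encoded values are judged on their real form
            decoded = unquote_plus(value)
            if not INT_RE.match(decoded):
                hits.append((m.group("ip"), decoded))
    return hits


if __name__ == "__main__":
    for ip, value in suspicious_requests(SAMPLE_LOG):
        print(f"{ip} sent non-numeric {PARAM}={value!r}")
```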
