CVE-2020-9006

Exploit

EPSS 41.25%
Veröffentlicht 17.02.2020 15:15:12
Zuletzt bearbeitet 21.11.2024 05:39:49
Quelle cve@mitre.org
CVE-Watchlists
Login
Unerledigt
Login

Popup Builder 2.2.8 - 2.6.7.6 - PHP Object Injection

The Popup Builder plugin 2.2.8 through 2.6.7.6 for WordPress is vulnerable to SQL injection (in the sgImportPopups function in sg_popup_ajax.php) via PHP Deserialization on attacker-controlled data with the attachmentUrl POST variable. This allows creation of an arbitrary WordPress Administrator account, leading to possible Remote Code Execution because Administrators can run PHP code on Wordpress instances. (This issue has been fixed in the 3.x branch of popup-builder.)

Mögliche Gegenmaßnahme

Popup Builder – Create highly converting, mobile friendly marketing popups.: Update to version 3.0, or a newer patched version

Betroffene Produkte Warnungen 0 Metriken 3 CWE 2 Referenzen 8

Weitere Schwachstelleninformationen

SystemWordPress Plugin

≫

Produkt Popup Builder – Create highly converting, mobile friendly marketing popups.

Version 2.2.8-2.6.7.6

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Sygnoos ≫ Popup Builder SwPlatformwordpress Version >= 2.2.8 <= 2.6.7.6

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	41.25%	0.973

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov	7.5	10	6.4	AV:N/AC:L/Au:N/C:P/I:P/A:P

CWE-502 Deserialization of Untrusted Data

The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

https://wordpress.org/plugins/popup-builder/#developers

Release Notes

https://plugins.trac.wordpress.org/browser/popup-builder/tags/2.2.8/files/sg_popup_ajax.php#L69

Third Party Advisory

Exploit

https://wpvulndb.com/vulnerabilities/10073

Third Party Advisory

https://zeroauth.ltd/blog/2020/02/16/cve-2020-9006-popup-builder-wp-plugin-sql-injection-via-php-deserialization/

Third Party Advisory

Exploit

https://www.wordfence.com/threat-intel/vulnerabilities/id/470fbac6-45bf-400e-b415-32e7989abbad

Third Party Advisory