CVE-2020-9006

high-risk
Published 2020-02-17

The Popup Builder plugin 2.2.8 through 2.6.7.6 for WordPress is vulnerable to SQL injection (in the sgImportPopups function in sg_popup_ajax.php) via PHP Deserialization on attacker-controlled data with the attachmentUrl POST variable. This allows creation of an arbitrary WordPress Administrator account, leading to possible Remote Code Execution because Administrators can run PHP code on Wordpress instances. (This issue has been fixed in the 3.x branch of popup-builder.)

Do I need to act?

!
41.3% chance of exploitation in next 30 days
EPSS score — higher than 59% of all CVEs
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
9
CVSS 9.8/10 Critical
NETWORK / LOW complexity

Affected Products (1)

Affected Vendors

Sygnoos

References (8)

Exploit https://plugins.trac.wordpress.org/browser/popup-builder/tags/2.2.8/files/sg_pop...
Release Notes https://wordpress.org/plugins/popup-builder/#developers
Third Party Advisory https://wpvulndb.com/vulnerabilities/10073
Exploit https://zeroauth.ltd/blog/2020/02/16/cve-2020-9006-popup-builder-wp-plugin-sql-i...
Exploit https://plugins.trac.wordpress.org/browser/popup-builder/tags/2.2.8/files/sg_pop...
Release Notes https://wordpress.org/plugins/popup-builder/#developers
Third Party Advisory https://wpvulndb.com/vulnerabilities/10073
Exploit https://zeroauth.ltd/blog/2020/02/16/cve-2020-9006-popup-builder-wp-plugin-sql-i...
54
/ 100
high-risk
Severity 32/34 · Critical
Exploitability 17/34 · Moderate
Exposure 5/34 · Minimal