QwikSec

Security Database

CVE

CWE

Training

CVE-2021-25082

Published: Feb 21, 2022

Modified: Aug 3, 2024

PUBLISHED

Description

The Popup Builder WordPress plugin before 4.0.7 does not validate and sanitise the sgpb_type parameter before using it in a require statement, leading to a Local File Inclusion issue. Furthermore, since the beginning of the string can be controlled, the issue can lead to RCE vulnerability via wrappers such as PHAR

Vendor	Product	Versions
Unknown	Popup Builder – Create highly converting, mobile friendly marketing popups.	affected `4.0.7 - < 4.0.7`

Weaknesses (CWE)

References

https://wpscan.com/vulnerability/0f90f10c-4b0a-46da-ac1f-aa6a03312132

x_refsource_MISC

https://plugins.trac.wordpress.org/changeset/2659117

x_refsource_CONFIRM

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.