CVE-2020-9006

CRITICAL

Sygnoos Popup Builder < 2.6.7.6 - Insecure Deserialization

Title source: rule

Description

The Popup Builder plugin 2.2.8 through 2.6.7.6 for WordPress is vulnerable to SQL injection (in the sgImportPopups function in sg_popup_ajax.php) via PHP Deserialization on attacker-controlled data with the attachmentUrl POST variable. This allows creation of an arbitrary WordPress Administrator account, leading to possible Remote Code Execution because Administrators can run PHP code on Wordpress instances. (This issue has been fixed in the 3.x branch of popup-builder.)

Exploits (1)

nomisec WORKING POC

by s3rgeym · poc

https://github.com/s3rgeym/cve-2020-9006

View Code ZIP pw:eip

References (4)

[Exploit, Third Party Advisory] https://plugins.trac.wordpress.org/browser/popup-builder/tags/2.2.8/files/sg_popup_ajax.php#L69

[Release Notes] https://wordpress.org/plugins/popup-builder/#developers

[Third Party Advisory] https://wpvulndb.com/vulnerabilities/10073

[Exploit, Third Party Advisory] https://zeroauth.ltd/blog/2020/02/16/cve-2020-9006-popup-builder-wp-plugin-sql-injection-via-php-deserialization/

Scores

CVSS v3 9.8

EPSS 0.4125

EPSS Percentile 97.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Classification

CWE

CWE-502 CWE-89

Status published

Affected Products (1)

sygnoos/popup_builder < 2.6.7.6

Timeline

Published Feb 17, 2020

Tracked Since Feb 18, 2026