CVE-2020-9006

CRITICAL

Popup Builder 2.2.8-2.6.7.6 - SQL Injection via PHP Deserialization in sgImportPopups

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2020-9006. PoCs published by s3rgeym.

AI-analyzed exploit summary This repository contains a functional exploit for CVE-2020-9006, which targets a PHP deserialization vulnerability in the WordPress Popup-Builder plugin. The exploit generates a serialized payload to create an admin user via SQL injection, leveraging WordPress's md5 password hashing mechanism.

Description

The Popup Builder plugin 2.2.8 through 2.6.7.6 for WordPress is vulnerable to SQL injection (in the sgImportPopups function in sg_popup_ajax.php) via PHP Deserialization on attacker-controlled data with the attachmentUrl POST variable. This allows creation of an arbitrary WordPress Administrator account, leading to possible Remote Code Execution because Administrators can run PHP code on Wordpress instances. (This issue has been fixed in the 3.x branch of popup-builder.)

Exploits (1)

nomisec WORKING POC
by s3rgeym · poc
https://github.com/s3rgeym/cve-2020-9006

This repository contains a functional exploit for CVE-2020-9006, which targets a PHP deserialization vulnerability in the WordPress Popup-Builder plugin. The exploit generates a serialized payload to create an admin user via SQL injection, leveraging WordPress's md5 password hashing mechanism.

Classification
Working Poc 95%
Attack Type
Deserialization
Complexity
Moderate
Reliability
Reliable
Target: WordPress Popup-Builder Plugin
No auth needed
Prerequisites: Access to the target WordPress site · Popup-Builder plugin installed and vulnerable
mistral-large-3 · analyzed Feb 18, 2026 Full analysis →

References (4)

Core 4

Scores

CVSS v3 9.8
EPSS 0.0856
EPSS Percentile 94.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-502 CWE-89
Status published
Products (1)
sygnoos/popup_builder 2.2.8 - 2.6.7.6
Published Feb 17, 2020
Tracked Since Feb 18, 2026