CVE-2021-25082
Severity: HIGH | Exploited in the wild | Nuclei template available
Popup Builder WordPress < 4.0.7 - Code Injection
Title source: LLM
Exploitation Summary
CVE-2021-25082 has been observed exploited in the wild (reported by VulnCheck KEV). A Nuclei detection template is also available.
Description
The Popup Builder WordPress plugin before 4.0.7 does not validate and sanitise the sgpb_type parameter before using it in a require statement, leading to a Local File Inclusion issue. Furthermore, since the beginning of the string can be controlled, the issue can lead to an RCE vulnerability via wrappers such as PHAR.
Nuclei Templates (1)
WordPress Popup Builder < 4.0.7 - Remote Code Execution
Severity: CRITICAL | Verified | Author: 0x_Akoko
References (2)
Core References
Exploit, Third Party Advisory (x_refsource_misc)
https://wpscan.com/vulnerability/0f90f10c-4b0a-46da-ac1f-aa6a03312132
Release Notes, Third Party Advisory (x_refsource_confirm)
https://plugins.trac.wordpress.org/changeset/2659117
Scores
CVSS v3
8.8
EPSS
0.0537
EPSS Percentile
91.6%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Details
VulnCheck KEV
2022-12-19
CWE
CWE-22
Status
published
Products (1)
sygnoos/popup_builder
< 4.0.7
Published
Feb 21, 2022
Tracked Since
Feb 18, 2026