CVE-2021-25082

HIGH EXPLOITED NUCLEI

Popup Builder WordPress <4.0.7 - Code Injection

Title source: llm

Description

The Popup Builder WordPress plugin before 4.0.7 does not validate and sanitise the sgpb_type parameter before using it in a require statement, leading to a Local File Inclusion issue. Furthermore, since the beginning of the string can be controlled, the issue can lead to an RCE vulnerability via wrappers such as PHAR.

Nuclei Templates (1)

WordPress Popup Builder < 4.0.7 - Remote Code Execution
CRITICAL VERIFIED by 0x_Akoko

Scores

CVSS v3 8.8
EPSS 0.1989
EPSS Percentile 95.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

VulnCheck KEV 2022-12-19
CWE
CWE-22
Status published
Products (1)
sygnoos/popup_builder < 4.0.7
Published Feb 21, 2022
Tracked Since Feb 18, 2026