Exploitation Summary
CVE-2022-0228 has a Nuclei detection template available — see the Nuclei card below for the Shodan/FOFA recon queries.
Description
The Popup Builder WordPress plugin before 4.0.7 does not validate and properly escape the orderby and order parameters before using them in a SQL statement in the admin dashboard, which could allow high privilege users to perform SQL injection
Nuclei Templates (1)
Popup Builder < 4.0.7 - SQL Injection
HIGHVERIFIEDby r3Y3r53
Shodan:
http.html:/wp-content/plugins/popup-builder/
FOFA:
body=/wp-content/plugins/popup-builder/
References (2)
Core 2
Core References
Release Notes, Third Party Advisory x_refsource_confirm
https://plugins.trac.wordpress.org/changeset/2659117
Exploit, Third Party Advisory x_refsource_misc
https://wpscan.com/vulnerability/22facac2-52f4-4e5f-be59-1d2934b260d9
Scores
CVSS v3
7.2
EPSS
0.0584
EPSS Percentile
92.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-89
Status
published
Products (1)
sygnoos/popup_builder
< 4.0.7
Published
Feb 21, 2022
Tracked Since
Feb 18, 2026