CVE-2020-9006

Опубликовано: 17 фев. 2020

Источник: nvd

CVSS3: 9.8

CVSS2: 7.5

EPSS Средний

Описание

The Popup Builder plugin 2.2.8 through 2.6.7.6 for WordPress is vulnerable to SQL injection (in the sgImportPopups function in sg_popup_ajax.php) via PHP Deserialization on attacker-controlled data with the attachmentUrl POST variable. This allows creation of an arbitrary WordPress Administrator account, leading to possible Remote Code Execution because Administrators can run PHP code on Wordpress instances. (This issue has been fixed in the 3.x branch of popup-builder.)

Ссылки

https://plugins.trac.wordpress.org/browser/popup-builder/tags/2.2.8/files/sg_popup_ajax.php#L69
Exploit
Third Party Advisory
https://wordpress.org/plugins/popup-builder/#developers
Release Notes
https://wpvulndb.com/vulnerabilities/10073
Third Party Advisory
https://zeroauth.ltd/blog/2020/02/16/cve-2020-9006-popup-builder-wp-plugin-sql-injection-via-php-deserialization/
Exploit
Third Party Advisory
https://plugins.trac.wordpress.org/browser/popup-builder/tags/2.2.8/files/sg_popup_ajax.php#L69
Exploit
Third Party Advisory
https://wordpress.org/plugins/popup-builder/#developers
Release Notes
https://wpvulndb.com/vulnerabilities/10073
Third Party Advisory
https://zeroauth.ltd/blog/2020/02/16/cve-2020-9006-popup-builder-wp-plugin-sql-injection-via-php-deserialization/
Exploit
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:sygnoos:popup_builder:*:*:*:*:*:wordpress:*:*

Версия от 2.2.8 (включая) до 2.6.7.6 (включая)

EPSS

Процентиль: 97%

0.41252

Средний

9.8 Critical

CVSS3

7.5 High

CVSS2

Дефекты

CWE-89

Связанные уязвимости

GHSA-7w63-rpf8-69q7

github

больше 3 лет назад