Popup Builder <= 4.0.6 is vulnerable to SQL Injection (SQLi)

Administrator
Published
2022-01-23

The Popup Builder WordPress plugin before 4.0.7 does not validate or properly escape the orderby and order parameters before using them in a SQL statement in the admin dashboard, which could allow high-privilege users to perform SQL injection.

CVSS

Score: 7.2

Severity: High

Version: 4.0.6

There is a patch available in v4.0.7 and we strongly recommend you update to this version as soon as possible.
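
The kind of validation the description says was missing for orderby and order, as an added example. This is not Popup Builder's code or its 4.0.7 patch; the function name, column names and sample requests are constructed for illustration.

```php
<?php
// Added example with hypothetical names; not taken from the plugin.

// Allow-list: accepted request value => real column name (constructed).
const SORTABLE_COLUMNS = [
    'id'    => 'id',
    'title' => 'post_title',
    'date'  => 'post_date',
];

/**
 * Build an ORDER BY clause from untrusted request parameters.
 * Column names and ASC/DESC cannot be bound as placeholders in a prepared
 * statement, so escaping is not enough: both are mapped through fixed lists
 * and the request value itself never reaches the SQL string.
 */
function build_order_clause(array $request): string
{
    $orderby = $request['orderby'] ?? '';
    $order   = $request['order'] ?? '';

    // Non-string input (e.g. orderby[]=x) or an unknown key falls back to 'id'.
    if (!is_string($orderby) || !array_key_exists($orderby, SORTABLE_COLUMNS)) {
        $orderby = 'id';
    }
    $column = SORTABLE_COLUMNS[$orderby];

    // Only an exact, case-insensitive "desc" selects DESC; anything else is ASC.
    $direction = (is_string($order) && strtoupper($order) === 'DESC') ? 'DESC' : 'ASC';

    return "ORDER BY `{$column}` {$direction}";
}

// Constructed sample requests: one valid, three malformed.
$samples = [
    ['orderby' => 'title', 'order' => 'desc'],
    ['orderby' => 'post_title, 1', 'order' => 'asc'],
    ['orderby' => ['x'], 'order' => 'DESC, 2'],
    [],
];
foreach ($samples as $sample) {
    echo json_encode($sample), ' => ', build_order_clause($sample), PHP_EOL;
}
```

Only the first sample produces a caller-chosen sort; the other three fall back to the fixed default of id ascending.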