Vulnerability Description
The Popup Builder WordPress plugin before 4.0.7 does not validate and sanitise the sgpb_type parameter before using it in a require statement, leading to a Local File Inclusion issue. Furthermore, since the beginning of the string can be controlled, the issue can lead to an RCE vulnerability via wrappers such as PHAR.
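The pattern behind this class of bug, and the fix a maintainer would apply, shown as an added illustration in PHP. This is not Popup Builder's code; the function names, the `POPUP_TYPES` map and the `popups/` directory are assumptions. The unsafe function mirrors what the description says (the request value forms the start of the path handed to `require`, so both other files on disk and stream wrappers become reachable); the safe version maps the value through a fixed allowlist so the included path is built only from constants.

```php
<?php
// Added example (not the plugin's own code). Names below are assumptions.

// Unsafe pattern as described in the advisory: the request parameter is used
// at the beginning of the string passed to require, without validation, so the
// caller decides which file (or which stream wrapper) gets included.
function load_popup_type_unsafe(string $type): void
{
    require $type . 'Popup.php';
}

// Hardened form: an allowlist of known popup types. The request value is only
// ever used as a lookup key; the path comes from the map, never from input.
const POPUP_TYPES = [
    'image' => 'ImagePopup.php',
    'html'  => 'HtmlPopup.php',
    'video' => 'VideoPopup.php',
];

// Returns the absolute path for a known type, or null for anything else
// (unknown names, traversal attempts, wrapper prefixes all fall out here).
function resolve_popup_type_file(?string $type): ?string
{
    if ($type === null || !array_key_exists($type, POPUP_TYPES)) {
        return null;
    }
    return __DIR__ . '/popups/' . POPUP_TYPES[$type];
}

// Includes the resolved file and reports whether anything was loaded.
function load_popup_type_safe(?string $type): bool
{
    $file = resolve_popup_type_file($type);
    if ($file === null || !is_file($file)) {
        return false;
    }
    require $file;
    return true;
}

// Usage in a request handler (constructed input for illustration):
// $type = isset($_GET['sgpb_type']) ? (string) $_GET['sgpb_type'] : null;
// if (!load_popup_type_safe($type)) { http_response_code(400); }
```

An allowlist is preferable to character stripping here: a filter such as WordPress's `sanitize_key()` removes slashes and dots, which blocks traversal and the `phar://` prefix, but it would still let a caller name any file that happens to sit in the include directory. Looking the value up in a fixed map removes that residual choice entirely, and the `is_file()` check keeps a typo in the map from turning into a fatal error at request time.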
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Sygnoos | Popup Builder | < 4.0.7 |
Related Weaknesses (CWE)
References
- https://plugins.trac.wordpress.org/changeset/2659117 (Release Notes, Third Party Advisory)
- https://wpscan.com/vulnerability/0f90f10c-4b0a-46da-ac1f-aa6a03312132 (Exploit, Third Party Advisory)
FAQ
What is CVE-2021-25082?
CVE-2021-25082 is a vulnerability with a CVSS score of 8.8 (HIGH). The Popup Builder WordPress plugin before 4.0.7 does not validate and sanitise the sgpb_type parameter before using it in a require statement, leading to a Local File Inclusion issue. Furthermore, sin...
How severe is CVE-2021-25082?
CVE-2021-25082 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2021-25082?
Check the references section above for vendor advisories and patch information. Affected products include: Sygnoos Popup Builder.