CVE-2022-0228
Published: 21 February 2022
Summary
CVE-2022-0228 is a high-severity SQL Injection (CWE-89) vulnerability in Sygnoos Popup Builder. Its CVSS base score is 7.2 (High).
Operationally, it ranks in the top 11.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
The Popup Builder WordPress plugin before version 4.0.7 contains a SQL injection vulnerability tracked as CVE-2022-0228. The flaw arises because the plugin fails to validate or escape the orderby and order parameters before incorporating them into SQL statements executed from the administrative dashboard, corresponding to CWE-89.
High-privilege users with access to the admin dashboard can supply crafted values for these parameters to inject arbitrary SQL. Successful exploitation can result in disclosure, modification, or deletion of database contents, producing a CVSS 3.1 score of 7.2 with high impact across confidentiality, integrity, and availability.
The referenced changesets on the WordPress plugin repository and the WPScan advisory indicate that the issue is resolved by updating to Popup Builder 4.0.7 or later, which adds proper sanitization of the affected parameters. The EPSS score reached a peak of 0.0705 before receding to its current value of 0.0416.
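The pattern the advisory describes, as an added example that is not Popup Builder's own code: the unsafe concatenation of sort parameters beside an allowlist-based hardening. The table and column names (`popups`, `id`, `title`, `created_at`) are assumed for illustration, and since the page only says that 4.0.7 adds sanitization, the allowlist below is the standard defensive form for ORDER BY inputs, not a claim about the exact patch.

```php
<?php
// Illustrative example (not the plugin's code). ORDER BY columns and
// directions are identifiers/keywords, not values, so they cannot be bound
// as query parameters; the defence is to allowlist them (CWE-89 in sort clauses).

// Vulnerable pattern, for contrast: request values interpolated verbatim.
function build_list_query_unsafe(string $orderby, string $order): string {
    // Nothing validates or escapes either value; any SQL fragment passes through.
    return "SELECT id, title FROM popups ORDER BY $orderby $order";
}

// Hardened pattern: map input onto fixed sets of column names and directions.
const SORTABLE_COLUMNS = ['id', 'title', 'created_at']; // assumed column names
const SORT_DIRECTIONS  = ['ASC', 'DESC'];

function sanitize_orderby(?string $orderby): string {
    // Strict comparison; anything not in the allowlist falls back to the default.
    return in_array($orderby, SORTABLE_COLUMNS, true) ? $orderby : 'id';
}

function sanitize_order(?string $order): string {
    $dir = strtoupper((string) $order);
    return in_array($dir, SORT_DIRECTIONS, true) ? $dir : 'ASC';
}

function build_list_query(?string $orderby, ?string $order): string {
    // Only allowlisted tokens ever reach the SQL text, so no escaping is needed.
    $col = sanitize_orderby($orderby);
    $dir = sanitize_order($order);
    return "SELECT id, title FROM popups ORDER BY `$col` $dir";
}

// In a plugin these would come from the admin request, e.g. $_GET['orderby'].
var_dump(build_list_query('title', 'desc'));           // ORDER BY `title` DESC
var_dump(build_list_query('not_a_column', 'sideways')); // falls back to `id` ASC
```

In a WordPress handler the allowlist check belongs before the query string reaches `$wpdb`; placeholder binding is designed for values, which is why sort identifiers need this separate validation step.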
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-15425
Vulnerability details
The Popup Builder WordPress plugin before 4.0.7 does not validate and properly escape the orderby and order parameters before using them in a SQL statement in the admin dashboard, which could allow high privilege users to perform SQL injection.
- CWE(s): CWE-89
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls (AI)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.