CVE-2022-0228

Severity: High · Public PoC

Published: 21 February 2022
Modified: 21 November 2024
KEV Added: not listed
Patch: Popup Builder 4.0.7 or later
CVSS Score v3.1: 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0416 (88.9th percentile)
Risk Priority: 17 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-0228 is a high-severity SQL Injection (CWE-89) vulnerability in Sygnoos Popup Builder. Its CVSS base score is 7.2 (High).

Operationally, this CVE ranks in the top 11.1% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Deeper analysis

The Popup Builder WordPress plugin before version 4.0.7 contains a SQL injection vulnerability tracked as CVE-2022-0228. The flaw arises because the plugin neither validates nor escapes the orderby and order parameters before incorporating them into SQL statements executed from the administrative dashboard, corresponding to CWE-89. Because ORDER BY column names and sort directions are SQL identifiers and keywords rather than bound values, they cannot be protected by parameter binding alone; they must be checked against a fixed set of permitted values.

High-privilege users with access to the admin dashboard can supply crafted values for these parameters to inject arbitrary SQL. Successful exploitation can result in disclosure, modification, or deletion of database contents, producing a CVSS 3.1 score of 7.2 with high impact across confidentiality, integrity, and availability.

The referenced changesets on the WordPress plugin repository and the WPScan advisory indicate that the issue is resolved by updating to Popup Builder 4.0.7 or later, which adds proper sanitization of the affected parameters. The EPSS score reached a peak of 0.0705 before receding to its current value of 0.0416.
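The pattern described above, shown as an added illustration rather than Popup Builder's own code: the unsafe construction of the ORDER BY clause from request parameters next to an allowlisted replacement. The table name `example_popups`, the column allowlist, and the function names are assumptions; `$wpdb`, `ARRAY_A` and `current_user_can()` are the standard WordPress APIs.

```php
<?php
// Added example, not code from the Popup Builder plugin. Table and column
// names are assumptions chosen for illustration.

// VULNERABLE: orderby/order are interpolated unvalidated. ORDER BY takes
// identifiers and keywords, which prepare() placeholders cannot bind, so
// the caller's input becomes part of the statement structure.
function popups_list_vulnerable(wpdb $wpdb, array $request): array {
    $orderby = $request['orderby'] ?? 'id';
    $order   = $request['order'] ?? 'DESC';
    $sql = "SELECT id, title FROM {$wpdb->prefix}example_popups ORDER BY $orderby $order";
    return $wpdb->get_results($sql, ARRAY_A);
}

// HARDENED: map both parameters onto a fixed allowlist (request key => real
// column), fall back to a safe default for anything else, and bind the only
// true value (LIMIT) with prepare(). Anything outside the allowlist never
// reaches the query text.
const POPUPS_ORDERBY_ALLOWLIST = [
    'id'      => 'id',
    'title'   => 'title',
    'created' => 'created_at',
];

function popups_sort_clause(?string $orderby, ?string $order): string {
    $column    = POPUPS_ORDERBY_ALLOWLIST[strtolower((string) $orderby)] ?? 'id';
    $direction = strtoupper((string) $order) === 'ASC' ? 'ASC' : 'DESC';
    return "ORDER BY `$column` $direction";
}

function popups_list_hardened(wpdb $wpdb, array $request, int $limit = 20): array {
    // The advisory's affected path is the admin dashboard; keep the
    // capability check explicit rather than relying on page placement.
    if (!current_user_can('manage_options')) {
        return [];
    }
    $sort = popups_sort_clause($request['orderby'] ?? null, $request['order'] ?? null);
    $sql  = $wpdb->prepare(
        "SELECT id, title FROM {$wpdb->prefix}example_popups $sort LIMIT %d",
        max(1, $limit)
    );
    return $wpdb->get_results($sql, ARRAY_A);
}
```

A request such as `?orderby=created&order=asc` yields `ORDER BY \`created_at\` ASC` in the hardened version, while any unrecognised value silently degrades to `ORDER BY \`id\` DESC`.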

Vulnerability details

The Popup Builder WordPress plugin before 4.0.7 does not validate and properly escape the orderby and order parameters before using them in a SQL statement in the admin dashboard, which could allow high privilege users to perform SQL injection.

CWE(s): CWE-89 (SQL Injection)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Sygnoos Popup Builder, versions ≤ 4.0.7

Mitigating Controls

Likely Mitigating Controls

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

- Penetration testing (addresses CWE-89): uses SQL injection payloads against database interfaces, identifying and supporting fixes for SQL injection weaknesses.
- Input validation (addresses CWE-89): validates query inputs to prevent SQL syntax or command manipulation.
