CVE-2022-0479

Severity: Critical · Public PoC available

Published: 28 March 2022
Modified: 21 November 2024
KEV Added: not listed
Patch: available (4.1.1 or later)
CVSS v3.1 score: 9.8 (vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.7637 (99.0th percentile)
Risk priority: 65 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2022-0479 is a critical-severity SQL Injection (CWE-89) vulnerability in Sygnoos Popup Builder. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 1.0% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Deeper analysis

The vulnerability is an SQL injection flaw in the Popup Builder WordPress plugin prior to version 4.1.1. It stems from a lack of sanitization and escaping on the sgpb-subscription-popup-id parameter when the value is incorporated into a SQL statement within the All Subscribers section of the administrative dashboard, and the same issue can be leveraged for reflected cross-site scripting.

An unauthenticated remote attacker can supply a malicious parameter value through a crafted request to the affected dashboard endpoint, enabling execution of arbitrary SQL queries that may result in data exfiltration, modification, or deletion. The reflected XSS vector allows the same payload to target a logged-in administrator who follows a malicious link, potentially leading to session hijacking or administrative account takeover.

The referenced WordPress plugin changeset and WPScan advisory document that the issue is resolved by updating to version 4.1.1 or later, which adds proper input sanitization and escaping for the parameter. The EPSS score has remained at its observed peak of 0.7637 since disclosure.
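To make the fix concrete, the following is an added illustration (not Popup Builder's own code) of the pattern the 4.1.1 update applies: the request parameter is validated and bound through $wpdb->prepare() instead of being concatenated into the query, and escaped again where it is reflected into the page. The table name, function names and capability check are assumptions.

```php
<?php
// Added illustration of the weakness and its fix; not code from Popup Builder.
// The table name, function names and capability check are assumptions.

// Weak form: the request value becomes part of the SQL text as typed, so any
// content that is not a plain integer is interpreted as query syntax.
function sgpb_example_subscribers_unsafe( $wpdb ) {
    $popup_id = isset( $_GET['sgpb-subscription-popup-id'] )
        ? $_GET['sgpb-subscription-popup-id'] : '';
    $sql = "SELECT * FROM {$wpdb->prefix}sgpb_subscribers WHERE popup_id = " . $popup_id;
    return $wpdb->get_results( $sql );
}

// Hardened form: restrict who may call it, coerce the value to a non-negative
// integer, and bind it with %d through $wpdb->prepare(). The value can then only
// ever be data; non-numeric input collapses to 0 and is rejected up front.
function sgpb_example_subscribers_safe( $wpdb ) {
    if ( ! current_user_can( 'manage_options' ) ) {
        return array();
    }
    $popup_id = isset( $_GET['sgpb-subscription-popup-id'] )
        ? absint( wp_unslash( $_GET['sgpb-subscription-popup-id'] ) ) : 0;
    if ( 0 === $popup_id ) {
        return array();
    }
    $sql = $wpdb->prepare(
        "SELECT id, email, popup_id FROM {$wpdb->prefix}sgpb_subscribers WHERE popup_id = %d",
        $popup_id
    );
    return $wpdb->get_results( $sql );
}

// The same parameter was also reflected into the admin page. Escaping at the
// point of output closes the reflected XSS vector independently of the SQL fix.
function sgpb_example_filter_notice( $popup_id ) {
    $popup_id = absint( $popup_id );
    return '<p>' . esc_html( sprintf( 'Showing subscribers for popup #%d', $popup_id ) ) . '</p>';
}
```

The two defences are deliberately separate: prepared statements protect the database regardless of what is later rendered, and output escaping protects the browser regardless of how the query was built.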

Vulnerability details

The Popup Builder WordPress plugin before 4.1.1 does not sanitise and escape the sgpb-subscription-popup-id parameter before using it in a SQL statement in the All Subscribers admin dashboard, leading to a SQL injection, which could also be used to perform a reflected cross-site scripting attack against a logged-in admin opening a malicious link.

CWE(s): CWE-89 (SQL Injection)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: sygnoos
Product: popup builder
Versions: ≤ 4.1.1

Mitigating Controls

Likely mitigating controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

- Addresses CWE-89: penetration testing uses SQL injection payloads against database interfaces, identifying and supporting fixes for SQL injection weaknesses.
- Addresses CWE-89: validates query inputs to prevent SQL syntax or command manipulation.
