CVE-2022-0479
Published: 28 March 2022
Summary
CVE-2022-0479 is a critical-severity SQL Injection (CWE-89) vulnerability in Sygnoos Popup Builder. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 1.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
The vulnerability is an SQL injection flaw in the Popup Builder WordPress plugin prior to version 4.1.1. It stems from a lack of sanitization and escaping on the sgpb-subscription-popup-id parameter when the value is incorporated into a SQL statement within the All Subscribers section of the administrative dashboard, and the same issue can be leveraged for reflected cross-site scripting.
An unauthenticated remote attacker can supply a malicious parameter value through a crafted request to the affected dashboard endpoint, enabling execution of arbitrary SQL queries that may result in data exfiltration, modification, or deletion. The reflected XSS vector allows the same payload to target a logged-in administrator who follows a malicious link, potentially leading to session hijacking or administrative account takeover.
The referenced WordPress plugin changeset and WPScan advisory document that the issue is resolved by updating to version 4.1.1 or later, which adds proper input sanitization and escaping for the parameter. The EPSS score has remained at its observed peak of 0.7637 since disclosure.
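As an added illustration of the bug class described above (not code from Popup Builder or its changeset), the pattern below shows a WordPress admin handler that interpolates a request parameter straight into a `$wpdb` query and echoes it back unescaped, beside a hardened form that casts the value with `absint()`, binds it through `$wpdb->prepare()`, escapes it on output with `esc_html()`, and gates the handler on a capability check. The function names, table name and capability are assumptions.

```php
<?php
// Hypothetical illustration of CWE-89 plus reflected XSS in a WordPress plugin handler.
// Not the plugin's own code. Assumes WordPress globals ($wpdb) and helpers are loaded.

// Vulnerable pattern: the raw request value is concatenated into the SQL string
// and reflected into the page, so one parameter drives both injection vectors.
function list_subscribers_vulnerable() {
    global $wpdb;
    $popup_id = $_GET['sgpb-subscription-popup-id'];           // untrusted, unvalidated
    $sql  = "SELECT id, email FROM {$wpdb->prefix}subscribers "
          . "WHERE popup_id = " . $popup_id;                   // string concatenation into SQL
    $rows = $wpdb->get_results( $sql );
    echo "<h2>Subscribers for popup " . $popup_id . "</h2>";    // reflected without escaping
    return $rows;
}

// Hardened pattern: the parameter is an integer ID, so reject anything else up front,
// bind it with a %d placeholder, escape it on output, and require an admin capability.
function list_subscribers_hardened() {
    global $wpdb;
    if ( ! current_user_can( 'manage_options' ) ) {             // assumed capability for this screen
        return array();
    }
    $popup_id = isset( $_GET['sgpb-subscription-popup-id'] )
        ? absint( wp_unslash( $_GET['sgpb-subscription-popup-id'] ) )
        : 0;
    if ( 0 === $popup_id ) {
        return array();                                         // no valid ID: nothing to query
    }
    $sql  = $wpdb->prepare(
        "SELECT id, email FROM {$wpdb->prefix}subscribers WHERE popup_id = %d",
        $popup_id
    );
    $rows = $wpdb->get_results( $sql );
    echo '<h2>Subscribers for popup ' . esc_html( (string) $popup_id ) . '</h2>';
    return $rows;
}
```

Because the ID is cast to an integer before it reaches the query, the `%d` placeholder and the output escaping together close both the SQL injection and the reflected XSS path the advisory describes.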
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-15617
Vulnerability details
The Popup Builder WordPress plugin before 4.1.1 does not sanitise and escape the sgpb-subscription-popup-id parameter before using it in a SQL statement in the All Subscribers admin dashboard, leading to a SQL injection, which could also be used to perform a Reflected Cross-Site Scripting attack against a logged-in admin opening a malicious link.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls (AI)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.