CVE-2022-0479

Name of the Vulnerable Software and Affected Versions Popup Builder WordPress plugin versions prior to 4.1.1

Description The issue arises from the lack of sanitization and escaping of the sgpb-subscription-popup-id parameter before its use in a SQL statement within the All Subscribers admin dashboard. This oversight leads to a SQL injection vulnerability, which can also facilitate a Reflected Cross-Site Scripting attack against a logged-in admin who opens a malicious link.

Recommendations For versions prior to 4.1.1, update to version 4.1.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the All Subscribers admin dashboard to minimize the risk of exploitation. Avoid using the sgpb-subscription-popup-id parameter in the affected SQL statement until the issue is resolved.