CVE-2021-25082

CVE-2021-25082: Popup Builder < 4.0.7 - LFI to RCE

Vendor Unknown
Product Popup Builder – Create highly converting, mobile friendly marketing popups.
Weakness CWE-22 · Path traversal
Published February 21, 2022
Last update August 3, 2024

CVSS base score

What the vulnerability does

01Description

The Popup Builder WordPress plugin before 4.0.7 does not validate and sanitise the sgpb_type parameter before using it in a require statement, leading to a Local File Inclusion issue. Furthermore, since the beginning of the string can be controlled, the issue can lead to RCE vulnerability via wrappers such as PHAR

Key dates

02Disclosure timeline

February 21, 2022 CVE published
August 3, 2024 Record updated