Description
The Popup builder with Gamification, Multi-Step Popups, Page-Level Targeting, and WooCommerce Triggers plugin for WordPress is vulnerable to SQL Injection in all versions up to, and including, 2.1.3. This is due to insufficient escaping on the 'id' parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Published: 2025-10-09
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthenticated SQL Injection leading to information disclosure
Action: Immediate Patch
AI Analysis

Impact

The Popup Builder with Gamification, Multi‑Step Popups, Page‑Level Targeting, and WooCommerce Triggers plugin for WordPress is vulnerable to unauthenticated SQL injection through the ‘id’ parameter. The flaw stems from insufficient escaping and the absence of prepared statements in the existing SQL query, allowing an attacker to append arbitrary SQL code. The resulting impact is the extraction of sensitive database information, as the plugin does not restrict or validate the parameter value.

Affected Systems

The vulnerability affects the WordPress plugin developed by roxnor, known as “Popup Builder with Gamification, Multi‑Step Popups, Page‑Level Targeting, and WooCommerce Triggers.” Versions up to and including 2.1.3 are impacted; any deployment running one of these versions is susceptible.

Risk and Exploitability

The CVSS score of 7.5 indicates a high severity. The EPSS score of less than 1% suggests a low probability of exploitation currently, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is a remote HTTP request to the plugin’s endpoint; by sending a crafted ‘id’ value an unauthenticated attacker can execute arbitrary SQL commands and read database contents.

Generated by OpenCVE AI on April 22, 2026 at 13:12 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Popup Builder plugin to a version newer than 2.1.3
  • If an immediate upgrade is not possible, restrict access to the plug‑in’s ‘id’ parameter by blocking or validating incoming requests through a web application firewall
  • Ensure that the WordPress installation and all other plugins are kept current to reduce the overall attack surface

Generated by OpenCVE AI on April 22, 2026 at 13:12 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 09 Oct 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 09 Oct 2025 13:00:00 +0000

Type Values Removed Values Added
First Time appeared Roxnor
Roxnor popup Builder
Woocommerce
Woocommerce woocommerce
Wordpress
Wordpress wordpress
Vendors & Products Roxnor
Roxnor popup Builder
Woocommerce
Woocommerce woocommerce
Wordpress
Wordpress wordpress

Thu, 09 Oct 2025 08:30:00 +0000

Type Values Removed Values Added
Description The Popup builder with Gamification, Multi-Step Popups, Page-Level Targeting, and WooCommerce Triggers plugin for WordPress is vulnerable to SQL Injection in all versions up to, and including, 2.1.3. This is due to insufficient escaping on the 'id' parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Title Popup builder with Gamification, Multi-Step Popups, Page-Level Targeting, and WooCommerce Triggers <= 2.1.3 - Unauthenticated SQL Injection via 'id'
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

Subscriptions

Roxnor Popup Builder
Woocommerce Woocommerce
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:09:46.727Z

Reserved: 2025-09-22T22:58:28.462Z

Link: CVE-2025-10862

cve-icon Vulnrichment

Updated: 2025-10-09T15:05:09.170Z

cve-icon NVD

Status : Deferred

Published: 2025-10-09T09:15:45.080

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-10862

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T13:15:17Z

Weaknesses