Description
The Popup builder with Gamification, Multi-Step Popups, Page-Level Targeting, and WooCommerce Triggers plugin for WordPress is vulnerable to generic SQL Injection via the multiple REST API endpoints in all versions up to, and including, 2.2.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Vulnerability was patched in version 2.2.1 for unauthenticated users, and fully patched in version 2.2.3 for Administrator+ level users.
Published: 2026-02-04
Score: 8.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthenticated SQL Injection via REST API endpoints leading to data exposure
Action: Patch Immediately
AI Analysis

Impact

The Popup builder with Gamification plugin for WordPress is vulnerable to generic SQL Injection due to insufficient escaping on user supplied parameters in numerous REST API endpoints. The flaw permits unauthenticated attackers to append malicious SQL statements to existing queries, enabling extraction of sensitive database content. This weakness is a classic SQL Injection scenario (CWE-89).

Affected Systems

Vulnerable versions are all releases up to and including 2.2.0 of the Popup builder with Gamification, Multi‑Step Popups, Page‑Level Targeting, and WooCommerce Triggers plugin. Administrators can be affected in earlier releases; the issue was fully resolved in version 2.2.3, while unauthenticated users received an initial fix in 2.2.1.

Risk and Exploitability

The CVSS score of 8.2 indicates a high severity, but the EPSS score of less than 1% suggests a low likelihood of exploitation as of the latest data. The vulnerability is not listed in the CISA KEV catalog. The attack vector is inferred to be via any unauthenticated user who can access the plugin’s REST API; no additional prerequisites are stated explicitly in the CVE description. Because the flaw allows arbitrary SQL to be injected and executed, the impact could range from data confidentiality loss to broader compromise if database credentials are exposed.

Generated by OpenCVE AI on April 21, 2026 at 16:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Popup builder plugin to version 2.2.3 to fully patch the SQL injection flaw for both unauthenticated and administrative users.
  • If an upgrade cannot be performed immediately, block or limit access to the plugin’s REST API endpoints so that only authenticated users can invoke them.
  • Apply input validation or rewrite the affected queries to use prepared statements to mitigate injection risk until the official patch is deployed.

Generated by OpenCVE AI on April 21, 2026 at 16:05 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 05 Feb 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 05 Feb 2026 11:45:00 +0000

Type Values Removed Values Added
First Time appeared Roxnor
Roxnor popup Builder
Woocommerce
Woocommerce woocommerce
Wordpress
Wordpress wordpress
Vendors & Products Roxnor
Roxnor popup Builder
Woocommerce
Woocommerce woocommerce
Wordpress
Wordpress wordpress

Wed, 04 Feb 2026 23:30:00 +0000

Type Values Removed Values Added
Description The Popup builder with Gamification, Multi-Step Popups, Page-Level Targeting, and WooCommerce Triggers plugin for WordPress is vulnerable to generic SQL Injection via the multiple REST API endpoints in all versions up to, and including, 2.2.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. Vulnerability was patched in version 2.2.1 for unauthenticated users, and fully patched in version 2.2.3 for Administrator+ level users.
Title Popup builder with Gamification <= 2.2.0 - Unauthenticated SQL Injection via Multiple REST API Endpoints
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}

Subscriptions

Roxnor Popup Builder
Woocommerce Woocommerce
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:11:37.632Z

Reserved: 2025-11-14T14:17:55.307Z

Link: CVE-2025-13192

cve-icon Vulnrichment

Updated: 2026-02-05T16:57:49.736Z

cve-icon NVD

Status : Deferred

Published: 2026-02-05T00:15:53.567

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-13192

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T16:15:40Z

Weaknesses