Impact
The Depicter – Popup & Slider Builder plugin for WordPress is vulnerable to a generic SQL Injection through the ‘s’ parameter in all versions up to and including 3.6.1. The flaw arises from insufficient escaping of user input and the absence of prepared statements, which permits an attacker to append additional SQL clauses to existing queries. If exploited, unauthorized parties can read or manipulate sensitive data stored in the WordPress database.
Affected Systems
WordPress installations that use the Depicter – Popup & Slider Builder plugin version 3.6.1 or earlier. The vendor is Averta, and the product is the Depicter plugin. No specific sub‑versions are listed beyond the inclusive upper bound of 3.6.1.
Risk and Exploitability
The vulnerability has a CVSS score of 7.5, indicating high severity, and an EPSS score of 47%, signalling a substantial likelihood of exploitation. The flaw is remote, requires no authentication, and can be triggered via the plugin’s Ajax endpoint. It is not currently listed in CISA’s KEV catalog, but the high probability of discovery and the ease of exploitation make it a significant risk for exposed WordPress sites.
OpenCVE Enrichment