Description
The Slider & Popup Builder by Depicter plugin for WordPress is vulnerable to generic SQL Injection via the ‘s' parameter in all versions up to, and including, 3.6.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Published: 2025-05-06
Score: 7.5 High
EPSS: 46.4% Moderate
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Depicter – Popup & Slider Builder plugin for WordPress is vulnerable to a generic SQL Injection through the ‘s’ parameter in all versions up to and including 3.6.1. The flaw arises from insufficient escaping of user input and the absence of prepared statements, which permits an attacker to append additional SQL clauses to existing queries. If exploited, unauthorized parties can read or manipulate sensitive data stored in the WordPress database.

Affected Systems

WordPress installations that use the Depicter – Popup & Slider Builder plugin version 3.6.1 or earlier. The vendor is Averta, and the product is the Depicter plugin. No specific sub‑versions are listed beyond the inclusive upper bound of 3.6.1.

Risk and Exploitability

The vulnerability has a CVSS score of 7.5, indicating high severity, and an EPSS score of 47%, signalling a substantial likelihood of exploitation. The flaw is remote, requires no authentication, and can be triggered via the plugin’s Ajax endpoint. It is not currently listed in CISA’s KEV catalog, but the high probability of discovery and the ease of exploitation make it a significant risk for exposed WordPress sites.

Generated by OpenCVE AI on June 26, 2026 at 14:31 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Depicter plugin to the latest release from Averta; if no patch exists, disable the plugin until a fix is issued.
  • Restrict unauthenticated access to the plugin’s Ajax endpoint by configuring your web server or firewall rules.
  • Deploy a security plugin or custom rule set to sanitize the ‘s’ parameter or block SQL injection patterns until a permanent fix is available.

Generated by OpenCVE AI on June 26, 2026 at 14:31 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sun, 13 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.60876}

epss

{'score': 0.617}


Wed, 07 May 2025 14:45:00 +0000

Type Values Removed Values Added
References

Tue, 06 May 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 06 May 2025 09:30:00 +0000

Type Values Removed Values Added
Description The Slider & Popup Builder by Depicter plugin for WordPress is vulnerable to generic SQL Injection via the ‘s' parameter in all versions up to, and including, 3.6.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Title Slider & Popup Builder by Depicter <= 3.6.1 - Unauthenticated SQL Injection via 's' Parameter
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:50:34.799Z

Reserved: 2025-03-05T22:04:20.390Z

Link: CVE-2025-2011

cve-icon Vulnrichment

Updated: 2025-05-07T13:35:13.884Z

cve-icon NVD

Status : Deferred

Published: 2025-05-06T10:15:15.060

Modified: 2026-06-17T09:06:04.427

Link: CVE-2025-2011

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T14:45:06Z

Weaknesses
  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')