Description
The Slider & Popup Builder by Depicter plugin for WordPress is vulnerable to generic SQL Injection via the 's' parameter in all versions up to, and including, 3.6.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Published: 2025-05-06
Score: 7.5 High
EPSS: 47.5% Moderate
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Depicter – Popup & Slider Builder plugin for WordPress is vulnerable to generic SQL Injection through the 's' parameter in all versions up to and including 3.6.1. The weakness stems from insufficient escaping of user input combined with the absence of prepared statements, which lets an attacker append additional SQL clauses to an existing query. Left unpatched, this flaw enables unauthorized parties to read sensitive data from the database.

Affected Systems

Vulnerable systems are WordPress installations running any version of the Depicter plugin up to 3.6.1. The vendor is Averta, and the product is the Depicter — Popup & Slider Builder plugin.

Risk and Exploitability

The exploitability of this flaw is substantial, as the attack requires no authentication and can be triggered remotely via the plugin’s Ajax endpoint. A CVSS score of 7.5 reflects a high severity, while an EPSS score of 48% indicates a notable likelihood of exploitation. As of the latest data, this vulnerability is not listed in CISA’s KEV catalog. Attackers can craft a malicious 's' parameter value to append arbitrary SQL statements, potentially exposing the database contents.

Generated by OpenCVE AI on June 3, 2026 at 14:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Depicter plugin to at least version 3.6.2 or later
  • Ensure the WordPress core and all other plugins are up-to-date to reduce overall attack surface
  • Restrict unauthenticated access to the plugin’s Ajax endpoints by configuring web server rules or firewall settings if an immediate upgrade is not possible

Advisories

No advisories yet.

History

Sun, 13 Jul 2025 13:45:00 +0000
  Type: Metrics (epss)
  Values removed: {'score': 0.60876}
  Values added: {'score': 0.617}

Wed, 07 May 2025 14:45:00 +0000
  Type: References

Tue, 06 May 2025 15:15:00 +0000
  Type: Metrics (ssvc)
  Values added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 06 May 2025 09:30:00 +0000
  Type: Description
  Values added: The Slider & Popup Builder by Depicter plugin for WordPress is vulnerable to generic SQL Injection via the 's' parameter in all versions up to, and including, 3.6.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
  Type: Title
  Values added: Slider & Popup Builder by Depicter <= 3.6.1 - Unauthenticated SQL Injection via 's' Parameter
  Type: Weaknesses
  Values added: CWE-89
  Type: References
  Type: Metrics (cvssV3_1)
  Values added: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:50:34.799Z

Reserved: 2025-03-05T22:04:20.390Z

Link: CVE-2025-2011

Vulnrichment

Updated: 2025-05-07T13:35:13.884Z

NVD

Status: Deferred

Published: 2025-05-06T10:15:15.060

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-2011

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-03T14:45:20Z

Weaknesses
  • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')