Local File Inclusion and Remote Code Execution Vulnerability in Popup Builder WordPress Plugin

Local File Inclusion and Remote Code Execution Vulnerability in Popup Builder WordPress Plugin

CVE-2021-25082 · HIGH Severity

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

The Popup Builder WordPress plugin before 4.0.7 does not validate and sanitise the sgpb_type parameter before using it in a require statement, leading to a Local File Inclusion issue. Furthermore, since the beginning of the string can be controlled, the issue can lead to RCE vulnerability via wrappers such as PHAR

Learn more about our Wordpress Pen Testing.