CVE Alert: CVE-2025-10862 – roxnor – Popup builder with Gamification, Multi-Step Popups, Page-Level Targeting, and WooCommerce Triggers

CVE-2025-10862

HIGH (no exploitation known)

The Popup builder with Gamification, Multi-Step Popups, Page-Level Targeting, and WooCommerce Triggers plugin for WordPress is vulnerable to SQL Injection in all versions up to, and including, 2.1.3. This is due to insufficient escaping on the ‘id’ parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

CVSS v3.1 (7.5)
Vendor
roxnor
Product
Popup builder with Gamification, Multi-Step Popups, Page-Level Targeting, and WooCommerce Triggers
Versions
* <= 2.1.3 (all versions up to and including 2.1.3)
CWE
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Published
2025-10-09T08:23:17.221Z
Updated
2025-10-09T15:06:58.535Z

AI Summary Analysis

Risk verdict

High-risk unauthenticated SQL injection in the Popup Builder plugin; remote exploitation is possible without credentials, though no active exploitation is currently reported.

Why this matters

Attackers can potentially extract sensitive database contents (customer data, orders, WooCommerce details) with minimal preconditions, risking data breach and regulatory exposure. For online stores, this can enable theft of payment data or customer records and erode trust, with potential financial impact and downtime during remediation.

Most likely attack path

An attacker remotely targets sites running the affected plugin, supplying crafted id parameters to trigger the injection. With no authentication or user interaction required, a single request can return database contents, limited to what the plugin's query and its database user can reach. The CVSS vector (C:H/I:N/A:N) reflects this: the impact is disclosure of data rather than modification or denial of service. Lateral movement is limited by the scope of the injected query's database access, but extraction of any data reachable by that query remains feasible.

Who is most exposed

WordPress sites using the vulnerable popup-builder plugin, especially those tied to WooCommerce or handling customer data on shared or SME hosting.

Detection ideas

  • Monitor for unusual SQL errors or database syntax in requests containing id parameters.
  • Detect high-volume or automated scans targeting the plugin’s endpoints.
  • Flag anomalous data access patterns or large data dumps from the WordPress database.
  • Inspect application logs for failed/blocked queries linked to the plugin.

Mitigation and prioritisation

  • Apply the vendor patch or upgrade to a non-vulnerable version immediately; if unavailable, disable the plugin until fixed.
  • Implement a WAF rule to block suspicious id parameter inputs and known SQLi payloads.
  • Enforce strict input validation and parameterised queries at the application layer where feasible.
  • Restrict database permissions used by the plugin; monitor for unusual DB access.
  • Plan patch adoption in the next change window; test in staging before production.
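The vulnerability class described above (a request-supplied id interpolated into an unprepared SQL query) beside the prepared form recommended in the mitigation list. This is an added illustration of the CWE-89 pattern, not code from the plugin; the table name and function names are assumptions.

```php
<?php
// Added illustration of the CWE-89 pattern this advisory describes.
// Hypothetical code, not taken from the plugin: the table name
// `{$wpdb->prefix}popup_items` and both function names are assumptions.

// Vulnerable pattern: the request value is concatenated into the SQL text.
// It is neither validated nor bound through $wpdb->prepare(), so the caller
// controls part of the statement (the "lack of sufficient preparation" above).
function popup_get_item_vulnerable( array $request ) {
    global $wpdb;
    $id  = $request['id'];
    $sql = "SELECT * FROM {$wpdb->prefix}popup_items WHERE id = '" . $id . "'";
    return $wpdb->get_row( $sql );
}

// Hardened pattern: coerce the value to the expected type, reject anything
// that does not fit, then bind it with a typed placeholder so the value can
// never alter the structure of the statement.
function popup_get_item_safe( array $request ) {
    global $wpdb;

    if ( ! isset( $request['id'] ) ) {
        return null;
    }
    $id = absint( $request['id'] ); // non-numeric input becomes 0
    if ( 0 === $id ) {
        return null;                // refuse to query with a bogus id
    }

    // %d is an integer placeholder; $wpdb->prepare() returns the bound SQL.
    $sql = $wpdb->prepare(
        "SELECT id, title, status FROM {$wpdb->prefix}popup_items WHERE id = %d",
        $id
    );
    return $wpdb->get_row( $sql );
}

// Selecting only the columns the feature needs (rather than SELECT *) also
// bounds what an unauthenticated handler can ever return, should a future
// query regress.
```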
