{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-13192", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-11-14T14:17:55.307Z", "datePublished": "2026-02-04T23:22:57.192Z", "dateUpdated": "2026-04-08T17:11:37.632Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:11:37.632Z"}, "affected": [{"vendor": "roxnor", "product": "Popup builder with Gamification, Multi-Step Popups, Page-Level Targeting, and WooCommerce Triggers", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.2.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Popup builder with Gamification, Multi-Step Popups, Page-Level Targeting, and WooCommerce Triggers plugin for WordPress is vulnerable to generic SQL Injection via the multiple REST API endpoints in all versions up to, and including, 2.2.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.\r\nVulnerability was patched in version 2.2.1 for unauthenticated users, and fully patched in version 2.2.3 for Administrator+ level users."}], "title": "Popup builder with Gamification <= 2.2.0 - Unauthenticated SQL Injection via Multiple REST API Endpoints", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9db1dfde-0cba-41b2-ab7a-a1640e5fd96b?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/popup-builder-block/tags/2.1.5/includes/Routes/Popup.php#L50"}, {"url": "https://plugins.trac.wordpress.org/browser/popup-builder-block/tags/2.1.5/includes/Routes/Popup.php#L133"}, {"url": "https://plugins.trac.wordpress.org/browser/popup-builder-block/tags/2.1.5/includes/Helpers/DataBase.php#L382"}, {"url": "https://plugins.trac.wordpress.org/browser/popup-builder-block/tags/2.1.5/includes/Helpers/DataBase.php#L413"}, {"url": "https://plugins.trac.wordpress.org/browser/popup-builder-block/tags/2.1.5/includes/Routes/Subscribers.php#L99"}, {"url": "https://plugins.trac.wordpress.org/browser/popup-builder-block/tags/2.1.5/includes/Routes/Subscribers.php#L133"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "cweId": "CWE-89", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N", "baseScore": 8.2, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "JEONG YU CHAN"}], "timeline": [{"time": "2025-11-06T00:00:00.000Z", "lang": "en", "value": "Discovered"}, {"time": "2025-11-14T14:33:50.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-02-04T11:20:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-05T16:57:45.751777Z", "id": "CVE-2025-13192", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-05T16:57:53.921Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-13192", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-05T16:57:45.751777Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-05T16:57:49.736Z"}}], "cna": {"title": "Popup builder with Gamification <= 2.2.0 - Unauthenticated SQL Injection via Multiple REST API Endpoints", "credits": [{"lang": "en", "type": "finder", "value": "JEONG YU CHAN"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 8.2, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N"}}], "affected": [{"vendor": "roxnor", "product": "Popup builder with Gamification, Multi-Step Popups, Page-Level Targeting, and WooCommerce Triggers", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "2.2.0"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-11-06T00:00:00.000Z", "value": "Discovered"}, {"lang": "en", "time": "2025-11-14T14:33:50.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-02-04T11:20:00.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9db1dfde-0cba-41b2-ab7a-a1640e5fd96b?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/popup-builder-block/tags/2.1.5/includes/Routes/Popup.php#L50"}, {"url": "https://plugins.trac.wordpress.org/browser/popup-builder-block/tags/2.1.5/includes/Routes/Popup.php#L133"}, {"url": "https://plugins.trac.wordpress.org/browser/popup-builder-block/tags/2.1.5/includes/Helpers/DataBase.php#L382"}, {"url": "https://plugins.trac.wordpress.org/browser/popup-builder-block/tags/2.1.5/includes/Helpers/DataBase.php#L413"}, {"url": "https://plugins.trac.wordpress.org/browser/popup-builder-block/tags/2.1.5/includes/Routes/Subscribers.php#L99"}, {"url": "https://plugins.trac.wordpress.org/browser/popup-builder-block/tags/2.1.5/includes/Routes/Subscribers.php#L133"}], "descriptions": [{"lang": "en", "value": "The Popup builder with Gamification, Multi-Step Popups, Page-Level Targeting, and WooCommerce Triggers plugin for WordPress is vulnerable to generic SQL Injection via the multiple REST API endpoints in all versions up to, and including, 2.2.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.\r\nVulnerability was patched in version 2.2.1 for unauthenticated users, and fully patched in version 2.2.3 for Administrator+ level users."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:11:37.632Z"}}}, "cveMetadata": {"cveId": "CVE-2025-13192", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:11:37.632Z", "dateReserved": "2025-11-14T14:17:55.307Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-02-04T23:22:57.192Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Popup builder with Gamification, Multi-Step Popups, Page-Level Targeting, and WooCommerce Triggers plugin for WordPress is vulnerable to generic SQL Injection via the multiple REST API endpoints in all versions up to, and including, 2.2.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.\r\nVulnerability was patched in version 2.2.1 for unauthenticated users, and fully patched in version 2.2.3 for Administrator+ level users."}, {"lang": "es", "value": "El plugin Popup builder with Gamification, Multi-Step Popups, Page-Level Targeting, and WooCommerce Triggers para WordPress es vulnerable a inyecci\u00f3n SQL gen\u00e9rica a trav\u00e9s de los m\u00faltiples endpoints de la API REST en todas las versiones hasta la 2.2.0, inclusive, debido a un escape insuficiente en el par\u00e1metro proporcionado por el usuario y la falta de preparaci\u00f3n suficiente en la consulta SQL existente. Esto hace posible que atacantes no autenticados a\u00f1adan consultas SQL adicionales a consultas ya existentes que pueden usarse para extraer informaci\u00f3n sensible de la base de datos. La vulnerabilidad fue parcheada en la versi\u00f3n 2.2.1 para usuarios no autenticados, y completamente parcheada en la versi\u00f3n 2.2.3 para usuarios de nivel Administrador+."}], "id": "CVE-2025-13192", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.2, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-02-05T00:15:53.567", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/popup-builder-block/tags/2.1.5/includes/Helpers/DataBase.php#L382"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/popup-builder-block/tags/2.1.5/includes/Helpers/DataBase.php#L413"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/popup-builder-block/tags/2.1.5/includes/Routes/Popup.php#L133"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/popup-builder-block/tags/2.1.5/includes/Routes/Popup.php#L50"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/popup-builder-block/tags/2.1.5/includes/Routes/Subscribers.php#L133"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/popup-builder-block/tags/2.1.5/includes/Routes/Subscribers.php#L99"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9db1dfde-0cba-41b2-ab7a-a1640e5fd96b?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T16:05:22.554790+00:00", "value": {"mitigation_remediation": ["Upgrade the Popup builder plugin to version 2.2.3 to fully patch the SQL injection flaw for both unauthenticated and administrative users.", "If an upgrade cannot be performed immediately, block or limit access to the plugin\u2019s REST API endpoints so that only authenticated users can invoke them.", "Apply input validation or rewrite the affected queries to use prepared statements to mitigate injection risk until the official patch is deployed."], "summary": {"action": "Patch Immediately", "impact": "Unauthenticated SQL Injection via REST API endpoints leading to data exposure"}, "threat_synthesis": {"affected_systems": "Vulnerable versions are all releases up to and including 2.2.0 of the Popup builder with Gamification, Multi\u2011Step Popups, Page\u2011Level Targeting, and WooCommerce Triggers plugin. Administrators can be affected in earlier releases; the issue was fully resolved in version 2.2.3, while unauthenticated users received an initial fix in 2.2.1.", "description_and_impact": "The Popup builder with Gamification plugin for WordPress is vulnerable to generic SQL Injection due to insufficient escaping on user supplied parameters in numerous REST API endpoints. The flaw permits unauthenticated attackers to append malicious SQL statements to existing queries, enabling extraction of sensitive database content. This weakness is a classic SQL Injection scenario (CWE-89).", "risk_and_exploitability": "The CVSS score of 8.2 indicates a high severity, but the EPSS score of less than 1% suggests a low likelihood of exploitation as of the latest data. The vulnerability is not listed in the CISA KEV catalog. The attack vector is inferred to be via any unauthenticated user who can access the plugin\u2019s REST API; no additional prerequisites are stated explicitly in the CVE description. Because the flaw allows arbitrary SQL to be injected and executed, the impact could range from data confidentiality loss to broader compromise if database credentials are exposed."}}}}, "created": "2026-02-05T11:39:48.762599+00:00", "updated": "2026-04-21T16:15:40.497501+00:00", "vendors": ["roxnor", "roxnor$PRODUCT$popup_builder", "woocommerce", "woocommerce$PRODUCT$woocommerce", "wordpress", "wordpress$PRODUCT$wordpress"]}