cleantalk
Vulnerabilities and Security Researches

Popup Builder – Create highly converting, mobile friendly marketing popups., CVE-2020-9006

CVE, Research URL

CVE-2020-9006

Home page URL

Security reports for Popup Builder – Create highly converting, mobile friendly marketing popups.

Application

Popup Builder – Create highly converting, mobile friendly marketing popups.

Published on
Feb 17, 2020
Research Description
The Popup Builder plugin 2.2.8 through 2.6.7.6 for WordPress is vulnerable to SQL injection (in the sgImportPopups function in sg_popup_ajax.php) via PHP Deserialization on attacker-controlled data with the attachmentUrl POST variable. This allows creation of an arbitrary WordPress Administrator account, leading to possible Remote Code Execution because Administrators can run PHP code on Wordpress instances. (This issue has been fixed in the 3.x branch of popup-builder.)
Affected versions
max 3.0.2.
Status
vulnerable
Previous vulnerability researches
Pretty Simple Popup Builder (CVE-2024-56298) , Jan 07, 2025
Pretty Simple Popup Builder (151dd12759a625ce194d0174ccb42453eeaa1d0a) , Jun 07, 2024
Pretty Simple Popup Builder (CVE-2024-39626) , Jul 27, 2024
Pop ups, Exit intent popups, email popups, banners, bars, countdowns and cart savers – Promolayer (CVE-2024-3602) , Jun 21, 2024
WP Popup Builder – Popup Forms and Marketing Lead Generation (CVE-2024-9061) , Oct 17, 2024
New vulnerability
ElementsKit Elementor addons (CVE-2026-23693) , Feb 27, 2026
Stop Spammers Security | Block Spam Users, Comments, Forms (CVE-2025-14795) , Feb 27, 2026
Slider Responsive Slideshow – Image slider, Gallery slideshow (CVE-2026-22346) , Feb 27, 2026
Endless Posts Navigation (CVE-2026-25332) , Feb 27, 2026
Eleblog – Elementor Blog And Magazine Addons (CVE-2025-69374) , Feb 27, 2026