Zero-Day Advisory
Fortinet Discovers WordPress Popup Builder SQL Injection Vulnerability
Summary
Fortinet's FortiGuard Labs has discovered a SQL injection vulnerability in Sygnoos Popup Builder plugin for WordPress.
Sygnoos Popup Builder helps you pop up anything and lets you create and manage powerful promotional modal popups for your WordPress blog or website. Powerful, yet easy to use, this plugin will help you grab your visitors' attention and introduce them to your offers, discounts or other kinds of promotional notices.
A SQL injection vulnerability exists in the Sygnoos Popup Builder plugin through 3.44 for WordPress. Successful exploitation of this vulnerability would allow a remote attacker to execute arbitrary SQL commands on the affected system via com/libs/Table.php.
Solutions
FortiGuard Labs released the following FortiGate IPS signature, which covers this specific vulnerability: WordPress.Sygnoos.PopupBuilder.SQL.Injection
Users should apply the patch provided by Sygnoos.
Timeline
Fortinet reported the vulnerability to Sygnoos on 26 July, 2019
Sygnoos confirmed the vulnerability on 29 July, 2019
Sygnoos released a patch for the vulnerability on 06 August, 2019
Acknowledgement
This vulnerability was discovered by Tin Duong of Fortinet's FortiGuard Labs