CVE-2025-2011: Unauthenticated SQL Injection Vulnerability in Slider & Popup Builder by Depicter

-

 

Published: May 6, 2025
Discovered by: Wordfence
CVE ID: CVE-2025-2011
Affected Plugin: Slider & Popup Builder by Depicter (WordPress)
Affected Versions: Up to and including 3.6.1
Severity: High (CVSS 3.1 Score: 7.5)
Exploitability: Unauthenticated, Remote

Overview

A critical SQL Injection vulnerability has been identified in the Slider & Popup Builder by Depicter plugin for WordPress. This flaw allows unauthenticated attackers to inject arbitrary SQL queries via the s parameter, potentially leading to unauthorized access to sensitive database information.

Technical Details

  • Vulnerability Type: Generic SQL Injection

  • CWE ID: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

  • Attack Vector: Network

  • Attack Complexity: Low

  • Privileges Required: None

  • User Interaction: None

  • Scope: Unchanged

  • Confidentiality Impact: High

  • Integrity Impact: None

  • Availability Impact: None

The vulnerability arises due to insufficient escaping of user-supplied input and lack of proper preparation in existing SQL queries. Specifically, the s parameter is not adequately sanitized, allowing attackers to manipulate SQL statements. This can lead to unauthorized data access, including sensitive user information.

Affected Versions

All versions of the Slider & Popup Builder by Depicter plugin up to and including 3.6.1 are affected by this vulnerability.

Mitigation

As of the latest information available, there is no confirmed patch addressing this vulnerability. Users are strongly advised to:

  1. Disable or remove the plugin until a security update is released.

  2. Monitor official sources such as the WordPress plugin repository for updates.

  3. Implement Web Application Firewalls (WAFs) to detect and block malicious SQL queries.

  4. Regularly back up databases to prevent data loss in case of exploitation.

Conclusion

The CVE-2025-2011 vulnerability poses a significant risk to WordPress sites utilizing the Slider & Popup Builder by Depicter plugin. Given the ease of exploitation and the potential for unauthorized data access, immediate action is recommended. Site administrators should disable the affected plugin and monitor for official updates to mitigate potential threats.

References

 

 

 

 

Comments

Post a Comment

Popular posts from this blog

Critical Vulnerability in Veeam Backup & Replication Exposes Enterprises to Remote Code Execution

-
Image
Critical Vulnerability in Veeam Backup & Replication Exposes Enterprises to Remote Code Execution By : Rei Ibraima A newly discovered critical vulnerability in Veeam’s Backup & Replication software, designated as CVE-2025-23120, poses a significant security risk to enterprise environments. The flaw allows authenticated domain users to execute arbitrary code remotely, potentially leading to full compromise of backup infrastructures. About CVE-2025-23120 The vulnerability arises from an insecure deserialization issue within Veeam Backup & Replication components—particularly in the .NET classes Veeam.Backup.EsxManager.xmlFrameworkDs and Veeam.Backup.Core.BackupSummary. Improper input validation in these components allows attackers to inject malicious serialized objects that are executed on the server side, resulting in Remote Code Execution (RCE). This issue affects systems where Veeam Backup & Replication is deployed in a domain-joined configuration, which—while common—is...
Read more

CISA and ENISA enhance their Cooperation

-
Image
  The European Union Agency for Cybersecurity (ENISA) has signed a Working Arrangement with the Cybersecurity and Infrastructure Security Agency (CISA) of the US, in the areas of capacity-building, best practices exchange and boosting situational awareness. Geopolitics have shaped the cyber threat landscape, bringing like-minded partners closer together in the wake of common cyber challenges and advances in digital technologies. Today at the EU-US Cyber Dialogue, ENISA and CISA announced the signing of their Working Arrangement as an important milestone in the overall cooperation between the United States and the European Union in the field of cybersecurity, also following the Joint Statement of European Commissioner Thierry Breton and U.S. Secretary for Homeland Security Alejandro Mayorkas of January 2023. ENISA’s International Strategy directs the Agency to be selective in engaging with international partners and to limit its overall approach in international cooperation to those...
Read more

New Diicot Threat Group Targets SSH Servers with Brute-Force Malware

-
Image
  Diicot, previously known as Mexals, is a relatively new threat group that possesses extensive technical knowledge and has a broad range of objectives. Diicot shares its new name with the Romanian anti-terrorism policing unit and uses the same style of messaging and imagery. Researchers from Cado Labs reported that an emerging Romanian threat actor called Diicot is utilizing unique TTPs (Tactics, Techniques, and Procedures) and an interesting attack pattern to target victims. The researchers noted that the group has been using brute-force malware whose payloads have neither been publicly reported nor appeared in common repositories. About Diicot Threat Group Diicot, previously known as Mexals, is a relatively new threat group that possesses extensive technical knowledge and has a broad range of objectives. Diicot shares its new name with the Romanian anti-terrorism policing unit and uses the same style of messaging and imagery. Previous research by Akamai and Bitdefender reveals ...
Read more