CVE-2025-2011: Unauthenticated SQL Injection Vulnerability in Slider & Popup Builder by Depicter
Published: May 6, 2025
Discovered by: Wordfence
CVE ID: CVE-2025-2011
Affected Plugin: Slider & Popup Builder by Depicter (WordPress)
Affected Versions: Up to and including 3.6.1
Severity: High (CVSS 3.1 Score: 7.5)
Exploitability: Unauthenticated, Remote

Overview

A critical SQL Injection vulnerability has been identified in the Slider & Popup Builder by Depicter plugin for WordPress. This flaw allows unauthenticated attackers to inject arbitrary SQL queries via the s parameter, potentially leading to unauthorized access to sensitive database information.

Technical Details

Vulnerability Type: Generic SQL Injection
CWE ID: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality Impact: High
Integrity Impact: None
Availability Impact: None

The vulnerability arises due to in...
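
For triage, the following added example (not from the original advisory, Wordfence or Depicter) scans web access logs for requests whose s parameter carries SQL syntax, including nested URL encoding. It assumes combined-format logs and that the parameter arrives in the query string; the endpoint path and all log lines are constructed, and the marker list is a heuristic that will also flag some legitimate searches containing quotes.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Client IP, request target and status from a combined-format access log line.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) .*?"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

# Heuristic: SQL syntax that a plain search term rarely contains.
SQL_MARKERS = re.compile(
    r"""['"`]|--|/\*|\bunion\s+(?:all\s+)?select\b"""
    r"""|\b(?:sleep|benchmark)\s*\(|\binformation_schema\b""",
    re.IGNORECASE)

# Constructed sample lines (documentation IP ranges, placeholder endpoint).
SAMPLE_LOG = [
    '203.0.113.7 - - [06/May/2025:10:01:02 +0000] "GET /?s=summer+sale HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [06/May/2025:10:01:09 +0000] "GET /example-endpoint?s=x%27+UNION+SELECT+1--+- HTTP/1.1" 200 312 "-" "curl/8.0"',
    '198.51.100.23 - - [06/May/2025:10:01:15 +0000] "GET /example-endpoint?s=x%2527%2520AND%2520SLEEP%25285%2529 HTTP/1.1" 200 298 "-" "curl/8.0"',
    '192.0.2.50 - - [06/May/2025:10:02:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

def fully_decode(value, rounds=3):
    """Undo nested URL encoding (e.g. %2527 -> %27 -> ') up to `rounds` times."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_s_values(log_lines):
    """Return (ip, status, decoded s value, matched marker) for flagged requests."""
    findings = []
    for line in log_lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a parsable request line
        query = urlsplit(m["target"]).query
        for raw in parse_qs(query, keep_blank_values=True).get("s", []):
            value = fully_decode(raw)  # parse_qs already decoded one layer
            hit = SQL_MARKERS.search(value)
            if hit:
                findings.append((m["ip"], m["status"], value, hit.group(0)))
    return findings

if __name__ == "__main__":
    for ip, status, value, marker in suspicious_s_values(SAMPLE_LOG):
        print(f"{ip} status={status} s={value!r} marker={marker!r}")
```

A hit is a lead for review, not proof of exploitation; correlate flagged requests with the installed plugin version (3.6.1 or earlier is affected) and with database query logs.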