CVE-2020-9006

9.8 CRITICAL

📋 TL;DR

This vulnerability allows unauthenticated attackers to perform SQL injection via PHP deserialization in the Popup Builder WordPress plugin. Successful exploitation enables creation of WordPress administrator accounts, leading to potential remote code execution. WordPress sites using vulnerable versions of the Popup Builder plugin are affected.

💻 Affected Systems

Products:
  • Popup Builder WordPress Plugin
Versions: 2.2.8 through 2.6.7.6
Operating Systems: All operating systems running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires WordPress installation with Popup Builder plugin enabled. No special configuration needed for exploitation.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of the WordPress site including remote code execution, data theft, defacement, and potential lateral movement to other systems.

🟠 Likely Case

Attacker creates administrator account, gains full control of WordPress site, installs backdoors, steals sensitive data, and uses site for further attacks.

🟢 If Mitigated

Attack prevented through patching or workarounds, with minimal impact limited to failed exploitation attempts.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit requires sending crafted POST requests to sg_popup_ajax.php with a malicious attachmentUrl parameter. Public exploit code exists.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.x branch (specifically versions 3.0 and above)

Vendor Advisory: https://wordpress.org/plugins/popup-builder/#developers

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the Popup Builder plugin.
4. Click 'Update Now' if an update is available.
5. If no update is available, manually download version 3.x from the WordPress repository.
6. Deactivate and delete the old plugin.
7. Upload and activate the new version.

🔧 Temporary Workarounds

Disable vulnerable plugin (all)

Temporarily disable the Popup Builder plugin until patched:

wp plugin deactivate popup-builder

Web Application Firewall rule (all)

Block requests to sg_popup_ajax.php with suspicious attachmentUrl parameters

🧯 If You Can't Patch

  • Remove Popup Builder plugin completely and use alternative popup solution
  • Implement strict network segmentation and limit access to WordPress admin interface

🔍 How to Verify

Check if Vulnerable:

Check WordPress plugin directory for Popup Builder version. Versions 2.2.8 through 2.6.7.6 are vulnerable.

Check Version:

wp plugin get popup-builder --field=version

Verify Fix Applied:

Verify that the Popup Builder plugin version is 3.0 or higher. Test by attempting to access sg_popup_ajax.php with test payloads.

📡 Detection & Monitoring

Log Indicators:

  • POST requests to /wp-content/plugins/popup-builder/files/sg_popup_ajax.php with attachmentUrl parameter
  • Unusual administrator account creation in WordPress logs
  • SQL error messages in web server logs

Network Indicators:

  • HTTP POST requests containing serialized PHP objects in attachmentUrl parameter
  • Traffic patterns showing exploitation attempts

SIEM Query:

source="web_server" AND uri="*sg_popup_ajax.php*" AND method="POST" AND (attachmentUrl="*O:*" OR attachmentUrl="*s:*")
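As an added defensive example (not part of this advisory), the Python below scans a constructed JSON-lines web log for the three log indicators listed above; unlike the `*s:*` wildcard in the SIEM query, which also matches every `https:` URL, it anchors on the full PHP serialization syntax. The log field names and sample records are assumptions.

```python
import json
import re
from urllib.parse import parse_qs

# Indicators taken from the advisory: the vulnerable AJAX endpoint and the
# parameter the public exploit abuses.
VULN_ENDPOINT = "sg_popup_ajax.php"
SUSPECT_PARAM = "attachmentUrl"

# PHP serialization syntax for an object, string or array at the start of the
# value or right after a ';' / '{' separator. Requiring the full 'O:<len>:"'
# form avoids matching the "s:" inside every https:// URL.
SERIALIZED_RE = re.compile(r'(?:^|[;{])(?:O:\d+:"|s:\d+:"|a:\d+:\{)')

def is_exploit_attempt(method: str, uri: str, body: str) -> bool:
    """True when a request matches all three advisory indicators."""
    if method.upper() != "POST" or VULN_ENDPOINT not in uri:
        return False
    params = parse_qs(body, keep_blank_values=True)
    return any(SERIALIZED_RE.search(v) for v in params.get(SUSPECT_PARAM, []))

def scan_log(lines):
    """Return (timestamp, src_ip) for each flagged request in a JSON-lines log."""
    hits = []
    for line in lines:
        rec = json.loads(line)          # assumed fields: ts, src_ip, method, uri, body
        if is_exploit_attempt(rec["method"], rec["uri"], rec.get("body", "")):
            hits.append((rec["ts"], rec["src_ip"]))
    return hits

# Constructed sample log. The serialized value is an empty stdClass, not a
# working payload; it only exercises the detector.
SAMPLE_LOG = [
    '{"ts":"2020-03-01T10:00:01Z","src_ip":"203.0.113.5","method":"POST",'
    '"uri":"/wp-content/plugins/popup-builder/files/sg_popup_ajax.php",'
    '"body":"attachmentUrl=O%3A8%3A%22stdClass%22%3A0%3A%7B%7D"}',
    # Legitimate use: a plain https:// image URL must not be flagged
    '{"ts":"2020-03-01T10:00:02Z","src_ip":"198.51.100.7","method":"POST",'
    '"uri":"/wp-content/plugins/popup-builder/files/sg_popup_ajax.php",'
    '"body":"attachmentUrl=https%3A%2F%2Fexample.com%2Fimage.png"}',
    # Unrelated endpoint
    '{"ts":"2020-03-01T10:00:03Z","src_ip":"203.0.113.5","method":"POST",'
    '"uri":"/wp-admin/admin-ajax.php","body":"action=heartbeat"}',
]

if __name__ == "__main__":
    for ts, ip in scan_log(SAMPLE_LOG):
        print(f"{ts} possible CVE-2020-9006 attempt from {ip}")
```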
