CVE-2024-12157
📋 TL;DR
This SQL injection vulnerability in the Popup plugin for WordPress allows unauthenticated attackers to execute arbitrary SQL queries through the 'id' parameter. Attackers can extract sensitive database information like user credentials, email lists, and plugin data. All WordPress sites using vulnerable plugin versions are affected.
💻 Affected Systems
- Popup – MailChimp, GetResponse and ActiveCampaign Intergrations plugin for WordPress
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise leading to credential theft, data exfiltration, privilege escalation, and potential site takeover.
Likely Case
Extraction of sensitive plugin data, email lists, and potentially WordPress user information from the database.
If Mitigated
Limited information disclosure if database permissions are properly restricted and input validation is implemented.
🎯 Exploit Status
Exploitation requires sending crafted AJAX requests to the vulnerable endpoint without authentication.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version 3.2.7 or later
Vendor Advisory: https://wordpress.org/plugins/ultimate-popup-creator/
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find 'Popup – MailChimp, GetResponse and ActiveCampaign Intergrations'. 4. Click 'Update Now' if available. 5. Alternatively, download latest version from WordPress repository and replace plugin files.
🔧 Temporary Workarounds
Disable vulnerable AJAX endpoint
WordPressRemove or restrict access to the vulnerable 'upc_delete_db_record' AJAX action
Add to theme's functions.php or custom plugin: remove_action('wp_ajax_upc_delete_db_record', 'upc_delete_db_record'); remove_action('wp_ajax_nopriv_upc_delete_db_record', 'upc_delete_db_record');
🧯 If You Can't Patch
- Deactivate the Popup plugin immediately
- Implement web application firewall (WAF) rules to block SQL injection patterns targeting the vulnerable endpoint
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins for 'Popup – MailChimp, GetResponse and ActiveCampaign Intergrations' version 3.2.6 or earlierCheck Version:
wp plugin list --name='Popup – MailChimp, GetResponse and ActiveCampaign Intergrations' --field=versionVerify Fix Applied:
Confirm plugin version is 3.2.7 or later in WordPress admin panel📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to /wp-admin/admin-ajax.php with action=upc_delete_db_record containing SQL syntax
- Database error logs showing SQL syntax errors from the popup plugin
Network Indicators:
- HTTP requests with SQL injection payloads in 'id' parameter sent to admin-ajax.php endpoint
SIEM Query:
source="web_logs" AND uri="/wp-admin/admin-ajax.php" AND (action="upc_delete_db_record" OR parameters CONTAINS "upc_delete_db_record") AND (parameters CONTAINS "UNION" OR parameters CONTAINS "SELECT" OR parameters CONTAINS "--" OR parameters CONTAINS "' OR '")