CVE-2025-2011
📋 TL;DR
This SQL injection vulnerability in the Slider & Popup Builder by Depicter WordPress plugin allows unauthenticated attackers to inject malicious SQL queries through the 's' parameter. This can lead to unauthorized access to sensitive database information. All WordPress sites using vulnerable plugin versions are affected.
💻 Affected Systems
- Slider & Popup Builder by Depicter WordPress Plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise including extraction of user credentials, personal data, and potential privilege escalation to full site takeover.
Likely Case
Data exfiltration of sensitive information from WordPress database tables including user data, plugin-specific data, and potentially other site content.
If Mitigated
Limited impact with proper input validation and WAF rules blocking SQL injection patterns.
🎯 Exploit Status
SQL injection via GET/POST parameters is well-understood and easily weaponized by attackers.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.6.2 or later
Vendor Advisory: https://wordpress.org/plugins/depicter/
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find 'Slider & Popup Builder by Depicter'. 4. Click 'Update Now' if available. 5. Alternatively, download version 3.6.2+ from WordPress.org and manually update.
🔧 Temporary Workarounds
Disable vulnerable plugin
allTemporarily disable the Depicter plugin until patched
wp plugin deactivate depicter
WAF rule blocking
allImplement web application firewall rules to block SQL injection patterns in 's' parameter
🧯 If You Can't Patch
- Implement strict input validation to sanitize the 's' parameter before processing
- Apply principle of least privilege to database user accounts used by WordPress
🔍 How to Verify
Check if Vulnerable:
Check plugin version in WordPress admin under Plugins → Installed PluginsCheck Version:
wp plugin get depicter --field=versionVerify Fix Applied:
Verify plugin version is 3.6.2 or higher after update📡 Detection & Monitoring
Log Indicators:
- Unusual SQL queries in WordPress debug logs
- Multiple requests with SQL-like patterns in 's' parameter
- Database error messages containing user input
Network Indicators:
- HTTP requests with SQL injection payloads in GET/POST parameters
- Unusual database connection patterns from web server
SIEM Query:
web.url:*s=* AND (web.url:*UNION* OR web.url:*SELECT* OR web.url:*INSERT* OR web.url:*UPDATE* OR web.url:*DELETE*)🔗 References
- https://plugins.trac.wordpress.org/browser/depicter/trunk/app/src/Controllers/Ajax/LeadsAjaxController.php?rev=3156664#L179
- https://plugins.trac.wordpress.org/browser/depicter/trunk/app/src/Controllers/Ajax/LeadsAjaxController.php?rev=3156664#L23
- https://plugins.trac.wordpress.org/browser/depicter/trunk/app/src/Controllers/Ajax/LeadsAjaxController.php?rev=3156664#L49
- https://plugins.trac.wordpress.org/browser/depicter/trunk/app/src/Database/Repository/LeadRepository.php?rev=3156664#L224
- https://plugins.trac.wordpress.org/browser/depicter/trunk/app/src/Services/LeadService.php?rev=3156664#L82
- https://plugins.trac.wordpress.org/changeset/3287525/
- https://wordpress.org/plugins/depicter/#description
- https://www.wordfence.com/threat-intel/vulnerabilities/id/49b36cde-39d8-4a69-8d7c-7b850b76a7cd?source=cve
- https://github.com/datagoboom/CVE-2025-2011
