CVE-2025-13192 Overview
CVE-2025-13192 is a SQL Injection vulnerability affecting the Popup builder with Gamification, Multi-Step Popups, Page-Level Targeting, and WooCommerce Triggers plugin for WordPress. The vulnerability exists in multiple REST API endpoints across all versions up to and including 2.2.0. Because user-supplied parameters are not escaped and the existing SQL queries are not built with prepared statements, unauthenticated attackers can append additional SQL to those queries and extract sensitive information from the database.
Critical Impact
Because the affected endpoints require no authentication, any remote attacker can exploit this SQL Injection vulnerability to extract sensitive data from the WordPress database, potentially exposing user credentials, personal information, and site configuration data.
Affected Products
- Popup builder with Gamification, Multi-Step Popups, Page-Level Targeting, and WooCommerce Triggers plugin for WordPress versions up to and including 2.2.0
- WordPress sites running the popup-builder-block plugin
- WooCommerce installations with the vulnerable popup plugin enabled
Discovery Timeline
- 2026-02-05 - CVE-2025-13192 published to NVD
- 2026-02-05 - Last updated in NVD database
Technical Details for CVE-2025-13192
Vulnerability Analysis
This SQL Injection vulnerability (CWE-89) allows unauthenticated remote attackers to manipulate database queries through multiple REST API endpoints. The vulnerability stems from the plugin's failure to properly sanitize user input before incorporating it into SQL queries. Attackers can leverage this flaw to append malicious SQL statements to legitimate queries, enabling unauthorized data extraction from the WordPress database.
The vulnerable code paths are located in several plugin files, including DataBase.php, Popup.php, and Subscribers.php within the plugin's includes directory. These files handle REST API requests without adequate input validation, creating multiple attack surfaces for SQL injection attacks.
Root Cause
The root cause of this vulnerability lies in insufficient input escaping and the absence of prepared statements when handling user-supplied parameters in REST API endpoints. The plugin directly incorporates user input into SQL query strings without proper sanitization or parameterized queries. This programming oversight allows attackers to break out of intended query contexts and inject arbitrary SQL commands.
The vulnerable code patterns appear in multiple locations:
- includes/Helpers/DataBase.php (lines 382 and 413)
- includes/Routes/Popup.php (lines 50 and 133)
- includes/Routes/Subscribers.php (lines 99 and 133)
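To make the pattern concrete, here is an added example (not code from the advisory or from the plugin) of a hypothetical REST endpoint that lists subscribers for one popup: first in the insecure shape described above, then hardened with typed argument validation, a capability check, an allowlisted ORDER BY column and a prepared statement. It assumes the WordPress runtime ($wpdb, register_rest_route, current_user_can); the namespace pbx/v1, the table name pbx_subscribers and the parameter names are assumptions.

```php
<?php
/**
 * Added example, not the plugin's code: a hypothetical REST endpoint that lists
 * subscribers for one popup, shown in the insecure pattern this advisory
 * describes and then in a hardened form. Assumes the WordPress runtime
 * ($wpdb, register_rest_route, current_user_can); the namespace 'pbx/v1',
 * the table name pbx_subscribers and the parameter names are illustrative.
 */

// INSECURE (illustrative): request parameters are dropped straight into the
// SQL string. Nothing casts popup_id, orderby is used as a raw identifier, and
// a route like this registered with permission_callback => '__return_true'
// is what makes the query reachable without authentication.
function pbx_list_subscribers_insecure( WP_REST_Request $request ) {
    global $wpdb;
    $popup_id = $request->get_param( 'popup_id' );
    $orderby  = $request->get_param( 'orderby' );
    $sql      = "SELECT email, created_at FROM {$wpdb->prefix}pbx_subscribers"
              . " WHERE popup_id = " . $popup_id . " ORDER BY " . $orderby;
    return rest_ensure_response( $wpdb->get_results( $sql, ARRAY_A ) );
}

// HARDENED: values go through $wpdb->prepare() (%d casts to int, %s is
// escaped and quoted); identifiers such as the ORDER BY column cannot be
// parameterised, so they are chosen from an allowlist; and the route requires
// a capability before any query runs.
function pbx_list_subscribers_secure( WP_REST_Request $request ) {
    global $wpdb;

    $popup_id = (int) $request->get_param( 'popup_id' ); // validated by 'args' below

    $allowed_orderby = array( 'created_at', 'email' );
    $orderby         = $request->get_param( 'orderby' );
    if ( ! in_array( $orderby, $allowed_orderby, true ) ) {
        $orderby = 'created_at';                         // never trust a column name
    }

    $sql = $wpdb->prepare(
        "SELECT email, created_at FROM {$wpdb->prefix}pbx_subscribers WHERE popup_id = %d ORDER BY `{$orderby}`",
        $popup_id
    );
    return rest_ensure_response( $wpdb->get_results( $sql, ARRAY_A ) );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'pbx/v1', '/subscribers', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'pbx_list_subscribers_secure',
        // Subscriber data is private: gate it on a capability instead of
        // '__return_true'.
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
        'args' => array(
            'popup_id' => array(
                'required'          => true,
                'type'              => 'integer',
                'sanitize_callback' => 'absint',
                'validate_callback' => function ( $value ) {
                    return is_numeric( $value ) && (int) $value > 0;
                },
            ),
            'orderby' => array(
                'type'    => 'string',
                'default' => 'created_at',
                'enum'    => array( 'created_at', 'email' ),
            ),
        ),
    ) );
} );
```

Two details matter when reviewing a fix like this: a prepared statement protects values only, so column and table names still need an allowlist (WordPress 6.2 and later also provide the %i identifier placeholder in $wpdb->prepare()), and the permission_callback is what separates an authenticated flaw from an unauthenticated one, independent of how the SQL is built.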
Attack Vector
The attack vector is network-based and requires no authentication, making it particularly dangerous for public-facing WordPress installations. Attackers can craft malicious HTTP requests to the vulnerable REST API endpoints, embedding SQL injection payloads within request parameters. Since the endpoints are accessible without authentication, any remote attacker can exploit this vulnerability.
The exploitation mechanism involves sending specially crafted requests to REST API endpoints where user-controlled data is concatenated directly into SQL queries. The lack of proper escaping allows attackers to close the original query context and append their own SQL statements, typically using UNION-based or error-based injection techniques to exfiltrate data.
For detailed technical analysis of the vulnerable code patterns, refer to the Wordfence Vulnerability Report and the WordPress Plugin Trac repository.
Detection Methods for CVE-2025-13192
Indicators of Compromise
- Unusual or malformed REST API requests to popup-builder-block plugin endpoints containing SQL syntax patterns
- Database logs showing unexpected query structures with UNION, SELECT, or information_schema references
- Web server logs with encoded SQL characters (%27, %22, %3D) in requests to /wp-json/ endpoints related to popup functionality
- Unexplained database access patterns or data extraction activity
Detection Strategies
- Implement Web Application Firewall (WAF) rules to detect and block SQL injection patterns in REST API requests
- Monitor access logs for requests to vulnerable endpoints (/wp-json/ routes containing popup or subscriber-related paths)
- Deploy intrusion detection signatures to identify common SQL injection payloads targeting WordPress REST APIs
- Review database query logs for anomalous queries originating from the popup-builder-block plugin
Monitoring Recommendations
- Enable detailed logging for WordPress REST API requests and monitor for suspicious parameter values
- Set up alerts for database queries containing unusual patterns such as UNION SELECT, information_schema, or multiple stacked queries
- Monitor plugin directory for unauthorized file modifications that might indicate post-exploitation activity
- Implement real-time alerting for elevated database error rates which may indicate injection attempts
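The indicators, detection strategies and monitoring points above can be applied directly to web-server access logs. The following added example (not part of the advisory) is a small PHP CLI script that scans combined-format log lines for requests to popup- or subscriber-related routes under /wp-json/ whose query string, after URL decoding, contains SQL keywords, quote characters, stacked-query separators or comment terminators. The log lines are constructed samples, the REST route names are illustrative, and the function names are assumptions.

```php
<?php
/**
 * Added example, not from the advisory or the plugin: scan web-server access
 * log lines for the indicators listed above. The sample lines below are
 * constructed, and the route names in them are illustrative.
 */

// Only REST routes that look popup- or subscriber-related are inspected, so
// ordinary core requests that happen to contain a word like "select" are not reported.
const PBX_ROUTE_PATTERN = '#^/wp-json/[^?\s]*(popup|subscriber)#i';

// Each rule is a regex applied to the URL-decoded, lower-cased query string.
const PBX_SQLI_RULES = array(
    'union_select'       => '/\bunion\b[\s\/\*]+(all\s+)?\bselect\b/',
    'information_schema' => '/information_schema/',
    'stacked_query'      => '/;\s*(select|insert|update|delete|drop)\b/',
    'quote_in_value'     => '/=[^&]*[\'"]/',      // %27 / %22 after decoding
    'comment_terminator' => '/(--\s|#|\/\*)/',
);

function pbx_parse_log_line( string $line ): ?array {
    // Apache/Nginx "combined" format: ip ident user [time] "METHOD target HTTP/x" status size ...
    if ( ! preg_match( '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})/', $line, $m ) ) {
        return null;
    }
    return array( 'ip' => $m[1], 'time' => $m[2], 'method' => $m[3], 'target' => $m[4], 'status' => (int) $m[5] );
}

function pbx_decode( string $s ): string {
    // Decode twice so %2527-style double encoding does not slip past the rules.
    return strtolower( rawurldecode( rawurldecode( $s ) ) );
}

function pbx_check_request( string $target ): array {
    $parts = explode( '?', $target, 2 );
    $path  = $parts[0];
    $query = $parts[1] ?? '';
    if ( ! preg_match( PBX_ROUTE_PATTERN, $path ) ) {
        return array();                                // not a popup/subscriber route
    }
    $hits = array();
    $q    = pbx_decode( $query );
    foreach ( PBX_SQLI_RULES as $name => $regex ) {
        if ( preg_match( $regex, $q ) ) {
            $hits[] = $name;
        }
    }
    return $hits;
}

function pbx_scan_log_lines( array $lines ): array {
    $findings = array();
    foreach ( $lines as $line ) {
        $req = pbx_parse_log_line( $line );
        if ( ! $req ) {
            continue;
        }
        $hits = pbx_check_request( $req['target'] );
        if ( $hits ) {
            $findings[] = array(
                'ip'     => $req['ip'],
                'time'   => $req['time'],
                'status' => $req['status'],
                'target' => $req['target'],
                'rules'  => $hits,
            );
        }
    }
    return $findings;
}

// Constructed sample lines (not real traffic). Lines 2 and 3 should be flagged;
// line 1 is a normal plugin request and line 4 is a core REST request that
// merely contains the word "select" and must not be reported.
$sample = array(
    '203.0.113.10 - - [05/Feb/2026:10:15:32 +0000] "GET /wp-json/popup-builder-block/v1/popups?orderby=id HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [05/Feb/2026:10:16:01 +0000] "GET /wp-json/popup-builder-block/v1/subscribers?popup_id=1%27%20UNION%20SELECT%201%2C2%2C3--%20- HTTP/1.1" 200 2048 "-" "python-requests/2.31"',
    '198.51.100.7 - - [05/Feb/2026:10:16:09 +0000] "GET /wp-json/popup-builder-block/v1/popups?orderby=id%3B%20SELECT%20table_name%20FROM%20information_schema.tables HTTP/1.1" 500 0 "-" "python-requests/2.31"',
    '192.0.2.25 - - [05/Feb/2026:10:17:44 +0000] "GET /wp-json/wp/v2/posts?search=select%20committee HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
);

foreach ( pbx_scan_log_lines( $sample ) as $f ) {
    printf( "[%s] %s -> HTTP %d  rules=%s  %s\n", $f['time'], $f['ip'], $f['status'], implode( ',', $f['rules'] ), $f['target'] );
}
```

Run it with `php scan.php` (or feed real lines into pbx_scan_log_lines() from `file()`). Access logs only record the request line, so parameters sent in a POST body or JSON payload are invisible to this check; for those, rely on WAF or ModSecurity audit logging, or on WordPress-side request logging, and correlate with the HTTP 500 responses and database error spikes mentioned above.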
How to Mitigate CVE-2025-13192
Immediate Actions Required
- Update the Popup builder plugin to version 2.2.1 or later immediately to address unauthenticated SQL injection vectors
- For a complete fix, including the remaining Administrator+ level vector, upgrade to version 2.2.3 or newer
- If immediate patching is not possible, consider temporarily disabling the plugin until updates can be applied
- Review database access logs for signs of exploitation prior to patching
Patch Information
The vulnerability was partially patched in version 2.2.1, which addresses the unauthenticated attack vector. A complete fix for all user levels, including Administrator+ users, was released in version 2.2.3. Site administrators should update to the latest available version to ensure full protection. The patch implements proper input escaping and prepared statements for all affected REST API endpoints.
For additional details, consult the Wordfence Vulnerability Report.
Workarounds
- Implement a Web Application Firewall (WAF) with SQL injection detection rules to filter malicious requests
- Restrict access to WordPress REST API endpoints using server-level access controls or security plugins
- Temporarily disable the popup-builder-block plugin if updates cannot be applied immediately
- Apply the principle of least privilege to the database user WordPress connects with, so that a successful injection cannot read or modify more than that plugin needs
# Example: Block access to vulnerable REST API endpoints via .htaccess
# Add to WordPress root .htaccess file as temporary mitigation
# Caveats: mod_rewrite only sees the request line, so this inspects the query
# string and not POST or JSON bodies; the keyword list will also refuse
# legitimate values such as "update" or "selection"; and the REST namespace
# below should be verified against the routes the installed plugin actually
# registers. Keep it only until the plugin is updated.
<IfModule mod_rewrite.c>
RewriteEngine On
# Only REST requests under the plugin's namespace (case-insensitive)
RewriteCond %{REQUEST_URI} ^/wp-json/popup-builder-block/ [NC]
# ...whose query string carries common SQL keywords
RewriteCond %{QUERY_STRING} (union|select|insert|update|delete|drop|information_schema) [NC]
# Respond 403 Forbidden and stop processing further rules
RewriteRule .* - [F,L]
</IfModule>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.