Introduction
Sensitive data exposure, credential leaks, and unauthorized access to WordPress databases are real consequences when SQL injection flaws are left unpatched in widely deployed plugins. The Popup builder with Gamification, Multi-Step Popups, Page-Level Targeting, and WooCommerce Triggers plugin for WordPress, used for marketing popups and customer engagement, is affected by a critical SQL injection vulnerability (CVE-2025-10862) that allows unauthenticated attackers to extract sensitive information from the database.
Technical Information
CVE-2025-10862 is a SQL injection vulnerability caused by improper handling of the id parameter in the plugin's database query logic. The vulnerability is present in all versions up to and including 2.1.3 of the Popup builder with Gamification, Multi-Step Popups, Page-Level Targeting, and WooCommerce Triggers plugin for WordPress.
The root cause is insufficient escaping and lack of parameterized queries when incorporating user input into SQL statements. Specifically, the following files and lines are implicated:
- includes/Helpers/DataBase.php at line 374
- includes/Routes/Popup.php at line 232
The vulnerable code paths process the id parameter from HTTP requests and directly concatenate it into SQL queries. This allows an unauthenticated attacker to craft requests with malicious SQL code in the id parameter, resulting in arbitrary SQL execution. The vulnerability is classified as CWE-89 (Improper Neutralization of Special Elements used in an SQL Command).
No code snippets are included here, but the vulnerable lines can be reviewed in the public plugin repository (see references).
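As an added illustration (not the plugin's code, which this advisory does not reproduce), the hypothetical WordPress handler below shows the concatenation pattern described above next to the parameterized form using $wpdb->prepare() plus argument validation at the REST boundary; the table name, route namespace and function names are assumed.

```php
<?php
// Illustrative pattern only: NOT the plugin's code. Shows how a raw `id`
// request value reaches a query unsafely, and the WordPress-idiomatic fix.

// Vulnerable pattern (hypothetical): the request value is concatenated into
// the SQL text, so any SQL metacharacters in it alter the statement itself.
function example_get_popup_unsafe( $id ) {
    global $wpdb;
    $table = $wpdb->prefix . 'example_popups'; // assumed table name
    $sql   = "SELECT * FROM {$table} WHERE id = " . $id;
    return $wpdb->get_row( $sql );
}

// Hardened form: coerce to the expected type, then bind the value through
// $wpdb->prepare() so it is treated as data, never as statement text.
function example_get_popup_safe( $id ) {
    global $wpdb;
    $table = $wpdb->prefix . 'example_popups';
    $id    = absint( $id );            // popup ids are positive integers
    if ( 0 === $id ) {
        return null;                   // reject anything that is not a valid id
    }
    $sql = $wpdb->prepare( "SELECT * FROM {$table} WHERE id = %d", $id );
    return $wpdb->get_row( $sql );
}

// REST route registration: validate and sanitize the argument at the
// boundary so malformed ids are rejected before any query is built.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/popup/(?P<id>\d+)', array(
        'methods'             => 'GET',
        'callback'            => function ( WP_REST_Request $request ) {
            $row = example_get_popup_safe( $request['id'] );
            if ( ! $row ) {
                return new WP_Error( 'not_found', 'No such popup', array( 'status' => 404 ) );
            }
            return rest_ensure_response( $row );
        },
        'permission_callback' => '__return_true', // public read; tighten as needed
        'args'                => array(
            'id' => array(
                'validate_callback' => function ( $value ) { return is_numeric( $value ); },
                'sanitize_callback' => 'absint',
            ),
        ),
    ) );
} );
```

When reviewing a plugin for this class of bug, the check is mechanical: every $wpdb->query / get_row / get_results call whose SQL string is built with concatenation or interpolation of request data, rather than passed through $wpdb->prepare() with %d/%s placeholders, is a candidate.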
Affected Systems and Versions
- Product: Popup builder with Gamification, Multi-Step Popups, Page-Level Targeting, and WooCommerce Triggers plugin for WordPress
- Affected versions: All versions up to and including 2.1.3
- Vulnerable files: includes/Helpers/DataBase.php (line 374), includes/Routes/Popup.php (line 232)
Vendor Security History
Previous security reviews and advisories have identified recurring vulnerabilities in popup builder plugins for WordPress, including this product. Prior issues include:
- SQL injection vulnerabilities in earlier versions and similar plugins (Wordfence 2019)
- Cross-site scripting (XSS) and authorization flaws
- Multiple further issues in the plugin's security posture documented by Patchstack and Plugin Vulnerabilities
The vendor has released patches in response to disclosures, but the frequency of issues suggests ongoing challenges with secure coding and review processes.