Brief Summary: CVE-2025-10862 SQL Injection in WordPress Popup Builder Plugin

Introduction

Sensitive data exposure, credential leaks, and unauthorized access to WordPress databases are real consequences when SQL injection flaws are left unpatched in widely deployed plugins. The Popup builder with Gamification, Multi-Step Popups, Page-Level Targeting, and WooCommerce Triggers plugin for WordPress, used for marketing popups and customer engagement, is affected by a critical SQL injection vulnerability (CVE-2025-10862) that allows unauthenticated attackers to extract sensitive information from the database.

Technical Information

CVE-2025-10862 is a SQL injection vulnerability caused by improper handling of the id parameter in the plugin's database query logic. The vulnerability is present in all versions up to and including 2.1.3 of the Popup builder with Gamification, Multi-Step Popups, Page-Level Targeting, and WooCommerce Triggers plugin for WordPress.

The root cause is insufficient escaping and lack of parameterized queries when incorporating user input into SQL statements. Specifically, the following files and lines are implicated:

• includes/Helpers/DataBase.php at line 374
• includes/Routes/Popup.php at line 232

The vulnerable code paths process the id parameter from HTTP requests and directly concatenate it into SQL queries. This allows an unauthenticated attacker to craft requests with malicious SQL code in the id parameter, resulting in arbitrary SQL execution. The vulnerability is classified as CWE-89 (Improper Neutralization of Special Elements used in an SQL Command).

No code snippets are included here, but the vulnerable lines can be reviewed in the public plugin repository (see references).

Affected Systems and Versions

• Product: Popup builder with Gamification, Multi-Step Popups, Page-Level Targeting, and WooCommerce Triggers plugin for WordPress
• Affected versions: All versions up to and including 2.1.3
• Vulnerable files: includes/Helpers/DataBase.php (line 374), includes/Routes/Popup.php (line 232)

Vendor Security History

Previous security reviews and advisories have identified recurring vulnerabilities in popup builder plugins for WordPress, including this product. Prior issues include:

• SQL injection vulnerabilities in earlier versions and similar plugins (Wordfence 2019)
• Cross-site scripting (XSS) and authorization flaws
• Patchstack and Plugin Vulnerabilities have documented multiple issues in the plugin's security posture

The vendor has released patches in response to disclosures, but the frequency of issues suggests ongoing challenges with secure coding and review processes.

References

• Wordfence advisory for CVE-2025-10862
• Plugin source: DataBase.php#L374
• Plugin source: Popup.php#L232
• Plugin patch: changeset 3369146
• CVE entry at CVETodo
• VulDB entry