CVE-2025-2011 in Slider & Popup Builder Plugin
Summary
by MITRE • 05/06/2025
The Slider & Popup Builder by Depicter plugin for WordPress is vulnerable to generic SQL Injection via the ‘s' parameter in all versions up to, and including, 3.6.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 06/23/2026
The Slider & Popup Builder by Depicter plugin presents a critical security vulnerability classified as generic SQL Injection affecting versions through 3.6.1. This flaw resides in the plugin's handling of the 's' parameter within its WordPress implementation, creating an avenue for malicious actors to manipulate database queries without authentication. The vulnerability stems from inadequate input sanitization where user-supplied data flows directly into SQL execution contexts without proper escaping mechanisms or prepared statement usage.
The technical exploitation occurs when an attacker crafts malicious input targeting the 's' parameter, which then gets incorporated into existing SQL queries without appropriate security measures. This allows for query injection attacks that can be leveraged to extract sensitive information from the underlying database through concatenation of additional SQL commands. The vulnerability demonstrates poor input validation practices and violates fundamental secure coding principles that should prevent such injection scenarios in web applications.
From an operational perspective, this vulnerability poses significant risks to WordPress installations using the affected plugin version. Unauthenticated attackers can potentially access confidential data including user credentials, personal information, and administrative details stored within the database. The impact extends beyond simple data theft as it may enable further attacks including privilege escalation, data manipulation, or complete system compromise depending on the database configuration and access controls in place.
Security professionals should address this vulnerability through immediate patching of the plugin to version 3.6.2 or later, which incorporates proper input sanitization and parameterized query handling. Organizations must also implement network-level monitoring to detect potential exploitation attempts and consider database access controls to limit the impact of successful attacks. The vulnerability aligns with CWE-89 which categorizes SQL injection flaws as critical security weaknesses requiring proper input validation and prepared statement usage.
Mitigation strategies should include implementing web application firewalls to filter malicious SQL patterns, conducting regular security audits of WordPress plugins, and maintaining updated security monitoring tools. Additionally, administrators should review database permissions to ensure that application accounts have minimal necessary privileges. The ATT&CK framework categorizes this as a database access technique where adversaries exploit injection vulnerabilities to extract sensitive information from back-end systems. Organizations must also consider implementing defense-in-depth strategies including regular penetration testing and vulnerability scanning to identify similar issues across their WordPress environments.