Skip to main content

Popup Box EUVDEUVD-2026-39747

| CVE-2026-57631 HIGH
SQL Injection (CWE-89)
2026-06-26 audit@patchstack.com GHSA-mjrq-9cj9-fhhq
7.6
CVSS 3.1 · Vendor: patchstack
Share

Severity by source

Vendor (patchstack) PRIMARY
7.6 HIGH
AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L
vuln.today AI
5.5 MEDIUM

Network-reachable wp-admin endpoint (AV:N/AC:L) but requires administrator privileges (PR:H); SQLi exposes the database (C:H) with at least limited write potential (I:L); I treat scope as unchanged since impact stays within the WordPress DB trust boundary.

3.1 AV:N/AC:L/PR:H/UI:N/S:N/C:H/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (patchstack).

CVSS VectorVendor: patchstack

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jun 26, 2026 - 15:50 vuln.today

DescriptionCVE.org

Administrator SQL Injection in Popup box <= 6.0.1 versions.

AnalysisAI

SQL injection in the AYS Popup Box WordPress plugin (versions 6.0.1 and earlier) lets an authenticated administrator inject arbitrary SQL into the WordPress database through an unsanitized plugin parameter (CWE-89). Because exploitation requires existing high-privilege administrator access per the CVSS PR:H metric, this is primarily a data-exposure/privilege-abuse issue rather than a remote-takeover flaw, and no public exploit has been identified at time of analysis. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain WordPress administrator access
Delivery
Reach Popup Box admin endpoint
Exploit
Submit crafted SQL in plugin parameter
Execution
Injected query executes against WP database
Impact
Exfiltrate credentials and sensitive data

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated WordPress administrator session (CVSS PR:H), so the attacker must already possess admin credentials or have hijacked an admin session/account - this is the primary limiting factor. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are mostly low-to-moderate and broadly consistent. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A user who already holds - or has compromised via phishing of a legitimate admin - a WordPress administrator account submits a crafted value to a vulnerable Popup Box admin parameter, causing injected SQL to execute against the WordPress database and exfiltrate sensitive data such as password hashes or secrets stored by other plugins. No public proof-of-concept was identified at time of analysis, and the low attack complexity (AC:L) means that once admin access is obtained, triggering the injection is straightforward.
Remediation No vendor-released patch version is identified in the available data; the advisory only specifies the affected range '<= 6.0.1', which implies a fixed release exists but the exact patched version is not confirmed from the input. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Audit active installations of AYS Popup Box and disable or uninstall the plugin if not critical to business operations. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-39747 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy