CVE-2023-5465 - SQL Injection in “Popup with fancybox” WordPress Plugin—Details, Exploit, and Protection

In late 2023, security researchers uncovered a critical vulnerability in the popular Popup with fancybox WordPress plugin. Assigned CVE-2023-5465, this flaw allows authenticated users with subscriber-level access or higher to perform SQL Injection attacks, potentially exposing sensitive content from the website’s database.

In this long-read post, let's break down what happened, see the technical details with code samples, explore how attackers can exploit it, and—most importantly—learn how you can protect your WordPress site.

What is CVE-2023-5465?

CVE-2023-5465 was discovered by the security community (see disclosure). The plugin uses shortcodes in WordPress posts and pages to display popups. Unfortunately, it wasn't properly sanitizing and preparing input from these shortcodes before passing them to the database, allowing attackers to manipulate SQL queries.

Plugin Vulnerable Code (Simplified PHP Example)

// Vulnerable code inside the plugin (for illustration)
$popup_id = $_POST['popup_id']; // Comes from shortcode attribute, for example
$query = "SELECT * FROM {$wpdb->prefix}popups WHERE id = $popup_id";
$results = $wpdb->get_results($query);

Here's How a Malicious Shortcode Could Look

[popup_with_fancybox popup_id="1 OR 1=1 -- "]

Resulting SQL Query Sent to Database

SELECT * FROM wp_popups WHERE id = 1 OR 1=1 -- 

- The OR 1=1 always returns true and -- comments out the rest. This exposes all rows in the popups table.

More Dangerous: Extracting Sensitive Data

The attacker could use sub-queries to extract password hashes, emails, or anything else in the same database, depending on what WordPress allows.

Proof-of-Concept Exploit

Assume you’re logged in as a low-level "subscriber" account. Add this shortcode to any post or page:

[popup_with_fancybox popup_id="1 UNION SELECT user_login, user_pass, 1, 1, 1 FROM wp_users -- "]

- This tries to merge user logins and password hashes from the WordPress users table with the plugin’s popup output.

Authenticated Exploit: Even low-privilege users can steal data.

- Database Exposure: Anything the web server can read in the database can be dumped, including user emails, hashed passwords, plugin settings, and more.

Version 3.6 and above fixes this vulnerability.

Download the latest version from the WordPress Plugin Directory.

Limit which user roles can create posts or use shortcodes.

General Advice:

- Use WPScan or Wordfence to scan your plugins for known flaws.

- Always escape shortcode attributes

$popup_id = intval($_POST['popup_id']);   // Forces integer
$query = $wpdb->prepare(
    "SELECT * FROM {$wpdb->prefix}popups WHERE id = %d",
    $popup_id
);
$results = $wpdb->get_results($query);

References

- Official WPScan Advisory
- NVD Entry for CVE-2023-5465
- Plugin Page: Popup with fancybox

Final Thoughts

SQL Injection is one of the oldest and most dangerous bugs on the web. This case with “Popup with fancybox” shows why all user input must be treated as dangerous by default—even if users are logged in.

If you run this plugin on your WordPress site, update immediately and review your user permissions. Stay aware—more plugins than you think may have similar issues!

Timeline

Published on: 11/22/2023 16:15:12 UTC
Last modified on: 11/28/2023 19:29:22 UTC