CVE-2025-14153
Time-Based SQL Injection in WordPress Page Expire Popup Plugin
Publication date: 2026-01-06
Last updated on: 2026-01-06
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| unknown_vendor | page_expire_popup | to 1.0 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability is a time-based SQL Injection in the Page Expire Popup/Redirection WordPress plugin. It occurs via the 'id' shortcode attribute due to insufficient escaping and lack of proper preparation of the SQL query. Authenticated users with Author-level access or higher can append additional SQL queries to extract sensitive information from the database. [3]
How can this vulnerability impact me? :
This vulnerability allows attackers with Author-level access or above to perform SQL Injection attacks, potentially extracting sensitive information from the database. This could lead to unauthorized data disclosure without affecting data integrity or availability directly.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by identifying if the WordPress site is running the Page Expire Popup plugin version 1.0 or earlier and if the 'id' shortcode attribute is being used in a way that allows SQL injection. Since the vulnerability involves time-based SQL Injection via the 'id' parameter, detection could involve monitoring for unusual or malformed SQL queries targeting the plugin's database table `${wpdb->prefix}pexpirep`. However, no specific detection commands are provided in the available resources.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include updating the Page Expire Popup plugin to version 1.1.0 or later, where the plugin code was modified to properly query the database using the WordPress database object `$wpdb` with parameterized queries to prevent SQL injection. Additionally, restrict Author-level and above users from untrusted sources to reduce risk, and monitor for suspicious activity related to the 'id' shortcode attribute usage. [3]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This vulnerability allows authenticated attackers with Author-level access and above to perform time-based SQL Injection, potentially extracting sensitive information from the database. Such unauthorized access and data extraction could lead to violations of data protection regulations like GDPR and HIPAA, which require safeguarding sensitive personal and health information. Therefore, exploitation of this vulnerability may result in non-compliance with these standards due to unauthorized disclosure of sensitive data.