CVE-2025-13192

WordPress · Popup builder with Gamification, Multi-Step Popups, Page-Level Targeting, and WooCommerce Triggers plugin

The Popup builder with Gamification plugin for WordPress is vulnerable to SQL Injection via REST API endpoints. This allows attackers to execute arbitrary SQL commands.

Executive summary

A high-severity (CVSS 8.2) SQL injection vulnerability in the Popup builder with Gamification WordPress plugin lets an attacker run attacker-controlled queries against the site's database through several of the plugin's REST API endpoints.

Vulnerability

The flaw is SQL injection reachable through multiple REST API endpoints registered by the plugin: values taken from the request reach database queries without adequate escaping or parameterisation, so a crafted request executes attacker-chosen SQL against the WordPress database. The advisory does not name the affected endpoints or parameters, and it does not state the privilege level required to reach them; until the vendor confirms otherwise, treat every route the plugin registers under /wp-json/ as reachable by unauthenticated requests and as in scope.
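The pattern behind this class of flaw, shown as an added example that is not the plugin's code: a hypothetical popup-lookup handler that splices a request parameter into its query, beside the hardened form that validates and binds it. The parameter name `id` and the table names `popups` and `users` are assumptions; an in-memory SQLite database via PDO stands in for MySQL so the script runs from the PHP CLI. Inside a WordPress plugin the hardened version corresponds to binding through `$wpdb->prepare()` and registering the route with `register_rest_route()` using a `permission_callback` and an `args` entry with a `validate_callback`.

```php
<?php
// Added example, not from the advisory or the plugin. Contrasts a string-
// concatenated lookup (the pattern behind SQL injection) with a parameterised
// one. Table and column names are hypothetical; SQLite via PDO replaces MySQL
// so the file runs stand-alone: php sqli_demo.php

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE popups (id INTEGER PRIMARY KEY, title TEXT, status TEXT)');
$db->exec('CREATE TABLE users  (id INTEGER PRIMARY KEY, user_login TEXT, user_pass TEXT)');
$db->exec("INSERT INTO popups VALUES (1, 'Spin to win', 'publish'), (2, 'Draft popup', 'draft')");
$db->exec("INSERT INTO users  VALUES (1, 'admin', 'constructed-hash-placeholder')");

// Vulnerable: the request value is spliced straight into the SQL text, so the
// caller decides where the query ends.
function get_popup_vulnerable(PDO $db, array $request): array
{
    $id  = $request['id'] ?? '';
    $sql = 'SELECT id, title, status FROM popups WHERE id = ' . $id;
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: the value must be a plain integer and is bound as a parameter, never
// concatenated. Rejecting early also means no SQL runs for malformed input.
function get_popup_hardened(PDO $db, array $request): array
{
    $raw = (string) ($request['id'] ?? '');
    if (!preg_match('/^\d+$/', $raw)) {
        return ['error' => 'invalid id'];
    }
    $stmt = $db->prepare('SELECT id, title, status FROM popups WHERE id = :id');
    $stmt->execute([':id' => (int) $raw]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed payload: a UNION that pulls logins and password hashes out of the
// users table through the popup endpoint. Column count matches the original
// SELECT, which is all the attacker needs to line up.
$payload = ['id' => '0 UNION SELECT id, user_login, user_pass FROM users'];

echo "vulnerable handler (payload):\n";
print_r(get_popup_vulnerable($db, $payload));   // users rows come back as "popups"
echo "hardened handler (payload):\n";
print_r(get_popup_hardened($db, $payload));     // rejected before any SQL runs
echo "hardened handler (id=1):\n";
print_r(get_popup_hardened($db, ['id' => '1'])); // the legitimate lookup still works
```

The validation step and the bound parameter are independent defences: the regex stops anything that is not an integer from reaching the database, and the placeholder guarantees that even a value which passed validation can only ever be treated as data. In WordPress the same two layers are `validate_callback`/`sanitize_callback` on the route's `args` and `$wpdb->prepare()` with `%d` or `%s` placeholders.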

Business impact

Successful exploitation can expose the contents of the WordPress database: user password hashes and e-mail addresses from wp_users, customer and order records held by WooCommerce, and site configuration stored in wp_options. The CVSS score of 8.2 sits in the High band. A database read of that scope is typically enough for account takeover, and depending on the exact injection point the attacker may also be able to modify records, so the realistic worst case is full site compromise together with a reportable data breach.

Remediation

Immediate Action: Update the "Popup builder with Gamification" plugin to the latest version. The advisory does not name the fixed release, so confirm in the plugin's changelog that the version you install addresses CVE-2025-13192. If no fixed version is available, deactivate and remove the plugin rather than leaving it disabled but installed.

Proactive Monitoring: Review web-server access logs for requests to the plugin's REST routes under /wp-json/ (or /?rest_route=) whose parameters contain SQL fragments such as UNION SELECT, SLEEP(, BENCHMARK(, or comment sequences like -- and /*. A bare SELECT is in every legitimate query and is not a useful indicator on its own. Payloads sent in POST bodies do not appear in access logs, so also check the MySQL general or slow query log if it is enabled. Finally, list administrator accounts and check for any created or modified during the exposure window.

Compensating Controls: Deploy a Web Application Firewall (WAF) with generic SQL injection rules in front of the site to filter malicious REST API requests. Treat this as a stopgap, not a fix: generic signatures are routinely bypassed with encoding and comment tricks, and they cannot protect traffic the WAF does not see.
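The log review described under Proactive Monitoring, carried out over a few constructed access-log lines, as an added example that is not part of the advisory. The same indicators are what generic WAF signatures key on, so the hit list doubles as a sanity check of what a Compensating Control would and would not catch. The route `/wp-json/popup/v1/get` and the source addresses are assumptions; the log lines are in Apache/nginx "combined" format and the script runs from the PHP CLI that is present wherever WordPress is.

```php
<?php
// Added example, not from the advisory or the plugin. Scans access-log lines
// for WordPress REST API requests whose query string carries SQL injection
// indicators. Run with: php scan_rest_log.php

const REST_PREFIX = '/wp-json/';

// Indicators applied to the URL-decoded query string. Labels are for the report.
const SQLI_PATTERNS = [
    '/\bunion\b[\s\/\*]+(all[\s\/\*]+)?\bselect\b/i'     => 'UNION SELECT',
    '/\b(sleep|benchmark|pg_sleep)\s*\(/i'              => 'time-based function',
    '/\b(extractvalue|updatexml)\s*\(/i'                => 'error-based function',
    '/\b(and|or)\b\s+[\'"]?\w+[\'"]?\s*=\s*[\'"]?\w+/i' => 'boolean tautology',
    '/(--\s|--$|\/\*)/'                                 => 'SQL comment sequence',
    '/\b(information_schema|wp_users|wp_usermeta)\b/i'  => 'schema or user table reference',
];

// Decode twice: %2527 is a double-encoded quote that a single decode would miss.
function decode_query(string $query): string
{
    return rawurldecode(rawurldecode($query));
}

// Returns an alert array for a suspicious REST request, or null otherwise.
function scan_line(string $line): ?array
{
    if (!preg_match('/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/', $line, $m)) {
        return null;                                   // not a combined-format line
    }
    [, $ip, $time, $method, $url, $status] = $m;
    $path  = parse_url($url, PHP_URL_PATH);
    $query = parse_url($url, PHP_URL_QUERY);
    $path  = is_string($path)  ? $path  : '';
    $query = is_string($query) ? $query : '';

    // REST requests arrive as /wp-json/... or, without pretty permalinks, as /?rest_route=...
    $isRest = strpos($path, REST_PREFIX) === 0 || preg_match('/(^|&)rest_route=/', $query);
    if (!$isRest) {
        return null;
    }

    $decoded = decode_query($query);
    $hits = [];
    foreach (SQLI_PATTERNS as $regex => $label) {
        if (preg_match($regex, $decoded)) {
            $hits[] = $label;
        }
    }
    if ($hits === []) {
        return null;
    }
    return ['ip' => $ip, 'time' => $time, 'method' => $method, 'path' => $path,
            'status' => (int) $status, 'indicators' => $hits, 'query' => $decoded];
}

// Constructed sample: one benign REST call, two injection attempts against a
// hypothetical plugin route (the second double-encoded), and a non-REST request.
$log = <<<'LOG'
203.0.113.7 - - [10/Nov/2025:10:12:01 +0000] "GET /wp-json/wp/v2/posts?per_page=5 HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Nov/2025:10:12:05 +0000] "GET /wp-json/popup/v1/get?id=1%20UNION%20SELECT%20user_login%2Cuser_pass%2C3%20FROM%20wp_users HTTP/1.1" 200 412 "-" "sqlmap/1.8"
203.0.113.9 - - [10/Nov/2025:10:12:09 +0000] "GET /wp-json/popup/v1/get?id=1%2527%2520AND%2520SLEEP%25285%2529--%2520 HTTP/1.1" 200 97 "-" "sqlmap/1.8"
198.51.100.4 - - [10/Nov/2025:10:13:44 +0000] "GET /?s=union+select HTTP/1.1" 200 5610 "-" "Mozilla/5.0"
LOG;

foreach (explode("\n", trim($log)) as $line) {
    $alert = scan_line($line);
    if ($alert !== null) {
        printf("ALERT %s %s %s %s [%s]\n  decoded query: %s\n",
            $alert['time'], $alert['ip'], $alert['method'], $alert['path'],
            implode(', ', $alert['indicators']), $alert['query']);
    }
}
```

Only the two requests to the plugin route are reported; the front-page search in the last line is deliberately out of scope for this script, and the benign `wp/v2/posts` call has no indicators. A 200 status on a request that carried a SLEEP payload is worth a closer look, since a parameterised endpoint would normally have rejected the value. For the administrator-account check mentioned above, `wp user list --role=administrator --fields=ID,user_login,user_email,user_registered` from WP-CLI gives a quick baseline to compare against.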

Exploitation status

Public Exploit Available: false

Analyst recommendation

SQL injection in an endpoint reachable over HTTP is a direct path to the database, so this update belongs ahead of the routine patch cycle. The absence of a public exploit at publication is not a reason to wait: injection flaws in widely installed plugins are routinely weaponised once the fixing change is public. Applying the vendor's fix is the only complete mitigation; where that must be delayed, removing the plugin or blocking its REST routes at the edge is preferable to relying on WAF signatures alone.