CVE-2026-57631
Ays · Popup box
A SQL injection vulnerability in the Ays Popup box plugin allows an authenticated administrator to execute arbitrary database commands.
Executive summary
An authenticated SQL injection vulnerability in the Ays Popup box plugin presents a high risk, allowing an administrator to compromise the site database through malicious query injection.
Vulnerability
The plugin fails to sanitize user-supplied input in specific administrative functions, enabling an authenticated administrator to perform SQL injection attacks against the application database.
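The following is an added illustration of the bug class described above and of what the sanitization fix looks like; it is not the plugin's own code. It assumes a WordPress plugin using the global $wpdb, and the table name, function names and nonce action are hypothetical.

```php
<?php
// Added illustration (not the plugin's code) of an admin-side handler that
// builds SQL from request input, beside a hardened version. Assumes a
// WordPress plugin using $wpdb; 'ays_pb', the function names and the
// nonce action 'ays_popup_list' are hypothetical placeholders.

// Vulnerable pattern: request values are interpolated straight into the query,
// so an authenticated administrator controls the SQL that is executed.
function hypo_popup_list_vulnerable() {
    global $wpdb;
    $table   = $wpdb->prefix . 'ays_pb';   // hypothetical table name
    $orderby = $_REQUEST['orderby'];       // unsanitized identifier
    $search  = $_REQUEST['s'];             // unsanitized data value
    return $wpdb->get_results(
        "SELECT id, title FROM $table WHERE title LIKE '%$search%' ORDER BY $orderby"
    );
}

// Hardened pattern: authorise the caller, allow-list identifiers, and bind
// every data value through $wpdb->prepare().
function hypo_popup_list_hardened() {
    global $wpdb;

    // "Authenticated administrator" is not "trusted input": gate and CSRF-check.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'ays_popup_list' );   // hypothetical nonce action

    $table = $wpdb->prefix . 'ays_pb';

    // Column names cannot be bound as parameters, so validate against an allow-list.
    $allowed_cols = array( 'id', 'title', 'date' );
    $orderby = isset( $_REQUEST['orderby'] ) ? sanitize_key( $_REQUEST['orderby'] ) : 'id';
    if ( ! in_array( $orderby, $allowed_cols, true ) ) {
        $orderby = 'id';
    }

    // Data values go through prepare(); esc_like() keeps '%' and '_' literal.
    $search = isset( $_REQUEST['s'] ) ? sanitize_text_field( wp_unslash( $_REQUEST['s'] ) ) : '';
    $like   = '%' . $wpdb->esc_like( $search ) . '%';

    return $wpdb->get_results(
        $wpdb->prepare(
            "SELECT id, title FROM {$table} WHERE title LIKE %s ORDER BY {$orderby}",
            $like
        )
    );
}
```

The hardened form is what a patch for an input sanitization failure of this kind typically amounts to: prepared statements for data and allow-lists for identifiers, with the capability and nonce checks retained even though the caller is already an administrator.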
Business impact
Exploitation of this flaw could allow an attacker to read or modify sensitive information within the database, potentially leading to data breaches or the injection of malicious content onto the website. With a CVSS score of 7.6, this vulnerability poses a high risk to the overall security posture and data confidentiality of the hosted site.
Remediation
Immediate Action: Apply the latest security patch released by Ays for the Popup box plugin to address the input sanitization failure.
Proactive Monitoring: Monitor database query logs for unusual or unexpected SQL syntax, especially in queries originating from the plugin's administrative interface.
Compensating Controls: Use a Web Application Firewall (WAF) to detect and block common SQL injection patterns before they reach the application layer.
Exploitation status
Public Exploit Available: false
Analyst recommendation
Security teams should prioritize updating the Popup box plugin to the latest version to remediate this vulnerability. Restricting administrative access and regularly auditing plugin configurations will further reduce the attack surface and prevent unauthorized database manipulation.