CVE-2020-9006: 
WordPress vulnerability analysis and mitigation

The Popup Builder WordPress plugin versions 2.2.8 through 2.6.7.6 contained a critical vulnerability (CVE-2020-9006) that allowed SQL injection via PHP Deserialization. The vulnerability was discovered in February 2020 and affected the sgImportPopups function in sg_popup_ajax.php file. The issue allowed attackers to create arbitrary WordPress Administrator accounts, potentially leading to Remote Code Execution since administrators can execute PHP code on WordPress instances (NVD).

The vulnerability exists in the sgImportPopups function within sg_popup_ajax.php, where attacker-controlled data could be passed through the attachmentUrl POST variable. This vulnerability combines both SQL injection and PHP deserialization issues, receiving a CVSS v3.1 Base Score of 9.8 CRITICAL (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). The issue has been fixed in version 3.x branch of the plugin (NVD).

The vulnerability's impact was severe as it allowed attackers to create arbitrary WordPress Administrator accounts. With administrator access, attackers could execute PHP code on WordPress instances, effectively gaining complete control over the affected websites. This level of access could lead to website defacement, data theft, or using the compromised site for malicious purposes (NVD).

The vulnerability was patched in the 3.x branch of popup-builder. Users were advised to upgrade their Popup Builder plugin to version 3.0 or later to protect against this vulnerability. The fix addressed both the SQL injection and PHP deserialization issues (NVD).