CVE-2023-28661: 
WordPress vulnerability analysis and mitigation

The WP Popup Banners WordPress Plugin, version <= 1.2.5, is affected by an authenticated SQL injection vulnerability in the 'value' parameter in the get_popup_data action. This vulnerability was discovered and reported by Joshua Martinelle of Tenable Research (Tenable Research).

The vulnerability exists due to improper sanitization of the 'value' parameter in the get_popup_data action before using it in a SQL statement. The vulnerability has been assigned a CVSS v3.1 score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The vulnerability is classified as CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') (NVD).

The vulnerability allows authenticated users, including those with low-privilege roles such as subscribers, to perform SQL injection attacks. This could potentially lead to unauthorized access to sensitive data, modification of database contents, and compromise of the website's integrity (WPScan).

As of the latest reports, there is no fix available for this vulnerability as the plugin has been closed since December 19, 2022. Users are advised to consider removing the plugin or implementing additional security controls to restrict access to the vulnerable functionality (Tenable Research).