CVE-2025-2011: 
WordPress vulnerability analysis and mitigation

The Slider & Popup Builder by Depicter plugin for WordPress is vulnerable to SQL Injection via the 's' parameter in all versions up to, and including, 3.6.1. The vulnerability was discovered and fixed in version 3.6.2, released on May 5, 2025. The vulnerability affects the plugin's search functionality in the leads management feature (NVD, GitHub).

The vulnerability exists due to insufficient escaping on the user-supplied 's' parameter and lack of sufficient preparation on the existing SQL query in the LeadsAjaxController. The vulnerable code uses Sanitize::textfield() instead of Sanitize::sql() for the 's' parameter, allowing attackers to append additional SQL queries. This makes it possible for unauthenticated attackers to manipulate the SQL query and extract sensitive information from the database. The vulnerability has a CVSS v3.1 Base Score of 7.5 HIGH (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) (NVD).

A successful exploitation could allow unauthenticated attackers to extract sensitive information from the database through SQL injection. The vulnerability primarily affects the confidentiality of the system, with potential access to stored data (NVD).

Users should immediately upgrade to version 3.6.2 or later of the Depicter plugin, which includes the security fix. The update changes the sanitization method from Sanitize::textfield() to Sanitize::sql() for the 's' parameter (WordPress).