Page Expire Popup/Redirection for WordPress

6.5 / 10

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Description

The Page Expire Popup/Redirection for WordPress plugin for WordPress is vulnerable to time-based SQL Injection via the 'id' shortcode attribute in all versions up to, and including, 1.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Author-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

Basic Information

ID CVE-2025-14153

Source Wordfence

Published Jan 6, 2026 at 03:21

Affected Product

Vendor vikasratudi

Product Page Expire Popup/Redirection for WordPress

Version *

Affected Versions vikasratudi Page Expire Popup/Redirection for WordPress *

CWE Classification

CWE-89

References

{
    "lastseen": "",
    "description": "The Page Expire Popup/Redirection for WordPress plugin for WordPress is vulnerable to time-based SQL Injection via the 'id' shortcode attribute in all versions up to, and including, 1.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Author-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.",
    "published": "2026-01-06T03:21:39.811Z",
    "modified": "2026-01-06T03:21:39.811Z",
    "type": "cve",
    "title": "Page Expire Popup/Redirection for WordPress <= 1.0 - Authenticated (Author+) SQL Injection via 'id' Shortcode Attribute",
    "source": "Wordfence",
    "references": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b0c232b2-f7c8-4a8d-b282-72f61ecfc5da?source=cve\nhttps://plugins.trac.wordpress.org/browser/page-expire-popup/trunk/inc/vfpageexpirepopupstructure.php#L8\nhttps://plugins.trac.wordpress.org/browser/page-expire-popup/tags/1.0/inc/vfpageexpirepopupstructure.php#L8\nhttps://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3427583%40page-expire-popup&new=3427583%40page-expire-popup&sfp_email=&sfph_mail=",
    "id": "CVE-2025-14153",
    "bulletinFamily": "",
    "cwe": [
        "CWE-89"
    ],
    "cvelist": null,
    "sourceData": "vikasratudi Page Expire Popup/Redirection for WordPress *",
    "sourceHref": "",
    "cvss": {
        "score": 6.5,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Page Expire Popup/Redirection for WordPress",
    "version": "*",
    "vendor": "vikasratudi",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Page Expire Popup/Redirection for WordPress <= 1.0 - Authenticated (Author+) SQL Injection via 'id' Shortcode Attribute_CVE-2025-14153