CVE-2025-13192 is a critical SQL Injection vulnerability identified in the roxnor WordPress plugin 'Popup builder with Gamification, Multi-Step Popups, Page-Level Targeting, and WooCommerce Triggers.' This plugin, widely used for creating interactive popups with gamification and WooCommerce integration, suffers from improper neutralization of special elements in SQL commands (CWE-89). The vulnerability arises from multiple REST API endpoints that accept user-supplied parameters without adequate escaping or prepared statements, allowing attackers to append arbitrary SQL queries to existing database commands. This flaw enables unauthenticated attackers to extract sensitive information from the backend database, compromising confidentiality. The vulnerability affects all versions up to and including 2.2.0. The vendor released a partial fix in version 2.2.1 addressing unauthenticated access and a comprehensive fix in 2.2.3 that also protects administrator-level endpoints. The CVSS 3.1 base score is 8.2, reflecting network attack vector, low attack complexity, no privileges required, no user interaction, and high confidentiality impact with limited integrity impact. No known exploits have been reported in the wild yet, but the ease of exploitation and potential data exposure make this a significant threat to WordPress sites using this plugin.

The primary impact of CVE-2025-13192 is unauthorized disclosure of sensitive data stored in the WordPress database, which may include user credentials, personal information, or business-critical data. Since the vulnerability is exploitable remotely without authentication or user interaction, attackers can automate attacks at scale, potentially compromising large numbers of websites. Data confidentiality is severely impacted, while integrity and availability impacts are limited. Organizations relying on this plugin for marketing, customer engagement, or e-commerce functions risk data breaches that could lead to regulatory penalties, reputational damage, and financial loss. Additionally, attackers could leverage extracted data for further attacks such as credential stuffing or phishing. The vulnerability also undermines trust in the affected websites and could disrupt business operations if sensitive customer or transactional data is exposed.

To mitigate CVE-2025-13192, organizations should immediately update the roxnor Popup builder plugin to version 2.2.3 or later, which fully patches the vulnerability for all user levels. Until updates are applied, administrators should consider disabling the plugin or restricting access to the vulnerable REST API endpoints via web application firewalls (WAFs) or network controls. Implementing strict input validation and employing prepared statements or parameterized queries in custom code can reduce SQL Injection risks. Monitoring logs for unusual API requests and database query anomalies can help detect exploitation attempts. Additionally, organizations should review database permissions to limit exposure and ensure regular backups are maintained to recover from potential data corruption or loss. Security teams should also verify that WordPress core and other plugins are up to date to minimize attack surface.