Unlimited PopUps <= 4.5.3 - Author+ SQL Injection

An attacker with Editor-level access sends a crafted GET request to `/wp-admin/admin.php?page=popup&info=del&did=` with a malicious SQL payload appended to the `did` parameter. The plugin passes this unsanitized value directly into a `DELETE` query, allowing time-based blind SQL injection (e.g., using `SLEEP(5)`) [ref_id=1]. The attack is authenticated and requires the Editor role, but no other special network conditions are needed.

The vulnerability resides in `popuplist.php` at line 16, where the `did` GET parameter is taken directly from `$_GET["did"]` and concatenated into a DELETE SQL query without any sanitization, validation, or escaping [ref_id=1].

The advisory does not include a patch diff, but the fix would require sanitizing or escaping the `did` parameter before using it in the SQL query, such as casting it to an integer or using `$wpdb->prepare()` with a placeholder [ref_id=1]. Without this change, any Editor or Administrator can inject arbitrary SQL commands via the `did` parameter.