SQL Injection Vulnerability in Video Carousel Slider with Lightbox Plugin for WordPress
CVE-2019-25212

7.2HIGH

Key Information:

Vendor: Wordpress
Status: Video Carousel Slider With Lightbox
Vendor: CVE Published:; 11 September 2024

Summary

The WP Responsive Video Gallery with Lightbox plugin for WordPress is susceptible to SQL Injection via the 'id' parameter, affecting all versions up to and including 1.0.6. This vulnerability arises from inadequate escaping of user-supplied data and insufficient preparation of SQL queries. Authenticated users with administrator-level access or higher can exploit this flaw to insert additional SQL queries into existing ones. This exploitation can lead to unauthorized extraction of sensitive information from the database, posing significant risks to the integrity and confidentiality of user data.

Affected Version(s)

video carousel slider with lightbox * <= 1.0.6

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://wordpress.org/plugins/wp-responsive-video-gallery...

https://plugins.trac.wordpress.org/changeset?old_path=/wp...

CVSS V3.1

Score:

7.2

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Sep 11, 2024
Vulnerability Reserved
Sep 10, 2024

Credit

Ala Arfaoui