SQL Injection Vulnerability in Up Down Image Slideshow Gallery for WordPress
CVE-2023-5435

6.5MEDIUM

Key Information:

Vendor: Wordpress
Status: Up down image slideshow gallery
Vendor: CVE Published:; 31 October 2023

Summary

The Up Down Image Slideshow Gallery plugin for WordPress has an SQL Injection vulnerability, affecting versions up to 12.0. This flaw arises from insufficient escaping of user-supplied parameters and inadequate preparation of SQL queries. Authenticated attackers with subscriber-level and higher permissions can exploit this vulnerability by injecting additional SQL commands into the existing queries, enabling them to retrieve sensitive data from the database.

Affected Version(s)

Up down image slideshow gallery * <= 12.0

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/up-down-image-...

https://plugins.trac.wordpress.org/changeset/2985497/up-d...

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Oct 31, 2023
Vulnerability Reserved
Oct 5, 2023

Credit

Lana Codes