SQL Injection Vulnerability in WP Image Slideshow Plugin for WordPress
CVE-2023-5438
CVSS 6.5 (MEDIUM)
Summary
The WP Image Slideshow plugin for WordPress is vulnerable to SQL Injection via its shortcode in versions up to and including 12.0. The shortcode attributes supplied by the user are not adequately escaped, and the existing SQL query is not built with a prepared statement, so attacker-controlled text reaches the database unchanged. Because WordPress lets any logged-in user render shortcodes, authenticated attackers with subscriber-level permissions or higher can append additional SQL to the existing query and use it to extract sensitive information (for example, user password hashes) from the database. The impact is read-only: data disclosure, not modification.
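The pattern behind this class of bug, as an added illustration that is not the plugin's own code: a hypothetical shortcode handler ([demo_slideshow], with a hypothetical table demo_slideshows and attributes id and orderby) that interpolates attributes straight into SQL, next to the hardened form that type-casts the integer, parameterises values through $wpdb->prepare(), and allowlists the column name that prepare() cannot bind. The shortcode, table and attribute names are assumptions for the example.

```php
<?php
/*
 * Added example, not code from the WP Image Slideshow plugin.
 * Hypothetical shortcode: [demo_slideshow id="3" orderby="title"]
 * Hypothetical table:     {$wpdb->prefix}demo_slideshows (id, title, images)
 */

// Vulnerable pattern: attribute values are concatenated into the query.
// Nothing stops an attacker from supplying
//   [demo_slideshow id="0 UNION SELECT user_login, user_pass FROM wp_users"]
// and reading the result back through whatever the handler renders.
function demo_slideshow_vulnerable( $atts ) {
    global $wpdb;
    $atts  = shortcode_atts( array( 'id' => '', 'orderby' => 'id' ), $atts, 'demo_slideshow' );
    $table = $wpdb->prefix . 'demo_slideshows';

    // Both interpolations are injection points: "id" as a value, "orderby" as an identifier.
    $sql  = "SELECT title, images FROM {$table} WHERE id = " . $atts['id']
          . " ORDER BY " . $atts['orderby'];
    $rows = $wpdb->get_results( $sql );

    $out = '';
    foreach ( (array) $rows as $row ) {
        $out .= '<h3>' . esc_html( $row->title ) . '</h3>';
    }
    return $out;
}

// Hardened pattern: cast to the expected type, bind values with prepare(),
// and allowlist anything that has to be spliced in as an identifier.
function demo_slideshow_safe( $atts ) {
    global $wpdb;
    $atts = shortcode_atts( array( 'id' => 0, 'orderby' => 'id' ), $atts, 'demo_slideshow' );

    // absint() turns "0 UNION SELECT ..." into 0, which we reject outright.
    $id = absint( $atts['id'] );
    if ( 0 === $id ) {
        return '';
    }

    // prepare() cannot parameterise column names, so map the attribute
    // onto a fixed allowlist and fall back to a safe default.
    $allowed_order = array( 'id' => 'id', 'title' => 'title' );
    $orderby       = isset( $allowed_order[ $atts['orderby'] ] ) ? $allowed_order[ $atts['orderby'] ] : 'id';

    $table = $wpdb->prefix . 'demo_slideshows';
    $sql   = $wpdb->prepare(
        "SELECT title, images FROM {$table} WHERE id = %d ORDER BY {$orderby}",
        $id
    );
    $rows = $wpdb->get_results( $sql );

    $out = '';
    foreach ( (array) $rows as $row ) {
        $out .= '<h3>' . esc_html( $row->title ) . '</h3>';
    }
    return $out;
}

add_shortcode( 'demo_slideshow', 'demo_slideshow_safe' );
```

Two practical checks follow from this. First, grep the plugin for $wpdb->get_results, get_row, get_var and query calls whose SQL is built with string concatenation or "{$var}" interpolation of anything that originates in shortcode_atts(); each one is a candidate. Second, remember why subscriber-level access is enough: WordPress core exposes the parse-media-shortcode admin-ajax action to any authenticated user, and it runs do_shortcode() on attacker-supplied text, so a shortcode does not need to appear in a published post to be triggered.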
Affected Version(s)
WP Image Slideshow (all versions) <= 12.0
CVSS v3.1
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Score: 6.5
Severity: MEDIUM
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: None
(The page originally listed Availability as High; with the other metrics as given that would score 8.1 High, while 6.5 corresponds to A:N, which also matches the data-disclosure impact described in the summary.)
Timeline
Vulnerability reserved: (date not given)
Vulnerability published: (date not given)
Credit
Lana Codes