Security Vulnerability in Responsive Image Slider Plugin Could Lead to SQL Injection
CVE-2024-7150

8.8HIGH

Key Information:

Vendor: Wordpress
Status: Slider By 10web – Responsive Image Slider
Vendor: CVE Published:; 8 August 2024

Summary

The Slider by 10Web – Responsive Image Slider plugin for WordPress is exposed to a time-based SQL Injection vulnerability that affects all versions up to and including 1.2.57. This flaw stems from insufficient escaping of user-supplied parameters within the SQL query. Authenticated attackers with Contributor-level access or higher can exploit this vulnerability, allowing them to inject additional SQL queries into existing ones. Such an attack could lead to the unauthorized extraction of sensitive information from the database, posing significant risks to the integrity and confidentiality of the data stored.

Affected Version(s)

Slider by 10Web – Responsive Image Slider * <= 1.2.57

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/slider-wd/tags...

https://wordpress.org/plugins/slider-wd/#developers

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Aug 8, 2024
Vulnerability Reserved
Jul 26, 2024

Credit

Arkadiusz Hydzik