CVE-2023-5439: Changeset 2985502 for wp-photo-text-slider-50 – WordPress Plugin Repository
The Wp photo text slider 50 plugin for WordPress is vulnerable to SQL Injection via the plugin’s shortcode in versions up to, and including, 8.0 due to insufficient escaping on the user-supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers with subscriber-level and above permissions to append additional SQL queries to already existing queries, which can be used to extract sensitive information from the database.
Timestamp:
10/29/2023 04:09:35 AM
Author:
gopiplus
Message:
Tested up to 6.4
Location:
wp-photo-text-slider-50/trunk
Files:
- readme.txt (3 diffs)
- wp-photo-text-slider-50.php (5 diffs)
wp-photo-text-slider-50/trunk/readme.txt
r2827206
r2985502
6
6
Tags: wordpress, plugin, photo, slider
7
7
Requires at least: 3.4
8
Tested up to: 6.1
9
Stable tag: 8.0
8
Tested up to: 6.4
9
Stable tag: 8.1
10
10
License: GPLv2 or later
11
11
License URI: http://www.gnu.org/licenses/gpl-2.0.html
…
…
209
209
1\. Tested up to 5.9
210
210
211
\= 8.1 =
212
213
1\. Tested up to 6.4
214
211
215
\== Changelog ==
212
216
…
…
332
336
333
337
1\. Tested up to 5.9
338
339
\= 8.1 =
340
341
1\. Tested up to 6.4
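Review bot: the `= 8.1 =` entry added at lines 339 to 341 lists only "Tested up to 6.4", yet this changeset also rewrites both `select` queries in wp-photo-text-slider-50.php to go through `$wpdb->prepare()`. Add a second item under 8.1 that records the query change, so that site owners reading the readme can tell that 8.1 is more than a compatibility bump.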
wp-photo-text-slider-50/trunk/wp-photo-text-slider-50.php
r2651658
r2985502
5
5
Description: Wordpress plugin Wp photo text slider 50 create a photo (photo + heading + description) slider on the wordpress website.
6
6
Author: Gopi Ramasamy
7
Version: 8.0
7
Version: 8.1
8
8
Author URI: http://www.gopiplus.com/work/2011/06/02/wordpress-plugin-wp-photo-slider-50/
9
9
Donate link: http://www.gopiplus.com/work/2011/06/02/wordpress-plugin-wp-photo-slider-50/
…
…
42
42
$wp\_50\_type = stripslashes(get\_option('wp\_50\_type'));
43
43
44
$sSql = "select \* from ".WP\_PHOTO\_50\_TABLE." where wp\_50\_status='YES' and wp\_50\_type\='$wp\_50\_type'";
44
$sSql = "select \* from ".WP\_PHOTO\_50\_TABLE." where wp\_50\_status='YES' and wp\_50\_type = %s ";
45
45
if($wp\_50\_random == "YES")
46
46
{
…
…
51
51
$sSql = $sSql . " ORDER BY wp\_50\_order";
52
52
}
53
54
$sSql = $wpdb->prepare($sSql, $wp\_50\_type);
53
55
54
56
$data = $wpdb->get\_results($sSql);
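Review bot: the `$wpdb->prepare()` call at new line 54 sits several lines below the `%s` placeholder introduced at line 44 and runs on the fully concatenated string, so anything appended to `$sSql` in between is parsed as part of the format string, and a literal `%` added there later would have to be written `%%`. Calling `prepare()` on the `where` clause at line 44 and appending the fixed `ORDER BY` text afterwards would keep the placeholder and its argument together. A short comment stating that `$wp_50_type` must only reach the query as a bound argument would also help future edits.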
…
…
183
185
$wp\_50 = $wp\_50 .'<div id="wp\_50\_photo1">';
184
186
185
$sSql = "select \* from ".WP\_PHOTO\_50\_TABLE." where wp\_50\_status='YES' and wp\_50\_type\='$wp\_50\_type'";
187
$sSql = "select \* from ".WP\_PHOTO\_50\_TABLE." where wp\_50\_status='YES' and wp\_50\_type = %s ";
186
188
187
189
if($wp\_50\_random == "YES")
…
…
193
195
$sSql = $sSql . " ORDER BY wp\_50\_order";
194
196
}
195
//echo $sSql;
197
198
$sSql = $wpdb->prepare($sSql, $wp\_50\_type);
199
196
200
$data = $wpdb->get\_results($sSql);
197
201
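Review bot: new lines 187 to 198 repeat the query string and the `$wpdb->prepare($sSql, $wp_50_type)` call from lines 44 to 54 of the same file, so the two copies have to be kept in step by hand. Move the query construction into one helper that takes `$wp_50_type` and `$wp_50_random` and returns the prepared statement, and call it from both places. The assignment of `$wp_50_type` is not visible in this hunk; validating it where it is read would be a useful second layer behind the bound parameter.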