SB2025031842 - SQL injection in Thumbnail carousel slider plugin for WordPress

Description

This security bulletin contains information about 1 security vulnerability.

1) SQL injection (CVE-ID: CVE-2019-25222)

The vulnerability allows a remote user to execute arbitrary SQL queries in database.

The vulnerability exists due to insufficient sanitization of user-supplied data in the 'id' parameter. A remote administrator can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database.

Successful exploitation of this vulnerability may allow a remote attacker to read, delete, modify data in database and gain complete control over the affected application.

Remediation

Install update from vendor's website.

References

• https://plugins.trac.wordpress.org/browser/wp-responsive-thumbnail-slider/tags/1.0.4/wp-responsive-images-thumbnail-slider.php#L1326
• https://plugins.trac.wordpress.org/browser/wp-responsive-thumbnail-slider/tags/1.0.5/wp-responsive-images-thumbnail-slider.php
• https://wordpress.org/plugins/wp-responsive-thumbnail-slider
• https://www.wordfence.com/threat-intel/vulnerabilities/id/f6023483-3fa5-4b85-9422-7d395abcfbd8?source=cve