Information security company High-Tech Bridge has uncovered an SQL injection vulnerability in the Huge IT Slider WordPress plugin. According to the company, the flaw can be exploited by website administrators as well as by anonymous attackers to inject and execute arbitrary SQL queries against the application's database.
The plugin, listed in the official WordPress plugin directory with 50,000+ users, remains unpatched even though High-Tech Bridge notified WordPress on 19 February.
The vulnerability exists because input passed via the "removeslide" HTTP GET parameter is not adequately filtered before it reaches a database query. A remote attacker authenticated with administrative privileges can therefore execute arbitrary SQL queries within the application's database.
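The article does not show the plugin's code, so the following is an added illustration written for this page, not code from Huge IT or from High-Tech Bridge's advisory. It models the described pattern in Python with SQLite: a "slides" table (an assumed schema), a delete handler that splices the raw removeslide value into the statement, and a hardened handler that validates the value as a positive integer and binds it as a query parameter. The same fix in a WordPress plugin is $wpdb->prepare() with a %d placeholder on an absint()-checked value, behind a capability check and nonce.

```python
import re
import sqlite3

# Constructed sample data standing in for the slider table (assumed schema).
SLIDES = [(1, "Welcome"), (2, "Products"), (3, "Contact")]


def make_db():
    """Return a fresh in-memory database holding the three sample slides."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE slides (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO slides VALUES (?, ?)", SLIDES)
    conn.commit()
    return conn


def remaining_ids(conn):
    """Slide ids still present, in ascending order."""
    return [row[0] for row in conn.execute("SELECT id FROM slides ORDER BY id")]


def remove_slide_vulnerable(conn, removeslide):
    """Models the flaw: the GET parameter is concatenated straight into SQL.

    A value such as "2 OR 1=1" turns the WHERE clause into a tautology and
    deletes every row; a subquery in the same position reaches any table.
    """
    conn.execute("DELETE FROM slides WHERE id = " + removeslide)
    conn.commit()
    return remaining_ids(conn)


# Accept only a decimal positive integer (no leading zero, no whitespace).
_POSITIVE_INT = re.compile(r"[1-9][0-9]*")


def remove_slide_fixed(conn, removeslide):
    """Hardened handler: validate the type, then bind the value.

    Binding alone would already stop injection; the explicit validation
    turns malformed input into a clean error instead of a silent no-op.
    """
    if not _POSITIVE_INT.fullmatch(removeslide):
        raise ValueError("removeslide must be a positive integer")
    conn.execute("DELETE FROM slides WHERE id = ?", (int(removeslide),))
    conn.commit()
    return remaining_ids(conn)


if __name__ == "__main__":
    print("vulnerable, honest input:", remove_slide_vulnerable(make_db(), "2"))
    print("vulnerable, injected    :", remove_slide_vulnerable(make_db(), "2 OR 1=1"))
    print("fixed, honest input     :", remove_slide_fixed(make_db(), "2"))
    try:
        remove_slide_fixed(make_db(), "2 OR 1=1")
    except ValueError as exc:
        print("fixed, injected         : rejected,", exc)
```

Running the script shows the vulnerable handler removing only slide 2 for an honest request but wiping the whole table for the injected one, while the fixed handler deletes slide 2 and rejects the injected value outright. Note that SQLite's execute() refuses stacked statements, so the model cannot show the "arbitrary queries" claim via a trailing semicolon; the boolean and subquery forms are enough to demonstrate the point.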
Ilia Kolochenko, CEO of High-Tech Bridge and Chief Architect of ImmuniWeb, comments:
“We have mentioned many times that various plugins are the Achilles heel of almost all popular CMSs.
A vulnerability in a third-party plugin, theme or module is almost always as risky as the same vulnerability in the core code. However, third-party components are not audited as much, so are pretty simple to compromise.
This particular case is a good example of where a software vendor needs to react quickly to provide a security patch.”