CVE-2023-5429 - Understanding the SQL Injection Vulnerability in the Information Reel WordPress Plugin

On September 28, 2023, security researchers discovered a critical SQL Injection vulnerability in the popular Information Reel plugin for WordPress. Listed as CVE-2023-5429, this flaw affects versions up to and including 10., leaving countless WordPress sites exposed. In this post, we’ll break down what the vulnerability means, how attackers can exploit it, and what you should do if you use this plugin.

What Is the Vulnerability?

The Information Reel plugin allows WordPress site owners to showcase information feed reels using shortcodes. However, due to insufficient escaping and improper query preparation, it lets authenticated users (with at least subscriber status) inject SQL code through the plugin’s shortcode handler.

This means that if someone is logged into your WordPress site as a subscriber or above, they could manipulate the database by providing malicious input.

Let's look at a simplified version of the vulnerable code inside the plugin

// Vulnerable code (for illustration)
function info_reel_shortcode( $atts ) {
    global $wpdb;

    // Suppose 'category' is a user-supplied shortcode parameter
    $category = isset( $atts['category'] ) ? $atts['category'] : '';

    // Unsafe SQL query — no escaping or preparation!
    $results = $wpdb->get_results( "SELECT * FROM {$wpdb->prefix}info_reels WHERE category = '$category'" );

    // ... process $results ...
}
add_shortcode('info_reel', 'info_reel_shortcode');

What’s wrong here?
The $category value comes directly from user input (via the shortcode), and it is not sanitized or prepared. This allows an attacker to add extra SQL code.

Let's say a user with "subscriber" role enters the following shortcode

[info_reel category="News' OR 1=1 -- "]

The SQL query becomes

SELECT * FROM wp_info_reels WHERE category = 'News' OR 1=1 -- '

The -- comments out the rest of the query (so errors are avoided).

Attackers could do even more damage — extracting usernames, emails, password hashes, etc.

Information Disclosure: Attackers can read sensitive data from your WordPress database.

- Privilege Escalation: With additional SQL tricks, attackers can even promote their account to higher privileges.

Who Is Affected?

Any WordPress site running Information Reel plugin version 10. or earlier is vulnerable. The exploit requires a user account (like a subscriber), so sites allowing user registration (e.g., open blogs, membership sites) are especially at risk.

Update the Plugin:

The plugin authors have released a patched version. Update to the latest version immediately from WordPress.org or your admin dashboard.

`php

// Safe, prepared SQL

)

);

Security Plugins:

Use a plugin like Wordfence to monitor suspicious activity and block SQL injection attempts.

References

- Wordfence Advisory on CVE-2023-5429
- Official Plugin Page: Information Reel
- Common SQL Injection Attacks

Conclusion

SQL Injection vulnerabilities are serious and can lead to devastating consequences. CVE-2023-5429 in the Information Reel plugin is a perfect example of why secure coding practices are so important. If you use this plugin, update immediately, and always keep your plugins and WordPress installation up to date.

Stay safe and secure!

*This post was created to educate WordPress users and developers about CVE-2023-5429. For further technical advice, consult the links above.*

Timeline

Published on: 10/31/2023 09:15:00 UTC
Last modified on: 11/07/2023 04:23:00 UTC