The Up Down Image Slideshow Gallery plugin for WordPress is a popular tool for creating beautiful galleries with sliding images. But in late 2023, a critical security bug was discovered: CVE-2023-5435, a SQL Injection vulnerability that can lead to database data leaks. Let’s break it all down: what went wrong, how it can be exploited, and what you must do to keep your site safe.
What’s CVE-2023-5435?
CVE-2023-5435 is a vulnerability found in all versions up to and including 12. of the Up Down Image Slideshow Gallery plugin. The bug is an authenticated SQL Injection in the plugin’s shortcode handler. It lets a user with subscriber rights or higher inject raw SQL into a database query. This can expose usernames, emails, and password hashes—making your WordPress site a big target.
Where’s the Problem?
The main problem is in how the plugin processes its shortcode attributes. When you add a slideshow to a page, you usually see something like:
[up-down-gallery id="4"]
Internally, this id value is used in an SQL query. But the plugin does not properly sanitize or prepare this user-supplied value before stuffing it into the SQL statement.
Here’s an example (simplified) of what the vulnerable PHP code might look like
// Vulnerable code snippet
function udg_shortcode_handler($atts) {
global $wpdb;
$gallery_id = $atts['id']; // No sanitization!
// Vulnerable SQL query!
$query = "SELECT * FROM {$wpdb->prefix}up_down_gallery WHERE id = $gallery_id";
$results = $wpdb->get_results($query); // Directly executes user input!
// ... display images ...
}
How Does an Attacker Exploit It?
Because any logged-in user (even a subscriber) can submit a crafted shortcode, an attacker could supply malicious input in the id parameter that appends extra SQL.
For example, if an attacker creates a post with
[up-down-gallery id="1 UNION SELECT user_login, user_pass, user_email, 1 FROM wp_users-- -"]
The constructed SQL becomes
SELECT * FROM wp_up_down_gallery WHERE id = 1 UNION SELECT user_login, user_pass, user_email, 1 FROM wp_users-- -
This would return usernames, hashed passwords, and emails instead of images—which could then be revealed on the front-end or picked out from the response data.
Step-by-Step: Example Exploit
Let’s say you have a WordPress subscriber-level account on a vulnerable site. Here’s how you might exploit this flaw:
Preview, publish, or otherwise get the plugin to process your post.
5. The page may now show the WordPress user data instead of images—or you could capture the response from the page source.
Notably, this attack only works if you have at least subscriber permissions—but on many sites, signups are open or easy to obtain.
How to Fix It
If you use this plugin, update immediately to a version after 12. or check the plugin changelog for any applied security patches.
For plugin developers, the correct way to write this SQL would be
// Patched code snippet
$query = $wpdb->prepare(
"SELECT * FROM {$wpdb->prefix}up_down_gallery WHERE id = %d",
$gallery_id
);
$results = $wpdb->get_results($query);
This ensures gallery_id is always treated as a number, blocking injection.
Official Plugin Page:
WordPress Up Down Image Slideshow Gallery
CVE Record:
Vulnerability Disclosure:
Conclusion
CVE-2023-5435 is a textbook example of why all user input must be sanitized and queries properly prepared—even if they come from authenticated users. If you run WordPress with this plugin, patch now. Never underestimate what a determined subscriber can do!
Stay safe! And if you found this tutorial helpful, share it with other WordPress admins so we can all keep our sites secure.
Timeline
Published on: 10/31/2023 09:15:08 UTC
Last modified on: 11/07/2023 04:24:00 UTC