CVE-2023-5429: SQL Injection
First published: Tue Oct 31 2023(Updated: )
The Information Reel plugin for WordPress is vulnerable to SQL Injection via the plugin's shortcode in versions up to, and including, 10.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers with subscriber-level and above permissions to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Credit: security@wordfence.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| <10.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2023-5429?
CVE-2023-5429 is a vulnerability in the Information Reel plugin for WordPress that allows SQL Injection via the plugin's shortcode.
What is the severity of CVE-2023-5429?
The severity of CVE-2023-5429 is high with a severity value of 8.8.
Which software is affected by CVE-2023-5429?
The Information Reel plugin for WordPress versions up to and including 10.1 are affected.
How does CVE-2023-5429 work?
CVE-2023-5429 works by exploiting insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query.
How can I fix CVE-2023-5429?
To fix CVE-2023-5429, you should update to a version of the Information Reel plugin for WordPress that is later than 10.1.
- agent/type
- agent/remedy
- agent/first-publish-date
- agent/weakness
- agent/references
- agent/severity
- agent/author
- agent/description
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/softwarecombine
- agent/event
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- collector/epss-latest
- source/FIRST
- agent/source
- agent/tags
- agent/epss
- vendor/gopiplus
- canonical/gopiplus information reel