CVE-2015-2062 – Responsive Slider – Image Slider – Slideshow for WordPress < 2.7.0 - Authenticated (Admin+) SQL Injection
https://notcve.org/view.php?id=CVE-2015-2062
Multiple SQL injection vulnerabilities in the Huge-IT Slider (slider-image) plugin before 2.7.0 for WordPress allow remote administrators to execute arbitrary SQL commands via the removeslide parameter in a popup_posts or edit_cat action on the sliders_huge_it_slider page of wp-admin/admin.php.

The plugin (listed on WordPress.org as Responsive Slider – Image Slider – Slideshow for WordPress) is vulnerable to multiple SQL injection attacks via the 'removeslide' parameter in versions before 2.7.0 because the user-supplied value is not sufficiently escaped and the existing SQL query is not prepared. An attacker with administrator-level access can append additional SQL to the existing query and use it to extract sensitive information from the database. Note the precondition: this is an authenticated (Admin+) issue, so an attacker must already hold an administrator session on the target site. The Packet Storm advisory covers version 2.6.8.

References:
• http://packetstormsecurity.com/files/130796/WordPress-Huge-IT-Slider-2.6.8-SQL-Injection.html
• http://www.securityfocus.com/archive/1/archive/1/534852/100/0/threaded
• https://wordpress.org/support/topic/huge-it-slider-security-vulnerability-notification-sql-injection
• https://www.htbridge.com/advisory/HTB23250

Weakness: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
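The pattern behind this weakness class, and the fix the advisory implies (escaping plus a prepared statement), shown side by side as an added example. This is illustrative code written for this page, not the Huge-IT Slider plugin's own code: the table name example_slides, the function names, the nonce action example_remove_slide and the capability check are assumptions, and the `5 OR 1=1` value is a generic CWE-89 illustration against this hypothetical handler, not a published exploit for the plugin.

```php
<?php
// Added illustration of CWE-89 in a WordPress admin action handler.
// Not the plugin's code; table name, function names and nonce action are
// hypothetical stand-ins chosen for this example.

// --- Vulnerable pattern: untrusted GET value interpolated into SQL ----------
// admin.php?page=sliders_huge_it_slider&removeslide=5 deletes slide 5, but
// removeslide=5%20OR%201%3D1 turns the clause into "WHERE id = 5 OR 1=1" and
// deletes every row. Nothing here checks the caller's privileges or a nonce.
function example_remove_slide_vulnerable() {
    global $wpdb;
    $id = $_GET['removeslide'];                       // no validation at all
    $wpdb->query( "DELETE FROM {$wpdb->prefix}example_slides WHERE id = " . $id );
}

// --- Hardened pattern --------------------------------------------------------
function example_remove_slide_hardened() {
    global $wpdb;

    // 1. Authorisation and CSRF protection: require the capability and a nonce
    //    generated for this specific action (see example_remove_slide_link()).
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges.' );
    }
    check_admin_referer( 'example_remove_slide' );   // reads _wpnonce from the request

    // 2. Validate: the id must be a positive integer. absint() coerces to a
    //    non-negative int, so "5 OR 1=1" becomes 5 and "" becomes 0.
    $id = isset( $_GET['removeslide'] ) ? absint( $_GET['removeslide'] ) : 0;
    if ( 0 === $id ) {
        wp_die( 'Invalid slide id.' );
    }

    // 3. Parameterise: $wpdb->prepare() binds %d as an integer, so the value
    //    can never change the structure of the statement.
    $wpdb->query(
        $wpdb->prepare(
            "DELETE FROM {$wpdb->prefix}example_slides WHERE id = %d",
            $id
        )
    );
}

// Builds the "remove" link the admin page would render. wp_nonce_url() appends
// the _wpnonce parameter that check_admin_referer() verifies above.
function example_remove_slide_link( $id ) {
    return wp_nonce_url(
        admin_url( 'admin.php?page=sliders_huge_it_slider&removeslide=' . absint( $id ) ),
        'example_remove_slide'
    );
}
```

Two caveats worth keeping in mind when reviewing similar handlers: `$wpdb->prepare()` only binds values (%d, %s, %f), so anything that ends up in an identifier position (a table or column name used for sorting, for example) still needs an allow-list rather than escaping; and the capability and nonce checks do not remove the injection, they only limit who can reach it, which is why the advisory still rates the issue as SQL injection despite the Admin+ precondition.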