CVSS: 7.2EPSS: 2%CPEs: 2EXPL: 2CVE-2015-2062 – Responsive Slider – Image Slider – Slideshow for WordPress < 2.7.0 - Authenticated (Admin+) SQL Injection
https://notcve.org/view.php?id=CVE-2015-2062
Multiple SQL injection vulnerabilities in the Huge-IT Slider (slider-image) plugin before 2.7.0 for WordPress allow remote administrators to execute arbitrary SQL commands via the removeslide parameter in a popup_posts or edit_cat action in the sliders_huge_it_slider page to wp-admin/admin.php. Múltiples vulnerabilidades de inyección SQL en el plugin Huge-IT Slider (slider-image) versiones anteriores a 2.7.0 para WordPress, permiten a administradores remotos ejecutar comandos SQL arbitrarios por medio del parámetro removeslide en una acción popup_posts o edit_cat en la página sliders_huge_it_slider en el archivo wp-admin/admin.php. The Responsive Slider – Image Slider – Slideshow for WordPress plugin for WordPress is vulnerable to multiple SQL Injection attacks via the ‘removeslide’ parameter in versions before 2.7.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for administrator-level attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. WordPress Huge IT Slider plugin version 2.6.8 suffers from multiple remote SQL injection vulnerabilities. • http://packetstormsecurity.com/files/130796/WordPress-Huge-IT-Slider-2.6.8-SQL-Injection.html http://www.securityfocus.com/archive/1/archive/1/534852/100/0/threaded https://wordpress.org/support/topic/huge-it-slider-security-vulnerability-notification-sql-injection https://www.htbridge.com/advisory/HTB23250 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 2CVE-2014-7153 – Image Gallery - Responsive Photo Gallery <= 1.0.7 - SQL Injection
https://notcve.org/view.php?id=CVE-2014-7153
SQL injection vulnerability in the editgallery function in admin/gallery_func.php in the Huge-IT Image Gallery plugin 1.0.1 for WordPress allows remote authenticated users to execute arbitrary SQL commands via the removeslide parameter to wp-admin/admin.php. Vulnerabilidad de inyección SQL en la función editgallery en admin/gallery_func.php en el plugin Huge-IT Image Gallery 1.0.1 para WordPress permite a usuarios remotos autenticados ejecutar comandos SQL arbitrarios a través del parámetro removeslide en wp-admin/admin.php. SQL injection vulnerability in the editgallery function in admin/gallery_func.php in the Huge-IT Image Gallery plugin <= 1.0.7 for WordPress allows remote authenticated users to execute arbitrary SQL commands via the removeslide parameter to wp-admin/admin.php. • https://www.exploit-db.com/exploits/34524 http://packetstormsecurity.com/files/128118/WordPress-Huge-IT-Image-Gallery-1.0.0-SQL-Injection.html • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •