Huge IT Slider WordPress plugin opens SQL injection hole

The 50,000+ active users of the Huge IT Slider WordPress plugin are advised to update to the latest version, as it closes a vulnerability that can be exploited by website administrators and anonymous attackers to inject and execute arbitrary SQL queries within the application’s database.

Huge IT Slider is a relatively popular plugin that adds custom sliders to WordPress websites.

“The vulnerability exists due to insufficient filtration of input data passed via the ‘removeslide’ HTTP GET parameter to ‘/wp-admin/admin.php’ script when ‘task’ parameter is set to ‘popup_posts’ or ‘edit_cat’,” High-Tech Bridge noted in a security advisory that also provides two proof-of-concept exploit codes.

The vulnerability is of medium severity: the remote attacker must be authenticated and have administrative privileges in order to perform an SQL injection.

In addition to this, the vulnerability can also be triggered by non-authenticated attackers using the Cross-Site Request Forgery vector.
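To illustrate the bug class the advisory describes (an admin-side GET parameter reaching an SQL query without validation, and no CSRF protection on the request), here is an added example, not the plugin's actual code: a hypothetical slide-removal handler in its vulnerable form beside a hardened one. The table name `huge_it_slides`, the nonce action name and the menu slug `$page_slug` are assumptions for illustration.

```php
<?php
// Added illustration, not Huge IT Slider's real source. Assumes the plugin
// stores slides in {$wpdb->prefix}huge_it_slides and deletes one when
// admin.php is called with task=edit_cat&removeslide=<id>.

// Vulnerable pattern: the raw GET value is concatenated into the query, so
// whoever can make an administrator's browser issue this request (the admin
// themselves, or a victim admin via a CSRF link) controls part of the SQL.
function huge_it_remove_slide_vulnerable() {
    global $wpdb;
    $id = $_GET['removeslide'];
    $wpdb->query( "DELETE FROM {$wpdb->prefix}huge_it_slides WHERE id = " . $id );
}

// Hardened version:
//  - current_user_can() enforces authorization,
//  - check_admin_referer() rejects requests lacking a valid nonce (CSRF),
//  - absint() forces an integer and $wpdb->prepare() binds it as %d,
//    so no attacker-controlled SQL fragment can reach the database.
function huge_it_remove_slide_hardened() {
    global $wpdb;
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges' );
    }
    check_admin_referer( 'huge_it_remove_slide' ); // dies if _wpnonce is missing/invalid
    $id = isset( $_GET['removeslide'] ) ? absint( $_GET['removeslide'] ) : 0;
    if ( 0 === $id ) {
        wp_die( 'Invalid slide id' );
    }
    $wpdb->query( $wpdb->prepare(
        "DELETE FROM {$wpdb->prefix}huge_it_slides WHERE id = %d",
        $id
    ) );
}

// The admin-panel link that triggers the action must carry the matching
// nonce, otherwise the hardened handler will refuse it. $page_slug is the
// plugin's (assumed) admin menu slug.
function huge_it_remove_slide_link( $page_slug, $id ) {
    $url = admin_url( 'admin.php?page=' . rawurlencode( $page_slug )
        . '&task=edit_cat&removeslide=' . absint( $id ) );
    return wp_nonce_url( $url, 'huge_it_remove_slide' );
}
```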

The developers have been notified of the flaw, which affects version 2.6.8 and likely all prior versions of the plugin, and have fixed it in the latest version (v2.7.0).

“We have mentioned many times that various plugins are the Achilles heel of almost all popular CMSs. A vulnerability in a third-party plugin, theme or module is almost always as risky as the same vulnerability in the core code. However, third-party components are not audited as much, so are pretty simple to compromise,” commented Ilia Kolochenko, CEO of High-Tech Bridge and Chief Architect of ImmuniWeb.

“This particular case is a good example of where a software vendor needs to react quickly to provide a security patch.”
