WordPress Plugin Vulnerabilities

ImageLinks Interactive Image Builder < 1.6.0 - Admin+ SQLi

Description

The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin

Affects Plugins

Plugin icon
imagelinks-interactive-image-builder-lite
Fixed in 1.6.0

References

CVE
CVE-2023-46823

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89
CVSS
4.1 (medium)

Miscellaneous

Original Researcher
Muhammad Daffa
Verified
No
WPVDB ID
b36d20de-f23a-4da7-b7b7-c5236a3f1e47

Timeline

Publicly Published
2023-10-29 (about 2 years ago)
Added
2023-11-16 (about 2 years ago)
Last Updated
2023-11-16 (about 2 years ago)

Other

Published
Title
Published
2015-04-07
Title
All In One WP Security & Firewall <= 3.9.0 - Blind SQL Injection
Published
2022-05-30
Title
Better Find and Replace < 1.3.6 - Admin+ SQLi
Published
2024-06-24
Title
Quiz Maker < 6.5.8.4 - Unauthenticated SQL Injection via 'ays_questions' Parameter
Published
2026-02-03
Title
SIBS - WooCommerce <= 2.2.0 - Authenticated (Admin+) SQL Injection via 'referencedId' Parameter
Published
2024-02-09
Title
RSS Aggregator by Feedzy < 4.4.3 - Authenticated(Contributor+) SQL Injection