CVE-2019-25212: 
WordPress vulnerability analysis and mitigation

The video carousel slider with lightbox plugin for WordPress is vulnerable to SQL Injection via the 'id' parameter in all versions up to, and including, 1.0.6. This vulnerability was discovered and disclosed on September 11, 2024. The issue affects the WordPress plugin that allows users to create responsive video carousels with lightbox functionality (WordPress Plugin).

The vulnerability stems from insufficient escaping on the user-supplied 'id' parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers with administrator-level access to append additional SQL queries into already existing queries. The vulnerability has been assigned a CVSS v3.1 base score of 7.2 HIGH (NIST) and 9.1 CRITICAL (Wordfence) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H (NVD).

The vulnerability allows authenticated attackers with administrator-level access to extract sensitive information from the database. The high severity ratings indicate that successful exploitation could lead to significant data exposure and potential system compromise (Wordfence).

Users should update to version 1.0.7 or later of the video carousel slider with lightbox plugin, which contains the fix for this vulnerability. The patch is available through the WordPress plugin repository (WordPress Plugin).