CVE-2023-5435: 
WordPress vulnerability analysis and mitigation

The Up down image slideshow gallery plugin for WordPress contains a SQL Injection vulnerability (CVE-2023-5435) in versions up to and including 12.0. The vulnerability was discovered in the plugin's shortcode functionality and was publicly disclosed on October 31, 2023. This security issue affects WordPress installations using the affected versions of the Up down image slideshow gallery plugin (NVD).

The vulnerability stems from insufficient escaping of user-supplied parameters and inadequate preparation of SQL queries in the plugin's shortcode functionality. The CVSS v3.1 base score is rated as 6.5 (MEDIUM) by NIST with a vector string of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N, while Wordfence assessed it at 8.8 (HIGH) with a vector string of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (NVD).

The vulnerability allows authenticated attackers with subscriber-level permissions or higher to append additional SQL queries to existing queries. This capability can be exploited to extract sensitive information from the database (NVD).

Users are advised to upgrade to version 12.1 or later of the Up down image slideshow gallery plugin, which contains the fix for this vulnerability (NVD).