CVE-2023-5438: 
WordPress vulnerability analysis and mitigation

The wp image slideshow plugin for WordPress contains a SQL Injection vulnerability (CVE-2023-5438) in versions up to and including 12.0. The vulnerability exists in the plugin's shortcode functionality due to insufficient escaping of user-supplied parameters and inadequate preparation of SQL queries (NVD).

The vulnerability allows authenticated attackers with subscriber-level permissions or higher to append additional SQL queries to existing queries. This can be exploited to extract sensitive information from the database. The vulnerability has been assigned a CVSS v3.1 base score of 6.5 (MEDIUM) by NIST with vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N, while Wordfence assessed it at 8.8 (HIGH) with vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (NVD).

When exploited, this vulnerability enables authenticated attackers to extract sensitive information from the WordPress database. The high confidentiality impact rating suggests that attackers could potentially access significant amounts of protected data (NVD).

A patch has been released in version 12.1 of the wp image slideshow plugin. Users are advised to update to this version or later to address the vulnerability (NVD).