CVE-2019-25745

Vulnerability

WordPress Plugin Google Review Slider version 6.1 contains a time-based blind SQL injection vulnerability. This vulnerability exists in the tid parameter, which is accessible via GET requests to the admin interface. The plugin is designed to store Google reviews locally in the WordPress database [1].

Exploitation

An unauthenticated attacker can exploit this vulnerability by sending crafted GET requests to the admin interface of the affected WordPress site. By manipulating the tid parameter with malicious SQL code, an attacker can trigger time delays in the database responses, enabling them to extract sensitive information through time-based blind SQL injection techniques [2].

Impact

Successful exploitation allows an unauthenticated attacker to extract sensitive database information. This is achieved by manipulating database queries and observing time-based differences in the server's responses, effectively performing a blind SQL injection to exfiltrate data [2].

Mitigation

Version 6.1 is affected by this vulnerability [2]. No specific patched version or release date is mentioned in the available references. Users are advised to update to a version that addresses this vulnerability once it becomes available. As of the current information, no workarounds or official patches have been disclosed [1, 2].