Visual Slide Box Builder <= 3.2.9 - Subscriber+ SQLi
Description
The Visual Slide Box Builder WordPress plugin through 3.2.9 does not sanitise and escape various parameters before using them in SQL statements in some of its AJAX actions, which are available to any authenticated user (such as a subscriber), leading to SQL injection.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
1. Range: <= 3.2.9
Patches
Vulnerability mechanics
Root cause
"Missing input sanitization and escaping of parameters used in SQL statements within AJAX actions."
Attack vector
An authenticated attacker with any role (including subscriber) sends a crafted AJAX request to the plugin. The plugin fails to sanitize and escape various parameters before incorporating them into SQL statements [ref_id=1]. This allows the attacker to inject arbitrary SQL commands, potentially extracting sensitive data from the WordPress database [CWE-89]. The attack requires only a valid WordPress user session and network access to the site's AJAX endpoints.
Affected code
The advisory does not specify the exact files or functions at fault. The plugin is identified as "wp-visual-slidebox-builder" (Visual Slide Box Builder) through version 3.2.9 [ref_id=1]. The vulnerable code resides in AJAX actions that are accessible to any authenticated user, including subscribers [ref_id=1].
What the fix does
No patch or fix has been published for this vulnerability [ref_id=1]. The advisory lists "No known fix" and the plugin version range is described as "through 3.2.9" with no patched version indicated [ref_id=1]. To remediate, site administrators should disable or remove the plugin until a security update is released, or implement a web application firewall rule to block malicious AJAX requests targeting the plugin's endpoints.
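The defect class described above, as an added illustration rather than the plugin's own code (the advisory names no files or functions): a WordPress AJAX handler that interpolates request data straight into SQL, next to a hardened handler that applies the controls a fix of this kind would need. The hook names (`vsb_get_slide`, `vsb_get_slide_safe`), the table name (`{prefix}vsb_slides`), the parameter names and the `manage_options` capability are assumptions chosen for the example.

```php
<?php
/**
 * Added example, not code from the Visual Slide Box Builder plugin.
 * Hook names, table name, parameter names and the required capability
 * are assumptions made for illustration.
 */

// --- Vulnerable pattern (CWE-89) ----------------------------------------
// A wp_ajax_{action} hook runs for ANY logged-in user, subscriber included,
// so whatever this handler does is reachable with a low-privilege account.
add_action( 'wp_ajax_vsb_get_slide', 'vsb_get_slide_vulnerable' );

function vsb_get_slide_vulnerable() {
    global $wpdb;
    // Request data is concatenated into the statement: the query's
    // structure is no longer fixed by the developer but by the request.
    $id  = $_POST['slide_id'];
    $row = $wpdb->get_row( "SELECT * FROM {$wpdb->prefix}vsb_slides WHERE id = $id" );
    wp_send_json( $row );
}

// --- Hardened pattern ---------------------------------------------------
add_action( 'wp_ajax_vsb_get_slide_safe', 'vsb_get_slide_safe' );

function vsb_get_slide_safe() {
    global $wpdb;

    // 1. CSRF protection: the request must carry a nonce minted for this action.
    check_ajax_referer( 'vsb_slide_nonce', 'nonce' );

    // 2. Authorisation: being logged in is not a capability. Require the
    //    role that actually needs this data (assumed: administrators).
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 3. Input validation: coerce to the expected type before it nears SQL.
    $id = isset( $_POST['slide_id'] ) ? absint( $_POST['slide_id'] ) : 0;
    if ( 0 === $id ) {
        wp_send_json_error( 'invalid slide_id', 400 );
    }

    // 4. Parameterisation: $wpdb->prepare() binds the value; the SQL text
    //    itself contains no request data.
    $row = $wpdb->get_row(
        $wpdb->prepare(
            "SELECT id, title FROM {$wpdb->prefix}vsb_slides WHERE id = %d",
            $id
        )
    );

    // String parameters use %s, and LIKE patterns additionally need
    // esc_like() so that % and _ in the input are literal characters.
    $title   = isset( $_POST['title'] ) ? sanitize_text_field( wp_unslash( $_POST['title'] ) ) : '';
    $pattern = '%' . $wpdb->esc_like( $title ) . '%';
    $by_name = $wpdb->get_results(
        $wpdb->prepare(
            "SELECT id, title FROM {$wpdb->prefix}vsb_slides WHERE title LIKE %s",
            $pattern
        )
    );

    wp_send_json_success( array( 'by_id' => $row, 'by_title' => $by_name ) );
}
```

Step 4 is the one that removes the injection; steps 1 to 3 narrow who can reach the query at all, which is what turns a "Subscriber+" finding into an administrator-only surface. When reviewing a plugin for this bug class, grep for `$wpdb->` calls whose SQL string contains `$_POST`, `$_GET` or `$_REQUEST` and for `wp_ajax_` hooks without a matching `current_user_can()` check.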
Preconditions
- auth: Attacker must have a valid WordPress user account (any role, including subscriber)
- config: The vulnerable plugin (Visual Slide Box Builder) must be installed and active
- network: Attacker must be able to send HTTP requests to the WordPress site's AJAX endpoints
Generated on May 24, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1. wpscan.com/vulnerability/01d108bb-d134-4651-9c74-babcc88da177 (MISC)