Slimstat Analytics < 4.9.3.3 - Subscriber+ SQL Injection
Description
The Slimstat Analytics WordPress plugin before 4.9.3.3 does not prevent subscribers from rendering shortcodes that concatenate attributes directly into an SQL query.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The Slimstat Analytics WordPress plugin before 4.9.3.3 allows subscribers to inject SQL via shortcode attributes, leading to potential data exposure.
Vulnerability
The Slimstat Analytics plugin for WordPress versions before 4.9.3.3 fails to restrict subscribers from using shortcodes that directly concatenate user-supplied attributes into an SQL query. This allows authenticated users with subscriber-level access or higher to perform SQL injection attacks. The vulnerability is classified as CWE-89 (SQL Injection) and has a CVSS score of 7.7 (high) [1].
Exploitation
An attacker needs a WordPress account with subscriber privileges or higher. By crafting a malicious shortcode attribute, the attacker can inject arbitrary SQL commands into the query executed by the plugin. The WPScan advisory notes that the vulnerability is exploitable via the shortcode rendering mechanism [1].
Impact
Successful exploitation allows an attacker to extract sensitive data from the WordPress database, such as user credentials, session tokens, or other private information. The impact is primarily confidentiality, with potential for further compromise depending on the database contents.
Mitigation
The vulnerability is fixed in version 4.9.3.3 of the Slimstat Analytics plugin. Users should update to this version or later immediately. No workarounds are mentioned in the available reference [1].
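The two layers of the flaw described above, as an added illustration that is not Slimstat's own code: a hypothetical shortcode handler that splices an attribute straight into SQL (the pattern the advisory describes), beside a hardened version that gates rendering on a capability subscribers lack and binds the value with `$wpdb->prepare()`. The shortcode name, attribute name, table name and the chosen capability are assumptions.

```php
<?php
// Added illustration, not Slimstat's code. Shortcode, attribute and table names
// are hypothetical; the pattern (attribute concatenated into SQL, reachable by
// any logged-in user) is the one the advisory describes.

// VULNERABLE PATTERN: the attribute value is spliced into the query string.
// Whoever can trigger rendering of this shortcode controls part of the SQL.
function example_stats_shortcode_vulnerable( $atts ) {
    global $wpdb;
    $atts = shortcode_atts( array( 'metric' => 'visits' ), $atts, 'example_stats' );
    $sql  = "SELECT COUNT(*) FROM {$wpdb->prefix}example_stats WHERE metric = '"
          . $atts['metric'] . "'";
    return (string) $wpdb->get_var( $sql );
}

// HARDENED PATTERN: (1) refuse to render for accounts without a capability
// that subscribers do not have; (2) never build SQL from the attribute, bind it.
function example_stats_shortcode_hardened( $atts ) {
    global $wpdb;

    // Assumed policy: only site administrators may drive this query.
    // Subscribers lack manage_options, so the query is never reached for them.
    if ( ! current_user_can( 'manage_options' ) ) {
        return '';
    }

    $atts   = shortcode_atts( array( 'metric' => 'visits' ), $atts, 'example_stats' );
    $metric = sanitize_key( $atts['metric'] ); // restrict to [a-z0-9_-]

    // The table name is fixed by the plugin; the only user-influenced part is
    // the value, which is passed as a %s placeholder and escaped by prepare().
    $sql = $wpdb->prepare(
        "SELECT COUNT(*) FROM {$wpdb->prefix}example_stats WHERE metric = %s",
        $metric
    );
    return (string) $wpdb->get_var( $sql );
}

add_shortcode( 'example_stats', 'example_stats_shortcode_hardened' );
```

The capability check matters independently of the query fix: even a correctly parameterised query should not be reachable by roles that have no business running it.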
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- WordPress/Slimstat Analytics
- Range: <4.9.3.3
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1. wpscan.com/vulnerability/b82bdd02-b699-4527-86cc-d60b56ab0c55 (mitre; tags: exploit, vdb-entry, technical-description)
News mentions
No linked articles in our index yet.