An SQL Injection vulnerability has been identified in the WordPress Demon image annotation Plugin. This vulnerability allows an attacker to inject malicious code into the affected website’s database, potentially compromising the security of the website and its visitors.

The discovery of this vulnerability and its responsible reporting is attributed to LEE SE HYOUNG (hackintoanetwork), underlining the importance of immediate attention.


The vulnerability has a CVSS 3.1 score of 7.6, which is considered to be high. This means that the vulnerability is likely to be exploited and could have a significant impact on the affected system.

Affected Versions:

The vulnerability affects all versions of the Demon image annotation Plugin prior to 1.7.2.


An attacker who successfully exploits this vulnerability could:

  • Steal sensitive information from the database, such as user passwords, credit card numbers, and other personally identifiable information.
  • Modify the database, such as adding or deleting records.
  • Take control of the website.


Given the gravity of this situation, Swift and effective action is taken to secure the website and user data:

  • Monitor and Disable Plugin: Until an official patch is released, consider disabling the Demon Image Annotation Plugin on your website.
  • Implement Enhanced Security Measures: Secure the website’s security posture by implementing robust authentication mechanisms, access controls, and frequent security audits. Taking comprehensive security measures is pivotal to thwart potential exploitation.

In conclusion, The vulnerability has not been patched in any version of the Demon image annotation Plugin as of yet. Users are advised to uninstall the plugin until a patched version is available.