A SQL Injection vulnerability has been identified in the WordPress Horizontal Scrolling Announcement Plugin. This vulnerability could allow a malicious actor to directly interact with the database, including but not limited to stealing information.
This vulnerability was discovered and responsibly reported by Lana Codes.
The flaw is in the horizontal-scrolling-announcement.php file: the plugin mishandles user input, which allows an attacker to inject malicious SQL into the queries the plugin sends to the database.
The vulnerability has a CVSS 3.1 score of 8.5, which is considered to be high. This means that the vulnerability is likely to be exploited and could have a significant impact on the affected system.
The vulnerability affects all versions of the Horizontal Scrolling Announcement Plugin.
To protect WordPress users, the Horizontal Scrolling Announcement Plugin has been closed and is no longer available for download or activation as of September 18, 2019. This closure is due to a violation of WordPress plugin guidelines. It is essential to comply with this closure and remove the plugin from your WordPress installation immediately.
An attacker who successfully exploits this vulnerability could:
- Steal sensitive data from your database, such as user information, credit card numbers, and product details.
- Modify or delete data in your database.
- Take control of your database and website.
WordPress website administrators are strongly advised to take the following actions:
- Deactivate and Delete the Plugin: If you are currently using the Horizontal Scrolling Announcement Plugin, deactivate and delete it from your WordPress installation immediately.
- Scan and Audit: Conduct a thorough security scan and audit of the WordPress website to identify any potential issues or signs of compromise.
- Database Check: Review the WordPress database for any unauthorized or suspicious activity. Change database passwords and credentials if necessary.
- Stay Informed: Stay informed about security updates and vulnerabilities related to WordPress plugins and themes.
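To confirm the first action across a server that hosts several sites, the following added example (not part of the original advisory or the plugin) looks for leftover copies of the plugin file. Only the file name horizontal-scrolling-announcement.php comes from the advisory; the default web root /var/www, the wp-content/plugins layout and the function names are assumptions.

```shell
#!/bin/sh
# Added example: locate leftover copies of the closed plugin under a web root.
# The file name is taken from the advisory; everything else is an assumption.

PLUGIN_FILE="horizontal-scrolling-announcement.php"

# Print one line per copy found:
#   <plugin directory><TAB><version from the plugin header, or "unknown">
find_hsa_plugin() {
    root="${1:-/var/www}"   # assumed default web root
    find "$root" -type f -name "$PLUGIN_FILE" \
         -path "*/wp-content/plugins/*" 2>/dev/null |
    while IFS= read -r f; do
        dir=$(dirname "$f")
        # WordPress plugin headers carry a "Version:" line, optionally
        # prefixed by whitespace or the "*" of a block comment.
        ver=$(sed -n 's/^[[:space:]*]*Version:[[:space:]]*//p' "$f" |
              head -n 1 | tr -d '\r')
        printf '%s\t%s\n' "$dir" "${ver:-unknown}"
    done
}

# Exit status 0 when no copy remains under the given root, 1 otherwise.
hsa_plugin_absent() {
    [ -z "$(find_hsa_plugin "$1")" ]
}

# When run as a script with a web root argument, list what was found.
if [ "$#" -gt 0 ]; then
    find_hsa_plugin "$1"
fi
```

A copy that is deactivated but still on disk is reported as well, so an empty result means the plugin has been deleted and not only switched off.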