Quick Featured Images WordPress Plugin SQL Injection Vulnerability
Vulnerability
A SQL injection vulnerability has been identified in the Quick Featured Images plugin for WordPress, affecting all versions up to and including 13.7.3. The issue arises in the 'delete_orphaned' function, where insufficient escaping of user-supplied parameters allows authenticated attackers with Editor-level access and above to append additional SQL queries. This exploitation could lead to the extraction of sensitive information from the database, provided the attacker can persuade an author-level user or higher to add a malicious custom field value.
Impact
Exploitation of this vulnerability allows for authenticated SQL injection, where attackers can manipulate SQL queries to extract sensitive information from the database.
Reproduction
To reproduce this vulnerability, an authenticated user with Editor-level access or higher triggers the 'delete_orphaned' function of the Quick Featured Images plugin, which processes custom field values without sufficient escaping. The injected SQL reaches the query through a malicious value that an author-level user or higher has been convinced to store in a custom field; the vulnerable function then executes the resulting query.
Remediation
Users are advised to update the Quick Featured Images plugin to version 13.7.4 or later, where this vulnerability has been patched.
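To illustrate the class of defect described above, the following is an added, hypothetical sketch (not the plugin's actual source and not the vendor's patch) of an orphan-cleanup routine that interpolates a custom field value straight into SQL, beside the same routine using $wpdb->prepare() so the value is only ever bound as data. It assumes the orphan check compares against the '_thumbnail_id' meta key that WordPress core uses for featured images.

```php
<?php
// Hypothetical illustration only; not the Quick Featured Images source.
// $wpdb is the WordPress global database handle.

// Vulnerable pattern: the custom field value is concatenated into the query.
// A value containing a quote character ends the string literal early, so
// whatever an author stored in the field becomes part of the SQL that the
// editor-level user unknowingly executes.
function delete_orphaned_vulnerable( $meta_value ) {
    global $wpdb;
    $sql = "DELETE FROM {$wpdb->postmeta} WHERE meta_key = '_thumbnail_id'"
         . " AND meta_value = '" . $meta_value . "'";
    return $wpdb->query( $sql );
}

// Hardened pattern: $wpdb->prepare() binds the value through a %s
// placeholder (no surrounding quotes in the template) and escapes it, so it
// can only be compared as data. Table names cannot be bound, so they still
// come from $wpdb properties rather than from any user-controlled input.
function delete_orphaned_safe( $meta_value ) {
    global $wpdb;
    $sql = $wpdb->prepare(
        "DELETE FROM {$wpdb->postmeta} WHERE meta_key = %s AND meta_value = %s",
        '_thumbnail_id',
        $meta_value
    );
    return $wpdb->query( $sql );
}

// Additional narrowing worth doing regardless of escaping: a thumbnail id is
// an attachment post ID, so anything that is not a plain integer is invalid
// input and is refused before it reaches the database at all.
function delete_orphaned_strict( $meta_value ) {
    global $wpdb;
    if ( ! ctype_digit( (string) $meta_value ) ) {
        return false; // not a valid post ID; refuse rather than query
    }
    return $wpdb->query(
        $wpdb->prepare(
            "DELETE FROM {$wpdb->postmeta} WHERE meta_key = %s AND meta_value = %d",
            '_thumbnail_id',
            (int) $meta_value
        )
    );
}
```

When reviewing a fix of this kind, confirm that every value reaching $wpdb->query() passes through prepare() or an equivalent binding step, not only the one parameter named in the advisory.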
