CVE-2023-5429 in Information Reel Plugin
Summary
by MITRE • 10/31/2023
The Information Reel plugin for WordPress is vulnerable to SQL Injection via the plugin's shortcode in versions up to, and including, 10.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers with subscriber-level and above permissions to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 04/11/2026
The CVE-2023-5429 vulnerability affects the Information Reel plugin for WordPress, specifically targeting versions up to and including 10.0. This represents a critical security flaw that exploits SQL injection techniques through the plugin's shortcode functionality. The vulnerability stems from inadequate input sanitization and improper query preparation mechanisms within the plugin's codebase, creating a pathway for malicious actors to manipulate database queries through user-supplied parameters.
The technical flaw manifests when authenticated users with subscriber-level permissions or higher attempt to utilize the plugin's shortcode feature. These attackers can manipulate the input parameters to inject additional SQL commands into existing database queries. The vulnerability's root cause lies in insufficient escaping of user-supplied data and the absence of proper parameterized query preparation, allowing attackers to concatenate malicious SQL code with legitimate database operations. This weakness enables attackers to execute unauthorized database operations that would normally be restricted.
The operational impact of this vulnerability is significant as it provides attackers with the capability to extract sensitive information from the WordPress database. Authorized users with minimal privileges can leverage this vulnerability to gain unauthorized access to confidential data including user credentials, personal information, and other sensitive database content. The vulnerability's exploitation potential extends beyond simple data extraction to potentially enabling further attack vectors such as privilege escalation or data manipulation within the compromised WordPress environment.
Security professionals should note that this vulnerability aligns with CWE-89 which specifically addresses SQL injection flaws in software applications. The attack pattern follows typical SQL injection methodologies documented in the MITRE ATT&CK framework under the technique of command and control through database access. Organizations should prioritize immediate patching of affected WordPress installations and implement additional security measures including input validation, query parameterization, and monitoring for suspicious database access patterns. The vulnerability demonstrates the critical importance of proper input sanitization and prepared statement usage in preventing database injection attacks that can compromise entire application environments.