Shi Chen

**Name of the Vulnerable Software and Affected Versions** amtyThumb WordPress plugin versions through 4.2.0 **Description** The issue is related to the amtyThumb WordPress plugin, which does not properly sanitise and escape a parameter before using it in a SQL statement via its shortcode. This leads to an SQL injection and can be exploited by any authenticated user, as they can execute shortcodes via an AJAX action. **Recommendations** For versions through 4.2.0, update to a version that includes the necessary sanitisation and escaping of parameters in SQL statements to prevent SQL injection. As a temporary workaround, consider restricting access to the shortcode execution via AJAX actions to prevent exploitation.

**Name of the Vulnerable Software and Affected Versions** The Cube Slider WordPress plugin versions 1.2 and earlier **Description** The issue concerns a lack of sanitization and escaping of the `idslider` parameter, which is used in various SQL queries. This leads to SQL injections that can be exploited by high-privileged users, such as administrators. **Recommendations** For The Cube Slider WordPress plugin versions 1.2 and earlier, update to a version that properly sanitizes and escapes the `idslider` parameter to prevent SQL injection attacks. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Five Minute Webshop WordPress plugin versions prior to 1.3.3 **Description** The issue arises from improper validation and sanitization of the `orderby` parameter in SQL statements via the Manage Products admin page, leading to SQL Injection. **Recommendations** For versions prior to 1.3.3, update to version 1.3.3 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Five Minute Webshop WordPress plugin versions prior to 1.3.3 **Description** The issue arises from the lack of sanitization and escaping of the `id` parameter in SQL statements when editing products via the admin dashboard, leading to SQL injection. **Recommendations** For versions prior to 1.3.3, update to version 1.3.3 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Logo Slider WordPress plugin versions 1.4.8 and earlier **Description** The issue concerns an SQL Injection problem. It occurs because the `lsp slider id` parameter is not properly sanitised and escaped before being used in a SQL statement via the Manage Slider Images admin page. This allows for potential SQL injection attacks. **Recommendations** For Logo Slider WordPress plugin versions 1.4.8 and earlier, as a temporary workaround, consider restricting access to the Manage Slider Images admin page until a patch is available. Avoid using the `lsp slider id` parameter in the affected SQL statement until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** The Note Press WordPress plugin versions 0.1.10 and earlier **Description** The issue concerns a lack of sanitization and escaping of the `id` parameter, which is used in SQL statements via the admin dashboard. This leads to SQL injections. **Recommendations** For The Note Press WordPress plugin versions 0.1.10 and earlier, update to a version that properly sanitizes and escapes the `id` parameter to prevent SQL injections. As a temporary workaround, consider restricting access to the admin dashboard to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** The Note Press WordPress plugin versions 0.1.10 and earlier **Description** The issue arises from the lack of sanitization and escaping of the `Update` parameter in SQL statements when updating notes via the admin dashboard, leading to an SQL injection. This allows for potential manipulation of database queries. **Recommendations** For versions 0.1.10 and earlier, as a temporary workaround, consider restricting access to the admin dashboard to minimize the risk of exploitation. Avoid using the `Update` parameter in the affected SQL statements until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** The Note Press WordPress plugin versions 0.1.10 and earlier **Description** The issue is related to an SQL injection problem. The Note Press WordPress plugin does not properly sanitise and escape the `ids` from the bulk actions before using them in a SQL statement in an admin page. This leads to an SQL injection. **Recommendations** For The Note Press WordPress plugin versions 0.1.10 and earlier, update to a version that addresses this issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** The Realty Workstation WordPress plugin versions prior to 1.0.15 **Description** The issue arises from the lack of sanitization and escaping of the `trans edit` parameter before its use in a SQL statement when an agent edits a transaction, leading to an SQL injection. **Recommendations** For versions prior to 1.0.15, update to version 1.0.15 or later to resolve the issue. As a temporary workaround, consider restricting access to the transaction editing feature to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** CP Image Store with Slideshow WordPress plugin versions prior to 1.0.68 **Description** The issue allows unauthenticated users to perform an SQL injection attack due to the lack of sanitization and escaping of the `ordering by` query parameter in SQL statements. This occurs in pages where the `[codepeople-image-store]` is embedded. **Recommendations** For versions prior to 1.0.68, update to version 1.0.68 or later to resolve the issue. As a temporary workaround, consider restricting access to pages where the `[codepeople-image-store]` is embedded to minimize the risk of exploitation. Avoid using the `ordering by` query parameter in affected pages until the issue is resolved.