CVE-2019-25745
Time-Based Blind SQL Injection in Google Review Slider WordPress Plugin
Publication date: 2026-06-04
Last updated on: 2026-06-04
Assigner: VulnCheck
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| review_slider | 6.1 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2019-25745 is a time-based blind SQL injection vulnerability in the WordPress Plugin Google Review Slider version 6.1 and below. It occurs because the plugin does not properly validate input passed through the 'tid' parameter in GET requests to the admin interface.
An unauthenticated attacker can send specially crafted GET requests with malicious 'tid' values to manipulate database queries. Using time-based blind SQL injection techniques, the attacker can extract sensitive information from the database without direct visibility of the data.
How can this vulnerability impact me? :
This vulnerability can have serious impacts including unauthorized access to sensitive database information. Attackers can exploit the flaw to extract data by sending crafted requests, potentially leading to a full database compromise.
Because the vulnerability allows manipulation of database queries without authentication, it poses a high risk of data leakage or unauthorized data manipulation.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing the 'tid' parameter in GET requests to the WordPress admin interface for time-based blind SQL injection.
One effective method is to use sqlmap, an automated SQL injection tool, which can identify the vulnerability by sending crafted payloads and analyzing response times.
- Use sqlmap with a command similar to: sqlmap -u "http://target-site/wp-admin/admin.php?page=wp_google-templates_posts&tid=1" --risk=3 --level=5 --dbs
- Monitor HTTP GET requests to the admin interface for unusual or repeated requests containing the 'tid' parameter with suspicious values.
What immediate steps should I take to mitigate this vulnerability?
The immediate step to mitigate this vulnerability is to update the WordPress Google Review Slider plugin to version 6.2 or later, where the issue has been fixed.
Until the update can be applied, restrict access to the vulnerable admin interface to trusted users only and monitor for suspicious activity involving the 'tid' parameter.
Additionally, consider implementing web application firewall (WAF) rules to block or alert on suspicious SQL injection attempts targeting the 'tid' parameter.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability allows unauthenticated attackers to perform time-based blind SQL injection attacks to extract sensitive database information. This unauthorized access to sensitive data could lead to violations of data protection regulations such as GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access and breaches.
Since the exploit can result in full database compromise, organizations using the affected plugin may face compliance risks related to data confidentiality, integrity, and privacy mandated by these standards.