CVE-2025-68056
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in LambertGroup LBG Zoominoutslider lbg_zoominoutslider allows SQL Injection. This issue affects LBG Zoominoutslider: from n/a through <= 5.4.4.
Analysis
SQL injection in the LambertGroup LBG Zoominoutslider WordPress plugin, versions ≤5.4.4, enables authenticated attackers with low privileges to execute arbitrary SQL commands, with a changed-scope (S:C) impact that can extend beyond the plugin itself. The vulnerability carries an 8.5 CVSS score but shows low real-world exploitation probability (EPSS 0.04%, 14th percentile), with no confirmed active exploitation and no public proof-of-concept code identified at the time of analysis.
Technical Context
This vulnerability stems from CWE-89 (SQL Injection): the LBG Zoominoutslider WordPress plugin fails to properly sanitize user-supplied input before incorporating it into SQL queries. The plugin appears to be a WordPress slider/image gallery component developed by LambertGroup. SQL injection vulnerabilities occur when an application concatenates untrusted data directly into SQL statements instead of using parameterized queries or proper input validation, allowing an attacker to break out of the intended query context and inject their own SQL. The CVSS vector (AV:N/AC:H/PR:L) indicates network-based exploitation with high attack complexity from a low-privileged authenticated account, suggesting the vulnerable functionality is reachable by authenticated WordPress users (likely contributors or above) rather than anonymous visitors.
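As an added illustration of the pattern described above (this is not code from the LBG Zoominoutslider plugin or from Patchstack; the hook names, table name and parameter names are hypothetical), here is a WordPress AJAX handler that splices a request parameter into SQL, beside a version that binds it through `$wpdb->prepare()` and gates the endpoint with a capability check and nonce:

```php
<?php
// Hypothetical slider-lookup handler for a WordPress plugin.
// Assumes a table {$wpdb->prefix}slider_items with columns id, slider_id, image_url.

// Vulnerable pattern (CWE-89): the request value is interpolated into the SQL text,
// so anything the caller sends becomes part of the query grammar.
function demo_get_slider_items_vulnerable() {
    global $wpdb;
    $slider_id = $_POST['slider_id'];                 // untrusted, unvalidated
    $table     = $wpdb->prefix . 'slider_items';      // trusted: built from the site prefix
    $rows = $wpdb->get_results(
        "SELECT id, image_url FROM {$table} WHERE slider_id = '{$slider_id}'"
    );
    wp_send_json_success( $rows );
}
add_action( 'wp_ajax_demo_slider_items_vulnerable', 'demo_get_slider_items_vulnerable' );

// Hardened version: restrict who can reach the query, verify the request origin,
// coerce the input to its expected type, and bind it as a parameter.
function demo_get_slider_items_hardened() {
    global $wpdb;
    // Limit the exposure that PR:L describes: only users allowed to edit content.
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // Reject requests that did not come from the plugin's own admin form.
    check_ajax_referer( 'demo_slider_items_nonce', 'nonce' );
    // absint() yields 0 for anything non-numeric, which matches no row.
    $slider_id = isset( $_POST['slider_id'] ) ? absint( wp_unslash( $_POST['slider_id'] ) ) : 0;
    $table     = $wpdb->prefix . 'slider_items';
    // %d binds the value as an integer; table names cannot be placeholders,
    // which is why the table is built only from the trusted prefix above.
    $sql  = $wpdb->prepare( "SELECT id, image_url FROM {$table} WHERE slider_id = %d", $slider_id );
    wp_send_json_success( $wpdb->get_results( $sql ) );
}
add_action( 'wp_ajax_demo_slider_items_hardened', 'demo_get_slider_items_hardened' );
```

When auditing a plugin for this class of bug, searching its sources for `$wpdb->query`, `$wpdb->get_results` and similar calls whose SQL string embeds a `$_GET`, `$_POST` or `$_REQUEST` value without an enclosing `$wpdb->prepare()` is a quick first pass.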
Affected Products
The vulnerability affects LambertGroup LBG Zoominoutslider (lbg_zoominoutslider) WordPress plugin in all versions up to and including version 5.4.4. The Patchstack advisory indicates version 5.4.5 addresses this vulnerability, suggesting versions 5.4.4 and earlier are vulnerable. This appears to be a niche WordPress slider/gallery plugin rather than a widely-deployed enterprise product. Organizations should audit their WordPress installations for the presence of this plugin, particularly in multi-author environments where contributors, authors, or editors have access. The vendor advisory and complete technical details are available at https://patchstack.com/database/Wordpress/Plugin/lbg_zoominoutslider/vulnerability/wordpress-lbg-zoominoutslider-plugin-5-4-5-sql-injection-vulnerability?_s_id=cve.
Remediation
Upgrade LBG Zoominoutslider to version 5.4.5 or later, the version the Patchstack advisory (as reflected in its URL) identifies as fixing this SQL injection vulnerability. Administrators should open the WordPress admin dashboard, navigate to Plugins, locate LBG Zoominoutslider, and update to the latest available version. If immediate patching is not feasible, temporary risk-reduction measures include restricting plugin access to highly trusted administrator accounts only, adding web application firewall rules that detect SQL injection patterns aimed at this plugin, monitoring database activity for anomalous queries, or temporarily disabling the plugin if slider functionality is non-critical to operations. Complete vulnerability details and remediation guidance are available from Patchstack at https://patchstack.com/database/Wordpress/Plugin/lbg_zoominoutslider/vulnerability/wordpress-lbg-zoominoutslider-plugin-5-4-5-sql-injection-vulnerability?_s_id=cve. Organizations should verify the installed version before and after patching to confirm the update actually took effect.