HIGH 8.2

CVE-2019-25745: WordPress Google Review Slider SQL Injection Vulnerability – Exploitation, Patching & Detection

The Google Review Slider WordPress plugin version 6.1 contains a SQL injection flaw that allows attackers to execute unauthorized database queries without needing to log in. By crafting malicious requests targeting the 'tid' parameter, an attacker can gradually extract sensitive data from a WordPress site's database using time-based blind SQL injection—a technique where database response delays confirm whether injected queries are true or false. This vulnerability poses a direct risk to any WordPress installation running the affected plugin version.

Source data · NVD / CISA · public domain

CVSS
3.1 · 8.2 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Weaknesses (CWE)
CWE-89
Affected products
0 configuration(s)
Published / Modified
2026-06-04 / 2026-06-17

NVD description (verbatim)

WordPress Plugin Google Review Slider 6.1 contains a time-based blind SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'tid' parameter. Attackers can send GET requests to the admin interface with malicious 'tid' values to extract sensitive database information using time-based blind SQL injection techniques.

3 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2019-25745 is a time-based blind SQL injection vulnerability (CWE-89) in Google Review Slider version 6.1. The vulnerability exists in the admin interface endpoint where the 'tid' parameter is processed without proper input sanitization or parameterized query protection. Attackers send crafted GET requests with SQL metacharacters embedded in the 'tid' value. The database backend processes these requests, and attackers infer query logic by measuring response times—genuine SQL conditions execute faster or slower than invalid ones, allowing systematic database enumeration. No authentication is required to exploit this vulnerability, making the attack surface extensive for any publicly accessible WordPress installation.

Business impact

Successful exploitation enables attackers to access confidential database records including user credentials, customer information, posts, and plugin configuration data. The extraction process, while time-consuming due to its blind nature, is reliable and difficult to detect with basic monitoring. Compromised data could be leveraged for further attacks, credential stuffing, or sold on criminal forums. For WordPress sites managing e-commerce, subscriber data, or client information, the confidentiality breach carries regulatory implications (GDPR, PCI-DSS) and reputational damage. The vulnerability's high CVSS score (8.2) reflects the ease of exploitation and severity of information disclosure, even though direct data modification or denial-of-service impact is limited.

Affected systems

WordPress installations running Google Review Slider plugin version 6.1 are vulnerable. The plugin is freely distributed through WordPress.org plugin repository, making it a wide-reaching target. Any site with this specific version installed is at risk regardless of access controls, firewall rules, or WAF policies—the vulnerability is in the application layer. Sites using older or newer versions of the plugin may or may not be affected; administrators should verify their installed version against vendor advisories and patch documentation.

Exploitability

The vulnerability is highly exploitable. No special privileges or user interaction are required; attackers need only network access to send HTTP GET requests to the plugin's endpoint. The time-based blind SQL injection technique is well-established in offensive security, with numerous automated tools and proof-of-concept scripts publicly available. However, practical exploitation requires patience—extracting even modest amounts of data through time delays can take minutes to hours depending on database size and network conditions. This does not eliminate risk; determined attackers or automated botnets can still conduct successful attacks. The absence from the CISA Known Exploited Vulnerabilities (KEV) catalog does not indicate a lack of real-world exploitation; it reflects KEV's specific criteria and timing.

Remediation

Immediately update Google Review Slider to a patched version released by the plugin maintainer. Verify the specific version numbers in the official plugin advisory or WordPress.org plugin page—do not rely on version numbering assumptions. If no patch is available, disable or remove the plugin until an update is released. As a temporary mitigation, restrict access to the WordPress admin interface (wp-admin) via network-level controls (IP whitelisting, WAF rules blocking requests to the vulnerable endpoint), though this does not address the underlying flaw and is not a substitute for patching.

Patch guidance

Check the official Google Review Slider plugin page on WordPress.org or the maintainer's website for available updates. Apply the latest version that addresses CVE-2019-25745. Test the update in a staging environment before deploying to production to ensure compatibility with other plugins and themes. After patching, verify that the plugin remains functional and that no database anomalies are evident. Document the patching date and version for compliance records.

Detection guidance

Monitor access logs and WAF logs for suspicious patterns in requests to wp-admin endpoints associated with the Google Review Slider plugin, especially GET requests with unusual characters (SQL metacharacters like single quotes, semicolons, UNION keywords) in the 'tid' parameter. Time-based blind SQL injection may manifest as clusters of requests with varying delays or repeated failed database queries. Implement database activity monitoring (DAM) to alert on unexpected query patterns, particularly SELECT statements from user tables or attempts to access sensitive columns. Regular WordPress security scanning tools and plugin audits can identify if the vulnerable plugin version is active.

Why prioritize this

This vulnerability merits immediate attention due to its HIGH severity rating, unauthenticated exploitability, and direct impact on database confidentiality. The combination of high CVSS score (8.2), ease of exploitation, and wide plugin user base makes it a priority for any organization running WordPress. Time-based blind SQL injection is operationally feasible for attackers despite being slower than other injection types. Organizations should prioritize patching or disabling this plugin within days, not weeks.

Risk score, explained

The CVSS 3.1 score of 8.2 (HIGH) reflects: (1) Network-accessible attack vector (AV:N); (2) Low attack complexity requiring only standard HTTP requests (AC:L); (3) No authentication prerequisite (PR:N); (4) No user interaction needed (UI:N); (5) High confidentiality impact from unrestricted database access (C:H); (6) Limited integrity impact—the attacker cannot modify or delete data directly, only extract it (I:L); (7) No availability impact (A:N). The score appropriately penalizes the exploitability and information disclosure while acknowledging that this is not a remote code execution or denial-of-service vulnerability.

Frequently asked questions

How can I quickly determine if my WordPress site is running the vulnerable plugin?

Log into your WordPress admin dashboard, navigate to Plugins, and search for 'Google Review Slider.' If it is installed, note the version number displayed. Compare it against the vendor's advisory and security notices. Alternatively, use WordPress security scanning plugins (e.g., Wordfence, Sucuri) that can identify known vulnerable versions.

Is updating the plugin sufficient, or do I need to check for database compromise?

Patching stops future exploitation but does not undo past breaches. If the plugin has been running unpatched for an extended period, assume attackers may have extracted data. Conduct a database audit to identify any suspicious user accounts, check access logs for anomalous query patterns, and monitor for unauthorized data access. Consider credential resets for high-privilege accounts and implement enhanced monitoring going forward.

Can a Web Application Firewall (WAF) fully protect me from this vulnerability?

A WAF can reduce attack surface by blocking requests containing obvious SQL injection patterns (e.g., UNION, OR 1=1), but sophisticated time-based blind SQL injection can evade basic WAF signatures. WAF protection is a useful layer but is not a substitute for patching. Combine WAF rules with network-level access controls and application-level patches for defense in depth.

What if the plugin developer has not released a patch yet?

If no patch is available, disable or remove the plugin immediately to eliminate the attack vector. If the plugin is critical for your site's functionality, contact the developer for an estimated patch timeline. Implement strict access controls to wp-admin, use a WAF to block suspicious requests to the plugin endpoint, and monitor database activity closely. This is temporary risk mitigation only; patching must remain your primary objective.

This analysis is provided for informational purposes and represents a point-in-time assessment based on available source data as of the publication date. SEC.co does not guarantee the accuracy, completeness, or currency of vendor patch information or version numbers; administrators must verify patch availability and version numbers directly with the plugin maintainer or WordPress.org. This document does not constitute legal advice, compliance guidance, or a substitute for professional security assessment. Organizations should conduct their own risk analysis and testing before deploying patches or implementing mitigations in production environments. References to specific products, versions, or patch numbers should be validated against official vendor advisories before reliance. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).