Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in gopiplus Vertical scroll slideshow gallery v2 allows Blind SQL Injection. This issue affects Vertical scroll slideshow gallery v2: from n/a through 9.1.
Published: 2025-08-15
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an SQL injection flaw (CWE-89): attacker-supplied input is incorporated into the plugin’s database queries without proper neutralization, enabling blind SQL injection. This weakness can lead to unauthorized retrieval or modification of database contents, compromising the confidentiality and integrity of data stored by the WordPress site.

Affected Systems

The flaw exists in the gopiplus Vertical scroll slideshow gallery v2 plugin, affecting all releases from the initial version through 9.1. The plugin name and version range are the only affected-product details explicitly listed.

Risk and Exploitability

The CVSS score of 8.8 signals a high severity level, while the EPSS score of less than 1% indicates that known exploitation attempts are currently rare. The vulnerability is not listed in CISA’s KEV, which suggests it has not yet been documented as actively exploited in the field. Exploitation is possible from a web request targeting the plugin’s endpoints, and the attack does not require privileged user access—making it a plausible threat for remote attackers.

Generated by OpenCVE AI on May 1, 2026 at 06:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the gopiplus Vertical scroll slideshow gallery v2 plugin to a version newer than 9.1.
  • If an update is not yet available, disable or remove the plugin entirely from the site to eliminate the attack surface.
  • Deploy a Web Application Firewall with SQL injection protection rules to block malicious requests targeting the plugin’s endpoints.
  • Restrict the database user privileges to read-only where feasible, limiting potential damage from exploitation.
  • Monitor web and database logs for signs of SQL injection attempts and respond promptly to anomalies.

Generated by OpenCVE AI on May 1, 2026 at 06:38 UTC.
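The log-monitoring action above can be turned into a concrete check. The script below is an added example, not OpenCVE's or the plugin's code: it parses combined-format web access log lines, keeps only requests aimed at the plugin's directory or admin-ajax.php, and flags query parameters that carry typical blind SQL injection indicators (time-based delays, boolean tautologies). The plugin path slug and the example.php file name are placeholders, since the page does not give the affected endpoint, and the sample log lines are constructed.

```python
# Added example (not OpenCVE's or the plugin's code): flag web-log requests to
# WordPress plugin endpoints whose query parameters carry blind SQLi indicators.
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit
# ASSUMPTION: the page does not give the plugin's directory slug; replace the
# placeholder with the real plugin path on your site.
WATCHED_PATHS = ("/wp-content/plugins/PLUGIN-SLUG/", "/wp-admin/admin-ajax.php")

# Indicators typical of blind SQLi (time delays, boolean tautologies) plus classic
# UNION; matches are leads for triage, not proof of exploitation.
BLIND_SQLI = re.compile(
    r"(sleep\s*\(|benchmark\s*\(|pg_sleep\s*\(|waitfor\s+delay"
    r"|\b(and|or)\s+\d+\s*=\s*\d+|'\s*(and|or)\s+'|\bunion\s+select\b)",
    re.IGNORECASE,
)
# Combined log format: ip ident user [ts] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)
# Constructed sample lines (not real traffic); example.php is a placeholder file name.
SAMPLE_LOG = [
    '203.0.113.5 - - [15/Aug/2025:16:20:01 +0000] "GET /wp-content/plugins/PLUGIN-SLUG/example.php?id=3 HTTP/1.1" 200 512',
    '203.0.113.5 - - [15/Aug/2025:16:20:07 +0000] "GET /wp-content/plugins/PLUGIN-SLUG/example.php?id=3%20AND%20SLEEP(5) HTTP/1.1" 200 512',
    '198.51.100.9 - - [15/Aug/2025:16:21:00 +0000] "GET /wp-admin/admin-ajax.php?action=x&id=1%27%20AND%20%271%27%3D%271 HTTP/1.1" 200 88',
    '192.0.2.7 - - [15/Aug/2025:16:22:00 +0000] "GET /index.php?s=sleep(3) HTTP/1.1" 200 2048',
]

def parse_line(line):
    # Return the log fields as a dict, or None for lines not in combined format.
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def sqli_indicators(target):
    """List (param, decoded value) pairs that match an indicator; watched paths only."""
    parts = urlsplit(target)
    if not parts.path.startswith(WATCHED_PATHS):  # str.startswith accepts a tuple
        return []
    hits = []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        decoded = unquote_plus(value)  # second decode catches %25xx double encoding
        if BLIND_SQLI.search(decoded):
            hits.append((key, decoded))
    return hits

def scan(lines):
    # One finding per request that carries an indicator against a watched path.
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec and (hits := sqli_indicators(rec["target"])):
            findings.append({"ip": rec["ip"], "ts": rec["ts"], "params": hits})
    return findings
```

Requests outside the watched paths (the fourth sample line) are deliberately not reported, so widen WATCHED_PATHS if the plugin also registers other endpoints on your site.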

Advisories

Source: EUVD
ID: EUVD-2025-25028
Title: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in gopiplus Vertical scroll slideshow gallery v2 allows Blind SQL Injection. This issue affects Vertical scroll slideshow gallery v2: from n/a through 9.1.

History

Tue, 28 Apr 2026 19:45:00 +0000

Tue, 28 Apr 2026 18:30:00 +0000
Description: removed "Incorrect Privilege Assignment vulnerability in gopiplus School Management school-management allows Privilege Escalation.This issue affects School Management: from n/a through <= 93.2.0."; added "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in gopiplus Vertical scroll slideshow gallery v2 allows Blind SQL Injection. This issue affects Vertical scroll slideshow gallery v2: from n/a through 9.1."
Title: removed "WordPress School Management Plugin <= 93.2.0 - Privilege Escalation Vulnerability"; added "WordPress Vertical scroll slideshow gallery v2 plugin <= 9.1 - SQL Injection vulnerability"
Weaknesses: CWE-89
References

Thu, 23 Apr 2026 15:45:00 +0000

Thu, 23 Apr 2026 15:00:00 +0000
Description: removed "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in gopiplus Vertical scroll slideshow gallery v2 allows Blind SQL Injection. This issue affects Vertical scroll slideshow gallery v2: from n/a through 9.1."; added "Incorrect Privilege Assignment vulnerability in gopiplus School Management school-management allows Privilege Escalation.This issue affects School Management: from n/a through <= 93.2.0."
Title: removed "WordPress Vertical scroll slideshow gallery v2 plugin <= 9.1 - SQL Injection vulnerability"; added "WordPress School Management Plugin <= 93.2.0 - Privilege Escalation Vulnerability"
Weaknesses: CWE-266
References
Metrics (cvssV3_1):
  removed: {'score': 8.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L'}
  added: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Sat, 16 Aug 2025 21:45:00 +0000
First Time appeared: Gopiplus; Gopiplus vertical Scroll Slideshow Gallery V2; Wordpress; Wordpress wordpress
Vendors & Products: Gopiplus; Gopiplus vertical Scroll Slideshow Gallery V2; Wordpress; Wordpress wordpress

Fri, 15 Aug 2025 19:15:00 +0000
Metrics (ssvc): {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 15 Aug 2025 15:30:00 +0000
Description: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in gopiplus Vertical scroll slideshow gallery v2 allows Blind SQL Injection. This issue affects Vertical scroll slideshow gallery v2: from n/a through 9.1.
Title: WordPress Vertical scroll slideshow gallery v2 plugin <= 9.1 - SQL Injection vulnerability
Weaknesses: CWE-89
References
Metrics (cvssV3_1): {'score': 8.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L'}


MITRE
Status: PUBLISHED
Assigner: Patchstack
Published:
Updated: 2026-04-28T16:13:07.336Z
Reserved: 2025-06-11T16:06:34.446Z
Link: CVE-2025-49897

Vulnrichment
Updated: 2025-08-15T19:10:58.942Z

NVD
Status: Deferred
Published: 2025-08-15T16:15:29.770
Modified: 2026-04-28T19:33:11.503
Link: CVE-2025-49897

Redhat
No data.

OpenCVE Enrichment
Updated: 2026-05-01T06:45:11Z

Weaknesses