Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in LambertGroup LBG Zoominoutslider lbg_zoominoutslider allows SQL Injection.This issue affects LBG Zoominoutslider: from n/a through <= 5.4.4.
Published: 2025-12-16
Score: 8.5 High
EPSS: < 1% Very Low
KEV: No
Impact: SQL Injection
Action: Immediate Patch
AI Analysis

Impact

This vulnerability stems from improper neutralization of special characters in an SQL statement within the LBG Zoominoutslider plugin. An attacker can craft input that injects arbitrary SQL commands, potentially gaining unauthorized read or write access to a WordPress site’s database. This could lead to data exposure, corruption, or a full compromise of the site.

Affected Systems

WordPress installations that use the LBG Zoominoutslider plugin from LambertGroup and run any version up to and including 5.4.4 are vulnerable. The flaw is removed in later releases such as 5.4.5; no other affected versions are noted.

Risk and Exploitability

The CVSS score of 8.5 signals a critical level of severity, while the EPSS score of less than 1% indicates a low likelihood of exploitation at present. The vulnerability is not listed in CISA’s KEV catalog, suggesting limited or no known exploitation activity. Based on the description, the likely attack vector is a remote unauthenticated HTTP request that targets the plugin’s input handling routine, allowing the injection of arbitrary SQL statements. Successful exploitation would grant attackers full read/write control over the site’s database.

Generated by OpenCVE AI on April 27, 2026 at 22:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the LBG Zoominoutslider plugin to the latest version (5.4.5 or newer) to remove the vulnerability
  • Restrict administrative access to the plugin’s settings to trusted users only, limiting the surface for injection attempts
  • Deploy web application firewall rules that block common SQL injection patterns against the plugin’s input points

Generated by OpenCVE AI on April 27, 2026 at 22:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H'}

 cvssV3_1

{'score': 8.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in LambertGroup LBG Zoominoutslider lbg_zoominoutslider allows SQL Injection.This issue affects LBG Zoominoutslider: from n/a through <= 5.4.5. Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in LambertGroup LBG Zoominoutslider lbg_zoominoutslider allows SQL Injection.This issue affects LBG Zoominoutslider: from n/a through <= 5.4.4.
Title WordPress LBG Zoominoutslider plugin <= 5.4.5 - SQL Injection vulnerability WordPress LBG Zoominoutslider plugin <= 5.4.4 - SQL Injection vulnerability

Tue, 20 Jan 2026 15:30:00 +0000

Type Values Removed Values Added
References

Tue, 20 Jan 2026 14:45:00 +0000

Type Values Removed Values Added
References

Tue, 16 Dec 2025 22:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 16 Dec 2025 21:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H'}

Tue, 16 Dec 2025 17:15:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Tue, 16 Dec 2025 08:30:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in LambertGroup LBG Zoominoutslider lbg_zoominoutslider allows SQL Injection.This issue affects LBG Zoominoutslider: from n/a through <= 5.4.5.
Title WordPress LBG Zoominoutslider plugin <= 5.4.5 - SQL Injection vulnerability
Weaknesses CWE-89
References

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:14:27.744Z

Reserved: 2025-12-15T10:01:11.954Z

Link: CVE-2025-68056

cve-icon Vulnrichment

Updated: 2025-12-16T20:07:07.873Z

cve-icon NVD

Status : Deferred

Published: 2025-12-16T09:16:01.347

Modified: 2026-06-17T09:58:29.800

Link: CVE-2025-68056

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-27T22:30:14Z

Weaknesses
  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')