CVE-2015-10146

4.9 MEDIUM

📋 TL;DR

This SQL injection vulnerability in the WordPress Thumbnail Slider With Lightbox plugin lets an authenticated attacker who already holds the Administrator role inject arbitrary SQL into a query the plugin runs. Administrator is the highest WordPress role, but the injection reaches the database directly, so the attacker can read data the admin screens never expose (every user's password hash in wp_users, for instance) and anything else the site's database account can reach. Only WordPress sites running a vulnerable version of this specific plugin are affected.

💻 Affected Systems

Products:
  • WordPress Thumbnail Slider With Lightbox plugin
Versions: All versions up to and including 1.0.4
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires a WordPress installation running a vulnerable version of the plugin; the attacker must already hold an Administrator-level account.

📦 What is this software?

A WordPress plugin (directory slug wp-responsive-slider-with-lightbox) that renders image thumbnails as a responsive slider with a lightbox popup.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete database compromise: theft of every user's password hash, exfiltration of all site data, direct modification of tables an Administrator cannot normally edit, and access to whatever else the site's database account can reach.

🟠

Likely Case

Extraction of sensitive data including user credentials, personal information, and plugin-specific configuration data.

🟢

If Mitigated

Limited: once the plugin is updated or removed the injection point no longer exists, and residual exposure is confined to sites where untrusted users hold the Administrator role.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires an authenticated Administrator account plus working knowledge of SQL injection; no public proof of concept is known.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Any version later than 1.0.4

Vendor Advisory: https://wordpress.org/plugins/wp-responsive-slider-with-lightbox

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'Thumbnail Slider With Lightbox' (directory slug wp-responsive-slider-with-lightbox).
4. Click 'Update Now' if an update to a version later than 1.0.4 is offered.
5. If no update is available, deactivate and delete the plugin rather than merely deactivating it.

🔧 Temporary Workarounds

Remove vulnerable plugin

WordPress

Deactivate the plugin first, then delete its files (wp plugin delete removes the files without deactivating)

wp plugin deactivate wp-responsive-slider-with-lightbox
wp plugin delete wp-responsive-slider-with-lightbox

🧯 If You Can't Patch

  • Audit who holds the Administrator role and remove it from any account that does not strictly need it; the bug is only reachable with that role
  • Put a web application firewall with SQL injection rules in front of wp-admin; treat it as a speed bump only, since the attacker is an authenticated admin who can tune payloads to evade signatures

🔍 How to Verify

Check if Vulnerable:

In the WordPress admin panel go to Plugins → Installed Plugins and read the version shown under 'Thumbnail Slider With Lightbox'; 1.0.4 or lower is vulnerable

Check Version:

wp plugin get wp-responsive-slider-with-lightbox --field=version

Verify Fix Applied:

The reported plugin version is later than 1.0.4, or the plugin is no longer installed (the command above then reports that the plugin is not installed)

📡 Detection & Monitoring

Log Indicators:

  • UNION, SELECT or quote-and-OR sequences (usually URL-encoded) in web-server access log entries for wp-admin requests that name the plugin; WordPress does not log SQL queries itself, and a MySQL general query log only exists if it has been enabled
  • Multiple failed login attempts followed by a successful Administrator login, especially from a new source address

Network Indicators:

  • SQL injection patterns in HTTP requests to /wp-admin/ endpoints that reference the plugin, typically URL-encoded (for example %20UNION%20SELECT or %27%20OR%20)

SIEM Query:

WordPress writes no query log of its own, so run this against web-server access logs (or a MySQL general query log, if one is enabled) and restrict it to requests that name the plugin; matching SELECT or DELETE across all admin traffic is far too noisy. Query strings arrive URL-encoded, so either decode them before matching or include the encoded forms:

source="access.log" AND uri="*/wp-admin/*" AND uri="*wp-responsive-slider-with-lightbox*" AND (uri="*UNION*" OR uri="*%20UNION%20*" OR uri="*SELECT*" OR uri="*%20SELECT%20*" OR uri="*'%20OR%20*" OR uri="*%27%20OR%20*")
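
The following is an added example of that detection logic, not part of the advisory: it parses Apache combined-format access log lines, URL-decodes each query parameter, and flags injection patterns only on wp-admin requests that reference the plugin slug. The log lines are constructed, and the admin.php?page=... path and the id parameter are assumptions made for illustration, since the advisory does not name the vulnerable endpoint or parameter.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Plugin slug as it appears in the WordPress plugins directory (from the advisory).
PLUGIN_SLUG = "wp-responsive-slider-with-lightbox"

# Constructed sample lines in Apache "combined" format; this is not real traffic.
# The admin.php?page=... path and the 'id' parameter are assumptions made for
# illustration: the advisory does not name the vulnerable endpoint or parameter.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2024:10:01:02 +0000] "GET /wp-admin/admin.php?page=wp-responsive-slider-with-lightbox&id=7 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2024:10:01:09 +0000] "GET /wp-admin/admin.php?page=wp-responsive-slider-with-lightbox&id=7%20UNION%20SELECT%20user_login%2Cuser_pass%20FROM%20wp_users HTTP/1.1" 200 6010 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2024:10:02:15 +0000] "GET /wp-admin/admin.php?page=wp-responsive-slider-with-lightbox&id=7'%20OR%20'1'%3D'1 HTTP/1.1" 200 6010 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2024:10:03:00 +0000] "GET /wp-admin/edit.php?post_type=page&s=select+a+slider HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Applied to the URL-decoded value of each query parameter. Decoding first is
# what a plain keyword match on the raw request line misses (%20UNION%20SELECT).
INJECTION_RULES = {
    "union_select": re.compile(r"\bUNION\b[\s\S]*?\bSELECT\b", re.I),
    "quoted_boolean": re.compile(r"'\s*(?:OR|AND)\b", re.I),
    "stacked_query": re.compile(r";\s*(?:SELECT|INSERT|UPDATE|DELETE|DROP)\b", re.I),
}


def parse_line(line):
    """Parse one combined-format access log line into a request dict, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    return {
        "ip": m["ip"],
        "ts": m["ts"],
        "method": m["method"],
        "status": m["status"],
        "path": parts.path,
        # parse_qsl URL-decodes names and values (including '+' as space)
        "params": parse_qsl(parts.query, keep_blank_values=True),
    }


def targets_plugin(req):
    """True for wp-admin requests that reference the plugin slug in the path or any parameter."""
    if not req["path"].startswith("/wp-admin/"):
        return False
    haystack = req["path"] + " " + " ".join(value for _, value in req["params"])
    return PLUGIN_SLUG in haystack


def find_injection_attempts(log_text):
    """Return one finding per parameter whose decoded value matches an injection rule.

    Requiring both the plugin slug and an injection pattern keeps ordinary admin
    traffic that happens to contain the word 'select' out of the results.
    """
    findings = []
    for line in log_text.splitlines():
        req = parse_line(line)
        if req is None or not targets_plugin(req):
            continue
        for name, value in req["params"]:
            for rule, pattern in INJECTION_RULES.items():
                if pattern.search(value):
                    findings.append({
                        "ip": req["ip"], "ts": req["ts"], "status": req["status"],
                        "param": name, "value": value, "rule": rule,
                    })
                    break  # one finding per parameter is enough for triage
    return findings


if __name__ == "__main__":
    for f in find_injection_attempts(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} param={f['param']} rule={f['rule']} value={f['value']!r}")
```

On the sample input the two tampered id values are reported and the benign search for "select a slider" on a different admin page is not; in production, join the source address against successful wp-login.php logins to confirm the request came from an authenticated Administrator session, since only that role can reach the flaw.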
