Google Review Slider 6.1 Plugin Vulnerability (CVE-2019-25745)

Security Alert Summary

The WordPress Plugin Google Review Slider 6.1 contains a time-based blind SQL injection vulnerability that allows unauthenticated attackers to inject SQL via the tid parameter. An attacker can send specially crafted GET requests to the plugin’s admin interface to extract sensitive database information using time-based blind SQL techniques.


CVE Details

  • CVE ID: CVE-2019-25745
  • Affected component: WordPress Plugin Google Review Slider 6.1
  • Affected versions: 6.1 (as stated in the description)
  • Published: June 4, 2026 at 2:16:33 PM UTC
  • Last modified: June 4, 2026 at 3:00:40 PM UTC
  • CVSS v3.1: Base score 8.2, Severity: HIGH, Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
  • Authentication / privileges / user interaction: No authentication required (unauthenticated); Privileges required: NONE; User interaction: NONE
  • Primary impact: Confidentiality: HIGH; Integrity: LOW; Availability: NONE
  • Weakness: CWE-89 (SQL Injection)

Technical Details

The vulnerability is a time-based blind SQL injection in the Google Review Slider plugin. The plugin accepts a tid parameter in requests to its admin interface. Insufficient input validation or improper query parameterization allows an attacker to inject SQL payloads into database queries executed by the plugin.

Attackers can send crafted GET requests containing malicious tid values to induce time delays and infer database contents using blind SQL techniques. The description specifies the tid parameter and the admin interface as the vector; no other functions or endpoints are named in the provided data.

The impact is extraction of sensitive database information. Because this is a blind, time-based technique, an attacker may be able to enumerate data slowly without producing visible database errors.


How This Could Impact Your Website

In a realistic scenario, a site owner maintains the site, internal staff manage content, and external contractors or contributors have varying user roles. An unauthenticated attacker exploiting this vulnerability could extract portions of your database that include user-related data. This may expose internal user email addresses and other sensitive records tied to reviews or user accounts.

Exposed email addresses increase the risk of targeted phishing or social engineering against staff or contributors, and may lead to credential theft if attackers combine leaked data with other sources. The vulnerability does not necessarily allow full site takeover based on the provided impact data, but it does pose a significant confidentiality risk.

If you're unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review.


Recommended Actions

  • Update the affected plugin as soon as a patched version is available.
  • Review and reduce unnecessary user roles, especially contributor and editor accounts that are not required.
  • Enforce strong passwords and two-factor authentication for editors and administrators.
  • Remove unused or unmaintained plugins from your site.
  • Monitor site activity and logs for unusual behavior, including unexpected requests to admin endpoints.
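The monitoring step above and the time-based technique described under Technical Details, as an added detection example that is not the plugin's or this advisory's own code: a Python check over constructed access-log lines that flags requests to the admin interface whose tid value is not a plain integer or contains a query-stalling function, and records when such a request was also unusually slow. The admin path, the query string layout and the log format (Apache combined plus the %D duration field) are assumptions; only the tid parameter and the admin interface come from the advisory.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines (not from a real site) in Apache combined format with the
# request duration in microseconds (%D) appended. The admin path is an assumption;
# only the tid parameter and the admin interface come from the advisory.
SAMPLE_LOG = """\
203.0.113.5 - - [04/Jun/2026:14:16:33 +0000] "GET /wp-admin/admin.php?page=reviews&tid=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0" 84000
203.0.113.5 - - [04/Jun/2026:14:16:40 +0000] "GET /wp-admin/admin.php?page=reviews&tid=12%20AND%20SLEEP(5) HTTP/1.1" 200 5120 "-" "Mozilla/5.0" 5091000
203.0.113.5 - - [04/Jun/2026:14:16:47 +0000] "GET /wp-admin/admin.php?page=reviews&tid=12'%20AND%20BENCHMARK(5000000,MD5(1))--%20- HTTP/1.1" 200 5120 "-" "Mozilla/5.0" 4870000
198.51.100.7 - - [04/Jun/2026:14:17:01 +0000] "GET /wp-admin/admin.php?page=reviews&tid=7 HTTP/1.1" 200 5100 "-" "Mozilla/5.0" 91000
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'\d{3} \S+ "[^"]*" "[^"]*" (?P<usec>\d+)$'
)
# SQL functions used to stall a query; a legitimate numeric id never contains them.
DELAY_RE = re.compile(r'\b(SLEEP|BENCHMARK|PG_SLEEP|WAITFOR)\b', re.IGNORECASE)
SLOW_USEC = 3_000_000  # 3 s: far above the ~0.1 s baseline of the normal requests above

def inspect_request(line):
    """Return a finding dict for a suspicious tid request, or None if benign/unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if not url.path.startswith("/wp-admin/"):
        return None
    values = parse_qs(url.query, keep_blank_values=True).get("tid")
    if not values:
        return None
    tid = values[0]  # parse_qs percent-decodes, so %20 is already a space
    reasons = []
    if not tid.isdigit():  # an id should be a plain integer
        reasons.append("non_numeric_tid")
    if DELAY_RE.search(tid):
        reasons.append("time_delay_function")
    # A stall is only evidence when paired with an anomalous value; slow pages alone are noise.
    if reasons and int(m.group("usec")) >= SLOW_USEC:
        reasons.append("slow_response")
    if not reasons:
        return None
    return {"ip": m.group("ip"), "tid": tid, "reasons": reasons}

def scan(log_text):
    """Run inspect_request over every line and collect the findings."""
    return [f for f in map(inspect_request, log_text.splitlines()) if f]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["ip"], repr(f["tid"]), ", ".join(f["reasons"]))
```

Point `scan` at your real access log and adjust `LOG_RE` to your log format; the two flagged lines in the sample come from a single source address, which is the pattern a slow blind enumeration leaves behind.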

If you'd like help reviewing your plugins, user roles, or overall WordPress security posture, our team is happy to help.
