Hello, I'm a new member of the community and I'd like to share my experience with you! I'd like to introduce some vulnerable plugins that allow SQL injection in WordPress, mainly those that are installed in very large numbers. We strongly recommend that you check your version of each plugin and update it if you are running a version that has not been fixed.
What is SQL injection?
Simply put, SQL injection is a technique by which the contents of the WordPress database (which holds all settings and post data) can be rewritten in ways the application never intended. A malicious user who exploits such a flaw can rewrite WordPress posts, strip administrative privileges, and change most of the site's settings.
Many plugins and themes are vulnerable to SQL injection. In many cases the vulnerability has been fixed in a later release, so if you are using one of these plugins, we recommend updating to the latest version.
SQL injection in WordPress itself
It has been reported that WordPress 4.3 or lower has a SQL injection vulnerability in the core files. It is a sanitization-related bug and has been fixed since 4.3.
SQL injection in plugins
Plugin (vulnerable versions, approximate install count):
- WP Statistics: versions below 12.0.8 (300,000 installs)
- NextGEN Gallery: versions below 2.1.57 (million installs)
- Ninja Forms: versions below 2.9.55.2 (600,000 installs)
- All In One WordPress Security and Firewall: versions below 3.8 (400,000 installs)
- Facebook: versions below 1.01 (100,000 installs)
- SEO Plugin by Yoast: versions below 1.7.3.3 (3 million installs)
- WP-Slimstat: versions below 3.9.5 (million installs)
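To act on the advice above (check the version of each plugin against the fixed release), here is an added example, not part of the original post, that compares installed plugin versions numerically against the thresholds listed above. It assumes plugin slugs as WP-CLI prints them (the slug mapping is an assumption) and uses a constructed sample in the shape of `wp plugin list --format=csv --fields=name,status,update,version`.

```python
import csv
import io

# Fixed releases from the post above: a plugin is vulnerable when its
# installed version is strictly lower than the listed release.
# The slug-to-plugin mapping is an assumption, not part of the original post.
FIXED_VERSIONS = {
    "wp-statistics": "12.0.8",
    "nextgen-gallery": "2.1.57",
    "ninja-forms": "2.9.55.2",
    "all-in-one-wp-security-and-firewall": "3.8",
    "facebook": "1.01",
    "wordpress-seo": "1.7.3.3",
    "wp-slimstat": "3.9.5",
}

def parse_version(version):
    """Split '2.9.55.2' into (2, 9, 55, 2) so components compare as numbers.
    A plain string compare would wrongly rank '12.0.10' below '12.0.8'."""
    parts = []
    for piece in version.strip().split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)

def is_vulnerable(slug, version):
    """True when the slug is in the table and the version predates the fix."""
    fixed = FIXED_VERSIONS.get(slug)
    if fixed is None:
        return False
    return parse_version(version) < parse_version(fixed)

def find_vulnerable(csv_text):
    """Return (slug, installed, fixed) for every vulnerable plugin in the CSV."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return [(r["name"], r["version"], FIXED_VERSIONS[r["name"]])
            for r in rows if is_vulnerable(r["name"], r["version"])]

# Constructed sample output, not taken from a real site.
SAMPLE = """name,status,update,version
wp-statistics,active,none,12.0.10
ninja-forms,active,available,2.9.55.1
wordpress-seo,active,none,1.7.3.3
wp-slimstat,inactive,none,3.9.4
akismet,active,none,4.0.8
"""

if __name__ == "__main__":
    for slug, installed, fixed in find_vulnerable(SAMPLE):
        print(f"{slug}: installed {installed}, update to {fixed} or later")
```

Inactive plugins are reported too, since a vulnerable file on disk is still worth updating or removing.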
You can also check for WordPress vulnerabilities here: WordPress Vulnerability Assessment Security Scanner.