Gallery by BestWebSoft < 4.7.0 – Author+ SQL Injection | CVE 2023-0765

Description

The plugin does not properly escape values used in SQL queries, leading to an Blind SQL Injection vulnerability. The attacker must have at least the privileges of an Author, and the vendor's Slider plugin (https://wordpress.org/plugins/slider-bws/) must also be installed for this vulnerability to be exploitable.

Proof of Concept

1. Ensure the "Slider by BestWebSoft" plugin is also installed (https://wordpress.org/plugins/slider-bws/)
2. Go to Galleries > Add New.
3. Click "Add Media" and choose or upload an image.
4. When publishing (or updating) the Gallery, intercept the request and change the POST parameter with name `_gallery_order_12%5B13%5D` (note the `12` and `13` are ID's and will be different in each case). Change the inner ID (the `13` in this example) to the following: `%27%20UNION%20%28SELECT%20IF%281%3D1%2CSLEEP%2810%29%2CSLEEP%285%29%29%29%23`
5. Click on the Settings tab, and click the "Create New Slider" button.
6. Note the request takes 10 seconds, demonstrating the blind SQLi.