CVE-2021-24139
published 2021-03-18


Priority: P277
CVSS 3.1: 9.8 critical (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Tags: ITW, EXPLOIT, VulnCheck KEV
Exploited in the wild: yes
EPSS: 5.42% (91.7th percentile)
Unvalidated input in the Photo Gallery (10Web Photo Gallery) WordPress plugin, versions before 1.5.55, leads to SQL injection via the frontend/models/model.php bwg_search_x parameter.

Affected

1 range
Vendor    Product         Version range   Fixed in
10web     photo_gallery   < 1.5.55        1.5.55

Detection & IOCs (extracted from sources)

path: frontend/models/model.php
  • Monitor HTTP requests carrying the `bwg_search_x` parameter for SQL injection payloads (quotes, UNION SELECT, boolean-based or time-based blind patterns) aimed at the 10Web Photo Gallery plugin endpoint.
  • Installations running 10Web Photo Gallery (WordPress plugin) versions before 1.5.55 are vulnerable; flag or block requests to the affected plugin path on unpatched sites.
  • A Nuclei-style signature fragment among the sources matches on status_code == 200, so exploitation attempts can come back as HTTP 200; do not rely on HTTP error codes alone to filter them out.
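The detection advice above, turned into runnable log triage. This is an added example, not code from the advisory, the plugin or any of the page's sources: it parses combined-format access-log lines, pulls out every `bwg_search_x` value, URL-decodes it (twice, to catch double encoding) and tags it with the SQLi technique the value resembles. The log lines are constructed, and the regex signatures are a starting point rather than a complete SQL grammar. The HTTP status is recorded but never used to drop a hit, for the reason given in the last bullet.

```python
"""Flag requests that carry bwg_search_x with SQL-injection-looking values.

Added illustration for CVE-2021-24139; not the plugin's code and not a
signature taken from the page's sources. Sample log lines are constructed.
"""
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Constructed Apache/nginx combined-format lines; not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [18/Mar/2021:10:01:02 +0000] "GET /?bwg_search_x=flowers HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.11 - - [18/Mar/2021:10:01:05 +0000] "GET /?bwg_search_x=1%27%20AND%20SLEEP(5)--%20 HTTP/1.1" 200 5123 "-" "curl/7.68.0"
203.0.113.12 - - [18/Mar/2021:10:01:09 +0000] "GET /?bwg_search_x=1%27%20UNION%20SELECT%20user_login,user_pass%20FROM%20wp_users--%20 HTTP/1.1" 200 8811 "-" "python-requests/2.25"
203.0.113.13 - - [18/Mar/2021:10:01:12 +0000] "GET /?s=hello%27 HTTP/1.1" 200 4000 "-" "Mozilla/5.0"
203.0.113.14 - - [18/Mar/2021:10:01:15 +0000] "GET /?bwg_search_x=1%22%20OR%201%3D1%23 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
"""

# Signatures keyed by the SQLi technique they hint at. They run on the
# decoded, whitespace-collapsed, lower-cased parameter value.
SIGNATURES = {
    "quote": re.compile(r"['\"`]"),
    "union": re.compile(r"\bunion\b(\s+all)?\s+select\b"),
    "boolean": re.compile(r"\b(or|and)\s+(\d+|'[^']*')\s*=\s*(\d+|'[^']*')"),
    "time-based": re.compile(r"\b(sleep|benchmark|pg_sleep|waitfor\s+delay)\b"),
    "comment": re.compile(r"(--\s|#|/\*)"),
}

# Only the client IP, request target and status code are needed.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)


def normalise(value: str) -> str:
    # parse_qs already decoded once; decode again to defeat double encoding.
    return re.sub(r"\s+", " ", unquote_plus(value)).lower()


def classify(value: str) -> list[str]:
    """Return the signature names that fire on a (once-decoded) value."""
    v = normalise(value)
    return [name for name, rx in SIGNATURES.items() if rx.search(v)]


def analyse_log(text: str) -> list[dict]:
    """Yield one hit per bwg_search_x value that matches any signature."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        query = parse_qs(urlsplit(m["target"]).query, keep_blank_values=True)
        for value in query.get("bwg_search_x", []):
            labels = classify(value)
            if labels:
                # Status is kept for context only. A 200 is exactly what a
                # successful probe against this bug can look like.
                hits.append({
                    "ip": m["ip"],
                    "status": int(m["status"]),
                    "value": unquote_plus(value),
                    "labels": labels,
                })
    return hits


if __name__ == "__main__":
    for hit in analyse_log(SAMPLE_LOG):
        print(f'{hit["ip"]} {hit["status"]} {hit["labels"]} {hit["value"]!r}')
```

Run it on a real access log by replacing `SAMPLE_LOG` with the file contents; three of the five constructed lines are flagged (time-based, UNION, boolean) and the benign search plus the unrelated `s=` parameter are not. Tune `SIGNATURES` to your own false-positive tolerance before wiring it into a WAF rule, since a bare quote in a gallery search is common in legitimate traffic.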

CVSS provenance

Source      Version   Score   Severity   Vector
nvd         v3.1      9.8     CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd         v2.0      7.5     HIGH       AV:N/AC:L/Au:N/C:P/I:P/A:P
vulncheck   -         9.8     CRITICAL   -