Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2021-24139

CWE-89SQL Injection5 documents5 sources
Severity
9.8CRITICAL
EPSS
48.4%
top 2.26%
CISA KEV
Not in KEV
Exploit
PoC available
Public exploit / PoC exists
Affected products
2
Unknown Photo Gallery BY 10web10web Photo Gallery
Timeline
PublishedMar 18
Latest updateMay 24

Description

Unvalidated input in the Photo Gallery (10Web Photo Gallery) WordPress plugin, versions before 1.5.55, leads to SQL injection via the frontend/models/model.php bwg_search_x parameter.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages2 packages

NVD10web/photo_gallery< 1.5.55
CVEListV5unknown/photo_gallery_by_10web1.5.551.5.55

🔴Vulnerability Details

3
GHSA
GHSA-4r2x-685x-rf8p: Unvalidated input in the Photo Gallery (10Web Photo Gallery) WordPress plugin, versions before 12022-05-24
CVEList
Photo Gallery by 10Web < 1.5.55 - Unauthenticated SQL Injection2021-03-18
VulnCheck
10web photo_gallery Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')2021

💥Exploits & PoCs

1
Nuclei
10Web Photo Gallery < 1.5.55 - SQL Injection
CVE-2021-24139 (CRITICAL CVSS 9.8) | Unvalidated input in the Photo Gall | cvebase.io