CVE-2022-0169
published 2022-03-14


Priority: P1 (89) · Severity: critical · CVSS 3.1 base score: 9.8
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploited in the wild: yes (VulnCheck KEV)
EPSS: 74.61% (99.4th percentile)
The Photo Gallery by 10Web WordPress plugin before 1.6.0 does not validate and escape the bwg_tag_id_bwg_thumbnails_0 parameter before using it in a SQL statement via the bwg_frontend_data AJAX action (available to unauthenticated and authenticated users), leading to an unauthenticated SQL injection

Affected

1 range
Vendor   Product         Version range   Fixed in
10web    photo_gallery   < 1.6.0         1.6.0

Detection & IOCs (extracted from sources)

URL: /wp-admin/admin-ajax.php?action=bwg_frontend_data&shortcode_id=1&bwg_tag_id_bwg_thumbnails_0[]=)%22%20union%20select%201,2,3,4,5,6,7,concat(md5({{num}}),%200x2c,%208),9,10,11,12,13,14,15,16,17,18,19,20,21,22,23%20--%20g
  ({{num}} is the probe's canary placeholder; the sources substitute a numeric value such as 999999999, whose MD5 is then looked for in the response)
Path: /wp-content/plugins/photo-gallery
  • Detect exploitation attempts by monitoring GET requests to wp-admin/admin-ajax.php with action=bwg_frontend_data and a UNION-based SQL injection payload in the bwg_tag_id_bwg_thumbnails_0[] parameter.
  • Flag HTTP requests to admin-ajax.php where the 'action' parameter equals 'bwg_frontend_data' and 'bwg_tag_id_bwg_thumbnails_0[]' contains SQL metacharacters such as closing parentheses, quotes, or UNION SELECT keywords.
  • Presence of the path /wp-content/plugins/photo-gallery in HTTP responses fingerprints WordPress installations running the plugin and can be used for targeted scanning (Shodan: http.html:/wp-content/plugins/photo-gallery; FOFA: body=/wp-content/plugins/photo-gallery). The path alone does not reveal the plugin version, so confirm < 1.6.0 separately before treating a host as vulnerable.
  • A successful UNION-based SQLi probe returns an HTTP 200 response whose body contains the MD5 hash of the injected canary value; for the canary 999999999 the sources match on md5(999999999) = 'ee99333ef95e6f3f4b1e1b54e4b9f745' in the response body. If you inject a different canary, match on that value's hash instead.
  • The vulnerability affects Photo Gallery by 10Web plugin versions strictly before 1.6.0; the Metasploit module description states '<= 1.6.0', which is slightly broader. Verify the exact boundary against the patched changeset before tuning version-based suppression rules.
  • The AJAX endpoint is reachable by unauthenticated and authenticated users alike, so WAF rules that exempt authenticated sessions do not reduce exposure; block on the parameter/payload itself regardless of session state.
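The detection guidance above, as an added example that is not part of this page or of the Nuclei/Metasploit artefacts it cites: a small Python scanner that applies the rule (action=bwg_frontend_data plus SQL metacharacters or UNION SELECT in bwg_tag_id_bwg_thumbnails_0[]) to access-log lines, and a helper that checks a response body for the md5 canary. The log lines, addresses, Combined Log Format layout and the "tag ids are integers" allowlist are assumptions made for the example; the canary hash is computed rather than hard-coded, so it stays correct for whatever number you inject.

```python
"""Log-based detection for CVE-2022-0169 exploitation attempts.

Added example for this page; not code from the page's sources, the cited
Nuclei/Metasploit artefacts, or 10Web. The log lines and IPs below are
constructed. Assumes Combined Log Format access logs.
"""
import hashlib
import re
from typing import Optional
from urllib.parse import parse_qsl, unquote, urlsplit

AJAX_PATH = "/wp-admin/admin-ajax.php"
VULN_ACTION = "bwg_frontend_data"
VULN_PARAM = "bwg_tag_id_bwg_thumbnails_0"  # arrives as ..._0[] or ..._0[N]

# Indicators from the page's detection guidance; all matching labels are reported.
SQLI_PATTERNS = (
    ("union_select", re.compile(r"union\s+(all\s+)?select", re.I)),
    ("sql_comment", re.compile(r"--|/\*|#")),
    ("quote", re.compile(r"['\"`]")),
    ("paren", re.compile(r"[()]")),
)

# Combined Log Format: ip ident user [ts] "METHOD target proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Constructed sample lines (assumption): one UNION probe, one benign request,
# one unrelated AJAX action, one POST whose body an access log cannot show.
SAMPLE_LOG = r'''
203.0.113.10 - - [14/Mar/2022:10:01:02 +0000] "GET /wp-admin/admin-ajax.php?action=bwg_frontend_data&shortcode_id=1&bwg_tag_id_bwg_thumbnails_0[]=)%22%20union%20select%201,2,3,4,5,6,7,concat(md5(999999999),%200x2c,%208),9,10,11,12,13,14,15,16,17,18,19,20,21,22,23%20--%20g HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.7 - - [14/Mar/2022:10:01:05 +0000] "GET /wp-admin/admin-ajax.php?action=bwg_frontend_data&shortcode_id=1&bwg_tag_id_bwg_thumbnails_0[]=3 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [14/Mar/2022:10:01:09 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 64 "-" "Mozilla/5.0"
203.0.113.10 - - [14/Mar/2022:10:02:00 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 128 "-" "curl/7.81"
'''


def decode_param(value: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so double-encoded payloads (%2522 -> %22 -> ")
    are inspected in their final form."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_request(method: str, target: str) -> Optional[dict]:
    """Return a finding for a request line matching the exploitation pattern,
    else None. Only the URL is visible here: admin-ajax.php also accepts POST
    bodies, which an access log does not record, so pair this with a WAF rule."""
    parts = urlsplit(target)
    if not parts.path.endswith(AJAX_PATH):
        return None
    params = parse_qsl(parts.query, keep_blank_values=True)  # decodes once
    action = next((v for k, v in params if k == "action"), None)
    if action != VULN_ACTION:
        return None
    labels = []
    for key, value in params:
        if not unquote(key).startswith(VULN_PARAM):
            continue
        decoded = decode_param(value)
        if re.fullmatch(r"\d+", decoded):  # allowlist (assumption): integer tag ids
            continue
        hits = [name for name, rx in SQLI_PATTERNS if rx.search(decoded)]
        labels.extend(hits or ["non_numeric"])
    if not labels:
        return None
    return {
        "method": method,
        "action": action,
        "indicators": sorted(set(labels)),
        "severity": "high" if "union_select" in labels else "medium",
    }


def parse_log_line(line: str) -> Optional[dict]:
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def scan_log(text: str) -> list:
    """Run inspect_request over every parseable line; return the findings."""
    findings = []
    for line in text.splitlines():
        entry = parse_log_line(line)
        if not entry:
            continue
        hit = inspect_request(entry["method"], entry["target"])
        if hit:
            hit.update(ip=entry["ip"], ts=entry["ts"], status=entry["status"])
            findings.append(hit)
    return findings


def canary_hash(num: str = "999999999") -> str:
    """MySQL's md5() hashes the decimal text of the injected number, so hashing
    the ASCII digits here yields the same value the probe expects to see."""
    return hashlib.md5(num.encode("ascii")).hexdigest()


def response_confirms_injection(body: str, num: str = "999999999") -> bool:
    """A successful UNION probe echoes md5(num) into the HTTP 200 body."""
    return canary_hash(num) in body


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f)
    print("canary:", canary_hash())
```

Run as-is and only the first constructed line is reported (indicators paren, quote, sql_comment, union_select; severity high); the benign integer request, the unrelated action and the POST are not. The POST line is the caveat: nothing in an access log shows its body, so log review catches GET-based scanning while a WAF or request-body logging is needed to see the same payload sent via POST.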

CVSS provenance

NVD, CVSS v3.1: 9.8 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
NVD, CVSS v2.0: 7.5 HIGH (AV:N/AC:L/Au:N/C:P/I:P/A:P)
VulnCheck: 9.8 CRITICAL