CVE-2022-0169
Published 2022-03-14
Priority: P189 · critical 9.8 (CVSS 3.1)
CVSS 3.1 vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 74.61% (99.4th percentile)
The Photo Gallery by 10Web WordPress plugin before 1.6.0 does not validate and escape the bwg_tag_id_bwg_thumbnails_0 parameter before using it in a SQL statement via the bwg_frontend_data AJAX action (available to unauthenticated and authenticated users), leading to an unauthenticated SQL injection
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| 10web | photo_gallery | < 1.6.0 | 1.6.0 |
Detection & IOCs (extracted from sources)
URL: /wp-admin/admin-ajax.php?action=bwg_frontend_data&shortcode_id=1&bwg_tag_id_bwg_thumbnails_0[]=)%22%20union%20select%201,2,3,4,5,6,7,concat(md5({{num}}),%200x2c,%208),9,10,11,12,13,14,15,16,17,18,19,20,21,22,23%20--%20g
- Detect exploitation attempts by monitoring GET requests to wp-admin/admin-ajax.php with action=bwg_frontend_data and a UNION-based SQL injection payload in the bwg_tag_id_bwg_thumbnails_0[] parameter.
- Flag HTTP requests to admin-ajax.php where the 'action' parameter equals 'bwg_frontend_data' and 'bwg_tag_id_bwg_thumbnails_0[]' contains SQL metacharacters such as closing parentheses, quotes, or UNION SELECT keywords.
- Presence of the path /wp-content/plugins/photo-gallery in HTTP responses can be used to fingerprint vulnerable WordPress installations for targeted scanning (Shodan: http.html:/wp-content/plugins/photo-gallery; FOFA: body=/wp-content/plugins/photo-gallery).
- A successful blind/UNION SQLi probe returns an HTTP 200 response whose body contains the MD5 hash of the injected canary value; match on md5(999999999) = 'ee99333ef95e6f3f4b1e1b54e4b9f745' in the response body.
- The vulnerability affects Photo Gallery by 10Web plugin versions strictly before 1.6.0; the Metasploit module description states '<= 1.6.0', which is slightly broader. Verify the exact boundary against the patched changeset before tuning version-based suppression rules.
- The AJAX endpoint is accessible to both unauthenticated and authenticated users, meaning authentication-based WAF bypass rules will not reduce exposure; block at the parameter/payload level regardless of session state.
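The detection bullets above describe a request-level signature (path, action name, and SQL metacharacters in the tag-id parameter). The script below is an added example, not code from any of the cited sources, that applies that signature to a few constructed access-log lines. The combined-log format, the sample client addresses, and the helper names `scan_log` and `is_exploit_attempt` are assumptions made for the example; only the endpoint, the `bwg_frontend_data` action and the `bwg_tag_id_bwg_thumbnails_0[]` parameter come from the advisory. Values are URL-decoded a second time so that a double-encoded probe does not slip past the metacharacter check.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (not real traffic): a benign gallery
# request, a UNION-based probe of the bwg_tag_id_bwg_thumbnails_0[] parameter,
# and a request to an unrelated AJAX action that must not be flagged.
SAMPLE_LOG = """\
203.0.113.10 - - [14/Mar/2022:10:01:02 +0000] "GET /wp-admin/admin-ajax.php?action=bwg_frontend_data&shortcode_id=1&bwg_tag_id_bwg_thumbnails_0[]=7 HTTP/1.1" 200 4182
203.0.113.11 - - [14/Mar/2022:10:01:05 +0000] "GET /wp-admin/admin-ajax.php?action=bwg_frontend_data&shortcode_id=1&bwg_tag_id_bwg_thumbnails_0[]=)%22%20union%20select%201,2,3 HTTP/1.1" 200 5120
203.0.113.12 - - [14/Mar/2022:10:01:09 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 61
"""

# Minimal combined-log parser: client, timestamp, request target and status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Metacharacters and keywords called out in the detection guidance:
# closing parenthesis, quotes, UNION / SELECT, and the SQL comment marker.
SQLI_RE = re.compile(r"""[)'"]|\bunion\b|\bselect\b|--""", re.IGNORECASE)

# Names from the advisory; the path suffix is the standard WordPress location.
AJAX_PATH = "/wp-admin/admin-ajax.php"
ACTION = "bwg_frontend_data"
PARAM = "bwg_tag_id_bwg_thumbnails_0[]"


def is_exploit_attempt(target: str) -> bool:
    """True when a request target matches the CVE-2022-0169 exploitation pattern."""
    parts = urlsplit(target)
    if not parts.path.endswith(AJAX_PATH):
        return False
    qs = parse_qs(parts.query, keep_blank_values=True)
    if qs.get("action", [""])[0] != ACTION:
        return False
    # parse_qs already decodes one layer; unquote again so a double-encoded
    # payload (e.g. %2529 for ')') is still inspected in its decoded form.
    values = qs.get(PARAM, [])
    return any(SQLI_RE.search(unquote(v)) for v in values)


def scan_log(text: str) -> list[dict]:
    """Return one record per log line that matches the exploitation signature."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m is None:
            continue  # unparsable line; a production pipeline would count these
        if is_exploit_attempt(m["target"]):
            hits.append(
                {"ip": m["ip"], "ts": m["ts"], "status": m["status"], "target": m["target"]}
            )
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} status={hit['status']} {hit['target']}")
```

Because the endpoint accepts unauthenticated requests, the rule keys only on path, action and parameter content and deliberately ignores cookies or session state. The HTTP status is carried along in each hit so an analyst can pair 200 responses with the response-body canary check described above when confirming whether a probe actually succeeded.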
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| vulncheck | | 9.8 | CRITICAL | |
GHSA
GHSA-3hxm-xw7j-7rgj: The Photo Gallery by 10Web WordPress plugin before 1
ghsa_unreviewed · 2022-03-15 · CVE-2022-0169 · CRITICAL · CWE-89
The Photo Gallery by 10Web WordPress plugin before 1.6.0 does not validate and escape the bwg_tag_id_bwg_thumbnails_0 parameter before using it in a SQL statement via the bwg_frontend_data AJAX action (available to unauthenticated and authenticated users), leading to an unauthenticated SQL injection
VulnCheck
10web photo_gallery Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
vulncheck · 2022 · CVSS 9.8 · CRITICAL · CVE-2022-0169
The Photo Gallery by 10Web WordPress plugin before 1.6.0 does not validate and escape the bwg_tag_id_bwg_thumbnails_0 parameter before using it in a SQL statement via the bwg_frontend_data AJAX action (available to unauthenticated and authenticated users), leading to an unauthenticated SQL injection
Affected: 10web photo_gallery
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://app.crowdsec.net/cti/cve-explorer/CVE-2022-0169
Exploit PoC: https://vulncheck.com/xdb/c23f138a5eb3
No detection rules found.
Nuclei
Photo Gallery by 10Web < 1.6.0 - SQL Injection
nuclei · CVSS 9.8 · CRITICAL · CVE-2022-0169
The Photo Gallery by 10Web WordPress plugin before 1.6.0 does not validate and escape the bwg_tag_id_bwg_thumbnails_0 parameter before using it in a SQL statement via the bwg_frontend_data AJAX action (available to unauthenticated and authenticated users), leading to an unauthenticated SQL injection
Template:

```yaml
id: CVE-2022-0169

info:
  name: Photo Gallery by 10Web < 1.6.0 - SQL Injection
  author: ritikchaddha,princechaddha
  severity: critical
  description: |
    The Photo Gallery by 10Web WordPress plugin before 1.6.0 does not validate and escape the bwg_tag_id_bwg_thumbnails_0 parameter before using it in a SQL statement via the bwg_frontend_data AJAX action (available to unauthenticated and authenticated users), leading to an unauthenticated SQL i
```
Metasploit
WordPress Photo Gallery Plugin SQL Injection (CVE-2022-0169)
metasploit · CVSS 9.8 · CRITICAL
The Photo Gallery by 10Web WordPress plugin <= 1.6.0 is vulnerable to unauthenticated SQL injection via the 'bwg_tag_id_bwg_thumbnails_0[]' parameter in admin-ajax.php (action=bwg_frontend_data).