Lucene search
Dc11WPEX-ID:2699CEFA-1CAE-4EF3-AD81-7F3DB3FCCE25HistoryMar 27, 2023 - 12:00 a.m.
Gallery by BestWebSoft < 4.7.0 - Author+ SQL Injection
2023-03-2700:00:00
dc11
59
wordpress
sql injection
bestwebsoft
security
blind sqli
plugin
image gallery
0.001 Low
EPSS
Percentile
28.6%
The plugin does not properly escape values used in SQL queries, leading to an Blind SQL Injection vulnerability. The attacker must have at least the privileges of an Author, and the vendor’s Slider plugin (https://wordpress.org/plugins/slider-bws/) must also be installed for this vulnerability to be exploitable.
1. Ensure the "Slider by BestWebSoft" plugin is also installed (https://wordpress.org/plugins/slider-bws/)
2. Go to Galleries > Add New.
3. Click "Add Media" and choose or upload an image.
4. When publishing (or updating) the Gallery, intercept the request and change the POST parameter with name `_gallery_order_12%5B13%5D` (note the `12` and `13` are ID's and will be different in each case). Change the inner ID (the `13` in this example) to the following: `%27%20UNION%20%28SELECT%20IF%281%3D1%2CSLEEP%2810%29%2CSLEEP%285%29%29%29%23`
5. Click on the Settings tab, and click the "Create New Slider" button.
6. Note the request takes 10 seconds, demonstrating the blind SQLi.Related
cve
cve
CVE-2023-0765
2023-04-17 13:15:37
wpvulndb
wpvulndb
Gallery by BestWebSoft < 4.7.0 - Author+ SQL Injection
2023-03-27 00:00:00
prion
prion
Sql injection
2023-04-17 13:15:00
cvelist
cvelist
CVE-2023-0765 Gallery by BestWebSoft < 4.7.0 - Author+ SQL Injection
2023-04-17 12:17:39
nvd
nvd
CVE-2023-0765
2023-04-17 13:15:37
wordfence
wordfence