The plugin does not properly escape values used in SQL queries, leading to an Blind SQL Injection vulnerability. The attacker must have at least the privileges of an Author, and the vendor’s Slider plugin (https://wordpress.org/plugins/slider-bws/) must also be installed for this vulnerability to be exploitable.
1. Ensure the “Slider by BestWebSoft” plugin is also installed (https://wordpress.org/plugins/slider-bws/) 2. Go to Galleries > Add New. 3. Click “Add Media” and choose or upload an image. 4. When publishing (or updating) the Gallery, intercept the request and change the POST parameter with name _gallery_order_12%5B13%5D
(note the 12
and 13
are ID’s and will be different in each case). Change the inner ID (the 13
in this example) to the following: %27%20UNION%20%28SELECT%20IF%281%3D1%2CSLEEP%2810%29%2CSLEEP%285%29%29%29%23
5. Click on the Settings tab, and click the “Create New Slider” button. 6. Note the request takes 10 seconds, demonstrating the blind SQLi.
CPE | Name | Operator | Version |
---|---|---|---|
gallery-plugin | lt | 4.7.0 |