PT-2015-5262 · WordPress · Photo Gallery
Published
2015-02-02
·
Updated
2019-07-08
·
CVE-2015-1393
CVSS v2.0
6.5
Medium
| Vector | AV:N/AC:L/Au:S/C:P/I:P/A:P |
Name of the Vulnerable Software and Affected Versions
Photo Gallery plugin versions prior to 1.2.11 for WordPress
Description
The issue allows remote authenticated users to execute arbitrary SQL commands. This is achieved via the
asc or desc parameter in a create gallery request in the "galleries bwg" page to "wp-admin/admin.php".Recommendations
For versions prior to 1.2.11, update to version 1.2.11 or later to resolve the issue. As a temporary workaround, consider restricting access to the "galleries bwg" page in "wp-admin/admin.php" to minimize the risk of exploitation. Avoid using the
asc or desc parameter in the affected API endpoint until the issue is resolved.Exploit
Fix
SQL injection
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Photo Gallery