CVE-2022-0169
📋 TL;DR
This vulnerability allows unauthenticated attackers to execute arbitrary SQL commands on WordPress sites using the Photo Gallery by 10Web plugin. Attackers can potentially steal sensitive data, modify database content, or gain administrative access. All WordPress sites with vulnerable plugin versions are affected.
💻 Affected Systems
- Photo Gallery by 10Web WordPress plugin
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the WordPress database including credential theft, data exfiltration, privilege escalation to administrator, and potential server takeover via SQL injection to RCE chaining.
Likely Case
Data theft from WordPress database including user credentials, sensitive content, and plugin data, potentially leading to site defacement or unauthorized access.
If Mitigated
Limited impact if proper WAF rules block SQL injection patterns and database user has minimal privileges.
🎯 Exploit Status
SQL injection via bwg_tag_id_bwg_thumbnails_0 parameter in bwg_frontend_data AJAX endpoint requires minimal technical skill to exploit.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.6.0
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/2672822/photo-gallery#file9
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find 'Photo Gallery by 10Web'.
4. Click 'Update Now' if an update is available.
5. If no update is available, download version 1.6.0 or later from the WordPress plugin repository and update manually.
🔧 Temporary Workarounds
Disable vulnerable AJAX endpoint
Block access to the vulnerable bwg_frontend_data AJAX action using .htaccess or a web application firewall. Note that the rewrite rule below inspects only the query string, so an action parameter sent in a POST body is not matched by it; blocking that case needs a WAF rule that inspects request bodies.
# Add to .htaccess (RewriteEngine On must already be enabled, as in the default WordPress .htaccess):
RewriteCond %{QUERY_STRING} action=bwg_frontend_data [NC]
RewriteRule ^.*$ - [F,L]
Temporary plugin deactivation
Deactivate the Photo Gallery plugin until it is patched
wp plugin deactivate photo-gallery
🧯 If You Can't Patch
- Implement WAF rules to block SQL injection patterns targeting the bwg_frontend_data endpoint
- Restrict database user permissions to SELECT only for the plugin's database tables
🔍 How to Verify
Check if Vulnerable:
Check the version number of Photo Gallery by 10Web under WordPress admin panel > Plugins. If the version is below 1.6.0, the site is vulnerable.
Check Version:
wp plugin get photo-gallery --field=version
Verify Fix Applied:
Confirm that the plugin version is 1.6.0 or higher in the WordPress admin panel, and test the AJAX endpoint with SQL injection payloads to ensure they are blocked.
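The version check above is easy to get wrong when scripted, because comparing version strings lexically puts "1.10.2" below "1.6.0". The following helper, added here as an example and not part of the advisory or the plugin, parses the output of the wp-cli command shown above into numeric tuples before comparing against the fix version 1.6.0; the wp binary being on PATH and the `--path` global option are assumptions about the environment.

```python
import re
import subprocess

FIXED_VERSION = (1, 6, 0)  # first patched release named in the advisory


def parse_version(text):
    """Turn '1.5.9' (or '1.5.9-beta', '1.6') into a comparable tuple of ints."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    # pad to three components so '1.6' compares equal to '1.6.0'
    return parts + (0,) * (3 - len(parts))


def is_vulnerable(version_text):
    """True when the installed version predates the 1.6.0 fix."""
    return parse_version(version_text) < FIXED_VERSION


def installed_version(site_path="."):
    """Run the advisory's wp-cli command (assumes wp is on PATH) and return the version."""
    out = subprocess.run(
        ["wp", "plugin", "get", "photo-gallery", "--field=version", f"--path={site_path}"],
        capture_output=True, text=True, check=True,
    )
    return out.stdout.strip()


if __name__ == "__main__":
    v = installed_version()
    print(f"photo-gallery {v}: {'VULNERABLE' if is_vulnerable(v) else 'patched'}")
```

Run it from the WordPress root, or pass the site path to `installed_version`; the numeric comparison is what keeps a site on 1.10.x from being misreported as vulnerable.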
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL errors in WordPress debug logs
- Multiple requests to /wp-admin/admin-ajax.php with action=bwg_frontend_data and SQL injection patterns
- Database query errors containing bwg_tag_id_bwg_thumbnails_0 parameter
Network Indicators:
- HTTP POST requests to /wp-admin/admin-ajax.php with SQL injection payloads in parameters
- Unusual database connection patterns from web server
SIEM Query:
source="wordpress.log" AND "bwg_frontend_data" AND ("UNION" OR "SELECT" OR "INSERT" OR "UPDATE" OR "DELETE" OR "' OR '" OR "--" OR ";")
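The log indicators and SIEM query above can be checked directly against a web server access log. The scanner below is an added example, not part of the advisory, and runs over constructed Apache combined-format lines embedded in the block (not real traffic): it picks out admin-ajax.php requests whose decoded query string carries action=bwg_frontend_data, grades them by whether an injection marker from the SIEM query appears in the bwg_tag_id_bwg_thumbnails_0 parameter, and counts hits per source IP to surface the "multiple requests" indicator. Requests that carry the action in a POST body cannot be classified from an access log and are skipped, which is the same caveat that applies to the .htaccess workaround.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in Apache "combined" format; not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2022:10:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=bwg_frontend_data&bwg_tag_id_bwg_thumbnails_0=3 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jan/2022:10:00:02 +0000] "GET /wp-admin/admin-ajax.php?action=bwg_frontend_data&bwg_tag_id_bwg_thumbnails_0=3%29%20UNION%20SELECT%201--%20- HTTP/1.1" 500 0 "-" "python-requests/2.27"
198.51.100.7 - - [10/Jan/2022:10:00:03 +0000] "GET /index.php?p=12 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jan/2022:10:00:04 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 300 "-" "python-requests/2.27"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Injection markers taken from the advisory's SIEM query, matched case-insensitively
SQLI_RE = re.compile(r"\b(union|select|insert|update|delete)\b|'\s*or\s*'|--|;", re.IGNORECASE)

VULN_PARAM = "bwg_tag_id_bwg_thumbnails_0"


def analyse_line(line):
    """Return a finding dict for one access-log line, or None if it is not of interest."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    url = urlsplit(m.group("target"))
    if not url.path.endswith("/wp-admin/admin-ajax.php"):
        return None
    # parse_qs percent-decodes values, so encoded payloads are inspected in clear form
    params = parse_qs(url.query, keep_blank_values=True)
    if params.get("action") != ["bwg_frontend_data"]:
        # A POST carries 'action' in the body, which the access log never records;
        # those requests need a WAF or application log to classify.
        return None
    finding = {
        "ip": m.group("ip"),
        "ts": m.group("ts"),
        "status": int(m.group("status")),
        "severity": "info",  # plain use of the endpoint is normal gallery traffic
    }
    if any(SQLI_RE.search(v) for v in params.get(VULN_PARAM, [])):
        finding["severity"] = "high"    # marker inside the vulnerable parameter
    elif any(SQLI_RE.search(v) for vals in params.values() for v in vals):
        finding["severity"] = "medium"  # marker elsewhere in the same request
    return finding


def scan(log_text):
    """Scan a whole log; return findings and a per-IP count of bwg_frontend_data hits."""
    findings = [f for f in map(analyse_line, log_text.splitlines()) if f]
    per_ip = Counter(f["ip"] for f in findings)
    return findings, per_ip


if __name__ == "__main__":
    results, by_ip = scan(SAMPLE_LOG)
    for r in results:
        print(f"{r['severity']:6} {r['ip']} {r['ts']} HTTP {r['status']}")
    print("hits per IP:", dict(by_ip))
```

Point `scan` at a real access log read from disk; a "high" finding paired with an HTTP 500 (the database error the log indicators describe) is the strongest signal, while a burst of "info" hits from one IP is the volume indicator worth correlating with WAF logs.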