VYPR
Unrated severity · NVD Advisory · Published Jan 16, 2015 · Updated May 6, 2026

CVE-2015-1055

Description

SQL injection vulnerability in the Photo Gallery plugin 1.2.7 for WordPress allows remote attackers to execute arbitrary SQL commands via the order_by parameter in a GalleryBox action to wp-admin/admin-ajax.php.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The Photo Gallery plugin 1.2.7 for WordPress contains an unauthenticated SQL injection in the order_by parameter via the GalleryBox AJAX action.

Vulnerability

The Photo Gallery plugin version 1.2.7 and likely prior versions for WordPress are vulnerable to a blind SQL injection in the order_by parameter when processing a GalleryBox action via wp-admin/admin-ajax.php [1]. The vulnerable endpoint is reachable without authentication. The parameter is not properly sanitized, allowing an attacker to inject malicious SQL commands. The affected plugin has been downloaded nearly 500,000 times [1].

Exploitation

An unauthenticated remote attacker can exploit this vulnerability by sending a crafted HTTP GET request to the vulnerable endpoint [1]. The attack requires that at least one gallery exists with at least one image uploaded [1]. The characters < and > are filtered to their HTML entity equivalents, so exploitation typically uses the BETWEEN keyword (e.g., via sqlmap's --tamper=between). The attacker must also determine a valid gallery ID, which can be brute-forced [1]. The injection occurs in the order_by parameter in the request; the full request is sent to /wp-admin/admin-ajax.php with the action=GalleryBox parameter [1].

Impact

Successful exploitation allows an attacker to execute arbitrary SQL commands on the WordPress database backend [1]. This can lead to extraction of sensitive data such as user credentials, posts, and configuration details. The attack is blind (boolean- or time-based), meaning data is retrieved through observable differences in response timing or behavior. The impact is high as it can compromise the entire WordPress instance.

Mitigation

As of the disclosure date (January 2015), the vulnerability has not been patched in the public version 1.2.7 or earlier [1]. Users should upgrade to a fixed version if and when it becomes available. No workaround is provided in the reference. If the plugin is no longer maintained, consider disabling or removing it.

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

Root cause

"The `order_by` parameter is directly concatenated into an SQL query without sanitization or parameterization, enabling SQL injection [CWE-89]."

Attack vector

An unauthenticated remote attacker sends a crafted GET request to `wp-admin/admin-ajax.php` with the `action=GalleryBox` parameter and injects SQL syntax into the `order_by` parameter [ref_id=1]. The attacker must also provide valid `gallery_id` and `image_id` values corresponding to an existing gallery containing at least one image [ref_id=1]. Because the `

Affected code

The vulnerable parameter is `order_by` in the `GalleryBox` AJAX action handled by the Photo Gallery plugin version 1.2.7 for WordPress. The plugin fails to sanitize this parameter before incorporating it into an SQL query, as demonstrated by the researcher's proof-of-concept request targeting `wp-admin/admin-ajax.php` [ref_id=1].

What the fix does

No patch is included in the bundle. The advisory does not specify whether a fix was ever released for version 1.2.7 [ref_id=1]. To remediate, the plugin should properly escape or parameterize the `order_by` input before using it in an SQL query, preventing special characters from altering the query structure [CWE-89].
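The remediation described above and the concatenation pattern named under Root cause, as an added example that is not the plugin's or the advisory's own code. The practical point is that an ORDER BY identifier cannot be protected with a `%s`/`%d` placeholder the way the integer ids can, so the fix has to map the untrusted `order_by` value onto a fixed set of column names and directions and fall back to a default when the value is anything else. The column names, function names and table name are assumptions; the unsafe function is a hypothetical reconstruction of the CWE-89 pattern, not the plugin's actual code.

```php
<?php
// Added example, not code from the Photo Gallery plugin. Column names, the table
// name and all function names below are assumptions for illustration.

// UNSAFE (hypothetical reconstruction of the root cause): the raw request value
// becomes SQL text, so a comma, subquery or comment marker in order_by is
// executed as part of the statement.
function galleryboxOrderUnsafe(string $orderBy): string
{
    return 'ORDER BY ' . $orderBy;
}

// Allow-lists for the identifier part of the query (assumed column names).
const GALLERYBOX_ORDER_COLUMNS = ['order', 'alt', 'date', 'filename'];

/**
 * Map an untrusted order_by value onto a fixed ORDER BY fragment.
 * Accepts only "<column>" or "<column> <asc|desc>" where <column> is in the
 * allow-list; returns null for anything else so the caller uses a default.
 * The request value itself never reaches the SQL string: only the
 * allow-listed column name and a normalised direction do.
 */
function galleryboxOrderClause(?string $orderBy): ?string
{
    if ($orderBy === null) {
        return null;
    }
    if (!preg_match('/^([a-z_]+)(?:\s+(asc|desc))?$/i', trim($orderBy), $m)) {
        return null; // commas, parentheses, quotes, comment markers all fail here
    }
    $column = strtolower($m[1]);
    $direction = strtoupper($m[2] ?? 'asc'); // unmatched group is absent from $m
    if (!in_array($column, GALLERYBOX_ORDER_COLUMNS, true)) {
        return null; // syntactically clean but not a column we sort by
    }
    return sprintf('ORDER BY `%s` %s', $column, $direction);
}

/**
 * Build the image lookup for the GalleryBox action. Integer ids are cast so no
 * request text is interpolated; inside WordPress the equivalent is
 * $wpdb->prepare('... gallery_id = %d AND id = %d ...', $galleryId, $imageId).
 * The table name is an assumption.
 */
function galleryboxSelectSql(int $galleryId, int $imageId, ?string $orderBy): string
{
    $order = galleryboxOrderClause($orderBy) ?? 'ORDER BY `order` ASC';
    return sprintf(
        'SELECT * FROM wp_gallery_images WHERE gallery_id = %d AND id = %d %s',
        $galleryId,
        $imageId,
        $order
    );
}

// Constructed inputs: one legitimate value, one unknown column, and the
// time-based payload quoted in this advisory's Reproduction section.
$candidates = [
    'date desc',
    'id',
    'asc,(SELECT 1 FROM (SELECT SLEEP(5))a) -- -',
];
foreach ($candidates as $candidate) {
    printf("%-48s -> %s\n", $candidate, galleryboxSelectSql(1, 1, $candidate));
}
```

Run with `php example.php`: the first input sorts by `date DESC`, the other two fall back to the default ORDER BY because they never match an allow-listed column. WordPress core's `sanitize_sql_orderby()` rejects most injection syntax too, but it does not know which columns the plugin actually has, so an explicit allow-list is the stricter choice for a fixed set of sort keys.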

Preconditions

  • config: The WordPress site must have the Photo Gallery plugin version 1.2.7 installed and activated.
  • config: At least one gallery must exist containing at least one image.
  • auth: No authentication is required; the attacker can be unauthenticated.
  • network: The attacker must be able to send HTTP GET requests to the WordPress admin-ajax.php endpoint.
  • input: The attacker supplies malicious SQL in the order_by parameter.

Reproduction

1. Ensure a WordPress installation has the Photo Gallery plugin v1.2.7 active and contains at least one gallery with an image.
2. Send a GET request to `wp-admin/admin-ajax.php` with parameters including `action=GalleryBox`, `gallery_id=1`, `image_id=1`, and a malicious SQL payload in the `order_by` parameter (e.g., `asc,(SELECT 1 FROM (SELECT SLEEP(5))a) -- -`).
3. Observe a time delay in the response, confirming blind SQL injection [ref_id=1].

Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 2

News mentions: 0 (no linked articles in our index yet)