CVE-2017-12977
Description
The Web-Dorado "Photo Gallery by WD - Responsive Photo Gallery" plugin before 1.3.51 for WordPress has a SQL injection vulnerability related to bwg_edit_tag() in photo-gallery.php and edit_tag() in admin/controllers/BWGControllerTags_bwg.php. It is exploitable by administrators via the tag_id parameter.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
SQL injection in Photo Gallery by WD plugin before 1.3.51 allows administrators to execute arbitrary SQL via the tag_id parameter.
Vulnerability
The Web-Dorado "Photo Gallery by WD - Responsive Photo Gallery" plugin for WordPress versions before 1.3.51 contains a SQL injection vulnerability in the bwg_edit_tag() function in photo-gallery.php and the edit_tag() function in admin/controllers/BWGControllerTags_bwg.php. The vulnerability is triggered via the tag_id parameter, which is not properly sanitized before being used in SQL queries. This issue affects all installations using plugin versions prior to 1.3.51 [2].
Exploitation
An attacker with administrator-level access to the WordPress admin panel can exploit this vulnerability by sending a crafted HTTP request to the tag editing functionality with a malicious tag_id parameter. The attacker does not need any special privileges beyond admin, but must be authenticated. The injection occurs when the plugin processes the tag_id value without proper escaping, allowing the attacker to append arbitrary SQL commands [2].
Impact
Successful exploitation allows an authenticated administrator to execute arbitrary SQL commands against the WordPress database. This can lead to unauthorized reading or modification of sensitive data, including user credentials, posts, and configuration settings. In some scenarios, the attacker may be able to escalate privileges or gain further access to the server [2].
Mitigation
The vulnerability is fixed in version 1.3.51 of the plugin, released on or before August 21, 2017. Users should update to this version or later immediately. No workarounds are available for older versions. The plugin is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog as of the publication date [1][2].
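The pattern described above, as an added illustration that is not the plugin's own code: a hypothetical WordPress handler that concatenates tag_id into a query, beside the hardened form that validates the id as a positive integer and binds it with $wpdb->prepare(). The table name, function names and the FakeWpdb stub are placeholders so the file runs outside WordPress.

```php
<?php
// Hypothetical reconstruction of the tag_id handling bug class, not the
// plugin's code. Placeholder table name; stubs stand in for WordPress core.

// Stand-ins so this runs outside WordPress; in a plugin, $wpdb and absint()
// come from core and these stubs must be removed.
if (!function_exists('absint')) {
    function absint($v) { return abs((int) $v); }
}
class FakeWpdb {
    public $prefix = 'wp_';
    // Mimics $wpdb->prepare() for a single %d placeholder: the value is cast
    // to int, so it can never carry SQL syntax into the statement.
    public function prepare($query, $value) {
        return preg_replace('/%d/', (string) (int) $value, $query, 1);
    }
}

// Vulnerable shape (the class the advisory describes): the raw request
// value is concatenated into the statement, so tag_id can alter the query.
function edit_tag_vulnerable($wpdb, $tag_id) {
    return "SELECT * FROM {$wpdb->prefix}placeholder_tags WHERE id = " . $tag_id;
}

// Hardened shape: tag_id is a row identifier, so it must be a positive
// integer. Validate first, then bind with prepare() so the value is cast
// and never interpreted as SQL.
function edit_tag_hardened($wpdb, $tag_id) {
    if (!ctype_digit((string) $tag_id) || (int) $tag_id <= 0) {
        return null; // reject: caller returns an error instead of querying
    }
    return $wpdb->prepare(
        "SELECT * FROM {$wpdb->prefix}placeholder_tags WHERE id = %d",
        absint($tag_id)
    );
}

$wpdb = new FakeWpdb();
var_dump(edit_tag_hardened($wpdb, '7'));        // query with "id = 7"
var_dump(edit_tag_hardened($wpdb, '7 OR 1=1')); // NULL: rejected before SQL
```

In a real handler the same request should also pass a capability check and a nonce check (current_user_can() and check_admin_referer()) before reaching this code; the advisory notes the endpoint is already admin-only, so the integer validation and prepared statement are what close the injection.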
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <1.3.51
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- [1] github.com/jgj212/Advisories/blob/master/photo-gallery.1.3.50-SQL (NVD: Third Party Advisory)
- [2] wordpress.org/plugins/photo-gallery/ (NVD: Release Notes, Third Party Advisory)
News mentions
No linked articles in our index yet.