CVE-2022-0169

CRITICAL EXPLOITED NUCLEI

WordPress Photo Gallery Plugin SQL Injection (CVE-2022-0169)

Title source: metasploit
STIX 2.1

Exploitation Summary

CVE-2022-0169 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 2 public exploits from researchers X3RX3SSec, Krzysztof Zając, Valentin Lobstein and X3RX3S, including the Metasploit module auxiliary/gather/wp_photo_gallery_sqli. A Nuclei detection template is also available.

AI-analyzed exploit summary: This is a functional Python PoC for CVE-2022-0169, an SQL injection vulnerability in the WordPress Photo Gallery plugin. It exploits the vulnerable `admin-ajax.php` endpoint to dump the `wp_users` table (usernames and password hashes) and optionally cracks the hashes with hashcat.

Description

The Photo Gallery by 10Web WordPress plugin before 1.6.0 does not validate and escape the bwg_tag_id_bwg_thumbnails_0 parameter before using it in a SQL statement via the bwg_frontend_data AJAX action (reachable through wp-admin/admin-ajax.php by both unauthenticated and authenticated users), leading to an unauthenticated SQL injection.
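The description above gives a defender everything needed to hunt for exploitation attempts: the AJAX action, the parameter, and the fact that legitimate values of that parameter are tag IDs, i.e. plain integers. The script below is an added example written for this page (it is not the PoC, the Metasploit module or the Nuclei template, and none of the payload handling is taken from them). It assumes request logs as JSON lines carrying the request URI and form body (the sample lines are constructed), flags any bwg_frontend_data request whose bwg_tag_id_bwg_thumbnails_0 values are not integers, and raises the severity when generic SQL metacharacters or keywords are present. The keyword list is a heuristic of mine, not a signature from any of the published exploits. It also includes a version check that treats 1.6.0 itself as fixed, matching the "before 1.6.0" wording of the advisory.

```python
"""Hunt for CVE-2022-0169 exploitation attempts in request logs (added example).

Facts from the advisory: Photo Gallery by 10Web < 1.6.0 concatenates values of
bwg_tag_id_bwg_thumbnails_0 into SQL inside the bwg_frontend_data AJAX action,
reachable via wp-admin/admin-ajax.php without authentication.

Assumptions (mine, not from the advisory): logs are JSON lines with "src",
"uri" and "body" fields, as a reverse proxy that records form bodies might
emit; the SQLI_MARKERS regex is a generic heuristic; SAMPLE_LOG is constructed.
"""
import json
import re
from urllib.parse import parse_qs, urlparse

AJAX_PATH = "/wp-admin/admin-ajax.php"
ACTION = "bwg_frontend_data"
PARAM = "bwg_tag_id_bwg_thumbnails_0"
FIXED_VERSION = (1, 6, 0)  # first fixed release per the advisory

# Generic SQL injection indicators; any hit upgrades a finding to "high".
SQLI_MARKERS = re.compile(r"""(?i)\b(sleep|benchmark|union|select|or|and)\b|[()'"#;]|--""")


def version_tuple(version):
    """Turn '1.5.75' into (1, 5, 75); pad short tags so '1.6' compares as 1.6.0."""
    parts = [int(x) for x in re.findall(r"\d+", version)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))


def version_is_vulnerable(stable_tag):
    """True for releases before 1.6.0; 1.6.0 itself is the fixed version."""
    return version_tuple(stable_tag) < FIXED_VERSION


def request_params(entry):
    """Merge query-string and form-body parameters.

    admin-ajax.php reads the action from $_REQUEST, so either location counts.
    PHP array syntax (name[]) is collapsed onto the bare parameter name.
    """
    params = {}
    query = urlparse(entry.get("uri", "")).query
    for source in (query, entry.get("body") or ""):
        for key, values in parse_qs(source, keep_blank_values=True).items():
            bare = key[:-2] if key.endswith("[]") else key
            params.setdefault(bare, []).extend(values)
    return params


def classify(entry):
    """Return None for benign traffic, otherwise a finding dict."""
    path = urlparse(entry.get("uri", "")).path
    if not path.endswith(AJAX_PATH):  # allow sites installed under a prefix
        return None
    params = request_params(entry)
    if ACTION not in params.get("action", []):
        return None
    # Legitimate tag IDs are integers; anything else does not belong in SQL.
    odd = [v for v in params.get(PARAM, []) if not re.fullmatch(r"\d+", v)]
    if not odd:
        return None
    severity = "high" if any(SQLI_MARKERS.search(v) for v in odd) else "medium"
    return {"src": entry.get("src"), "severity": severity, "values": odd}


def hunt(lines):
    """Run classify() over JSON log lines and collect the findings."""
    findings = []
    for line in lines:
        line = line.strip()
        if line:
            finding = classify(json.loads(line))
            if finding:
                findings.append(finding)
    return findings


# Constructed sample traffic: one benign gallery request, one SQLi probe in the
# POST body, one non-numeric value via GET, one unrelated AJAX action.
SAMPLE_LOG = """
{"src":"203.0.113.5","uri":"/wp-admin/admin-ajax.php","body":"action=bwg_frontend_data&bwg_tag_id_bwg_thumbnails_0%5B%5D=3"}
{"src":"198.51.100.7","uri":"/wp-admin/admin-ajax.php","body":"action=bwg_frontend_data&bwg_tag_id_bwg_thumbnails_0%5B%5D=1%29+OR+SLEEP%285%29--+-"}
{"src":"198.51.100.9","uri":"/blog/wp-admin/admin-ajax.php?action=bwg_frontend_data&bwg_tag_id_bwg_thumbnails_0=abc","body":""}
{"src":"192.0.2.4","uri":"/wp-admin/admin-ajax.php?action=heartbeat","body":""}
""".strip().splitlines()


if __name__ == "__main__":
    print("1.5.75 vulnerable:", version_is_vulnerable("1.5.75"))
    print("1.6.0 vulnerable:", version_is_vulnerable("1.6.0"))
    for finding in hunt(SAMPLE_LOG):
        print(finding)
```

The allowlist check (integers only) is the part worth keeping even if the keyword regex is dropped: it catches probes that avoid the usual keywords, and it produces no alerts for real gallery traffic because the plugin only ever sends tag IDs in that parameter.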

Exploits (2)

nomisec · WORKING POC · 2 stars
by X3RX3SSec · infoleak
https://github.com/X3RX3SSec/CVE-2022-0169

This is a functional Python PoC for CVE-2022-0169, an SQL injection vulnerability in the WordPress Photo Gallery plugin. It exploits the vulnerable `admin-ajax.php` endpoint to dump the `wp_users` table (usernames and password hashes) and optionally cracks the hashes with hashcat.

Classification
Working Poc 95%
Attack Type
Sqli
Complexity
Trivial
Reliability
Reliable
Target: WordPress Photo Gallery plugin
No auth needed
Prerequisites: Target running vulnerable WordPress Photo Gallery plugin
devstral-2 · analyzed Feb 16, 2026

metasploit · WORKING POC
by Krzysztof Zając, Valentin Lobstein, X3RX3S · rubypoc
https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/gather/wp_photo_gallery_sqli.rb

This Metasploit module exploits an unauthenticated SQL injection vulnerability in the WordPress Photo Gallery plugin via the 'bwg_tag_id_bwg_thumbnails_0[]' parameter. It retrieves user credentials by injecting a malicious SQL query through the admin-ajax.php endpoint.

Classification
Working Poc 95%
Attack Type
Sqli
Complexity
Moderate
Reliability
Reliable
Target: WordPress Photo Gallery by 10Web < 1.6.0 (1.6.0 is the fixed release)
No auth needed
Prerequisites: Target running WordPress with vulnerable Photo Gallery plugin · Network access to the target
devstral-2 · analyzed Feb 16, 2026

Nuclei Templates (1)

Photo Gallery by 10Web < 1.6.0 - SQL Injection
CRITICAL · VERIFIED · by ritikchaddha, princechaddha
Shodan: http.html:/wp-content/plugins/photo-gallery
FOFA: body=/wp-content/plugins/photo-gallery

References (2)

Exploit, Third Party Advisory (x_refsource_misc):
https://wpscan.com/vulnerability/0b4d870f-eab8-4544-91f8-9c5f0538709c

Patch, Release Notes, Third Party Advisory (x_refsource_confirm):
https://plugins.trac.wordpress.org/changeset/2672822/photo-gallery#file9

Scores

CVSS v3 9.8
EPSS 0.7461 (74.6% probability of exploitation in the next 30 days)
EPSS Percentile 99.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

VulnCheck KEV 2025-09-11
CWE
CWE-89
Status published
Products (1)
10web/photo_gallery < 1.6.0
Published Mar 14, 2022
Tracked Since Feb 18, 2026