CVE-2022-1281: Diff [2587758:2706797] for photo-gallery/trunk/frontend/models/BWGModelGalleryBox.php – WordPress Plugin Repository
The Photo Gallery WordPress plugin through 1.6.3 does not properly escape the $_POST['filter_tag'] parameter, which is appended to an SQL query, making SQL Injection attacks possible.
File:
- photo-gallery/trunk/frontend/models/BWGModelGalleryBox.php (2 diffs)
photo-gallery/trunk/frontend/models/BWGModelGalleryBox.php
r2587758
r2706797
43
43
$bwg\_filter\_tag\_temp = WDWLibrary::get('filter\_tag\_' . $bwg, 0);
44
44
if ( !empty($bwg\_filter\_tag\_temp) ) {
45
$filter\_tags = explode(",", $bwg\_filter\_tag\_temp);
45
$filter\_tags = array\_map('intval', explode(",", $bwg\_filter\_tag\_temp));
46
46
}
47
47
}
48
48
else {
49
$filter\_tags = explode(",", $bwg\_filter\_tag\_temp);
49
$filter\_tags = array\_map('intval', explode(",", $bwg\_filter\_tag\_temp));
50
50
}
51
51
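Review bot: `array_map('intval', ...)` on new lines 45 and 49 coerces every non-numeric piece to 0 rather than dropping it, so an input such as `abc,5` leaves tag id 0 in `$filter_tags` and negative numbers pass through unchanged. Follow the map with `array_filter()` (or reject the request when any piece is not all digits) so that only positive tag ids reach the query. The expression is duplicated in both branches and could live in one helper. Also, the only visible assignment of `$bwg_filter_tag_temp` is on line 43 inside the first branch, so it is worth confirming the else branch on line 49 never reads it unset.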
…
…
111
111
$join .= ' LEFT JOIN (SELECT GROUP\_CONCAT(tag\_id order by tag\_id SEPARATOR ",") AS tags\_combined, image\_id FROM ' . $wpdb->prefix . 'bwg\_image\_tag GROUP BY image\_id) AS tags ON image.id=tags.image\_id';
112
112
}
113
$where .= ' AND CONCAT(",", tags.tags\_combined, ",") REGEXP ",(' . implode($compare\_sign, $filter\_tags) . ')," ';
113
$where .= ' AND CONCAT(",", tags.tags\_combined, ",") REGEXP ",( %s )," ';
114
$prepareArgs\[\] = implode($compare\_sign, $filter\_tags);
114
115
}
115
116
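Review bot: the `%s` on new line 113 sits inside the double-quoted SQL string literal `",( %s ),"`, so if `$prepareArgs` is later passed to `$wpdb->prepare()` the value is substituted as a single-quoted string and those quotes, together with the spaces added around `%s`, become part of the regular expression; the removed line had neither. Bind the whole pattern instead: use `REGEXP %s` in `$where` and push `',(' . implode($compare_sign, $filter_tags) . '),'` onto `$prepareArgs`. `$compare_sign` is still used as the implode glue and is not defined in the visible lines, so check that it can only be a fixed constant and never request data.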