CVE-2021-24139— Photo Gallery by 10Web < 1.5.55 - Unauthenticated SQL Injection

EPSS 48.38% · P98 Updated Feb 24, 2026

Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2021-24139

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title

Photo Gallery by 10Web < 1.5.55 - Unauthenticated SQL Injection

Source: NVD (National Vulnerability Database)

Vulnerability Description

Unvalidated input in the Photo Gallery (10Web Photo Gallery) WordPress plugin, versions before 1.5.55, leads to SQL injection via the frontend/models/model.php bwg_search_x parameter.

Source: NVD (National Vulnerability Database)

CVSS Information

N/A

Source: NVD (National Vulnerability Database)

Vulnerability Type

SQL命令中使用的特殊元素转义处理不恰当(SQL注入)

Source: NVD (National Vulnerability Database)

Vulnerability Title

Wordpress Photo Gallery SQL注入漏洞

Source: CNNVD (China National Vulnerability Database)

Vulnerability Description

Wordpress Photo Gallery是（Wordpress）开源的一个应用插件。提供一个将响应式画廊和相册添加到的网站功能。 WordPress Photo Gallery plugin 存在SQL注入漏洞，该漏洞源于frontend/models/model.php bwg_search_x参数。

Source: CNNVD (China National Vulnerability Database)

CVSS Information

N/A

Source: CNNVD (China National Vulnerability Database)

Vulnerability Type

N/A

Source: CNNVD (China National Vulnerability Database)

Affected Products

Vendor	Product	Affected Versions	CPE	Subscribe
Unknown	Photo Gallery by 10Web	1.5.55 ~ 1.5.55	-

II. Public POCs for CVE-2021-24139

#	POC Description	Source Link	Shenlong Link
1	WordPress plugin 10Web Photo Gallery versions before 1.5.55 contains a SQL injection caused by unvalidated input in the 'bwg_search_x' parameter in frontend/models/model.php, letting attackers execute arbitrary SQL commands, exploit requires attacker to control the 'bwg_search_x' parameter.	https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2021/CVE-2021-24139.yaml	POC Details

AI-Generated POCPremium

No public POC found.

III. Intelligence Information for CVE-2021-24139

请登录查看更多情报信息。

Same Patch Batch · Unknown · 2021-03-18 · 27 CVEs total

CVE-2021-24136		Testimonials Widget < 4.0.0 - Multiple Authenticated Stored XSS
CVE-2021-24149		Modern Events Calendar Lite < 5.16.6 - Authenticated SQL Injection
CVE-2021-24148		MStore API < 3.2.0 - Authentication Bypass With Sign In With Apple
CVE-2021-24147		Modern Events Calendar Lite < 5.16.5 - Authenticated Stored Cross-Site Scripting (XSS)
CVE-2021-24146		Modern Events Calendar Lite < 5.16.5 - Unauthenticated Events Export
CVE-2021-24145		Modern Events Calendar Lite < 5.16.5 - Authenticated Arbitrary File Upload leading to RCE
CVE-2021-24144		Contact Form 7 Database Addon < 1.2.5.6 - CSV Injection
CVE-2021-24143		AccessPress Social Icons < 1.8.1 - Authenticated SQL Injection
CVE-2021-24142		301 Redirects - Easy Redirect Manager < 2.51 - Authenticated SQL Injection
CVE-2021-24141		Advanced Database Cleaner < 3.0.2 - Authenticated SQL injection
CVE-2021-24140		Ajax Load More < 5.3.2 - Authenticated SQL Injection
CVE-2021-24138		AdRotate < 5.8.4 - Authenticated SQL Injection
CVE-2021-24137		Blog2Social: Social Media Auto Post & Scheduler < 6.3.1 - Authenticated SQL Injection
CVE-2021-24123		PowerPress < 8.3.8 - Authenticated Arbitrary File Upload leading to RCE
CVE-2021-24135		WP Customer Reviews < 3.4.3 - Multiple Unauthenticated and Low Priv Authenticated Stored X
CVE-2021-24134		Constant Contact Forms < 1.8.8 - Multiple Authenticated Stored XSS
CVE-2021-24133		ActiveCampaign < 8.0.2 - Cross-Site Request Forgery in Settings
CVE-2021-24132		Slider by 10Web < 1.2.36 - Multiple Authenticated SQL Injection
CVE-2021-24131		Anti-Spam by CleanTalk < 5.149 - Multiple Authenticated SQL Injections
CVE-2021-24130		WP Google Map Plugin < 4.1.5 - Authenticated SQL Injection

Showing top 20 of 27 CVEs. View all on vendor page → →

IV. Related Vulnerabilities

Same product: Photo Gallery by 10Web

Same vendor: Unknown

Same weakness: CWE-89

V. Comments for CVE-2021-24139

No comments yet

Goal Reached Thanks to every supporter — we hit 100%!

CVE-2021-24139— Photo Gallery by 10Web < 1.5.55 - Unauthenticated SQL Injection

I. Basic Information for CVE-2021-24139

Vulnerability Information

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Affected Products

II. Public POCs for CVE-2021-24139

III. Intelligence Information for CVE-2021-24139

Same Patch Batch · Unknown · 2021-03-18 · 27 CVEs total

IV. Related Vulnerabilities

V. Comments for CVE-2021-24139

Leave a comment