CVE-2022-0169: 
WordPress vulnerability analysis and mitigation

The Photo Gallery by 10Web WordPress plugin before version 1.6.0 contains an unauthenticated SQL injection vulnerability identified as CVE-2022-0169. The vulnerability was discovered in early 2022 and affects the plugin's handling of the bwgtagidbwgthumbnails0 parameter in the bwgfrontend_data AJAX action, which is accessible to both unauthenticated and authenticated users (CVE Mitre, WPScan).

The vulnerability stems from improper validation and escaping of the bwgtagidbwgthumbnails0 parameter before its use in SQL statements. The issue is specifically related to the bwgfrontend_data AJAX action. The vulnerability has been assigned a CVSS score of 8.6 (high), indicating its serious nature. It is classified as an SQL Injection vulnerability under OWASP Top 10 category A1: Injection and CWE-89 (WPScan).

This vulnerability allows unauthenticated attackers to perform SQL injection attacks against affected WordPress installations. The potential impact includes unauthorized access to database contents, including sensitive user information such as login credentials (WPScan).

The vulnerability has been patched in version 1.6.0 of the Photo Gallery by 10Web plugin. Users are strongly advised to update to this version or later to protect their installations (WPScan, WordPress Plugin).