CVE-2019-16119 in photo-gallery Plugininfo

Summary

by MITRE

SQL injection in the photo-gallery (10Web Photo Gallery) plugin before 1.5.35 for WordPress exists via the admin/controllers/Albumsgalleries.php album_id parameter.


Analysis

by VulDB Data Team • 09/25/2025

CVE-2019-16119 is an SQL injection flaw in the 10Web Photo Gallery plugin for WordPress, affecting releases before 1.5.35. The defect sits in the plugin's admin controllers: admin/controllers/Albumsgalleries.php takes the album_id request parameter and incorporates it into an SQL query without validating it as an integer or binding it as a query parameter, so whatever the client sends is interpreted as SQL rather than as data. An attacker who can reach that controller can therefore append arbitrary SQL to the query the plugin runs against the WordPress database. The weakness is CWE-89 (Improper Neutralization of Special Elements used in an SQL Command); the root cause is the missing input validation and the unparameterized query in the plugin's administrative interface.
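The query pattern described above, modelled as an added example (this is not code from the 10Web plugin or from VulDB): an in-memory SQLite table standing in for the plugin's album table, one function that concatenates album_id into the SQL text the way a vulnerable controller would, and one that validates the value as an integer and binds it. The table name, rows and query text are constructed for the illustration; the plugin itself runs on MySQL through WordPress's $wpdb, where the hardened form is $wpdb->prepare() with a %d placeholder, but the injection mechanics are identical.

```python
"""Added example: SQL injection through an id parameter, vulnerable vs. hardened.
Constructed data; not the 10Web Photo Gallery plugin's code."""
import re
import sqlite3


def build_db() -> sqlite3.Connection:
    """Create a throwaway 'albums' table with constructed sample rows.
    'published' marks which albums the admin page is meant to show."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE albums (id INTEGER PRIMARY KEY, name TEXT, published INTEGER)")
    conn.executemany(
        "INSERT INTO albums VALUES (?, ?, ?)",
        [(1, "Public launch", 1), (2, "Internal draft", 0), (3, "Board offsite", 0)],
    )
    return conn


def get_album_vulnerable(conn: sqlite3.Connection, album_id: str) -> list:
    """Vulnerable pattern (CWE-89): the raw request parameter is spliced into the
    SQL text, so anything after the number becomes part of the query."""
    sql = "SELECT id, name FROM albums WHERE id = " + album_id
    return conn.execute(sql).fetchall()


def is_valid_album_id(album_id: str) -> bool:
    """Allow-list check: only ASCII decimal digits may reach the query."""
    return re.fullmatch(r"[0-9]+", album_id) is not None


def get_album_fixed(conn: sqlite3.Connection, album_id: str) -> list:
    """Hardened pattern: validate first, then bind the value as a parameter so the
    database driver never sees it as SQL. WordPress equivalent:
    $wpdb->get_row($wpdb->prepare("... WHERE id = %d", absint($_GET['album_id'])))."""
    if not is_valid_album_id(album_id):
        raise ValueError("album_id must be a non-negative integer")
    return conn.execute(
        "SELECT id, name FROM albums WHERE id = ?", (int(album_id),)
    ).fetchall()


if __name__ == "__main__":
    conn = build_db()
    # Constructed injection strings standing in for a crafted album_id value.
    tautology = "1 OR 1=1"
    union = "0 UNION SELECT id, name FROM albums WHERE published = 0"
    print(get_album_vulnerable(conn, "1"))         # intended single row
    print(get_album_vulnerable(conn, tautology))   # every row, including unpublished ones
    print(get_album_vulnerable(conn, union))       # attacker-chosen rows via UNION
    print(get_album_fixed(conn, "1"))              # same single row
    for payload in (tautology, union):
        try:
            get_album_fixed(conn, payload)
        except ValueError as exc:
            print("rejected:", exc)
```

Both injected strings are rejected before the query is built; even if the allow-list were dropped, the bound parameter in get_album_fixed would be compared as a value and could never change the query's structure. The allow-list matters anyway because it keeps bad input out of the database round trip entirely and gives a clean place to log rejected requests.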

The impact is that of any SQL injection against the WordPress database: the injected SQL runs with the privileges of the site's database user, so an attacker can read data the plugin would never display (including tables outside the plugin's own, such as the WordPress user table), modify or delete rows, and from there work toward full control of the site. Because the vulnerable handler lives under the plugin's admin controllers, reaching it normally means an authenticated WordPress user who can open the plugin's album management pages, or an attacker who can get such a user to issue a crafted request; the advisory does not state which role is required, so any account able to reach those pages should be treated as able to exploit the flaw. In ATT&CK terms the closest mapping is T1190 (Exploit Public-Facing Application), the technique that covers exploiting input-handling bugs in a web application.

Exploitation consists of sending a request to the vulnerable controller with a crafted album_id, most simply by editing the parameter in the URL; no memory corruption or timing is involved, so a working payload is just SQL syntax. Sites running a vulnerable version are exposed to disclosure of database contents, exposure of password hashes and user metadata, and follow-on compromise of the WordPress installation, since the plugin's tables share a database with WordPress core. The fix is to update the 10Web Photo Gallery plugin to 1.5.35 or later, which validates the parameter and uses a parameterized query. Until the update is applied, limit who can reach the plugin's admin pages and review web server logs for album_id values that are anything other than a plain integer. A web application firewall can block obvious payloads but is a compensating control, not a substitute for the update, because encoded or otherwise obfuscated SQL can evade signature matching. More generally, every value that reaches a query should be validated and passed through a prepared statement ($wpdb->prepare in WordPress) rather than concatenated into the SQL text.
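The log review suggested above, as an added example that is not part of the VulDB entry or the plugin: a small scanner that parses combined-format access log lines, extracts the album_id query parameter, and flags any value that is not a plain integer. The log lines are constructed; the wp-admin path and page slug in them are assumptions standing in for whatever URL routes to the plugin's Albumsgalleries controller, and the check deliberately keys only on the album_id parameter so it does not depend on that slug.

```python
"""Added example: flag access-log requests whose album_id is not a plain integer.
Constructed log lines; the wp-admin page slug is an assumption."""
import re
from urllib.parse import parse_qs, urlsplit

# Combined log format, trimmed to the fields the check needs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Constructed sample: two benign requests, two injection attempts, one unrelated hit.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Sep/2019:12:00:01 +0000] "GET /wp-admin/admin.php?page=albums_bwg&album_id=12 HTTP/1.1" 200 5120
203.0.113.5 - - [10/Sep/2019:12:00:09 +0000] "GET /wp-admin/admin.php?page=albums_bwg&album_id=12%20OR%201%3D1 HTTP/1.1" 200 18230
198.51.100.7 - - [10/Sep/2019:12:01:40 +0000] "GET /wp-admin/admin.php?page=albums_bwg&album_id=0%20UNION%20SELECT%20user_login%2Cuser_pass%20FROM%20wp_users HTTP/1.1" 200 9001
198.51.100.7 - - [10/Sep/2019:12:02:02 +0000] "GET /wp-admin/admin.php?page=albums_bwg HTTP/1.1" 200 4000
192.0.2.9 - - [10/Sep/2019:12:03:15 +0000] "GET /?p=42 HTTP/1.1" 200 3000
"""


def is_plain_integer(value: str) -> bool:
    """The only shape a legitimate album_id should ever have."""
    return re.fullmatch(r"[0-9]+", value) is not None


def suspicious_album_ids(log_text: str) -> list:
    """Return one finding per request whose decoded album_id fails the integer check.
    parse_qs undoes percent-encoding, so '12%20OR%201%3D1' is inspected as '12 OR 1=1'."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        query = urlsplit(m["target"]).query
        params = parse_qs(query, keep_blank_values=True)
        for value in params.get("album_id", []):
            if not is_plain_integer(value):
                findings.append({
                    "ip": m["ip"],
                    "ts": m["ts"],
                    "status": m["status"],
                    "album_id": value,
                })
    return findings


if __name__ == "__main__":
    for f in suspicious_album_ids(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} status={f['status']} album_id={f['album_id']!r}")
```

Access logs only record the query string, so the same parameter submitted in a POST body would not appear here; treat this as a triage aid for GET traffic and for confirming whether a site was probed before it was patched, not as a protective control. Findings with a 200 status and an unusually large response size are the ones to look at first, since a tautology or UNION payload that succeeded typically returns far more data than the intended single album.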

Reservation

09/08/2019

Moderation

accepted

CPE

ready

Exploit

Download

EPSS

0.25438

KEV

no

Activities

very low
