SQL Injection Vulnerability in Piwigo Web Application by Piwigo
CVE-2024-43018

6.4MEDIUM

Key Information:

Vendor: Piwigo
Status: Piwigo
Vendor: CVE Published:; 29 July 2025

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2024-43018?

Piwigo versions up to 13.8.0 are susceptible to an SQL Injection attack via the 'max_level' and 'min_register' parameters. These parameters are leveraged within the ws_user_gerList function located in the 'include/ws_functions/pwg.users.php' file. The function is also invoked by the ws.php file and can be manipulated to perform unauthorized database queries when searching for users through the '/admin.php?page=user_list' interface, potentially exposing sensitive user data.

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2024-43018
Created by joaosilva21

References

https://github.com/Piwigo/Piwigo/issues/2197

https://github.com/joaosilva21/CVE-2024-43018

CVSS V3.1

Score:

6.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jul 29, 2025
🟡
Public PoC available
Jul 28, 2025
👾
Exploit known to exist
Jul 28, 2025
Vulnerability Reserved
Aug 5, 2024

JSON