Impact
The vulnerability arises from improper neutralization of special elements used in an SQL command, the classic SQL injection weakness catalogued as CWE-89. An attacker can exploit the Photo Gallery by 10Web plugin to trigger a blind SQL injection, meaning the attacker infers data or modifies database contents indirectly, without the query results being returned in the response. The missing input validation allows attackers to craft queries that read sensitive application data, modify or delete records, and potentially reach further into the underlying database. Such an attack compromises the confidentiality and integrity of stored data and could serve as a stepping stone to broader system compromise if database credentials are exposed.
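To make the CWE-89 pattern concrete, the following is an added illustration written for this page; it is not code from the Photo Gallery by 10Web plugin and does not reproduce its vulnerable query. The function names, the `example_galleries` table and the `gallery_id` parameter are hypothetical. It contrasts the unsafe pattern (request data concatenated into the SQL string, which is what lets an attacker alter the query) with the hardened form using WordPress's `$wpdb->prepare()` and input normalization.

```php
<?php
// Added example, not the plugin's own code. All names below are hypothetical.

// Unsafe pattern (CWE-89): the request value is interpolated directly into SQL,
// so anything other than a plain integer changes the structure of the query.
function example_get_gallery_unsafe( $gallery_id ) {
    global $wpdb;
    $table = $wpdb->prefix . 'example_galleries'; // hypothetical table
    $sql   = "SELECT id, name FROM {$table} WHERE id = " . $gallery_id;
    return $wpdb->get_row( $sql );
}

// Hardened pattern: a typed placeholder. prepare() casts %d to an integer and
// quotes/escapes %s, so user input can never be parsed as SQL syntax.
function example_get_gallery_safe( $gallery_id ) {
    global $wpdb;
    $table = $wpdb->prefix . 'example_galleries'; // hypothetical table
    $sql   = $wpdb->prepare( "SELECT id, name FROM {$table} WHERE id = %d", $gallery_id );
    return $wpdb->get_row( $sql );
}

// Normalizing the input before it reaches the query layer adds a second barrier:
// absint() reduces the value to a non-negative integer, and an invalid id is
// rejected with a 400 instead of being passed on.
function example_gallery_handler() {
    $gallery_id = isset( $_GET['gallery_id'] ) ? absint( wp_unslash( $_GET['gallery_id'] ) ) : 0;
    if ( 0 === $gallery_id ) {
        wp_send_json_error( array( 'message' => 'invalid gallery id' ), 400 );
    }
    wp_send_json_success( example_get_gallery_safe( $gallery_id ) );
}
```

The defensive takeaway is the one the advisory's mitigation implies: parameterized queries (`$wpdb->prepare()` with `%d`/`%s` placeholders) rather than string concatenation, plus type coercion of request parameters at the handler boundary. For detection, web server or WAF logs showing gallery endpoints receiving non-numeric or SQL-like values in parameters that should be integers are the signal to look for while an update is pending.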
Affected Systems
WordPress sites running the Photo Gallery by 10Web plugin, version 1.8.41 and earlier, are affected. The vulnerability exists in all earlier releases of the plugin, so any WordPress site with a vulnerable version installed is exposed.
Risk and Exploitability
This issue carries a CVSS score of 7.6, indicating high severity. No EPSS score is available, so the likelihood of exploitation cannot be quantified precisely. The vulnerability is not listed in CISA's KEV catalog, suggesting there was no confirmed exploitation in the wild as of the data snapshot. Attackers would most likely reach the weakness through web requests to the gallery functionality, making the attack vector remote and publicly accessible. Given the high severity and the absence of any mitigation other than updating the plugin, the risk to any vulnerable deployment is significant.
OpenCVE Enrichment