Description
The Photo Gallery by 10Web – Mobile-Friendly Image Gallery plugin for WordPress is vulnerable to time-based SQL Injection via 'compact_album_order_by' Shortcode Parameter in all versions up to, and including, 1.8.41 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. The malicious payload is stored via the 'shortcode_bwg' AJAX handler — accessible to Contributor-level users and exploitable without a valid nonce by omitting the 'page' parameter — and is subsequently triggered by the unauthenticated 'bwg_frontend_data' AJAX handler, meaning successful exploitation requires only that an attacker has Contributor-level access to save the shortcode.
Published: 2026-06-06
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability affects all releases of the Photo Gallery by 10Web plugin up to and including 1.8.41. The compact_album_order_by shortcode parameter is placed into an existing SQL query without adequate escaping or preparation, so an authenticated user with Contributor-level access or higher can inject SQL through it. The payload is saved through the shortcode_bwg AJAX handler (reachable by Contributors, and without a valid nonce when the page parameter is omitted) and is later executed by the unauthenticated bwg_frontend_data handler, so the injected query runs on ordinary front-end traffic long after it was stored. The injection is time-based (blind): the attacker infers database contents one condition at a time rather than reading rows directly, and the CVSS vector (C:H/I:N/A:N) accordingly records a confidentiality impact only.
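
The paragraph above attributes the flaw to missing escaping and preparation, but the point a practitioner should take away is that an ORDER BY value cannot be protected by either: it is part of the SQL grammar, not a string literal, so quoting it or binding it as a value placeholder does not work. The Python/sqlite3 script below is an added example, not code from the plugin, from 10Web or from Wordfence. The table and column names (bwg_album, wp_users.user_pass) and the sample rows are constructed for the demo. It places the vulnerable concatenation beside an allowlist fix and shows how a crafted 'compact_album_order_by' value leaks data from an unrelated table one boolean answer at a time; the CVE's time-based variant replaces the ordering flip with MySQL's SLEEP() but uses the same inference loop.

```python
"""Added illustration (not the plugin's code): why an ORDER BY parameter such
as 'compact_album_order_by' needs an allowlist, and how an injected value
leaks data from another table even without stacked queries.

All table/column names and rows below are constructed for this demo."""
import sqlite3


def build_db() -> sqlite3.Connection:
    """In-memory stand-in for the WordPress database (constructed sample data)."""
    con = sqlite3.connect(":memory:")
    con.executescript(
        """
        CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, user_pass TEXT);
        INSERT INTO wp_users VALUES (1, 'admin', '$P$Bsecrethash');
        CREATE TABLE bwg_album (id INTEGER, name TEXT);
        INSERT INTO bwg_album VALUES (1, 'zebra'), (2, 'apple'), (3, 'mango');
        """
    )
    return con


def albums_vulnerable(con: sqlite3.Connection, order_by: str) -> list:
    """Vulnerable pattern: the shortcode value is concatenated into ORDER BY.
    Escaping quotes does not help (the value is an identifier/expression, not a
    string literal) and a value placeholder cannot express ORDER BY either."""
    sql = "SELECT id FROM bwg_album ORDER BY " + order_by
    return [row[0] for row in con.execute(sql)]


# Hardened pattern: the only column names the feature is meant to sort by.
ALLOWED_ORDER_BY = {"id": "id", "name": "name"}


def albums_hardened(con: sqlite3.Connection, order_by: str) -> list:
    """Map the user-supplied value onto the allowlist; anything else falls back
    to a default and never reaches the SQL text."""
    column = ALLOWED_ORDER_BY.get(order_by, "id")
    sql = f"SELECT id FROM bwg_album ORDER BY {column}"
    return [row[0] for row in con.execute(sql)]


def leak_char(con: sqlite3.Connection, position: int, guess: str) -> bool:
    """Boolean inference through ORDER BY: the row order flips depending on a
    condition evaluated over a different table, so each request answers one
    yes/no question. Replace the flip with SLEEP() and this is the CVE's
    time-based variant."""
    payload = (
        "(CASE WHEN (SELECT substr(user_pass,{},1) FROM wp_users WHERE ID=1) = '{}' "
        "THEN id ELSE -id END)"
    ).format(position, guess.replace("'", "''"))
    # Ascending by id gives [1, 2, 3]; ascending by -id gives [3, 2, 1].
    return albums_vulnerable(con, payload) == [1, 2, 3]


def extract_prefix(con: sqlite3.Connection, length: int, alphabet: str) -> str:
    """Recover the first `length` characters of the stored hash, one request
    per candidate character (the same loop an attacker runs against the site)."""
    out = ""
    for pos in range(1, length + 1):
        for ch in alphabet:
            if leak_char(con, pos, ch):
                out += ch
                break
    return out


if __name__ == "__main__":
    db = build_db()
    print("vulnerable, order by name:", albums_vulnerable(db, "name"))
    print("leaked hash prefix:", extract_prefix(db, 4, "$PBs"))
    print("hardened, same payload ignored:",
          albums_hardened(db, "(CASE WHEN 1=0 THEN id ELSE -id END)"))
```

In WordPress terms the allowlist belongs in the shortcode/AJAX handler before the value is ever saved, and the same check should be applied again where the stored value is read back, since the stored payload is what bwg_frontend_data executes. $wpdb->prepare() has supported the %i identifier placeholder since WordPress 6.2, which backtick-quotes the value as a single column name and turns an injected expression into a query error rather than an injection; an allowlist is still the cleaner control because it also keeps the sortable columns to the ones the feature intends.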

Affected Systems

WordPress sites running the Photo Gallery by 10Web – Mobile-Friendly Image Gallery plugin at version 1.8.41 or earlier are affected. No other vendors or products are listed in the CNA data for this entry.

Risk and Exploitability

The CVSS 3.1 base score of 6.5 (Medium) together with an EPSS score below 1% indicates moderate severity with a low predicted likelihood of exploitation at publication time; the SSVC assessment recorded in the history (Exploitation: none, Automatable: no, Technical Impact: partial) agrees. An attacker must first hold Contributor-level or higher access, but once the shortcode is saved the injected query persists and is executed by ordinary unauthenticated front-end requests, so a single saved shortcode gives a lasting foothold that does not depend on the attacker's account remaining active. The vulnerability is not listed in the CISA KEV catalog, and no vendor fix is listed on this entry yet, which argues for applying the compensating controls in the recommended actions rather than waiting.

Generated by OpenCVE AI on June 6, 2026 at 06:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Photo Gallery by 10Web plugin as soon as the vendor publishes a version later than 1.8.41; no fixed version is listed on this entry yet.
  • Limit Contributor and higher roles to trusted users, audit existing accounts at those levels, and remove Contributor accounts on sites that do not need them; untrusted Contributors (for example from open registration with Contributor as the default role) are the precondition for this attack.
  • Until a patch is applied, block the shortcode_bwg AJAX action (the WordPress admin-ajax action of that name) for Contributor-level users, and treat requests to it that omit the page parameter as suspicious, since omitting it is the nonce bypass described above.
  • As a temporary countermeasure, add input validation or a web application firewall rule that rejects compact_album_order_by values that are not a plain column name (letters, digits and underscores only). Apply it to the shortcode_bwg request, where the payload is stored, and not only to bwg_frontend_data, where an already-saved payload is replayed and the value is no longer visible in the request.

Generated by OpenCVE AI on June 6, 2026 at 06:20 UTC.


Advisories

No advisories yet.

History

Sat, 06 Jun 2026 12:30:00 +0000

Type: Metrics (ssvc)
Values removed: (none)
Values added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sat, 06 Jun 2026 06:45:00 +0000

Type: First Time appeared
Values removed: (none)
Values added: 10web; 10web photo Gallery By 10web – Mobile-friendly Image Gallery; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values removed: (none)
Values added: 10web; 10web photo Gallery By 10web – Mobile-friendly Image Gallery; Wordpress; Wordpress wordpress

Sat, 06 Jun 2026 05:00:00 +0000

Type: Description
Values removed: (none)
Values added: (the Description text shown at the top of this page)

Type: Title
Values removed: (none)
Values added: Photo Gallery by 10Web <= 1.8.41 - Authenticated (Contributor+) SQL Injection via 'compact_album_order_by' Shortcode Parameter

Type: Weaknesses
Values removed: (none)
Values added: CWE-89

Type: References
Values removed: (none)
Values added: (none)

Type: Metrics (cvssV3_1)
Values removed: (none)
Values added: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-06-06T11:41:25.517Z

Reserved: 2026-05-28T12:02:27.528Z

Link: CVE-2026-9829

Vulnrichment

Updated: 2026-06-06T11:41:19.491Z

NVD

Status: Received

Published: 2026-06-06T05:16:29.917

Modified: 2026-06-06T05:16:29.917

Link: CVE-2026-9829

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-06T06:30:14Z

Weaknesses