MEDIUM 6.5

CVE-2026-7048: Photo Gallery by 10Web SQL Injection Vulnerability – Database Extraction Risk

The Photo Gallery by 10Web WordPress plugin contains a SQL injection vulnerability in its gallery ordering feature. An attacker with contributor-level WordPress access or higher can craft a malicious gallery shortcode that executes arbitrary SQL queries against the site database when the shortcode renders. This allows unauthorized extraction of sensitive data like user credentials, email addresses, and other database contents. The vulnerability affects all versions up to 1.8.40.

Source data · NVD / CISA · public domain

CVSS
3.1 · 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Weaknesses (CWE)
CWE-89
Affected products
0 configuration(s)
Published / Modified
2026-05-28 / 2026-06-17

NVD description (verbatim)

The Photo Gallery by 10Web – Mobile-Friendly Image Gallery plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'order_by' parameter in all versions up to, and including, 1.8.40 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. This is exploitable by embedding a malicious shortcode in a post or draft, allowing the injected SQL to execute when the shortcode is rendered.

10 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-7048 is a time-based blind SQL injection vulnerability in the Photo Gallery by 10Web plugin's 'order_by' parameter. The plugin fails to properly escape and prepare the 'order_by' parameter before incorporating it into SQL queries. An authenticated attacker with contributor-level permissions can embed a malicious shortcode in WordPress posts or drafts. When the shortcode is processed and rendered on the front-end, the injected SQL executes within the database query context, enabling blind SQL injection attacks through time-delay techniques. The vulnerability is classified as CWE-89 (SQL Injection).

Business impact

Compromise of a WordPress site running this plugin exposes all database contents to extraction by any contributor-level user, including site administrators' credentials, subscriber personal information, and any custom data stored in the database. An attacker could incrementally exfiltrate sensitive information without leaving obvious traces. For multi-site WordPress installations or sites handling regulated data (PII, health records, payment information), this creates a significant data breach risk. The vulnerability also enables lateral movement—extracted admin credentials could be leveraged to compromise other WordPress installations or connected systems.

Affected systems

Photo Gallery by 10Web plugin versions up to and including 1.8.40 are affected. The plugin requires WordPress and is dependent on contributor-level or higher user access to exploit. Any WordPress site with this plugin installed and users granted contributor permissions or above is at risk. This includes sites where contributors are external authors, content partners, or client accounts.

Exploitability

This vulnerability requires authenticated access with at least contributor-level permissions in WordPress. An attacker cannot exploit this remotely as an unauthenticated user. However, the barrier to exploitation is relatively low once access is obtained: embedding a shortcode in a post or draft requires minimal technical skill beyond basic SQL injection knowledge. Time-based blind SQL injection is reliable and does not depend on error messages. No user interaction beyond normal content rendering is needed. Organizations should consider both internal threats (disgruntled contributors) and compromised contributor accounts (via password reuse or phishing) as realistic attack vectors.

Remediation

Update the Photo Gallery by 10Web plugin to a patched version released after 1.8.40. Verify the exact patched version number in the official WordPress plugin repository or 10Web's security advisory. As an interim measure, restrict contributor role assignments to trusted users only, and implement database monitoring to detect anomalous query patterns. Consider disabling the plugin entirely if it is not actively used for critical gallery functionality.

Patch guidance

Check the WordPress plugin repository (plugins.wordpress.org) and 10Web's official channels for the patched version number. Update immediately once a fix is confirmed available. Site administrators should test the update in a staging environment before deployment to production. Confirm that galleries continue to render correctly after patching, particularly those using the 'order_by' sorting feature.

Detection guidance

Monitor for contributor or higher-level users creating or editing posts with unusually complex gallery shortcodes. Watch database logs for unusual query patterns, time delays in query execution (indicative of time-based blind SQL injection), or queries attempting UNION-based data extraction. Audit contributor account activity, particularly post and draft modifications, during or after suspected compromise windows. Use WordPress security plugins with database activity logging if available. Check for posts in draft status that were never published but contain Photo Gallery shortcodes—these are common staging grounds for SQL injection testing.

Why prioritize this

Although this vulnerability requires authenticated access, the ease of exploitation once access is granted and the sensitivity of data at risk (full database access) warrant prompt remediation. The CVSS score of 6.5 reflects high confidentiality impact with no integrity or availability concerns. Organizations with strict least-privilege policies and strong contributor management may assess risk lower; those with permissive contributor access or external content partnerships should treat this as high priority.

Risk score, explained

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N results in a score of 6.5 (MEDIUM). The score reflects: Network accessibility (AV:N), low attack complexity (AC:L), and requirement for low privilege level (PR:L—contributor access). No user interaction is required (UI:N). High confidentiality impact (C:H) from unrestricted database read access is the primary concern. Integrity and availability are not affected. The MEDIUM severity is contextual; in high-trust environments with strict access controls, actual risk may be lower; in permissive environments, the practical risk approaches HIGH.

Frequently asked questions

Does this vulnerability allow attackers to modify or delete data in my database?

No. This SQL injection vulnerability enables only unauthorized *reading* (SELECT queries) of database contents. It does not allow modification (UPDATE) or deletion (DELETE) of data. However, extracted data such as admin credentials could be used in follow-up attacks to gain write access.

Can unauthenticated users on the internet exploit this vulnerability?

No. The vulnerability requires at least contributor-level WordPress user access. An attacker cannot exploit this remotely without a valid WordPress account with appropriate permissions. However, compromised or misused contributor accounts are a realistic threat vector.

Do I need to restore my database if this plugin was installed on my site?

Not necessarily. This vulnerability enables extraction of existing data but does not inject malicious data into your database. Verify your database for any unauthorized administrative user accounts or suspicious data modifications using your hosting provider's tools or a WordPress security plugin. Update and test the plugin, then monitor access logs for evidence of exploitation.

What is 'time-based blind SQL injection' and why is it harder to detect than regular SQL injection?

Blind SQL injection returns no error messages; instead, attackers infer database structure and content by observing response times. A true condition causes a query delay; a false condition executes normally. This makes it harder to detect via error log inspection alone, as no SQL errors are logged. This is why database query pattern monitoring and contributor account auditing are important detection methods.

This analysis is provided for informational purposes and reflects the published CVE description and CVSS assessment as of the modification date. Actual risk and exploitability depend on your deployment, access control policies, and use of the affected plugin. No working exploit code or proof-of-concept is provided here. Organizations should independently verify the availability of patched versions before deployment and consult official vendor advisories for definitive patch guidance. SEC.co makes no guarantee of the completeness or accuracy of vulnerability remediation advice and recommends validation in a test environment before production changes. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).