CVE-2026-9829: Photo Gallery by 10Web SQL Injection Vulnerability in WordPress
Photo Gallery by 10Web, a popular WordPress plugin for creating mobile-friendly image galleries, contains a SQL injection vulnerability in versions up to 1.8.41. An attacker with contributor-level WordPress access (a lower-privileged account type) can inject malicious SQL commands through a shortcode parameter called 'compact_album_order_by'. The attacker stores this payload via an unprotected AJAX function, and it executes when the gallery is viewed on the front end, allowing the attacker to extract sensitive database information. This is a stored vulnerability—once the malicious shortcode is saved, it affects all site visitors.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
- Weaknesses (CWE)
- CWE-89
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-06 / 2026-06-17
NVD description (verbatim)
The Photo Gallery by 10Web – Mobile-Friendly Image Gallery plugin for WordPress is vulnerable to time-based SQL Injection via 'compact_album_order_by' Shortcode Parameter in all versions up to, and including, 1.8.41 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. The malicious payload is stored via the 'shortcode_bwg' AJAX handler — accessible to Contributor-level users and exploitable without a valid nonce by omitting the 'page' parameter — and is subsequently triggered by the unauthenticated 'bwg_frontend_data' AJAX handler, meaning successful exploitation requires only that an attacker has Contributor-level access to save the shortcode.
12 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability stems from insufficient input escaping and improper SQL query preparation of the 'compact_album_order_by' parameter within the photo gallery shortcode. The vulnerable code path involves two AJAX handlers: 'shortcode_bwg' (which accepts and stores the shortcode without adequate CSRF protection or nonce validation when the 'page' parameter is omitted) and 'bwg_frontend_data' (a public-facing handler that triggers stored payloads). Time-based SQL injection techniques allow an attacker to exfiltrate data byte-by-byte by crafting conditional SQL statements that delay database responses. The vulnerability is classified as CWE-89 (Improper Neutralization of Special Elements used in an SQL Command).
Business impact
Compromise of database confidentiality is the primary risk. Attackers can extract user accounts, email addresses, post content, plugin settings, and any custom data stored in the WordPress database. While integrity and availability are not directly impacted, stolen data can fuel further attacks, including account takeovers, phishing campaigns, or targeted social engineering. For multi-site WordPress installations or sites handling sensitive content (e-commerce, membership sites, client portfolios), data exposure poses legal and reputational harm. The low barrier to entry—only contributor-level access is required—makes this a concern for sites with many authors, freelancers, or temporary users.
Affected systems
All versions of the Photo Gallery by 10Web plugin up to and including version 1.8.41 are vulnerable. The plugin is installed on thousands of WordPress sites. Any WordPress site running this plugin with contributor-level (or higher) users is at risk. Sites with open user registration, guest author programs, or agencies managing client sites with distributed access are especially exposed.
Exploitability
Exploitability is moderate to high. An attacker needs valid WordPress contributor credentials, which are easier to obtain than admin access and may be legitimately held by many users. No valid nonce token is required if the attacker omits the 'page' parameter in the AJAX request, simplifying the attack. The stored nature of the payload means the attacker does not need to be present when the data is exfiltrated—any site visitor triggers the malicious shortcode. Time-based SQL injection is reliable but slower than union-based techniques; extracting large datasets may take considerable time, though it remains undetectable by signature-based monitoring. The vulnerability is not currently listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, but proof-of-concept material is likely to surface once the advisory gains visibility.
Remediation
Update the Photo Gallery by 10Web plugin to a patched version released after version 1.8.41. Vendors typically issue security patches within days of public disclosure. Additionally, audit WordPress contributor and author roles—remove inactive or untrusted accounts to reduce the attack surface. Review recent shortcode activity and database changes via database logs or WordPress security plugins to identify any stored malicious payloads. Consider implementing Web Application Firewall (WAF) rules to detect SQL injection attempts in AJAX handlers or shortcode parameters as a temporary compensating control.
Patch guidance
Monitor the official 10Web plugin repository and security advisories for version 1.8.42 or later (verify exact version numbers against the vendor advisory). Apply updates through the WordPress dashboard or via automated update mechanisms. Before updating, backup the database and test in a staging environment to ensure compatibility with custom shortcodes or themes that may depend on gallery functionality. If auto-updates are not enabled, prioritize this plugin in your patch schedule given the low privilege requirement and direct database exposure.
Detection guidance
Search WordPress database logs and server access logs for suspicious AJAX requests to 'shortcode_bwg' and 'bwg_frontend_data' handlers, especially those lacking the 'page' parameter or containing SQL keywords (UNION, SELECT, SLEEP, IF, CHAR, etc.) in POST parameters. Review the wp_posts or custom options tables for shortcode content containing encoded or obfuscated SQL. Use WordPress security plugins (e.g., Wordfence, Sucuri) configured to monitor AJAX activity and log database queries. Enable WordPress debug logging to wp-content/debug.log to capture suspicious queries. Endpoint detection and response (EDR) tools should flag processes executing unusual database queries from the web server process. Network-based intrusion detection signatures for time-based SQL injection may generate high false positives, so pair detection with behavioral analysis of database connections.
Why prioritize this
Despite a CVSS score of 6.5 (Medium), this vulnerability warrants high priority because: (1) the attack requires only contributor-level access, a common role in multi-user and agency environments; (2) successful exploitation directly exposes sensitive database records without user interaction; (3) the plugin is widely distributed and likely installed on many production WordPress sites; (4) no active mitigation is currently tracked in the KEV catalog, meaning security teams may not flag this immediately; and (5) once a payload is stored, it affects all site visitors, creating a persistent risk. Organizations with contributor-heavy WordPress installations or those handling sensitive data should patch within 48–72 hours.
Risk score, explained
The CVSS 3.1 score of 6.5 reflects a network-accessible vulnerability requiring low-privilege authentication, with no user interaction needed and high confidentiality impact but no integrity or availability impact. The score does not fully capture contextual risk: the low barrier to entry (contributor access) and widespread plugin adoption elevate practical risk beyond the numeric score. In environments with strict access controls and few contributors, the risk is lower; in multi-user or agency environments, it approaches a 7.5–8.0 practical severity.
Frequently asked questions
Can attackers exploit this if they don't have WordPress login credentials?
No. The vulnerability requires at least contributor-level access to WordPress. However, obtaining such credentials is often easier than obtaining admin access—contributors may be external authors, freelancers, or users registered via public signup forms. Once inside, the attacker does not need admin privileges to inject the malicious shortcode.
Does updating the plugin immediately stop active exploitation?
Updating stops new payloads from being stored, but it does not automatically remove existing malicious shortcodes already saved in the database. After patching, audit the wp_posts table and any options/meta storing shortcodes, and manually remove suspicious content. Verify database integrity and review logs for signs of exfiltration.
How long does it take to steal a large amount of data using time-based SQL injection?
Time-based exfiltration is slow—typically 1-2 seconds per byte using conditional delays. Extracting a single 100-character password hash might take 2–3 minutes; extracting thousands of user records could require hours of background activity. However, once the payload is stored, it executes silently on every page load, making extended attacks feasible without detection.
What if our site doesn't allow user registration or contributors?
Sites with only authors and admins have significantly lower risk. However, verify this assumption: check the WordPress user list and role configuration, and audit any theme or plugin that may create additional users dynamically. Disable user registration in WordPress settings if not needed.
This analysis is based on the CVE record and published advisory as of the date of writing. Patch version numbers and remediation steps should be verified against the official 10Web advisory and WordPress plugin repository. Exploit code and proof-of-concept details are not provided in this document. Organizations should validate their inventory against confirmed affected versions and test patches in non-production environments before deployment. This document is for informational purposes and does not constitute security advice specific to any individual organization's infrastructure or risk posture. Source: NVD (public-domain), retrieved 2026-07-14. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2026-0075MEDIUMAndroid SQL Injection in Contacts Database – Privilege Escalation Risk
- CVE-2026-10039MEDIUMFrontend Admin WordPress Plugin SQL Injection Vulnerability
- CVE-2026-10155MEDIUMSQL Injection in Bdtask Multi-Store Inventory Management System 1.0
- CVE-2026-10170MEDIUMSQL Injection in code-projects Visitor Management System 1.0
- CVE-2026-10171MEDIUMSQL Injection in code-projects Online Music Site 1.0 AdminUpdateAlbum.php
- CVE-2026-10176MEDIUMSQL Injection in Aider-AI Aider 0.86.3 Code Generation
- CVE-2026-10193MEDIUMSQL Injection in OFCMS ComnController – Authentication Required
- CVE-2026-10202MEDIUMOFCMS 1.1.3 SQL Injection in SystemDictController