PatchSiren cyber security CVE debrief
CVE-2026-7048 10web CVE debrief
A time-based blind SQL injection vulnerability exists in the Photo Gallery by 10Web WordPress plugin. The flaw resides in the 'order_by' parameter where insufficient escaping and lack of query preparation allow authenticated attackers with contributor-level access or higher to inject malicious SQL. Attackers can exploit this by embedding a crafted shortcode in posts or drafts, which executes injected SQL when rendered. The vulnerability affects all versions up to and including 1.8.40. The CVSS 3.1 score of 6.5 (Medium) reflects network attack vector, low attack complexity, low privileges required, no user interaction, and high confidentiality impact with no integrity or availability impact. The CWE-89 classification confirms this as an SQL injection weakness. Multiple source code references point to affected files in both the 1.8.39 tagged release and trunk versions, including WDWLibrary.php, controller.php, and photo-gallery.php. The CVE was published and modified on May 28, 2026, with NVD status currently marked as Deferred. No known exploitation in ransomware campaigns has been documented, and the vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog.
- Vendor: 10web
- Product: Photo Gallery by 10Web – Mobile-Friendly Image Gallery
- CVSS: MEDIUM 6.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-28
- Original CVE updated: 2026-05-28
- Advisory published: 2026-05-28
- Advisory updated: 2026-05-28
Who should care
WordPress site administrators using Photo Gallery by 10Web plugin; security teams managing WordPress content management systems; organizations with contributor-level user access on WordPress installations; web application security professionals monitoring plugin vulnerabilities
Technical summary
The Photo Gallery by 10Web plugin fails to properly sanitize and prepare the 'order_by' parameter before using it in SQL queries. Authenticated users with contributor or higher privileges can inject time-based blind SQL payloads through malicious shortcodes embedded in posts or drafts. When the shortcode renders, the injected SQL executes against the database, enabling extraction of sensitive information. The affected code spans the plugin's query handling in WDWLibrary.php, the frontend controller logic, and the main plugin file.
Defensive priority
medium
Recommended defensive actions
- Update Photo Gallery by 10Web plugin to version 1.8.41 or later when available
- Review and restrict contributor-level and above user accounts to trusted personnel
- Implement Web Application Firewall (WAF) rules to detect and block SQL injection patterns in shortcode parameters
- Audit existing posts and drafts for suspicious shortcode usage containing order_by parameters
- Enable database query logging to detect anomalous SQL execution patterns
- Apply principle of least privilege for WordPress user roles
- Monitor for unauthorized database access attempts through application logs
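As an added example (not code from the plugin or from PatchSiren), the following Python shows the two defensive points above in working form: why an 'order_by' value has to be mapped onto a closed allow-list rather than escaped or bound (placeholders bind values, not identifiers), and how the audit step in the recommended actions can be run over post and draft content to flag gallery shortcodes whose order_by would not pass that allow-list. The column allow-list, the `gallery_demo` shortcode tag, the in-memory table and the sample posts are constructed assumptions; the plugin's real shortcode name and column set are not given on this page.

```python
"""Added example (not the plugin's or PatchSiren's code): allow-list an order_by value
and audit post content for gallery shortcodes whose order_by would not pass it."""
import re
import sqlite3
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple

# Hypothetical allow-list. The real plugin's sortable columns are not stated on the page;
# a deployment would substitute its own fixed set of column names.
ALLOWED_ORDER_COLUMNS = {"id", "name", "filename", "date"}
ALLOWED_DIRECTIONS = {"asc", "desc"}

# WordPress shortcode shape: [tag key="value" key2='value' key3=value]
SHORTCODE_RE = re.compile(r"\[(?P<tag>[A-Za-z0-9_-]+)(?P<attrs>[^\]]*)\]")
ATTR_RE = re.compile(
    r"(?P<key>[A-Za-z0-9_-]+)\s*=\s*"
    r"(?:\"(?P<dq>[^\"]*)\"|'(?P<sq>[^']*)'|(?P<bare>[^\s\]]+))"
)


def safe_order_by(raw: str) -> Optional[str]:
    """Map a user-supplied sort request onto a fixed column/direction, or return None.

    Prepared-statement placeholders only bind *values*; an ORDER BY column is an
    identifier and cannot be bound, so escaping alone is not enough. The sound fix is
    to accept only names from a closed set and rebuild the clause from them.
    """
    parts = raw.strip().lower().split()
    if not parts or len(parts) > 2:
        return None
    column = parts[0]
    direction = parts[1] if len(parts) == 2 else "asc"
    if column not in ALLOWED_ORDER_COLUMNS or direction not in ALLOWED_DIRECTIONS:
        return None
    return f"`{column}` {direction.upper()}"


def fetch_gallery_images(conn: sqlite3.Connection, gallery_id: int, raw_order_by: str) -> List[Tuple[int, str]]:
    """Hardened query: the gallery id is bound with a placeholder, the ORDER BY identifier
    comes from safe_order_by(), and anything off the allow-list falls back to a fixed
    default instead of being echoed into the SQL text."""
    clause = safe_order_by(raw_order_by) or "`id` ASC"
    sql = f"SELECT id, name FROM images WHERE gallery_id = ? ORDER BY {clause}"
    return conn.execute(sql, (gallery_id,)).fetchall()


@dataclass
class Finding:
    post_id: int
    tag: str
    order_by: str


def audit_posts(posts: Iterable[Tuple[int, str]], gallery_tags: Set[str]) -> List[Finding]:
    """Scan post/draft content for gallery shortcodes whose order_by is not allow-listed.
    This is the audit step from the recommended actions: any value that would have
    reached the query unvalidated is reported for review."""
    findings: List[Finding] = []
    for post_id, content in posts:
        for sc in SHORTCODE_RE.finditer(content):
            if sc.group("tag").lower() not in gallery_tags:
                continue
            for attr in ATTR_RE.finditer(sc.group("attrs")):
                if attr.group("key").lower() != "order_by":
                    continue
                value = attr.group("dq") or attr.group("sq") or attr.group("bare") or ""
                if value and safe_order_by(value) is None:
                    findings.append(Finding(post_id, sc.group("tag"), value))
    return findings


# Constructed sample data; "gallery_demo" is a placeholder shortcode tag, not the plugin's.
SAMPLE_POSTS = [
    (101, 'Holiday photos [gallery_demo id="3" order_by="date desc"]'),
    (102, '<p>Draft</p> [gallery_demo id="3" order_by="name AND SLEEP(5)"]'),
    (103, "[gallery_demo id='7' order_by='filename'] [other_tag order_by='x; y']"),
]


def demo_connection() -> sqlite3.Connection:
    """In-memory table standing in for the plugin's image table (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE images (id INTEGER, gallery_id INTEGER, name TEXT, filename TEXT, date TEXT)")
    conn.executemany(
        "INSERT INTO images VALUES (?, ?, ?, ?, ?)",
        [(1, 3, "beach", "b.jpg", "2026-01-02"),
         (2, 3, "alps", "a.jpg", "2026-01-01"),
         (3, 4, "city", "c.jpg", "2026-01-03")],
    )
    return conn


if __name__ == "__main__":
    for f in audit_posts(SAMPLE_POSTS, {"gallery_demo"}):
        print(f"post {f.post_id}: [{f.tag}] order_by={f.order_by!r} is not on the allow-list")
    conn = demo_connection()
    print(fetch_gallery_images(conn, 3, "name asc"))
    print(fetch_gallery_images(conn, 3, "name AND SLEEP(5)"))  # falls back to `id` ASC
```

Run against a real site, `SAMPLE_POSTS` would be replaced by `post_content` rows pulled from `wp_posts` (including drafts), and the allow-list by the plugin's actual column names after the update; any finding is a post to inspect, not proof of compromise, since legitimate but mistyped values fail the same check.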
Evidence notes
Vulnerability confirmed through the Wordfence security advisory and source code analysis of the WordPress plugin repository. Multiple file locations identified in both the tagged release (1.8.39) and trunk versions. CVSS vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N sourced from the official Wordfence submission. CWE-89 (SQL Injection) weakness classification supplied by the submitting contact (e-mail address not preserved in the stored evidence).
Official resources
2026-05-28