PatchSiren cyber security CVE debrief
CVE-2026-9829 10web CVE debrief
The Photo Gallery by 10Web – Mobile-Friendly Image Gallery plugin for WordPress is vulnerable to time-based SQL Injection via 'compact_album_order_by' Shortcode Parameter in all versions up to, and including, 1.8.41. This vulnerability is due to insufficient escaping on the user-supplied parameter and a lack of sufficient preparation on the existing SQL query. Authenticated attackers with contributor-level access and above can exploit this vulnerability to append additional SQL queries into existing queries, which can be used to extract sensitive information from the database. The malicious payload is stored via the 'shortcode_bwg' AJAX handler, accessible to Contributor-level users and exploitable without a valid nonce by omitting the 'page' parameter. The payload is subsequently triggered by the unauthenticated 'bwg_frontend_data' AJAX handler. Successful exploitation requires only that an attacker has Contributor-level access to save the shortcode.
- Vendor: 10web
- Product: Photo Gallery by 10Web – Mobile-Friendly Image Gallery
- CVSS: MEDIUM 6.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-06
- Original CVE updated: 2026-06-08
- Advisory published: 2026-06-06
- Advisory updated: 2026-06-08
Who should care
Operators of WordPress sites running the Photo Gallery by 10Web plugin should be aware of this vulnerability and take steps to mitigate it, especially where Contributor-level or higher accounts are granted to users who are not fully trusted, since that access level is all an attacker needs to store the malicious shortcode.
Technical summary
The vulnerability lies in the 'compact_album_order_by' shortcode parameter of the Photo Gallery by 10Web plugin: the parameter value is stored through the 'shortcode_bwg' AJAX handler and later reaches an SQL query without sufficient escaping or preparation when the unauthenticated 'bwg_frontend_data' handler processes it. The CVSS score for this vulnerability is 6.5, with a severity rating of MEDIUM. The flaw allows time-based SQL injection, enabling attackers to extract sensitive information from the database.
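As an added illustration of the bug class described above (this is not the plugin's own code), the following PHP contrasts an ORDER BY clause built directly from a shortcode attribute with one built from an allow-list. The table name, column names and function names are assumptions made for the example.

```php
<?php
// Added illustration, not the plugin's code. Table and column names are
// assumptions. The point: an ORDER BY column is an identifier, so string
// escaping does not protect it; the value must be validated against a
// fixed set of known-good names before it reaches the query.

// Vulnerable pattern: the shortcode attribute is interpolated verbatim,
// so any text the attribute holds becomes part of the SQL statement.
function vulnerable_album_query(string $order_by, string $order): string
{
    return "SELECT id, name FROM albums ORDER BY {$order_by} {$order}";
}

// Hardened pattern: map the supplied attribute onto an allow-list of
// columns and directions; anything unknown falls back to a safe default.
const ALBUM_ORDER_COLUMNS = [
    'id'    => 'id',
    'name'  => 'name',
    'order' => 'sort_order',
];
const ALBUM_ORDER_DIRECTIONS = ['asc' => 'ASC', 'desc' => 'DESC'];

function safe_order_clause(string $order_by, string $order): string
{
    $column    = ALBUM_ORDER_COLUMNS[strtolower(trim($order_by))] ?? 'sort_order';
    $direction = ALBUM_ORDER_DIRECTIONS[strtolower(trim($order))] ?? 'ASC';
    return "ORDER BY {$column} {$direction}";
}

function hardened_album_query(string $order_by, string $order): string
{
    return 'SELECT id, name FROM albums ' . safe_order_clause($order_by, $order);
}

// Constructed inputs: a legitimate column name and an arbitrary string
// that is not a column name. The vulnerable query carries the second
// input into the statement unchanged; the hardened one never does.
foreach (['name', 'not_a_column; extra text'] as $input) {
    echo vulnerable_album_query($input, 'desc'), PHP_EOL;
    echo hardened_album_query($input, 'desc'), PHP_EOL;
}
```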
Defensive priority
High
Recommended defensive actions
- Update the Photo Gallery by 10Web plugin to a version beyond 1.8.41.
- Restrict access to the 'shortcode_bwg' AJAX handler to prevent unauthorized users from saving malicious shortcodes.
- Monitor database activity for suspicious queries that may indicate exploitation attempts.
Evidence notes
Evidence for this vulnerability comes from the National Vulnerability Database (NVD) and Wordfence security research.
Official resources
CVE-2026-9829 was published on 2026-06-06T05:16:29.917Z and modified on 2026-06-08T14:57:14.757Z.