Skip to main content

Photo Gallery by 10Web CVE-2026-49771

| EUVDEUVD-2026-34240 HIGH
SQL Injection (CWE-89)
2026-06-04 Patchstack GHSA-v23c-9h67-3h55
7.6
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.6 HIGH
AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jun 04, 2026 - 10:20 vuln.today

DescriptionCVE.org

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in 10Web Photo Gallery by 10Web allows Blind SQL Injection.

This issue affects Photo Gallery by 10Web: from n/a through 1.8.41.

AnalysisAI

Blind SQL injection in the Photo Gallery by 10Web WordPress plugin (versions up to and including 1.8.41) allows high-privileged authenticated users to inject crafted SQL fragments into a vulnerable query, exfiltrate database contents, and affect availability. CVSS 7.6 (Scope:Changed) reflects the cross-component impact possible from a successful injection within the WordPress database context. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Technical ContextAI

The flaw is a CWE-89 (Improper Neutralization of Special Elements used in an SQL Command) defect in the Photo Gallery by 10Web plugin, identified by CPE cpe:2.3:a:10web:photo_gallery_by_10web. The plugin embeds user-controllable input into a SQL statement without sufficient sanitization or parameterization, and because the response does not directly echo query results, exploitation is 'blind' - attackers infer data through time-based or boolean-based side channels. The vulnerable code path is reachable only after authenticating to WordPress with elevated permissions, indicating the affected endpoint is gated behind an admin-area or capability-restricted handler typical of WordPress plugin AJAX/admin actions.

RemediationAI

Patch status from available data: Patch available per vendor advisory - upgrade Photo Gallery by 10Web to the version released after 1.8.41 as published by the vendor and tracked on the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/photo-gallery/vulnerability/wordpress-photo-gallery-by-10web-plugin-1-8-41-sql-injection-vulnerability; the exact fixed release number was not included in the input data and should be confirmed against the plugin's changelog on wordpress.org before deploying. Until the update is applied, compensating controls include deactivating the Photo Gallery plugin (trade-off: removes gallery functionality from the site), tightly restricting which accounts hold administrator or editor-equivalent roles required to reach the vulnerable endpoint, and placing the WordPress admin area behind a Web Application Firewall ruleset that inspects plugin AJAX/admin requests for SQL metacharacters (trade-off: WAF rules may produce false positives on legitimate gallery management). Enable database query logging or a Patchstack/Wordfence virtual-patch subscription as an interim detection layer.

Share

CVE-2026-49771 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy