CVE-2026-9829 in Photo Gallery Plugin
Summary
by MITRE • 06/06/2026
The Photo Gallery by 10Web – Mobile-Friendly Image Gallery plugin for WordPress is vulnerable to time-based SQL Injection via 'compact_album_order_by' Shortcode Parameter in all versions up to, and including, 1.8.41 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. The malicious payload is stored via the 'shortcode_bwg' AJAX handler — accessible to Contributor-level users and exploitable without a valid nonce by omitting the 'page' parameter — and is subsequently triggered by the unauthenticated 'bwg_frontend_data' AJAX handler, meaning successful exploitation requires only that an attacker has Contributor-level access to save the shortcode.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 06/06/2026
This vulnerability exists within the Photo Gallery by 10Web WordPress plugin, specifically affecting versions through 1.8.41, and represents a critical time-based sql injection flaw that undermines database security. The vulnerability stems from insufficient input sanitization and parameter preparation within the plugin's shortcode handling mechanism, creating a pathway for authenticated attackers to manipulate database queries through the 'compact_album_order_by' parameter. The flaw operates through a sophisticated attack vector that leverages the plugin's ajax handlers to execute malicious payloads, making it particularly dangerous as it requires minimal privileges to exploit.
The technical implementation of this vulnerability follows a well-established pattern of sql injection where the attacker crafts a malicious payload that gets processed through the 'shortcode_bwg' ajax endpoint, which lacks proper nonce validation and accepts contributor-level user access. This endpoint serves as the initial infection point where the malicious shortcode is stored, and the subsequent execution occurs through the 'bwg_frontend_data' ajax handler that can be triggered without authentication. The time-based nature of the injection allows attackers to extract data through response timing variations, making detection more challenging while providing extensive information gathering capabilities.
From an operational perspective, the impact of this vulnerability extends beyond simple data theft, as it enables attackers to perform extensive database reconnaissance and potentially escalate privileges within the compromised WordPress environment. The requirement for only contributor-level access significantly broadens the attack surface, as many WordPress installations maintain contributor accounts for various administrative tasks, making this vulnerability particularly attractive to threat actors. The vulnerability's persistence through the ajax handler mechanism means that once the malicious shortcode is saved, it can be triggered repeatedly without additional authentication, creating a sustained threat vector.
The vulnerability aligns with CWE-89, which specifically addresses sql injection flaws, and demonstrates characteristics consistent with ATT&CK technique T1078.004 for valid accounts and T1566.001 for credential access through web applications. The attack chain follows a logical progression from initial access through payload storage to execution, with the attacker leveraging the plugin's legitimate functionality to bypass security controls. This vulnerability type represents a common pattern in web application security where insufficient input validation creates opportunities for attackers to manipulate application behavior through carefully crafted malicious inputs.
Organizations should implement immediate mitigations including plugin updates to versions that address the sql injection vulnerability, along with comprehensive monitoring of ajax endpoint activity for suspicious patterns. Access controls should be reviewed to ensure that only necessary users maintain contributor privileges, and database query logging should be enabled to detect potential exploitation attempts. The vulnerability also highlights the importance of proper input sanitization and parameter preparation practices, which should be enforced throughout the application's codebase to prevent similar issues from occurring in other components. Regular security audits of third-party plugins and maintaining up-to-date security patches form essential defensive measures against this class of vulnerability.