VYPR
Medium severity (6.5) · NVD Advisory · Published May 28, 2026

CVE-2026-7048

Description

The Photo Gallery by 10Web – Mobile-Friendly Image Gallery plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'order_by' parameter in all versions up to, and including, 1.8.40 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. This is exploitable by embedding a malicious shortcode in a post or draft, allowing the injected SQL to execute when the shortcode is rendered.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The Photo Gallery by 10Web plugin for WordPress (<=1.8.40) is vulnerable to time-based blind SQL injection via the 'order_by' shortcode parameter, allowing authenticated attackers with contributor-level access to extract database information.

Vulnerability

The Photo Gallery by 10Web – Mobile-Friendly Image Gallery plugin for WordPress versions up to and including 1.8.40 is vulnerable to time-based blind SQL injection in the order_by parameter of the gallery shortcode. The plugin fails to properly escape user-supplied input and does not prepare the SQL query adequately, allowing an attacker to inject arbitrary SQL fragments. The vulnerable code is present in the frontend controller's execute method, where the sort_by parameter is processed without sufficient sanitization [1][3]. The parameter is directly used in an SQL query, as seen in the handling of WDWLibrary::get('sortImagesByValue_' . $bwg) [3][4].

Exploitation

An authenticated attacker with at least contributor-level access to WordPress can exploit this vulnerability by embedding a malicious shortcode in a post or draft. When the shortcode is rendered, the attacker-controlled order_by parameter is processed, and the unsanitized input is appended to an existing SQL query. By using time-based payloads, the attacker can infer the contents of the database through blind SQL injection techniques. No additional privileges beyond contributor are required, and the attack does not require user interaction beyond the rendering of the crafted content.

Impact

Successful exploitation allows the attacker to extract sensitive information from the WordPress database, such as user credentials, session tokens, or other confidential data. The injection is limited to appending SQL queries within the existing query context, but this is sufficient for time-based data extraction. The attacker does not gain direct remote code execution or file write access, but the confidentiality of the database is compromised.

Mitigation

The vendor has released version 1.8.41, which addresses this vulnerability by fixing the insufficient escaping and lack of prepared statements [1][2]. Users should update the plugin to version 1.8.41 or later immediately. There are no known workarounds for sites that cannot update, and the plugin is not known to be listed in CISA's Known Exploited Vulnerabilities catalog as of the publication date.

AI Insight generated on May 28, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Vulnerability mechanics

Root cause

"Insufficient escaping of the 'order_by' user-supplied parameter and lack of prepared statement preparation in the SQL query allow time-based blind SQL injection."

Attack vector

An authenticated attacker with contributor-level access or above embeds a malicious Photo Gallery shortcode in a post or draft. When the shortcode is rendered, the plugin processes the 'order_by' parameter without proper escaping or parameterized queries, allowing the attacker to append arbitrary SQL. Because the injection is time-based and blind, the attacker extracts sensitive information by observing response delays. The attack requires no special network position beyond the ability to publish or save a post containing the crafted shortcode [ref_id=1].

Affected code

The bundle does not identify the specific function or file where the vulnerable SQL query resides. The reference write-up only points to the main plugin file (photo-gallery.php) for context but does not pinpoint the exact code path handling the 'order_by' parameter [ref_id=1].

What the fix does

The patch is not included in the bundle; however, the advisory indicates the vulnerability exists in all versions up to and including 1.8.40. The fix would need to properly escape the 'order_by' parameter and use prepared statements for the SQL query. The reference write-up does not show a specific patch diff, so no further detail on the remediation is available [ref_id=1].
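The remediation described in the Mitigation section and above (escaping the 'order_by' value and preparing the query) is easiest to see next to the bug class it addresses. The PHP below is an added illustration, not the plugin's code and not its patch: the table name demo_images, its column names, and the shortcode name demo_gallery are assumptions. One point worth knowing when fixing an ordering parameter: $wpdb->prepare() placeholders bind data values, so a column name used in ORDER BY is validated against a fixed allow-list and only the data value (the gallery id) goes through a placeholder.

```php
<?php
// Added illustration of the bug class and its fix. Not the plugin's code.
// Assumptions: a table {$wpdb->prefix}demo_images with columns id, filename,
// alt, date, order, gallery_id, and a shortcode named demo_gallery.

// VULNERABLE pattern: the shortcode attribute is concatenated into the SQL.
// A user who can save a post controls $atts['order_by'] completely, so the
// ORDER BY clause becomes an injection point (time-based blind here, because
// the query result is only rendered, not echoed with errors).
function demo_gallery_images_vulnerable( $atts ) {
    global $wpdb;
    $atts = shortcode_atts( array( 'order_by' => 'order' ), $atts, 'demo_gallery' );
    $sql  = "SELECT id, filename FROM {$wpdb->prefix}demo_images ORDER BY " . $atts['order_by'];
    return $wpdb->get_results( $sql );
}

// Allow-list check for an ordering column: returns the value only if it is one
// of the known column names, otherwise the default. Comparison is strict so a
// value like "0" cannot match loosely.
function demo_sanitize_order_column( $value, array $allowed, $default ) {
    return in_array( $value, $allowed, true ) ? $value : $default;
}

// Direction is normalised to one of two literals; anything else becomes ASC.
function demo_sanitize_order_direction( $value ) {
    return strtolower( (string) $value ) === 'desc' ? 'DESC' : 'ASC';
}

// HARDENED pattern: identifiers come from the allow-list, the data value is
// bound with a %d placeholder through $wpdb->prepare().
function demo_gallery_images_safe( $atts ) {
    global $wpdb;
    $atts = shortcode_atts(
        array( 'gallery_id' => 0, 'order_by' => 'order', 'order' => 'asc' ),
        $atts,
        'demo_gallery'
    );

    $allowed_columns = array( 'order', 'filename', 'alt', 'date' ); // assumed columns
    $column    = demo_sanitize_order_column( $atts['order_by'], $allowed_columns, 'order' );
    $direction = demo_sanitize_order_direction( $atts['order'] );

    $sql = $wpdb->prepare(
        "SELECT id, filename FROM {$wpdb->prefix}demo_images WHERE gallery_id = %d ORDER BY `{$column}` {$direction}",
        absint( $atts['gallery_id'] )
    );
    return $wpdb->get_results( $sql );
}
```

With the allow-list in place, a crafted 'order_by' value that is not one of the four column names silently falls back to the default column, and the only attacker-influenced token that reaches the query is an integer bound by the placeholder. WordPress 6.2 and later also provide the %i identifier placeholder in prepare(), which quotes a column name but does not restrict which column may be chosen, so the allow-list remains the essential control for an ordering parameter.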

Preconditions

  • Auth: Attacker must have contributor-level access or above to the WordPress site.
  • Input: Attacker must embed a malicious Photo Gallery shortcode with a crafted 'order_by' parameter in a post or draft.

Generated on May 28, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.