CVE-2026-9829
Description
Time-based SQL Injection in Photo Gallery by 10Web plugin allows authenticated attackers to extract sensitive database information.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Versions of the Photo Gallery by 10Web WordPress plugin up to and including 1.8.41 are vulnerable to time-based SQL Injection. The flaw stems from insufficient escaping of the compact_album_order_by shortcode parameter and from building the SQL query without proper preparation. The injected query runs via the bwg_frontend_data AJAX handler, which unauthenticated users can call, but the malicious shortcode must first be saved through the shortcode_bwg AJAX handler, which is accessible to authenticated users with Contributor-level access or higher.
Exploitation
An attacker with Contributor-level access or higher can exploit this vulnerability. The attacker first crafts a malicious shortcode containing a time-based SQL injection payload in the compact_album_order_by parameter. This shortcode is then saved via the shortcode_bwg AJAX handler. Subsequently, an unauthenticated user can trigger the malicious payload by accessing the bwg_frontend_data AJAX handler, which processes the saved shortcode and executes the injected SQL query.
Impact
Successful exploitation allows an authenticated attacker with Contributor-level access to extract sensitive information from the WordPress database. Because the injection is time-based, the attacker infers data by measuring how long the database takes to respond, which can lead to the disclosure of user credentials, personal information, or other sensitive site data.
Mitigation
The vulnerability was fixed in version 1.8.42 of the Photo Gallery by 10Web plugin, released on 2026-05-29. Users are strongly advised to update to version 1.8.42 or later to mitigate this vulnerability. No workarounds are available for older versions. [3]
AI Insight generated on Jun 6, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=1.8.41
Patches
- r3553847
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- plugins.trac.wordpress.org/browser/photo-gallery/tags/1.8.40/admin/controllers/Shortcode.php
- plugins.trac.wordpress.org/browser/photo-gallery/tags/1.8.40/framework/WDWLibrary.php
- plugins.trac.wordpress.org/browser/photo-gallery/tags/1.8.40/frontend/models/model.php
- plugins.trac.wordpress.org/browser/photo-gallery/tags/1.8.40/photo-gallery.php
- plugins.trac.wordpress.org/browser/photo-gallery/tags/1.8.41/admin/controllers/Shortcode.php
- plugins.trac.wordpress.org/browser/photo-gallery/tags/1.8.41/framework/WDWLibrary.php
- plugins.trac.wordpress.org/browser/photo-gallery/tags/1.8.41/frontend/models/model.php
- plugins.trac.wordpress.org/browser/photo-gallery/tags/1.8.41/photo-gallery.php
- plugins.trac.wordpress.org/changeset/3553847
- www.wordfence.com/threat-intel/vulnerabilities/id/cae7dabd-ce43-43e3-9f67-b2de55bd720b
News mentions
No linked articles in our index yet.