CVE-2026-9829

The Photo Gallery by 10Web – Mobile-Friendly Image Gallery plugin for WordPress is vulnerable to time-based SQL Injection via 'compactalbumorderby' Shortcode Parameter in all versions up to, and including, 1.8.41 due to insufficient escaping on the user supplied parameter and lack of sufficient...

CVE-2026-9829 Photo Gallery by 10Web <= 1.8.41 - Authenticated (Contributor+) SQL Injection via 'compact_album_order_by' Shortcode Parameter

The Photo Gallery by 10Web – Mobile-Friendly Image Gallery plugin for WordPress is vulnerable to time-based SQL Injection via 'compactalbumorderby' Shortcode Parameter in all versions up to, and including, 1.8.41 due to insufficient escaping on the user supplied parameter and lack of sufficient...

CVE-2026-9829

CVE-2026-9829 affects the WordPress plugin Photo Gallery by 10Web – Mobile-Friendly Image Gallery up to version 1.8.41. The flaw is a time-based SQL Injection in the compact_album_order_by shortcode parameter caused by insufficient escaping and lack of parameterized queries. Exploitation requires...

WordPress 10Web Map Builder < 1.0.73 - Unauthenticated SQL Injection

The 10Web Map Builder for Google Maps WordPress plugin before 1.0.73 does not properly sanitise and escape some parameters before using them in an SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection id: CVE-2023-0037 info: name: WordPress 10Web Map...

10Web Booster < 2.24.18 - Unauthenticated Arbitrary Option Deletion

The 10Web Booster WordPress plugin before 2.24.18 does not validate the option name given to some AJAX actions, allowing unauthenticated users to delete arbitrary options from the database, leading to denial of service. id: CVE-2023-5559 info: name: 10Web Booster 2.24.18 - Unauthenticated Arbitra...

10Web Photo Gallery < 1.5.55 - SQL Injection

WordPress plugin 10Web Photo Gallery versions before 1.5.55 contains a SQL injection caused by unvalidated input in the 'bwgsearchx' parameter in frontend/models/model.php, letting attackers execute arbitrary SQL commands, exploit requires attacker to control the 'bwgsearchx' parameter. id:...

CVE-2026-49771

Improper Neutralization of Special Elements used in an SQL Command 'SQL Injection' vulnerability in 10Web Photo Gallery by 10Web allows Blind SQL Injection. This issue affects Photo Gallery by 10Web: from n/a through 1.8.41...

CVE-2026-49771

Improper Neutralization of Special Elements used in an SQL Command 'SQL Injection' vulnerability in 10Web Photo Gallery by 10Web allows Blind SQL Injection. This issue affects Photo Gallery by 10Web: from n/a through 1.8.41...

CVE-2026-49771 WordPress Photo Gallery by 10Web plugin <= 1.8.41 - SQL Injection vulnerability

Improper Neutralization of Special Elements used in an SQL Command 'SQL Injection' vulnerability in 10Web Photo Gallery by 10Web allows Blind SQL Injection. This issue affects Photo Gallery by 10Web: from n/a through 1.8.41...

CVE-2026-49771

Improper Neutralization of Special Elements used in an SQL Command 'SQL Injection' vulnerability in 10Web Photo Gallery by 10Web allows Blind SQL Injection. This issue affects Photo Gallery by 10Web: from n/a through 1.8.41...

CVE-2026-49771 WordPress Photo Gallery by 10Web plugin <= 1.8.41 - SQL Injection vulnerability

Improper Neutralization of Special Elements used in an SQL Command 'SQL Injection' vulnerability in 10Web Photo Gallery by 10Web allows Blind SQL Injection. This issue affects Photo Gallery by 10Web: from n/a through 1.8.41...

EUVD-2026-34240

Improper Neutralization of Special Elements used in an SQL Command 'SQL Injection' vulnerability in 10Web Photo Gallery by 10Web allows Blind SQL Injection. This issue affects Photo Gallery by 10Web: from n/a through 1.8.41...

CVE-2026-49771

Summary of CVE-2026-49771 : The WordPress Photo Gallery by 10Web plugin (versions up to 1.8.41) is affected by an SQL Injection vulnerability due to improper neutralization of special elements. The issue enables blind SQL injection. Details in connected documents specify the affected product and ...

WordPress Photo Gallery by 10Web plugin <= 1.8.41 - SQL Injection vulnerability

SQL Injection vulnerability discovered by daroo in WordPress Plugin Photo Gallery by 10Web versions = 1.8.41...

PT-2026-46174

Improper Neutralization of Special Elements used in an SQL Command 'SQL Injection' vulnerability in 10Web Photo Gallery by 10Web allows Blind SQL Injection. This issue affects Photo Gallery by 10Web: from n/a through 1.8.41...

EUVD-2026-32744

The Photo Gallery by 10Web – Mobile-Friendly Image Gallery plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'orderby' parameter in all versions up to, and including, 1.8.40 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation o...

CVE-2026-7048

The Photo Gallery by 10Web – Mobile-Friendly Image Gallery plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'orderby' parameter in all versions up to, and including, 1.8.40 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation o...

CVE-2026-7048 Photo Gallery by 10Web <= 1.8.40 - Authenticated (Contributor+) SQL Injection via 'order_by' Shortcode Attribute

The Photo Gallery by 10Web – Mobile-Friendly Image Gallery plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'orderby' parameter in all versions up to, and including, 1.8.40 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation o...

CVE-2026-7048 Photo Gallery by 10Web <= 1.8.40 - Authenticated (Contributor+) SQL Injection via 'order_by' Shortcode Attribute

The Photo Gallery by 10Web – Mobile-Friendly Image Gallery plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'orderby' parameter in all versions up to, and including, 1.8.40 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation o...

PT-2026-44217

The Photo Gallery by 10Web – Mobile-Friendly Image Gallery plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'order by' parameter in all versions up to, and including, 1.8.40 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation ...