Time-Based Blind SQL Injection in 10Web Photo Gallery Plugin for WordPress
CVE-2026-7048

6.5 MEDIUM

What is CVE-2026-7048?

The Photo Gallery by 10Web plugin for WordPress contains a time-based blind SQL injection vulnerability reachable by authenticated users with contributor-level access or higher. The cause is an insufficiently escaped 'order_by' parameter, which lets an attacker append additional SQL to the existing query. Because the parameter is reached through a shortcode, an attacker can place a crafted shortcode in a post or draft and extract sensitive information from the database when the shortcode is executed. Mitigation is to update the plugin to a release newer than the affected range (1.8.40 and earlier).
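The bug class described above, an ORDER BY clause built from a shortcode attribute, is easy to illustrate. The PHP below is an added example, not the plugin's own code: it assumes a hypothetical shortcode `[gallery_demo order_by="..."]` and a hypothetical table `{$wpdb->prefix}gallery_demo_images` with columns `id`, `filename` and `created_at`, and shows the vulnerable pattern beside a hardened version that maps the attribute onto a fixed allow-list of column names and sort directions.

```php
<?php
// Added illustration of the bug class, not code from the Photo Gallery plugin.
// Assumes a hypothetical shortcode [gallery_demo order_by="..." order="..."]
// and a hypothetical table {$wpdb->prefix}gallery_demo_images
// with columns id, filename and created_at.

// VULNERABLE PATTERN: the attribute value is spliced into the query as an
// identifier. esc_sql() only escapes quote characters; an ORDER BY expression is
// not quoted, so escaping does not contain it, and $wpdb->prepare() cannot
// parameterise identifiers at all. Whatever the attribute holds becomes SQL.
function demo_gallery_vulnerable( $atts ) {
    global $wpdb;
    $atts     = shortcode_atts( array( 'order_by' => 'id' ), $atts, 'gallery_demo' );
    $order_by = esc_sql( $atts['order_by'] ); // looks sanitised, is not sufficient here
    $sql      = "SELECT id, filename FROM {$wpdb->prefix}gallery_demo_images ORDER BY {$order_by}";
    return $wpdb->get_results( $sql );
}

// HARDENED PATTERN: translate the attribute through an allow-list. The query text
// can only ever contain strings defined in this function; the attribute itself
// is used as a lookup key and never reaches the SQL.
function demo_gallery_order_clause( $order_by, $order = 'asc' ) {
    $allowed_columns = array(
        'id'       => 'id',
        'filename' => 'filename',
        'date'     => 'created_at',
    );
    $column = isset( $allowed_columns[ $order_by ] ) ? $allowed_columns[ $order_by ] : 'id';
    $dir    = ( 'desc' === strtolower( (string) $order ) ) ? 'DESC' : 'ASC';
    return "`{$column}` {$dir}";
}

function demo_gallery_hardened( $atts ) {
    global $wpdb;
    $atts   = shortcode_atts( array( 'order_by' => 'id', 'order' => 'asc' ), $atts, 'gallery_demo' );
    $clause = demo_gallery_order_clause( $atts['order_by'], $atts['order'] );
    $sql    = "SELECT id, filename FROM {$wpdb->prefix}gallery_demo_images ORDER BY {$clause}";
    return $wpdb->get_results( $sql );
}

add_shortcode( 'gallery_demo', 'demo_gallery_hardened' );
```

WordPress core also ships `sanitize_sql_orderby()`, which rejects anything that does not look like `column [ASC|DESC]` syntax; it is a reasonable second line of defence, but an explicit allow-list as above is stricter because it also rules out valid-looking column names the code never intended to expose. The same reasoning applies to any identifier (table, column, direction) that comes from user-controlled input: parameterised queries protect values, and identifiers need an allow-list.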

Affected Version(s)

Photo Gallery by 10Web – Mobile-Friendly Image Gallery: all versions up to and including 1.8.40

CVSS v3.1

Score: 6.5
Severity: MEDIUM
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: High

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Or Benit