CVE-2026-1036 Overview
The Photo Gallery by 10Web – Mobile-Friendly Image Gallery plugin for WordPress contains a missing authorization vulnerability (CWE-862) in the delete_comment() function. This security flaw affects all versions up to and including 1.8.36, allowing unauthenticated attackers to delete arbitrary image comments without proper capability checks. The vulnerability is specific to the Pro version of the plugin where comments functionality is available.
Critical Impact
Unauthenticated attackers can perform unauthorized data modification by deleting image comments, potentially disrupting user engagement and content integrity on affected WordPress sites.
Affected Products
- Photo Gallery by 10Web (WordPress Plugin) versions up to and including 1.8.36
- Photo Gallery by 10Web Pro (with comments functionality enabled)
Discovery Timeline
- January 22, 2026 - CVE-2026-1036 published to NVD
- January 22, 2026 - Last updated in NVD database
Technical Details for CVE-2026-1036
Vulnerability Analysis
This vulnerability stems from a missing capability check in the delete_comment() function located in BWGControllerGalleryBox.php. The function processes comment deletion requests without verifying whether the requesting user has appropriate WordPress capabilities to perform such actions. This broken access control allows any unauthenticated visitor to invoke the comment deletion functionality.
The attack requires no user interaction and can be performed remotely over the network. While the vulnerability does not allow attackers to read sensitive data or disrupt service availability, it enables unauthorized modification of content by removing image comments from the gallery.
Root Cause
The root cause is a missing capability check (CWE-862 - Missing Authorization) in the delete_comment() function. WordPress plugins should implement proper capability checks using functions like current_user_can() before performing privileged operations. The vulnerable code path in BWGControllerGalleryBox.php at line 173 fails to validate user permissions before executing the comment deletion operation.
Attack Vector
The vulnerability is exploitable over the network by unauthenticated attackers. An attacker can craft HTTP requests targeting the delete_comment() function endpoint, specifying arbitrary comment IDs for deletion. Since no authentication or authorization checks are performed, the plugin processes these requests and removes the targeted comments from the database.
The attack flow involves:
- Identifying a WordPress site running the vulnerable Photo Gallery by 10Web Pro plugin
- Enumerating or guessing comment IDs associated with gallery images
- Sending crafted requests to the delete_comment endpoint without authentication
- The plugin processes the request and removes the specified comment
Technical details and source code analysis are available through the WordPress Photo Gallery Source and Wordfence Vulnerability Analysis.
Detection Methods for CVE-2026-1036
Indicators of Compromise
- Unexpected or unexplained deletion of image gallery comments
- Web server logs showing unauthorized requests to gallery comment deletion endpoints
- Database audit logs indicating comment deletions without corresponding admin activity
- User reports of missing comments on gallery images
Detection Strategies
- Monitor web application logs for requests to the Photo Gallery plugin endpoints containing comment deletion parameters
- Implement file integrity monitoring on the Photo Gallery plugin files to detect unauthorized modifications
- Review WordPress activity logs for comment deletion events that lack corresponding authenticated admin sessions
- Deploy web application firewall rules to detect and alert on suspicious parameter patterns targeting gallery functions
Monitoring Recommendations
- Enable comprehensive logging for all WordPress AJAX and REST API requests
- Set up alerts for bulk comment deletion activity or deletions occurring outside normal administrative hours
- Monitor for sequential or patterned comment ID access that may indicate enumeration attempts
- Correlate gallery comment deletion events with authenticated user sessions to identify unauthorized activity
How to Mitigate CVE-2026-1036
Immediate Actions Required
- Update Photo Gallery by 10Web plugin to a version newer than 1.8.36 that includes the security fix
- Temporarily disable the comments functionality in Photo Gallery Pro settings until the patch is applied
- Review gallery comments for any unauthorized deletions and restore from backup if necessary
- Implement web application firewall rules to restrict access to the vulnerable endpoint
Patch Information
Update the Photo Gallery by 10Web plugin to the latest available version through the WordPress admin dashboard or by downloading directly from the WordPress Plugin Directory. The fix should implement proper capability checks using WordPress's current_user_can() function to verify user authorization before processing comment deletion requests.
For detailed vulnerability information and patch verification, refer to the Wordfence Vulnerability Analysis.
Workarounds
- Disable the Photo Gallery Pro comments feature until the official patch is applied
- Implement server-level access restrictions to the plugin's AJAX endpoints for unauthenticated users
- Use a web application firewall to block requests matching comment deletion patterns from unauthenticated sources
- Consider temporarily reverting to a gallery solution that does not expose unauthenticated endpoints
# WordPress CLI command to check plugin version
wp plugin list --name=photo-gallery --fields=name,version,status
# Update the plugin via WP-CLI
wp plugin update photo-gallery
# Temporarily deactivate if update not available
wp plugin deactivate photo-gallery
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
