CVE-2026-7048 Overview
CVE-2026-7048 is a time-based blind SQL injection vulnerability in the Photo Gallery by 10Web – Mobile-Friendly Image Gallery plugin for WordPress. The flaw affects all versions up to and including 1.8.40. The vulnerability resides in the order_by parameter, which is processed without sufficient escaping or query preparation. Authenticated attackers with contributor-level access or above can append arbitrary SQL to existing queries by embedding a malicious shortcode in a post or draft. When the shortcode renders, the injected SQL executes against the WordPress database, enabling extraction of sensitive data.
Critical Impact
Authenticated contributors can exfiltrate database contents — including user credentials, session tokens, and configuration secrets — through time-based blind SQL injection delivered via WordPress shortcodes.
Affected Products
- Photo Gallery by 10Web – Mobile-Friendly Image Gallery plugin for WordPress
- All versions up to and including 1.8.40
- WordPress sites permitting contributor-level (or higher) user registration
Discovery Timeline
- 2026-05-28 - CVE-2026-7048 published to NVD
- 2026-05-28 - Last updated in NVD database
Technical Details for CVE-2026-7048
Vulnerability Analysis
The vulnerability is classified as [CWE-89] Improper Neutralization of Special Elements used in an SQL Command. The plugin accepts the order_by parameter from user-controlled input and concatenates it into an SQL query without proper escaping or use of wpdb::prepare() placeholders. Because the injection point is an ORDER BY clause, standard UNION-based extraction is constrained, so attackers rely on time-based blind techniques using payloads such as SLEEP() or BENCHMARK() to infer data one character at a time.
The vulnerable code paths reside in framework/WDWLibrary.php and frontend/controllers/controller.php, where the order_by value flows into the query construction logic. Confidentiality impact is high while integrity and availability are unaffected, consistent with a read-only data extraction primitive.
Root Cause
The root cause is insufficient input validation and the absence of parameterized queries for the order_by parameter. WordPress's wpdb API supports placeholder-based query preparation through wpdb::prepare(), but the plugin builds the ORDER BY clause by direct string concatenation. Because a sort column is an identifier rather than a value, it cannot be passed through the standard %s or %d placeholders (which emit a quoted string literal or an integer), so developers must explicitly allowlist the permitted column names and sort directions — a control absent from the affected versions.
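The following is an added illustration of the root cause and its fix; it is not code from the Photo Gallery plugin or from the vendor changeset. The table name, the column allowlist and every function name are hypothetical, since the page does not give the plugin's actual query code. It shows the concatenation pattern side by side with an allowlist-based ORDER BY builder, and why wpdb::prepare() alone does not solve the problem.

```php
<?php
// Added example, not the plugin's code. Table name, column list and function
// names are hypothetical; only the pattern and the control are the point.

// VULNERABLE pattern: the sort key comes from a shortcode attribute and is
// concatenated into the statement. Everything after "ORDER BY" is parsed as
// SQL, so a value carrying a time-delay function becomes part of the query.
function gallery_images_sql_vulnerable( string $table, string $order_by ): string {
    return "SELECT id, filename FROM {$table} ORDER BY " . $order_by;
}

// HARDENED: map the attribute onto a fixed set of identifiers. wpdb::prepare()
// cannot help with this fragment: %s would emit a quoted literal ('filename'),
// which sorts every row by the same constant, and %d only accepts integers.
// Identifiers and the ASC/DESC keyword therefore have to be allowlisted.
function gallery_order_by_clause( string $order_by, string $order = 'asc' ): string {
    $allowed_columns = array( 'id', 'filename', 'alt', 'date', 'order' ); // hypothetical
    $column    = in_array( $order_by, $allowed_columns, true ) ? $order_by : 'order';
    $direction = ( 'desc' === strtolower( $order ) ) ? 'DESC' : 'ASC';
    // Backticks only matter for reserved words such as `order`; the value has
    // already been constrained to the allowlist, which is the real control.
    return "ORDER BY `{$column}` {$direction}";
}

function gallery_images_sql_hardened( string $table, string $order_by, string $order ): string {
    return "SELECT id, filename FROM {$table} " . gallery_order_by_clause( $order_by, $order );
}

// Inside WordPress the row filter stays parameterised via wpdb::prepare(); only
// the ORDER BY fragment is assembled from allowlisted pieces. The wpdb class and
// the ARRAY_A constant are assumed to come from WordPress core.
function gallery_images_fetch( wpdb $wpdb, int $gallery_id, string $order_by, string $order ): array {
    $table = $wpdb->prefix . 'gallery_images'; // hypothetical table name
    $sql   = $wpdb->prepare(
        "SELECT id, filename FROM {$table} WHERE gallery_id = %d ",
        $gallery_id
    ) . gallery_order_by_clause( $order_by, $order );
    return (array) $wpdb->get_results( $sql, ARRAY_A );
}

// Stand-alone demonstration (no WordPress needed) with an attribute value that
// is not a column name. The vulnerable builder passes it through verbatim; the
// hardened builder falls back to the default column and a fixed direction.
$untrusted = 'filename, SLEEP(5)';
echo gallery_images_sql_vulnerable( 'wp_gallery_images', $untrusted ), PHP_EOL;
echo gallery_images_sql_hardened( 'wp_gallery_images', $untrusted, 'desc' ), PHP_EOL;
```

The design choice worth noting is that the fallback is a known-good default rather than an error: a shortcode with a bad order_by still renders, but it can no longer influence the query text. Rejecting the value with an error is equally valid; what matters is that no untrusted byte reaches the ORDER BY clause.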
Attack Vector
Exploitation requires an authenticated session with contributor privileges or higher. The attacker creates or edits a post or draft and embeds the plugin's shortcode with a crafted order_by attribute containing a SQL payload. When the post is rendered — for example, during a preview or after publication — the shortcode handler executes the tainted query. Time-based responses indicate truth values, allowing iterative extraction of sensitive database content such as the wp_users table.
No verified public proof-of-concept code is referenced in the advisory. Technical analysis is available in the Wordfence Vulnerability Report and the vendor changeset.
Detection Methods for CVE-2026-7048
Indicators of Compromise
- Database query logs containing SLEEP(, BENCHMARK(, or WAITFOR DELAY within ORDER BY clauses originating from the Photo Gallery plugin.
- Anomalously long page render times on posts containing the plugin's shortcode.
- Post or draft content authored by contributor-level accounts that embeds the plugin shortcode with unusual order_by attribute values.
- Unexpected database errors referencing the plugin's frontend controller in PHP error logs.
Detection Strategies
- Review WordPress audit logs for contributor-level accounts creating or editing posts that include the Photo Gallery shortcode.
- Enable MySQL general query logging or slow query logging and alert on queries from the plugin containing time-delay functions.
- Deploy a web application firewall rule that inspects POST bodies for shortcode attributes carrying SQL keywords such as UNION, SELECT, SLEEP, or IF(.
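The query-log strategy above can be reduced to a small classifier. The script below is an added example, not part of the advisory, and operates on MySQL general-log lines constructed inline for the demonstration. It flags only statements where a time-delay function appears after ORDER BY, so an ordinary SELECT SLEEP(0) health check is not reported; the same classifier can be fed the SQL text extracted from slow-log entries, which use a different header format.

```php
<?php
// Added example, not from the advisory or the vendor. Scans MySQL general-log
// lines (constructed below) for ORDER BY clauses that carry a time-delay
// function, the indicator listed in this section.

const DELAY_FUNCTIONS = '/\b(?:SLEEP|BENCHMARK)\s*\(|\bWAITFOR\s+DELAY\b/i';

// Return the text after ORDER BY, or null when the statement has no such clause.
function order_by_tail( string $sql ): ?string {
    return preg_match( '/\bORDER\s+BY\b(.*)$/is', $sql, $m ) ? $m[1] : null;
}

// A statement is suspicious when a delay primitive sits inside the ORDER BY tail.
function is_time_based_order_by( string $sql ): bool {
    $tail = order_by_tail( $sql );
    return null !== $tail && 1 === preg_match( DELAY_FUNCTIONS, $tail );
}

// Parse one general-log line: "<time>\t<thread_id> <command>\t<argument>".
function parse_general_log_line( string $line ): ?array {
    if ( ! preg_match( '/^(\S+)\s+(\d+)\s+(\w+)\t(.*)$/s', $line, $m ) ) {
        return null;
    }
    return array( 'time' => $m[1], 'thread' => (int) $m[2], 'command' => $m[3], 'arg' => $m[4] );
}

// Walk a block of log text and return the statements worth alerting on.
// "Query" covers wpdb's mysqli_query() path; "Execute" covers server-side
// prepared statements, should another component use them.
function find_suspicious_queries( string $log ): array {
    $hits = array();
    foreach ( preg_split( '/\R/', $log ) as $line ) {
        $entry = parse_general_log_line( $line );
        if ( null === $entry || ! in_array( $entry['command'], array( 'Query', 'Execute' ), true ) ) {
            continue;
        }
        if ( is_time_based_order_by( $entry['arg'] ) ) {
            $hits[] = $entry;
        }
    }
    return $hits;
}

// Constructed sample log lines (tabs separate the fields as in a real general log).
$constructed_log_lines = array(
    "2026-05-28T10:15:01.000001Z\t   42 Connect\twp_user@localhost on wordpress using Socket",
    "2026-05-28T10:15:01.000120Z\t   42 Query\tSELECT id, filename FROM wp_gallery_images WHERE gallery_id = 3 ORDER BY `order` ASC",
    "2026-05-28T10:15:02.000310Z\t   43 Query\tSELECT id, filename FROM wp_gallery_images WHERE gallery_id = 3 ORDER BY filename, SLEEP(5)",
    "2026-05-28T10:15:03.000415Z\t   43 Query\tSELECT SLEEP(0)",
    "2026-05-28T10:15:09.000998Z\t   44 Query\tSELECT id FROM wp_gallery_images ORDER BY BENCHMARK(5000000, MD5(1))",
    "2026-05-28T10:15:09.001000Z\t   44 Quit\t",
);

foreach ( find_suspicious_queries( implode( PHP_EOL, $constructed_log_lines ) ) as $hit ) {
    printf( "[%s] thread %d: %s%s", $hit['time'], $hit['thread'], $hit['arg'], PHP_EOL );
}
```

On a production server the general log is expensive; the slow query log with long_query_time set below the delay an attacker would need (one second or less) captures the same statements at far lower cost, because a successful time-based probe is by definition a slow query.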
Monitoring Recommendations
- Monitor the wp_posts table for newly created drafts containing the plugin shortcode from non-administrator accounts.
- Track HTTP response latency on endpoints that render plugin shortcodes; sustained multi-second responses warrant investigation.
- Audit WordPress role assignments to identify unexpected contributor or author accounts that could be used for exploitation.
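The wp_posts monitoring item and the earlier indicator about unusual order_by attribute values can be checked with a content audit. The script below is an added example and not the plugin's or the advisory's code; the shortcode tag [gallery_shortcode ...], the column allowlist and the sample post rows are all hypothetical, because the page does not name the plugin's tag or sortable columns. It extracts the shortcode's attributes from post content and reports any order_by that is not a plain allowlisted column name, together with the author's role and post status.

```php
<?php
// Added example, not code from the plugin or the advisory. The shortcode tag,
// the allowlist and the sample posts are hypothetical and constructed here.

const SHORTCODE_TAG    = 'gallery_shortcode';
const ALLOWED_ORDER_BY = array( 'id', 'filename', 'alt', 'date', 'order' );

// Parse [tag a="1" b='2' c=3] attributes into a lower-cased key/value array.
function parse_shortcode_atts( string $atts ): array {
    $out = array();
    preg_match_all( '/(\w+)\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|(\S+))/', $atts, $matches, PREG_SET_ORDER );
    foreach ( $matches as $a ) {
        // Exactly one of the three value groups matched; trailing unmatched
        // groups are absent from the array, hence the null coalescing.
        $value = ( $a[2] ?? '' ) !== '' ? $a[2] : ( ( $a[3] ?? '' ) !== '' ? $a[3] : ( $a[4] ?? '' ) );
        $out[ strtolower( $a[1] ) ] = $value;
    }
    return $out;
}

// Return the attribute arrays of every [gallery_shortcode ...] in the content.
function extract_gallery_shortcodes( string $content ): array {
    $tag = preg_quote( SHORTCODE_TAG, '/' );
    preg_match_all( '/\[' . $tag . '\b([^\]]*)\]/i', $content, $m );
    return array_map( 'parse_shortcode_atts', $m[1] );
}

// Anything that is not exactly an allowlisted column name is reportable.
function is_suspicious_order_by( string $value ): bool {
    return ! in_array( strtolower( trim( $value ) ), ALLOWED_ORDER_BY, true );
}

// $posts: rows shaped like wp_posts joined to the author's role. Every hit is
// reported; the role lets the reviewer prioritise non-administrator authors.
function audit_posts( array $posts ): array {
    $findings = array();
    foreach ( $posts as $post ) {
        foreach ( extract_gallery_shortcodes( $post['post_content'] ) as $atts ) {
            if ( isset( $atts['order_by'] ) && is_suspicious_order_by( $atts['order_by'] ) ) {
                $findings[] = array(
                    'ID'       => $post['ID'],
                    'author'   => $post['post_author'],
                    'role'     => $post['role'],
                    'status'   => $post['post_status'],
                    'order_by' => $atts['order_by'],
                );
            }
        }
    }
    return $findings;
}

// Constructed sample rows; in a real audit these come from wp_posts joined to
// the author's capabilities in wp_usermeta.
$constructed_posts = array(
    array( 'ID' => 101, 'post_author' => 'editor_jane', 'role' => 'editor', 'post_status' => 'publish',
           'post_content' => 'Holiday photos [gallery_shortcode id="3" order_by="date" order="desc"]' ),
    array( 'ID' => 102, 'post_author' => 'contrib_x', 'role' => 'contributor', 'post_status' => 'draft',
           'post_content' => '[gallery_shortcode id="3" order_by="filename, SLEEP(5)"]' ),
    array( 'ID' => 103, 'post_author' => 'contrib_y', 'role' => 'contributor', 'post_status' => 'draft',
           'post_content' => "Text [gallery_shortcode id='3' order_by='1 AND SLEEP(3)']" ),
    array( 'ID' => 104, 'post_author' => 'admin', 'role' => 'administrator', 'post_status' => 'publish',
           'post_content' => 'No gallery here.' ),
);

foreach ( audit_posts( $constructed_posts ) as $f ) {
    printf( "post %d (%s, %s, %s): order_by=%s%s", $f['ID'], $f['author'], $f['role'], $f['status'], $f['order_by'], PHP_EOL );
}
```

Drafts matter as much as published posts here, since the attack vector section notes that a preview is enough to render the shortcode; restricting the audit to post_status = 'publish' would miss exactly the rows a contributor would use.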
How to Mitigate CVE-2026-7048
Immediate Actions Required
- Update the Photo Gallery by 10Web plugin to a version newer than 1.8.40 as soon as the vendor patch is available.
- Audit and remove unnecessary contributor, author, and editor accounts to reduce the authenticated attack surface.
- Inspect existing posts and drafts for suspicious uses of the plugin shortcode with non-standard order_by attribute values.
- Rotate WordPress administrator passwords and database credentials if exploitation is suspected.
Patch Information
The vendor committed a fix in the WordPress plugin repository, referenced as changeset 3532364 for the photo-gallery plugin. Site administrators should upgrade through the WordPress plugin updater. Review the vendor changeset and the Wordfence advisory for full remediation details.
Workarounds
- Temporarily deactivate the Photo Gallery plugin until the patched version is installed.
- Restrict the edit_posts capability so that only trusted, vetted users can create or edit content containing shortcodes.
- Deploy a WordPress-aware web application firewall with virtual patching rules covering this CVE.
- Disable shortcode rendering in post previews for non-privileged users where feasible.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.