CVE-2026-9829 Overview
CVE-2026-9829 is a time-based SQL injection vulnerability [CWE-89] in the Photo Gallery by 10Web – Mobile-Friendly Image Gallery plugin for WordPress. The flaw affects all versions up to and including 1.8.41. The vulnerable compact_album_order_by shortcode parameter lacks proper escaping and query preparation. Authenticated attackers with Contributor-level access can inject additional SQL queries to extract sensitive database information. The malicious payload is stored via the shortcode_bwg AJAX handler and later triggered by the unauthenticated bwg_frontend_data AJAX handler.
Critical Impact
Authenticated Contributor-level attackers can exfiltrate sensitive database contents, including user credentials and session data, through time-based SQL injection.
Affected Products
- Photo Gallery by 10Web – Mobile-Friendly Image Gallery plugin for WordPress
- All plugin versions up to and including 1.8.41
- WordPress sites permitting Contributor-level user registration
Discovery Timeline
- 2026-06-06 - CVE-2026-9829 published to NVD
- 2026-06-08 - Last updated in NVD database
Technical Details for CVE-2026-9829
Vulnerability Analysis
The vulnerability resides in how the Photo Gallery plugin processes the compact_album_order_by shortcode parameter. User-supplied input is concatenated into an SQL query without sufficient escaping or use of prepared statements. This allows attackers to append arbitrary SQL clauses to the existing query.
The attack chain involves two AJAX endpoints. The shortcode_bwg handler accepts the malicious shortcode for storage. Although this handler normally requires a valid nonce, attackers can bypass nonce validation by omitting the page parameter from the request. The stored payload is then executed when the unauthenticated bwg_frontend_data AJAX handler renders the shortcode.
Because the injection is time-based, attackers infer query results by measuring server response delays from payloads such as SLEEP(). This enables blind extraction of database contents one character at a time.
Root Cause
The root cause is insufficient input sanitization combined with unparameterized SQL query construction in the plugin's frontend model code. The compact_album_order_by parameter is interpolated directly into an ORDER BY clause, an identifier context that the value placeholders of wpdb::prepare() do not protect, so the only safe approach is to check the parameter against a fixed allowlist of acceptable column names. The plugin performs no such validation.
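To make the allowlist point concrete, here is an added example (not the plugin's code, and not from the advisory) contrasting the unsafe interpolation pattern with an allowlisted ORDER BY builder; the table name `albums` and the function names are hypothetical.

```php
<?php
// Added example, not the plugin's code. Hypothetical helpers that build the
// ORDER BY clause for an album listing (table name `albums` is a placeholder).
// wpdb::prepare() value placeholders (%s, %d) quote values only; a column
// expression cannot go through them, so it must come from an allowlist.

// Illustrative unsafe pattern: the shortcode attribute is interpolated as-is,
// so whatever text the attribute carries becomes part of the query.
function build_album_query_unsafe(string $order_by, string $order): string
{
    return "SELECT id, name FROM albums ORDER BY {$order_by} {$order}";
}

// Hardened pattern: untrusted input only selects from a fixed set of SQL
// fragments and is never copied into the query itself.
function build_album_query_safe(string $order_by, string $order): string
{
    $columns = [
        'order'  => '`order`',
        'name'   => 'name',
        'id'     => 'id',
        'random' => 'RAND()',
    ];
    $key = strtolower(trim($order_by));
    $column = $columns[$key] ?? $columns['order'];          // unknown input -> default
    $direction = strtoupper(trim($order)) === 'DESC' ? 'DESC' : 'ASC';
    return "SELECT id, name FROM albums ORDER BY {$column} {$direction}";
}

// Constructed sample attribute values: valid names, odd casing, and junk.
foreach (['name', 'Random ', 'not_a_column', 'id; anything else'] as $value) {
    printf("%-22s unsafe: %s\n", var_export($value, true), build_album_query_unsafe($value, 'asc'));
    printf("%-22s safe:   %s\n", '', build_album_query_safe($value, 'asc'));
}
```

Every value outside the allowlist collapses to the default column in the safe variant, which is the behaviour the fix needs regardless of what escaping is applied elsewhere.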
Attack Vector
An authenticated attacker with Contributor-level access submits a crafted shortcode to the shortcode_bwg AJAX endpoint, omitting the page parameter to bypass nonce checks. The shortcode contains a malicious compact_album_order_by value with embedded SQL. Any subsequent request to the unauthenticated bwg_frontend_data endpoint that renders this shortcode triggers execution of the attacker's SQL payload against the WordPress database.
The vulnerability mechanism is documented in the plugin source files referenced in the Wordfence Vulnerability Analysis and the WordPress Photo Gallery Model Code. No public proof-of-concept code is available at this time.
Detection Methods for CVE-2026-9829
Indicators of Compromise
- POST requests to /wp-admin/admin-ajax.php with action=shortcode_bwg containing SQL keywords such as SLEEP, BENCHMARK, UNION, or SELECT in the compact_album_order_by parameter
- POST requests to shortcode_bwg missing the page parameter, indicating nonce-bypass attempts
- Requests to action=bwg_frontend_data immediately following shortcode submission from a Contributor account
- Unusual response latency on admin-ajax.php consistent with time-based SQL injection probing
Detection Strategies
- Inspect web server access logs for admin-ajax.php POSTs containing the compact_album_order_by parameter with non-alphanumeric characters or SQL syntax
- Enable WordPress database query logging and alert on ORDER BY clauses containing functions like SLEEP() or IF()
- Monitor for Contributor accounts performing AJAX activity outside normal authoring workflows
- Correlate slow query log entries with the originating HTTP request and user session
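The log-inspection strategies above, as an added example that is not part of this advisory: a hypothetical PHP checker that classifies captured admin-ajax.php requests by the indicators listed here. It assumes request bodies are available (for example from a WAF audit log), since ordinary access logs carry only the query string.

```php
<?php
// Added example (not the advisory's or the plugin's code): a hypothetical checker for
// captured admin-ajax.php requests. It assumes request bodies are available, e.g. from
// a WAF audit log; plain access logs carry only the query string, not POST fields.
function assess_bwg_request(string $method, string $uri, string $body): array
{
    $findings = [];
    $parts = parse_url($uri);
    if ($method !== 'POST' || !str_ends_with($parts['path'] ?? '', '/wp-admin/admin-ajax.php')) {
        return $findings;
    }
    parse_str($parts['query'] ?? '', $query);
    parse_str($body, $post);
    $params = array_merge($query, $post);   // WordPress reads action from GET or POST
    $action = $params['action'] ?? '';
    if ($action === 'shortcode_bwg') {
        if (!isset($params['page'])) {
            $findings[] = 'shortcode_bwg without page parameter (nonce check may be skipped)';
        }
        // The attribute may arrive as its own field or inside posted shortcode text.
        $values = isset($params['compact_album_order_by']) ? [(string) $params['compact_album_order_by']] : [];
        foreach ($params as $field) {
            if (is_string($field) && preg_match_all('/compact_album_order_by\s*=\s*["\']?([^"\'\]]*)/i', $field, $m)) {
                array_push($values, ...$m[1]);
            }
        }
        foreach ($values as $v) {
            if (!preg_match('/^[a-z_]*$/i', $v)) {
                $findings[] = 'compact_album_order_by outside identifier charset: ' . substr($v, 0, 60);
            }
            if (preg_match('/\b(sleep|benchmark|union|select)\b|\bif\s*\(/i', $v)) {
                $findings[] = 'SQL keyword in compact_album_order_by';
            }
        }
    } elseif ($action === 'bwg_frontend_data') {
        $findings[] = 'bwg_frontend_data render request (correlate with earlier shortcode_bwg)';
    }
    return $findings;
}

// Constructed sample requests (not real traffic).
$samples = [
    ['POST', '/wp-admin/admin-ajax.php', 'action=shortcode_bwg&page=add&compact_album_order_by=name'],
    ['POST', '/wp-admin/admin-ajax.php', 'action=shortcode_bwg&compact_album_order_by=' . rawurlencode('name,SLEEP(5)')],
    ['POST', '/wp-admin/admin-ajax.php?action=bwg_frontend_data', 'shortcode_id=1'],
];
foreach ($samples as [$m, $u, $b]) {
    echo $u, ' | ', $b, "\n  -> ", implode('; ', assess_bwg_request($m, $u, $b)) ?: 'no findings', "\n";
}
```

Requires PHP 8 for str_ends_with(); feed it the method, URI and body of each captured request and route any non-empty findings list to your SIEM together with the authenticated user for correlation.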
Monitoring Recommendations
- Deploy a Web Application Firewall (WAF) rule set that inspects shortcode parameters for SQL metacharacters
- Alert on creation of new Contributor accounts followed by AJAX activity to plugin endpoints
- Track plugin version inventory across WordPress installations and flag instances at or below version 1.8.41
How to Mitigate CVE-2026-9829
Immediate Actions Required
- Update the Photo Gallery by 10Web plugin to the version released after 1.8.41 that addresses WordPress Changeset #3553847
- Audit existing Contributor-level accounts and remove any unrecognized users
- Review the wp_options table and post content for stored shortcodes containing suspicious compact_album_order_by values
- Rotate database credentials and WordPress administrator passwords if exploitation is suspected
Patch Information
The vendor addressed the vulnerability in WordPress Changeset #3553847. Site administrators should apply the patched plugin version through the WordPress admin dashboard or via WP-CLI. Review the Wordfence Vulnerability Analysis for detailed remediation guidance.
Workarounds
- Restrict Contributor-level registration and disable open user signup until the plugin is patched
- Deploy WAF rules to block requests to shortcode_bwg containing SQL keywords in shortcode parameters
- Temporarily deactivate the Photo Gallery by 10Web plugin if an immediate patch cannot be applied
- Limit access to admin-ajax.php from untrusted networks where feasible
# Update the Photo Gallery plugin using WP-CLI
wp plugin update photo-gallery
# Verify installed version is above 1.8.41
wp plugin get photo-gallery --field=version
# Audit Contributor accounts
wp user list --role=contributor --fields=ID,user_login,user_registered
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.