A recently disclosed security flaw in Photo Gallery by 10Web, a widely used WordPress gallery plugin, allows unauthenticated visitors to delete image comments on affected sites, according to a Wordfence advisory. The issue affects websites running vulnerable plugin versions prior to the fixed release in version 1.8.37.
10Web WordPress Photo Gallery Plugin Vulnerability
The Photo Gallery by 10Web - Mobile-Friendly Image Gallery plugin is used to create and display image galleries on WordPress sites. Wordfence reports that it is installed on more than 200,000 sites and supports galleries, albums, slideshows, and related visual presentation features.
Wordfence attributes the flaw to a missing capability check in the plugin's delete_comment() function. The plugin fails to verify that a request to delete an image comment is made by a user with appropriate permissions. As a result, unauthenticated visitors can send crafted requests that trigger comment deletions.
Key technical details, based on the Wordfence advisory, include:
- Affected software: Photo Gallery by 10Web - Mobile-Friendly Image Gallery WordPress plugin
- Vulnerable function: delete_comment()
- Vulnerability class: Missing authorization for comment deletion requests
- Attacker requirement: No authentication or site account needed
- CVSS score: 5.3 (Medium), as reported by Wordfence
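To make the flaw class concrete, the following is an added illustration of a WordPress AJAX delete handler that lacks a capability check, shown next to a hardened version. This is example code written for this article, not the plugin's own code or the code Wordfence analysed; the function names, hook names and the example_image_comments table are hypothetical, while the WordPress functions it calls (add_action, check_ajax_referer, current_user_can, absint, wp_send_json_error, wp_send_json_success and $wpdb->delete) are real core APIs.

```php
<?php
// Added illustration of a "missing capability check" in a delete handler.
// Not the plugin's code. All example_* names and the table are hypothetical.

// --- Vulnerable pattern ---
// Registered for logged-in AND logged-out visitors (the wp_ajax_nopriv_
// hook), and the handler trusts the request outright.
add_action( 'wp_ajax_example_delete_comment',        'example_delete_comment_vulnerable' );
add_action( 'wp_ajax_nopriv_example_delete_comment', 'example_delete_comment_vulnerable' );

function example_delete_comment_vulnerable() {
    global $wpdb;
    $comment_id = isset( $_POST['comment_id'] ) ? (int) $_POST['comment_id'] : 0;

    // No nonce and no capability check: any visitor who can reach
    // admin-ajax.php can remove any comment row by id.
    $wpdb->delete(
        $wpdb->prefix . 'example_image_comments',
        array( 'id' => $comment_id ),
        array( '%d' )
    );
    wp_send_json_success();
}

// --- Hardened pattern ---
// Registered only for authenticated users (no wp_ajax_nopriv_ hook), and the
// handler verifies a nonce (CSRF) and a capability (authorization) before
// touching the database.
add_action( 'wp_ajax_example_delete_comment_safe', 'example_delete_comment_hardened' );

function example_delete_comment_hardened() {
    // CSRF protection: the nonce must match the one issued for this action.
    // check_ajax_referer() terminates the request with a 403 on mismatch.
    check_ajax_referer( 'example_delete_comment', 'nonce' );

    // Authorization: only users allowed to moderate comments may proceed.
    // 'moderate_comments' is a core capability; a plugin could define a
    // narrower custom capability instead.
    if ( ! current_user_can( 'moderate_comments' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // Input validation: absint() rejects negative and non-numeric ids.
    $comment_id = isset( $_POST['comment_id'] ) ? absint( $_POST['comment_id'] ) : 0;
    if ( 0 === $comment_id ) {
        wp_send_json_error( array( 'message' => 'Invalid comment id.' ), 400 );
    }

    global $wpdb;
    $deleted = $wpdb->delete(
        $wpdb->prefix . 'example_image_comments',
        array( 'id' => $comment_id ),
        array( '%d' )
    );
    if ( false === $deleted ) {
        wp_send_json_error( array( 'message' => 'Database error.' ), 500 );
    }

    wp_send_json_success( array( 'deleted' => (int) $deleted ) );
}
```

Two points the hardened version makes explicit: dropping the wp_ajax_nopriv_ registration keeps logged-out visitors away from the handler, but any authenticated account (including a subscriber) can still reach a wp_ajax_ hook, so the current_user_can() check is what actually enforces authorization; and a nonce only defends against cross-site request forgery, so it is never a substitute for that capability check. For sites running the Pro edition with image comments enabled, the practical mitigation remains updating the plugin to 1.8.37 or later.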
Impacted Features and Versions
The vulnerability affects all plugin versions up to and including 1.8.36, according to Wordfence. It lies in the plugin's image comment deletion feature and allows unauthenticated attackers to delete arbitrary image comments.
Comments on images are available only in the Pro edition of the plugin, as highlighted in the advisory. Sites using the free version without image comments are not exposed to this specific deletion path. Wordfence states that no additional server configuration or user interaction is required beyond running a vulnerable version with the affected functionality active.
Background Context
Photo Gallery by 10Web is a popular gallery plugin for WordPress that supports responsive image galleries and albums. It is used by photography sites, portfolios, blogs, and business websites that rely on visual content. The plugin can display galleries in multiple layouts and formats.
Wordfence summarized the vulnerability as follows in its public notice:
"The Photo Gallery by 10Web - Mobile-Friendly Image Gallery plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the delete_comment() function in all versions up to, and including, 1.8.36. This makes it possible for unauthenticated attackers to delete arbitrary image comments. Note: comments functionality is only available in the Pro version of the plugin."
This description identifies the affected code path, the missing authorization check, and the scope of possible comment deletions. It also confirms that the issue is limited to environments where image comments are in use.
Source Citations and Advisory Details
Wordfence published its security advisory on the vulnerability in the Photo Gallery by 10Web plugin on its threat intelligence portal. The advisory describes the issue as "Missing Authorization to Unauthenticated Arbitrary Comment Deletion" and assigns a CVSS score of 5.3. Full technical details and mitigation information are available in the official Wordfence advisory.
According to Wordfence, the issue is resolved in Photo Gallery by 10Web version 1.8.37 and later. The advisory states that this release includes a security fix for the missing capability check in the comment deletion function, marking version 1.8.36 and earlier as vulnerable when the affected functionality is enabled.