Analyst readout for executives and security teams
Plain-English summary
This vulnerability affects the Photo Gallery by 10Web WordPress plugin through version 1.8.41. A logged-in user with Contributor privileges or higher could cause the site database to reveal sensitive information. It is not listed as actively exploited in CISA KEV, but sites allowing many authors or shared accounts have higher risk.
Executive priority
Prioritize remediation for public WordPress sites with multiple content contributors or weak account controls. For tightly controlled sites with only trusted administrators, urgency is lower but still warrants patch tracking because the impact is sensitive database disclosure.
Technical view
CVE-2026-9829 is a time-based SQL injection in the compact_album_order_by shortcode parameter. Sources state insufficient escaping and query preparation allow authenticated Contributor+ users to store malicious shortcode data through an AJAX handler, later triggered through an unauthenticated frontend AJAX handler. CVSS is 6.5 with high confidentiality impact.
Likely exposure
Exposure is limited to WordPress sites running Photo Gallery by 10Web versions up to and including 1.8.41, especially where Contributor-level users are untrusted, compromised, or broadly provisioned. Public visitors alone are not enough to plant the vulnerable shortcode according to the provided description.
Exploitation context
The issue requires low-privileged authenticated access to save the shortcode. After storage, triggering occurs through a frontend AJAX path. No provided source or KEV status confirms active exploitation. The main business concern is database confidentiality, including possible exposure of WordPress data accessible through SQL queries.
Researcher notes
The source bundle identifies CWE-89 and a specific shortcode parameter path. The affected range is stated as all versions up to 1.8.41. A WordPress.org changeset is referenced, but the bundle does not clearly name a fixed version. Avoid assuming exploitation in the wild without additional evidence.
Mitigation direction
- Update the plugin when a vendor-fixed release is available through WordPress or 10Web guidance.
- Review the referenced WordPress.org changeset and vendor advisory for fix availability.
- Restrict Contributor and higher roles to trusted users only.
- Remove unused author accounts and rotate credentials for suspicious accounts.
- Monitor web application firewall or WordPress security logs for related AJAX abuse.
Validation and detection
- Inventory WordPress sites using Photo Gallery by 10Web.
- Confirm plugin version; treat versions through 1.8.41 as affected.
- Review user lists for Contributor, Author, Editor, and Administrator accounts.
- Check whether recent plugin updates include the referenced repository changeset.
- Inspect logs for unusual shortcode-saving or frontend AJAX activity.
Public sources used
- CVE Program
- CVE List V5
- Wordfence vulnerability entry
- WordPress plugin source, model.php 1.8.41 line 113
- WordPress plugin source, model.php 1.8.41 line 162
- WordPress plugin source, Shortcode.php 1.8.41 line 59
- WordPress plugin source, WDWLibrary.php 1.8.41 line 2281
- WordPress plugin source, photo-gallery.php 1.8.41 line 717
- WordPress.org plugin repository changeset
Based on public source material and reviewed before publication.
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
CWE-89: Database access and collection lookup
Injection into data stores can inform collection, data access, and exfiltration detection reviews. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
Open ATT&CK lookupDatabase behavior lookup
The CVE wording references database injection or access, so collection and exfiltration review may help. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.
Open ATT&CK lookupCVE-2026-9829 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
Open ATT&CK lookup- Severity
- Medium
- CVSS
- 6.5 (3.1)
- Known Exploited
- No
- Published
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CNA and ADP enrichment extracted from CVE v5
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
SSVC decision data
CVSS vector scores
1 official scoreWe collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N 2.8 3.6 Wordfence Vulnerability scoring details
Base CVSS 3.1 score
6.5 MediumVector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Vulnerability timeline
Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.
- CVE reserved CVE Program
The CVE ID was reserved by the assigning CNA.
- Source timeline Wordfence
Vendor Notified
- Source timeline Wordfence
Disclosed
- CVE published CVE Program
The CVE record was published.
- CVE updated CVE Program
The CVE record metadata indicates this as the latest update time.
ADP provider summaries
Source materials
- CVE List V5 source CVE List V5
- https://www.wordfence.com/threat-intel/vulnerabilities/id/cae7dabd-ce43-43e3-9f67-b2de55bd720b?source=cve CVE reference, Wordfence
- https://plugins.trac.wordpress.org/browser/photo-gallery/tags/1.8.40/frontend/models/model.php#L113 CVE reference, Wordfence
- https://plugins.trac.wordpress.org/browser/photo-gallery/tags/1.8.41/frontend/models/model.php#L113 CVE reference, Wordfence
- https://plugins.trac.wordpress.org/browser/photo-gallery/tags/1.8.41/admin/controllers/Shortcode.php#L59 CVE reference, Wordfence
- https://plugins.trac.wordpress.org/browser/photo-gallery/tags/1.8.41/framework/WDWLibrary.php#L2281 CVE reference, Wordfence
- https://plugins.trac.wordpress.org/browser/photo-gallery/tags/1.8.41/photo-gallery.php#L717 CVE reference, Wordfence
- https://plugins.trac.wordpress.org/browser/photo-gallery/tags/1.8.40/admin/controllers/Shortcode.php#L59 CVE reference, Wordfence
- https://plugins.trac.wordpress.org/browser/photo-gallery/tags/1.8.40/framework/WDWLibrary.php#L2281 CVE reference, Wordfence
- https://plugins.trac.wordpress.org/browser/photo-gallery/tags/1.8.40/photo-gallery.php#L717 CVE reference, Wordfence
- https://plugins.trac.wordpress.org/changeset/3553847 CVE reference, Wordfence
Products and packages named in the record
CWE details
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.