CVE-2026-9829
Severity: Medium  ·  Weakness Type: CWE-89
Published: Jun 6, 2026  ·  Modified: Jun 9, 2026  ·  Source: NVD
CVSS v3: 6.5
🔗 NVD Official
📄 Description (English)

The Photo Gallery by 10Web – Mobile-Friendly Image Gallery plugin for WordPress is vulnerable to time-based SQL Injection via 'compact_album_order_by' Shortcode Parameter in all versions up to, and including, 1.8.41 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. The malicious payload is stored via the 'shortcode_bwg' AJAX handler — accessible to Contributor-level users and exploitable without a valid nonce by omitting the 'page' parameter — and is subsequently triggered by the unauthenticated 'bwg_frontend_data' AJAX handler, meaning successful exploitation requires only that an attacker has Contributor-level access to save the shortcode.

🤖 AI Executive Summary

The Photo Gallery by 10Web WordPress plugin (versions ≤1.8.41) contains a time-based SQL injection vulnerability in the 'compact_album_order_by' shortcode parameter. Authenticated attackers with Contributor-level access can inject SQL into the existing query to extract sensitive database information. The payload is stored through an AJAX handler reachable by Contributors and is later executed by an AJAX handler that requires no authentication, making this a significant risk for WordPress installations using this plugin.

🤖 AI Intelligence Analysis  ·  Analyzed: Jun 6, 2026 10:16
🇸🇦 Saudi Arabia Impact Assessment
Saudi organizations using WordPress with the Photo Gallery by 10Web plugin face significant risk, particularly: (1) Government agencies and ministries hosting public-facing WordPress sites for citizen services; (2) Banking and financial institutions using WordPress for customer portals or informational sites; (3) Healthcare providers (Ministry of Health, private hospitals) with patient data in WordPress databases; (4) E-commerce platforms and retail businesses; (5) Educational institutions (universities, schools) managing content. The vulnerability allows extraction of sensitive data including user credentials, personal information, and financial records. Organizations in the Kingdom relying on WordPress for critical services are particularly vulnerable if they have not restricted Contributor-level access properly.
🏢 Affected Saudi Sectors
Government and Public Administration; Banking and Financial Services; Healthcare and Medical Services; E-commerce and Retail; Education and Universities; Telecommunications; Energy and Utilities; Media and Publishing
⚖️ Saudi Risk Score (AI): 7.2 / 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Audit all WordPress installations for Photo Gallery by 10Web plugin presence and version
2. Restrict Contributor-level user access immediately — review and remove unnecessary Contributor accounts
3. Disable the plugin if it is not actively used; if it is required, consider deactivating it until a patch is available
4. Review AJAX handler logs (shortcode_bwg and bwg_frontend_data) for suspicious activity
5. Check database access logs for unusual SQL queries

COMPENSATING CONTROLS (until patch available):
1. Implement Web Application Firewall (WAF) rules to block SQL injection patterns in shortcode parameters
2. Add database query monitoring and alerting for time-based SQL injection signatures
3. Implement strict input validation at the application level for all shortcode parameters
4. Use database user accounts with minimal privileges (read-only where possible)
5. Enable WordPress security plugins with SQL injection detection (e.g., Wordfence, Sucuri)
6. Implement rate limiting on AJAX handlers

DETECTION RULES:
1. Monitor for POST requests to /wp-admin/admin-ajax.php with action=shortcode_bwg containing 'compact_album_order_by' parameter
2. Alert on SQL keywords (UNION, SELECT, SLEEP, BENCHMARK) in shortcode parameters
3. Monitor for time-based delays in AJAX responses (>5 seconds)
4. Track database query execution times for anomalies
5. Log all Contributor-level user activities, especially shortcode creation/modification
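The detection rules above can be exercised against request logs before a WAF or SIEM rule is committed. The following Python is an added example, not part of the original advisory or of the plugin's code. It assumes a JSON-style request log with the constructed field names method, uri, body, user_role and response_time_ms (the kind of export a WAF or WordPress audit plugin produces), implements rules 1, 2, 3 and 5, and adds one heuristic taken from the CVE description: a shortcode_bwg request that omits the 'page' parameter, which the description identifies as the path that skips the nonce check.

```python
import re
from urllib.parse import parse_qs

AJAX_ENDPOINT = "/wp-admin/admin-ajax.php"
SLOW_RESPONSE_MS = 5000  # rule 3: time-based injection shows up as a delayed response
# rule 2: the SQL keywords named in the advisory
SQL_KEYWORDS = re.compile(r"\b(UNION|SELECT|SLEEP|BENCHMARK)\b", re.IGNORECASE)

# Severity per finding; rule 1 is "info" because every legitimate save carries the parameter.
SEVERITY = {
    "order_by_param_present": "info",      # rule 1
    "sql_keyword_in_param": "high",        # rule 2
    "slow_frontend_response": "medium",    # rule 3
    "missing_page_param": "medium",        # heuristic from the CVE description (nonce skipped)
    "contributor_shortcode_save": "low",   # rule 5
}


def parse_request_params(event):
    """Merge query-string and body parameters; None if the request is not admin-ajax.php."""
    path, _, query = event.get("uri", "").partition("?")
    if path != AJAX_ENDPOINT:
        return None
    params = parse_qs(query, keep_blank_values=True)
    params.update(parse_qs(event.get("body", ""), keep_blank_values=True))
    return params


def analyze_event(event):
    """Return the list of finding names raised by one request event."""
    params = parse_request_params(event)
    if params is None:
        return []
    action = params.get("action", [""])[0]
    alerts = []
    if action == "shortcode_bwg":
        if event.get("method") == "POST" and "compact_album_order_by" in params:
            alerts.append("order_by_param_present")
        if "page" not in params:
            alerts.append("missing_page_param")
        if (event.get("user_role") or "").lower() == "contributor":
            alerts.append("contributor_shortcode_save")
        # Rule 2 applies to every shortcode parameter, not only the order-by one.
        for key, values in params.items():
            if key != "action" and any(SQL_KEYWORDS.search(v) for v in values):
                alerts.append("sql_keyword_in_param")
                break
    if action == "bwg_frontend_data" and event.get("response_time_ms", 0) > SLOW_RESPONSE_MS:
        alerts.append("slow_frontend_response")
    return alerts


def triage(events):
    """Map event id -> findings for events with at least one non-info finding."""
    findings = {}
    for ev in events:
        alerts = analyze_event(ev)
        if any(SEVERITY[a] != "info" for a in alerts):
            findings[ev["id"]] = alerts
    return findings


# Constructed sample events (field names and values are illustrative, not real log data).
SAMPLE_EVENTS = [
    # Editor saving a gallery shortcode with the nonce-bearing 'page' parameter present.
    {"id": 1, "method": "POST", "uri": AJAX_ENDPOINT, "user_role": "editor",
     "body": "action=shortcode_bwg&page=bwg&compact_album_order_by=asc", "response_time_ms": 120},
    # Contributor save, no 'page' parameter, SQL keyword inside the order-by value.
    {"id": 2, "method": "POST", "uri": AJAX_ENDPOINT, "user_role": "contributor",
     "body": "action=shortcode_bwg&compact_album_order_by=asc%2CSLEEP(5)", "response_time_ms": 95},
    # Unauthenticated front-end render that takes longer than the 5-second threshold.
    {"id": 3, "method": "GET", "uri": AJAX_ENDPOINT + "?action=bwg_frontend_data&shortcode_id=7",
     "user_role": None, "body": "", "response_time_ms": 5400},
    # Unrelated AJAX action, ignored by every rule.
    {"id": 4, "method": "POST", "uri": AJAX_ENDPOINT, "user_role": "subscriber",
     "body": "action=heartbeat&data=1", "response_time_ms": 30},
]

if __name__ == "__main__":
    for event_id, alerts in triage(SAMPLE_EVENTS).items():
        print(event_id, [f"{a} ({SEVERITY[a]})" for a in alerts])
```

Event 1 raises only the info-level rule 1 finding and is dropped by triage(); event 2 trips rules 2 and 5 plus the missing-'page' heuristic, and event 3 trips rule 3. Tune SLOW_RESPONSE_MS to the site's normal bwg_frontend_data latency before relying on rule 3.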

PATCHING GUIDANCE:
1. Monitor 10Web plugin repository for security updates
2. When patch is released, test in staging environment before production deployment
3. Implement automated patching where possible
4. Document all plugin versions and maintain inventory
🔧 Remediation Steps (translated from Arabic)
IMMEDIATE ACTIONS:
1. Audit all WordPress installations to check for the presence and version of the Photo Gallery by 10Web plugin
2. Restrict Contributor-level user access immediately; review and remove unnecessary Contributor accounts
3. Disable the plugin if it is not in active use; if it is required, deactivate it until the patch is available
4. Review the AJAX handler logs (shortcode_bwg and bwg_frontend_data) for suspicious activity
5. Check the database access logs for unusual SQL queries

COMPENSATING CONTROLS (until the patch is available):
1. Implement Web Application Firewall (WAF) rules to block SQL injection patterns in shortcode parameters
2. Add database monitoring and alerts for time-based SQL injection signatures
3. Implement strict input validation at the application level for all shortcode parameters
4. Use database user accounts with the least possible privileges (read-only where possible)
5. Enable WordPress security plugins with SQL injection detection (e.g., Wordfence and Sucuri)
6. Implement rate limiting on AJAX handlers

DETECTION RULES:
1. Monitor POST requests to /wp-admin/admin-ajax.php with action=shortcode_bwg that contain the 'compact_album_order_by' parameter
2. Alert on SQL keywords (UNION, SELECT, SLEEP and BENCHMARK) in shortcode parameters
3. Monitor time-based delays in AJAX responses (>5 seconds)
4. Track database query execution times for anomalies
5. Log all Contributor-level user activities, especially shortcode creation/modification

PATCHING GUIDANCE:
1. Monitor the 10Web plugin repository for security updates
2. When the patch is released, test it in a staging environment before deploying it to production
3. Implement automated patching where possible
4. Document all plugin versions and maintain an inventory
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
ECC 2024 A.14.2.1 - Information security requirements for supplier relationships
ECC 2024 A.14.2.5 - Addressing information security in supplier agreements
ECC 2024 A.12.6.1 - Management of technical vulnerabilities
ECC 2024 A.12.2.1 - Establishment of information security baselines
ECC 2024 A.5.23 - Information security for development, test and production environments
🔵 SAMA CSF
SAMA CSF ID.BE-3.1 - Governance and risk management processes
SAMA CSF PR.DS-1.1 - Data security and protection
SAMA CSF PR.IP-1.1 - Security development practices
SAMA CSF DE.CM-1.1 - Detection and analysis of anomalies
SAMA CSF RS.MI-2.1 - Incident response and recovery
🟡 ISO 27001:2022
ISO 27001:2022 A.5.1 - Policies for information security
ISO 27001:2022 A.8.1 - Organizational controls
ISO 27001:2022 A.8.2 - Mobile device management
ISO 27001:2022 A.12.2 - Endpoint protection
ISO 27001:2022 A.12.6 - Management of technical vulnerabilities
ISO 27001:2022 A.14.2 - Supplier relationships
🟣 PCI DSS v4.0.1
PCI DSS 6.2 - Ensure security patches are installed within one month of release
PCI DSS 6.5.1 - Injection flaws prevention
PCI DSS 11.2 - Vulnerability scanning and management
📊 CVSS Score
6.5 / 10.0 (Medium)
📊 CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector (AV): N = Network
Attack Complexity (AC): L = Low
Privileges Required (PR): L = Low
User Interaction (UI): N = None
Scope (S): U = Unchanged
Confidentiality (C): H = High
Integrity (I): N = None
Availability (A): N = None
📋 Quick Facts
Severity: Medium
CVSS Score: 6.5
CWE: CWE-89
EPSS: 0.05%
Exploit: No
Patch: ✗ No
Published: 2026-06-06
Source Feed: nvd
🇸🇦 Saudi Risk Score: 7.2 / 10.0 (Priority: HIGH)
🏷️ Tags: CWE-89