CVE-2026-1036
Unauthorized Comment Deletion in Photo Gallery by 10Web Plugin
Publication date: 2026-01-22
Last updated on: 2026-01-22
Assigner: Wordfence
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| 10web | photo_gallery | up to and including 1.8.36 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
How can this vulnerability impact me?
This vulnerability can impact you by allowing attackers to delete comments on your images without authorization. This could lead to loss of user-generated content, disruption of community interaction, and potential reputational damage if legitimate comments are removed maliciously. Since the attacker does not need to be authenticated, it increases the risk and ease of exploitation. [1]
Can you explain this vulnerability to me?
This vulnerability exists in the Photo Gallery by 10Web WordPress plugin (up to and including version 1.8.36) and allows unauthenticated attackers to delete arbitrary image comments. The root cause is a missing capability check on the delete_comment() function: the plugin never verifies that the requesting user has permission to delete comments before acting on the request. The comments feature is only available in the Pro version, so only Pro installations with comments enabled are exposed; there, the flaw allows comments to be deleted without any authentication. [1]
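The advisory names the defect class (CWE-862, a handler that performs a privileged action without checking who asked for it) but does not show code. The following is an added illustration, not code from the 10Web plugin or from Wordfence: a minimal WordPress AJAX comment-deletion handler in the vulnerable shape, beside a hardened version. The action and function names (`bwg_demo_*`), the nonce action string, and the use of core WordPress comment APIs are assumptions of this example; the page does not say how Photo Gallery stores image comments.

```php
<?php
// Added example, not the plugin's own code. Names prefixed bwg_demo_ are assumptions.

// --- Vulnerable shape: deletes whatever comment_id it is handed.
// Registering on wp_ajax_nopriv_* makes the handler reachable by visitors who are
// not logged in at all, and nothing below asks who the caller is.
function bwg_demo_delete_comment_vulnerable() {
    $comment_id = isset($_POST['comment_id']) ? (int) $_POST['comment_id'] : 0;
    wp_delete_comment($comment_id, true);   // no nonce, no capability check
    wp_send_json_success(['deleted' => $comment_id]);
}
add_action('wp_ajax_bwg_demo_delete_comment', 'bwg_demo_delete_comment_vulnerable');
add_action('wp_ajax_nopriv_bwg_demo_delete_comment', 'bwg_demo_delete_comment_vulnerable');

// --- Hardened shape: same action, three checks added.
function bwg_demo_delete_comment_hardened() {
    // 1. CSRF: the request must carry a nonce minted for this action and this user.
    //    check_ajax_referer() terminates the request with -1 when the nonce is bad.
    check_ajax_referer('bwg_demo_delete_comment', 'nonce');

    // 2. Input: normalise the id and confirm the target exists.
    $comment_id = isset($_POST['comment_id']) ? absint($_POST['comment_id']) : 0;
    $comment    = $comment_id ? get_comment($comment_id) : null;
    if (!$comment) {
        wp_send_json_error(['message' => 'No such comment'], 404);
    }

    // 3. Authorization (the check CWE-862 is about): edit_comment is the core
    //    per-comment meta capability; WordPress maps it to the right to edit the
    //    post the comment belongs to, so ordinary visitors and subscribers fail here.
    if (!current_user_can('edit_comment', $comment_id)) {
        wp_send_json_error(['message' => 'Forbidden'], 403);
    }

    wp_delete_comment($comment_id, true);
    wp_send_json_success(['deleted' => $comment_id]);
}
// Only the logged-in hook is registered; there is deliberately no wp_ajax_nopriv_ variant.
add_action('wp_ajax_bwg_demo_delete_comment_safe', 'bwg_demo_delete_comment_hardened');
```

The front-end script that calls the hardened action has to send the nonce it receives from `wp_create_nonce('bwg_demo_delete_comment')` (typically passed to the page with `wp_localize_script`); the nonce alone is not authorization, which is why the `current_user_can()` check is kept as a separate step.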
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for unauthorized AJAX requests targeting the delete_comment function in the Photo Gallery by 10Web plugin, especially POST requests attempting to delete image comments without proper authentication. You can inspect web server logs for suspicious POST requests to endpoints handling AJAX tasks with parameters like `ajax_task=delete_comment`. For example, using command-line tools:
1. To search web server logs for delete_comment AJAX calls: `grep 'ajax_task=delete_comment' /path/to/access.log`
2. To monitor live traffic for such requests (assuming logs or traffic capture): `tail -f /path/to/access.log | grep 'ajax_task=delete_comment'`
3. Using curl to test whether the delete_comment AJAX endpoint is accessible without authentication (replace the URL accordingly): `curl -X POST 'https://yourwordpresssite.com/wp-admin/admin-ajax.php' -d 'ajax_task=delete_comment&comment_id=1'`
4. Use WordPress security plugins or web application firewalls to detect and alert on unauthorized comment deletion attempts.
Note that the vulnerability exists only in the Pro version with comments enabled. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include:
1. Update the Photo Gallery by 10Web plugin to a version later than 1.8.36, where the missing capability check on delete_comment() is fixed.
2. If updating is not immediately possible, disable or restrict access to the comments functionality in the plugin, especially if using the Pro version.
3. Implement web application firewall (WAF) rules to block unauthorized AJAX requests attempting to delete comments.
4. Monitor and audit logs for suspicious deletion attempts and unauthorized access.
5. Ensure that WordPress user roles and capabilities are properly configured to limit who can delete comments.
These steps help prevent unauthenticated attackers from deleting arbitrary image comments. [1]
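The detection answer above relies on grepping the access log, and the mitigation answer suggests a WAF rule as a stop-gap. One thing to keep in mind with the grep: standard Apache and nginx access logs record the request line and query string but not the POST body, so `ajax_task=delete_comment` sent as form data never appears there. The following is an added example that serves both answers, not code from 10Web or Wordfence: a must-use plugin that acts as a virtual patch until the update in step 1 is applied. It blocks any AJAX request carrying `ajax_task=delete_comment` (the parameter name the advisory itself cites) unless the caller is logged in and holds a moderation capability, and it writes its own log line for each refusal so the attempts are visible regardless of what the web server logs. The `moderate_comments` capability, the `demo_guard_*` names and the log line format are assumptions of this example.

```php
<?php
/*
Plugin Name: Demo guard for unauthenticated gallery comment deletion
Description: Added example (not 10Web or Wordfence code). Place in wp-content/mu-plugins/.
*/

// Parameter name taken from the advisory's detection guidance; capability is an assumption.
const DEMO_GUARD_TASK       = 'delete_comment';
const DEMO_GUARD_CAPABILITY = 'moderate_comments';

// Policy decision kept free of WordPress globals so it can be reasoned about on its own:
// block when the request is a delete_comment task and the caller is anonymous or lacks
// the capability. Anything that is not the guarded task passes through untouched.
function demo_guard_should_block(array $request, bool $logged_in, bool $can_moderate): bool {
    $task = isset($request['ajax_task']) ? (string) $request['ajax_task'] : '';
    if ($task !== DEMO_GUARD_TASK) {
        return false;
    }
    return !$logged_in || !$can_moderate;
}

// 'init' fires for admin-ajax.php before any wp_ajax_* / wp_ajax_nopriv_* handler runs,
// so refusing here means the plugin's own handler never sees the request.
add_action('init', function () {
    if (!wp_doing_ajax()) {
        return;
    }
    $block = demo_guard_should_block(
        $_REQUEST,
        is_user_logged_in(),
        current_user_can(DEMO_GUARD_CAPABILITY)
    );
    if (!$block) {
        return;
    }

    // Detection: the POST body is not in the access log, so record the attempt ourselves
    // (PHP's error_log goes to the web server error log unless php.ini says otherwise).
    $ip  = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    $uid = get_current_user_id();   // 0 for anonymous callers
    error_log(sprintf('[demo-guard] refused ajax_task=%s from %s (user id %d)',
        DEMO_GUARD_TASK, $ip, $uid));

    // Mitigation: answer 403 and stop. wp_send_json_error() sets the status and exits.
    wp_send_json_error(['message' => 'Forbidden'], 403);
}, 0);
```

This guard is stricter than the plugin's intended policy may be (a Pro site that lets comment authors delete their own comments will see those requests refused too), which is acceptable for an emergency stop-gap; remove the file once the plugin has been updated past 1.8.36. The `[demo-guard]` lines can then be tailed or shipped to a SIEM in place of the access-log grep.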