A significant security vulnerability has been identified in the Photo Gallery by 10Web WordPress plugin, which boasts over 200,000 active installations. This critical flaw allows unauthenticated attackers to delete image comments, potentially leading to data loss and disruption for affected websites. The vulnerability impacts all plugin versions up to and including 1.8.36.

The Photo Gallery by 10Web plugin is a popular tool for WordPress site owners, enabling them to create and display visually appealing image galleries, slideshows, and albums. It's widely used by photographers, portfolio sites, and businesses that rely heavily on visual content for engagement.

Understanding the Vulnerability

The core of this security issue lies in how the plugin handles image comments. The flaw can be exploited by any visitor, even those who are not logged in or registered with the website. This "unauthenticated" access significantly increases the risk, as there's no barrier to entry for potential attackers.

It's important to note that the vulnerability specifically targets the image comments feature, which is exclusively available in the Pro version of the plugin. Therefore, sites not using the Pro version or those that have the comments feature disabled are not affected by this particular issue.

What Caused the Flaw?

The vulnerability stems from a missing capability check within the plugin’s delete_comment() function. In essence, the plugin fails to verify whether a request to delete an image comment is legitimate and comes from a user with the appropriate permissions.

Typically, WordPress plugins are designed to confirm a user's authorization before allowing modifications to site content. This crucial verification step is absent in the affected versions of the Photo Gallery by 10Web plugin, allowing it to accept deletion requests even from unauthenticated users.
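To make the missing-check pattern concrete, the following is an added illustration written for this article; it is not the plugin's code, and the hook names, function names, table name and nonce action (`example_delete_comment`, `example_image_comments`) are hypothetical. It contrasts an AJAX delete handler that is reachable by anonymous visitors and performs no authorization with the same handler hardened the way WordPress core expects: no `wp_ajax_nopriv_` registration, a nonce check against CSRF, a `current_user_can()` capability check, and input validation before anything touches the database.

```php
<?php
/**
 * Illustrative only: NOT code from Photo Gallery by 10Web.
 * All identifiers below are hypothetical.
 */

/* ---------- BEFORE: the vulnerable pattern ----------
 * Registering the same callback on wp_ajax_nopriv_* exposes it to
 * visitors who are not logged in, and the callback never asks who is
 * calling or whether they may delete anything.
 */
add_action( 'wp_ajax_example_delete_comment', 'example_delete_comment_unchecked' );
add_action( 'wp_ajax_nopriv_example_delete_comment', 'example_delete_comment_unchecked' );

function example_delete_comment_unchecked() {
	global $wpdb;
	$id = (int) ( $_POST['comment_id'] ?? 0 );
	// No capability check, no nonce: any POST with a comment_id deletes a row.
	$wpdb->delete( $wpdb->prefix . 'example_image_comments', array( 'id' => $id ), array( '%d' ) );
	wp_send_json_success();
}

/* ---------- AFTER: the hardened handler ----------
 * Only the authenticated hook is registered, so unauthenticated requests
 * never reach the callback at all. Inside, the request must carry a valid
 * nonce and the user must hold a capability that implies comment moderation.
 */
add_action( 'wp_ajax_example_delete_comment', 'example_delete_comment_checked' );

function example_delete_comment_checked() {
	// 1. CSRF protection: the request must include a nonce created with
	//    wp_create_nonce( 'example_delete_comment' ) for this action.
	//    check_ajax_referer() sends a -1 response and dies on failure.
	check_ajax_referer( 'example_delete_comment', 'nonce' );

	// 2. Authorization: this is the check whose absence the article describes.
	//    'moderate_comments' is granted to editors and administrators by default.
	if ( ! current_user_can( 'moderate_comments' ) ) {
		wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
	}

	// 3. Input validation: accept only a positive integer id.
	$id = isset( $_POST['comment_id'] ) ? absint( $_POST['comment_id'] ) : 0;
	if ( 0 === $id ) {
		wp_send_json_error( array( 'message' => 'Invalid comment id.' ), 400 );
	}

	// 4. Perform the deletion with a prepared WHERE clause; $wpdb->delete()
	//    returns the number of affected rows or false on error.
	global $wpdb;
	$deleted = $wpdb->delete(
		$wpdb->prefix . 'example_image_comments',
		array( 'id' => $id ),
		array( '%d' )
	);

	if ( false === $deleted ) {
		wp_send_json_error( array( 'message' => 'Database error.' ), 500 );
	}

	wp_send_json_success( array( 'deleted' => (int) $deleted ) );
}

/* The front end that issues the request must pass the nonce along, e.g.
 * wp_localize_script( 'example-gallery', 'exampleGallery', array(
 *     'ajaxUrl' => admin_url( 'admin-ajax.php' ),
 *     'nonce'   => wp_create_nonce( 'example_delete_comment' ),
 * ) );
 */
```

The two checks do different jobs and both are needed: the nonce proves the request originated from a page WordPress rendered for this user (blocking cross-site request forgery), while `current_user_can()` proves the user is actually allowed to delete comments. Dropping the `wp_ajax_nopriv_` registration is what closes the door to anonymous callers, which is precisely the class of attacker the advisory describes.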

Potential Impact of an Attack

Exploiting this flaw, an attacker can delete arbitrary image comments from a website. While this vulnerability does not enable a full website takeover or server compromise, it poses a medium threat level, rated 5.3 on the Common Vulnerability Scoring System (CVSS).

For websites that depend on image comments for user engagement, moderation history, or interactive content, this unauthorized deletion can result in significant data loss and operational disruption. The official Wordfence advisory elaborates on the vulnerability:

“The Photo Gallery by 10Web — Mobile-Friendly Image Gallery plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the delete_comment() function in all versions up to, and including, 1.8.36. This makes it possible for unauthenticated attackers to delete arbitrary image comments. Note: comments functionality is only available in the Pro version of the plugin.”

Affected Versions and Exploitation Conditions

The vulnerability affects all versions of the Photo Gallery by 10Web plugin up to and including version 1.8.36. Exploitation is specifically tied to the comment deletion functionality and is limited to sites running the Pro version with the image comments feature enabled. No special server configuration or complex user interaction is required for an attacker to exploit this flaw, beyond the plugin being active and vulnerable.

Action for Site Owners

A patch addressing this security issue is readily available. Site owners are strongly advised to update their Photo Gallery by 10Web plugin to version 1.8.37 or later immediately. This update includes the necessary security fix.

If an immediate update is not feasible, temporary mitigation strategies include disabling the Photo Gallery by 10Web plugin entirely or, if applicable, disabling the image comments feature within the plugin. These actions will prevent exploitation until the site can be properly patched. Keeping plugins up to date remains the most direct and effective way to secure your WordPress website against such vulnerabilities.