According to Roger Montti’s article on Search Engine Journal, “10Web WordPress Photo Gallery Plugin Vulnerability,” a security flaw has been identified in the Photo Gallery by 10Web WordPress plugin, potentially affecting more than 200,000 installations.
Vulnerability Overview
Montti reports that the flaw allows unauthenticated attackers to delete image comments on affected WordPress sites. The issue affects all versions of the plugin up to and including 1.8.36 and carries a severity score of 5.3, rated medium.
While the vulnerability does not allow a full site takeover or server compromise, it enables unauthorized modification of site data, specifically the deletion of image comments.
What Caused the Issue
The problem stems from a missing capability check in the plugin’s delete_comment() function. According to Montti, the plugin fails to verify whether a user has the appropriate permissions to delete an image comment. As a result, the plugin accepts deletion requests even from unauthenticated visitors.
This violates standard WordPress security practice: any handler that modifies content must first confirm the caller's capability (typically with current_user_can()) and, for requests coming from the browser, verify a nonce, so that neither anonymous visitors nor cross-site requests can trigger the change.
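To make the missing check concrete, here is an illustrative pair of WordPress AJAX handlers written for this article; it is not the Photo Gallery plugin's source and does not reproduce its delete_comment() function. The action names, the nonce action and the storage helper example_gallery_delete_comment_row() are assumptions chosen for the example. The first handler shows the class of bug described above (reachable without a session, no capability check); the second shows the checks a content-modifying handler should perform.

```php
<?php
// Illustrative WordPress AJAX handlers for deleting a gallery image comment.
// Example code for this article, not the Photo Gallery plugin's source.
// example_gallery_delete_comment_row( $id ) is an assumed storage helper that
// deletes one row from a custom comments table and returns true on success.

// --- Vulnerable pattern: reachable by logged-out users, no capability check ---
function example_gallery_delete_comment_unsafe() {
    $comment_id = absint( $_POST['comment_id'] ?? 0 );
    // Nothing here asks whether the caller is allowed to delete comments,
    // and nothing ties the request to a nonce, so any HTTP client can call it.
    example_gallery_delete_comment_row( $comment_id );
    wp_send_json_success( array( 'deleted' => $comment_id ) );
}
// Registering on the wp_ajax_nopriv_ hook exposes the action to visitors
// who have no WordPress session at all.
add_action( 'wp_ajax_example_gallery_delete_comment_unsafe', 'example_gallery_delete_comment_unsafe' );
add_action( 'wp_ajax_nopriv_example_gallery_delete_comment_unsafe', 'example_gallery_delete_comment_unsafe' );

// --- Hardened pattern: nonce, capability, then input validation ---
function example_gallery_delete_comment_safe() {
    // CSRF protection: the request must carry a nonce minted for this action.
    // check_ajax_referer() terminates the request with "-1" if it is missing or stale.
    check_ajax_referer( 'example_gallery_delete_comment', 'nonce' );

    // Authorization: only users who may moderate comments can delete one.
    // wp_send_json_error() exits, so execution never continues past a failure.
    if ( ! current_user_can( 'moderate_comments' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // Input validation: reject a missing or non-positive id before touching storage.
    $comment_id = absint( $_POST['comment_id'] ?? 0 );
    if ( 0 === $comment_id ) {
        wp_send_json_error( array( 'message' => 'Invalid comment id.' ), 400 );
    }

    if ( ! example_gallery_delete_comment_row( $comment_id ) ) {
        wp_send_json_error( array( 'message' => 'Comment not found.' ), 404 );
    }
    wp_send_json_success( array( 'deleted' => $comment_id ) );
}
// Only the authenticated hook is registered. An unauthenticated request for
// this action to admin-ajax.php receives WordPress's default "0" response
// instead of reaching the handler.
add_action( 'wp_ajax_example_gallery_delete_comment', 'example_gallery_delete_comment_safe' );
```

The calling script obtains the nonce server-side, for example by passing wp_create_nonce( 'example_gallery_delete_comment' ) to the page with wp_localize_script(), and sends it as the nonce POST field. Note the order in the hardened handler: the nonce proves the request originated from a page the site served to this user, the capability check proves the user is allowed to perform the action, and only then is the id validated and used. Omitting either of the first two checks, or registering the wp_ajax_nopriv_ variant, reopens the hole.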
Scope and Impact
Montti notes that the vulnerability only affects sites using the Pro version of the plugin, as image comments are not available in the free version. Sites that do not use the comments feature are not exposed.
If exploited, attackers could:
- Delete arbitrary image comments.
- Disrupt user engagement and moderation history.
- Cause loss of community-generated content.
Although the impact is confined to comments, the absence of any authentication requirement means exploitation needs no account or credentials on the target site, which makes it comparatively easy to carry out at scale.
Patch and Recommendations
The issue has been fixed in version 1.8.37 of the plugin. Montti advises site owners to update immediately. If updating is not possible right away, disabling the plugin or turning off the comments feature mitigates the risk until the update can be applied.
As Montti’s reporting highlights, even medium-severity vulnerabilities can cause meaningful disruption, especially on sites that rely heavily on user interaction and visual content. Keeping plugins up to date remains the most effective defense.