CVE-2026-49771: WordPress Photo Gallery by 10Web plugin <= 1.8.41 - SQL Injection vulnerability
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in 10Web Photo Gallery by 10Web allows Blind SQL Injection. This issue affects Photo Gallery by 10Web: from n/a through 1.8.41.
Metrics
- CVSS v3.1: 7.6
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
SQL injection vulnerability in the Photo Gallery by 10Web WordPress plugin (versions through 1.8.41) allows an authenticated attacker with administrator-level credentials to reach the flaw over the network without any victim interaction. Exploitation enables blind SQL injection against the underlying database, disclosing sensitive data stored there and causing limited service disruption. No fix version has been published yet; HarborGuard tracks the upstream advisory and will make a patched-image rebuild available as soon as a fix is released.
HarborGuard Coverage
- Detection: Available
Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds, including Patchstack, within minutes of publication and matched against customer images in registries and CI/CD pipelines, covering custom-built WordPress images alongside official ones.
- Scoring: Available
HarborGuard scores this CVE at CVSS 7.6 (High, v3.1) and weights it against each environment's compliance policy to route the finding to the appropriate team inbox inside each customer organization.
- Patched-image rebuild: Pending upstream
Because no fix version has been published upstream, HarborGuard re-evaluates the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment 10Web releases a corrected version of the plugin. Until then, customers can apply compensating controls through HarborGuard's policy engine, such as network-policy isolation of affected WordPress deployments.
Exploit Conditions
- Network reachability: Required
The attacker must reach the WordPress installation over the network; the vulnerable plugin endpoint is exposed via standard HTTP/HTTPS.
- Authentication: Required
An admin-level (high-privilege) WordPress account is required; the vulnerability is not reachable by unauthenticated or low-privilege users.
- Victim interaction: Not required
No victim interaction is needed; the attacker submits crafted SQL payloads directly to the plugin endpoint without involving another user.
- Attack complexity: Low
Attack complexity is low, meaning the exploit is reliable and requires no special race conditions, memory layout knowledge, or other environmental prerequisites.
Blast Radius
- Reads data from the WordPress database, including user credentials, stored session tokens, and any customer or content records managed by the site.
- Database contents outside the WordPress schema may also be enumerated if the database user has broad privileges, expanding the disclosure surface beyond the plugin's own tables.
- Availability of the affected service is partially degraded by resource-intensive blind injection queries, which can slow or intermittently disrupt database responsiveness.
How HarborGuard Handles This
Available on HarborGuard: because no upstream fix exists for this CVE, HarborGuard continuously re-checks the Patchstack advisory on every ingest cycle and will trigger a patched-image rebuild automatically once 10Web publishes a corrected plugin version. In the meantime, customers can use HarborGuard's policy engine to flag any image containing Photo Gallery by 10Web at or below version 1.8.41 and apply compensating controls such as network-policy isolation (restricting inbound access to affected WordPress pods), egress filtering to limit the database user's reachable surfaces, and feature-flag or plugin-deactivation steps documented in the remediation notes attached to the finding. For customers with auto-remediation enabled, the rebuild, regression-test run, and PR against affected workloads will be initiated automatically as soon as the fix version is available, with median time from CVE fix publication to merged patch PR for high-severity issues around 90 minutes.
Affected Products
- 10Web / Photo Gallery by 10Web: ≤ 1.8.41
- CVSS vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L