VulnTitan VulnTitan Security command center
Plugin Vulnerability Hub
Plugin 61 known issues Latest disclosed Jan 21, 2026

Photo Gallery by 10Web – Mobile-Friendly Image Gallery Vulnerabilities

Review known vulnerability records for the WordPress plugin Photo Gallery by 10Web – Mobile-Friendly Image Gallery (`photo-gallery`), including severity, CVE references, affected versions, and patch status.

View on WordPress.org Back to Feed
Known Records
61
High or Critical
12
Linked CVEs
50
Last Updated
Feb 26, 2026
Coverage Snapshot

What this page helps you verify fast

This hub clusters every indexed record for Photo Gallery by 10Web – Mobile-Friendly Image Gallery so operators can quickly confirm whether a disclosed issue maps to the installed slug and version range.

Patch Visibility
61 records include a published patch path.
Severity Mix
6 critical and 6 high severity findings.
Reference Workflow
Jump from the hub into the full report when you need remediation notes, CVSS vector details, or source references.
Known Vulnerabilities

Reports for Photo Gallery by 10Web – Mobile-Friendly Image Gallery

Sorted by latest disclosure date so newly published issues surface first.

Plugin Medium Patched: Yes CVE-2026-1036
Photo Gallery by 10Web – Mobile-Friendly Image Gallery <= 1.8.36 - Missing Authorization to Unauthenticated Arbitrary Comment Deletion

The Photo Gallery by 10Web – Mobile-Friendly Image Gallery plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the delete_comment() function in all versions up to, and including, 1.8.36. This makes it possible for unauthent...

Published
Jan 21, 2026
Patched Release
1.8.37
Affected Versions
Versions up to 1.8.36
Next Step
Update to 1.8.37 or newer if supported.
Open Full Report Open CVE Reference
Plugin Medium Patched: No CVE-2026-27360
Photo Gallery by 10Web – Mobile-Friendly Image Gallery <= 1.8.38 - Authenticated (Editor+) Stored Cross-Site Scripting

The Photo Gallery by 10Web – Mobile-Friendly Image Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.8.38 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, wi...

Published
Dec 25, 2025
Patched Release
Not published
Affected Versions
Versions up to 1.8.38
Next Step
Open the full report for remediation notes and references.
Open Full Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2025-2269
Photo Gallery by 10Web – Mobile-Friendly Image Gallery <= 1.8.34 Reflected Cross-Site Scripting via 'image_id' Parameter

The Photo Gallery by 10Web – Mobile-Friendly Image Gallery plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘image_id’ parameter in all versions up to, and including, 1.8.34 due to insufficient input sanitization and output escaping. This makes it poss...

Published
Apr 11, 2025
Patched Release
1.8.35
Affected Versions
Versions up to 1.8.34
Next Step
Update to 1.8.35 or newer if supported.
Open Full Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2025-0613
Photo Gallery by 10Web <= 1.8.33 - Unauthenticated Stored Cross-Site Scripting

The Photo Gallery by 10Web – Mobile-Friendly Image Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 1.8.33 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attacke...

Published
Mar 10, 2025
Patched Release
1.8.34
Affected Versions
Versions up to 1.8.33
Next Step
Update to 1.8.34 or newer if supported.
Open Full Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2024-13124
Photo Gallery by 10Web – Mobile-Friendly Image Gallery <= 1.8.32 - Authenticated (Admin+) Stored Cross-Site Scripting

The Photo Gallery by 10Web – Mobile-Friendly Image Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Gallery Titles in all versions up to, and including, 1.8.32 due to insufficient input sanitization and output escaping. This makes it possible for auth...

Published
Mar 02, 2025
Patched Release
1.8.33
Affected Versions
Versions up to 1.8.32
Next Step
Update to 1.8.33 or newer if supported.
Open Full Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2024-10704
Photo Gallery by 10Web – Mobile-Friendly Image Gallery <= 1.8.30 - Authenticated (Admin+) Stored Cross-Site Scripting

The Photo Gallery by 10Web – Mobile-Friendly Image Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Gallery Titles in all versions up to, and including, 1.8.30 due to insufficient input sanitization and output escaping. This makes it possible for auth...

Published
Nov 14, 2024
Patched Release
1.8.31
Affected Versions
Versions up to 1.8.30
Next Step
Update to 1.8.31 or newer if supported.
Open Full Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2024-9878
Photo Gallery by 10Web <= 1.8.30 - Authenticated (Administrator+) Stored Cross-Site Scripting

The Photo Gallery by 10Web – Mobile-Friendly Image Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.8.30 due to insufficient input sanitization and output escaping. This makes it possible for auth...

Published
Nov 04, 2024
Patched Release
1.8.31
Affected Versions
Versions up to 1.8.30
Next Step
Update to 1.8.31 or newer if supported.
Open Full Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2024-8670
Photo Gallery by 10Web <= 1.8.28 - Authenticated (Administrator+) Stored Cross-Site Scripting

The Photo Gallery by 10Web – Mobile-Friendly Image Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.8.28 due to insufficient input sanitization and output escaping. This makes it possible for auth...

Published
Oct 03, 2024
Patched Release
1.8.29
Affected Versions
Versions up to 1.8.28
Next Step
Update to 1.8.29 or newer if supported.
Open Full Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2024-44043
Photo Gallery by 10Web <= 1.8.27 - Authenticated (Administrator+) Stored Cross-Site Scripting

The Photo Gallery by 10Web plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.8.27 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access an...

Published
Sep 23, 2024
Patched Release
1.8.28
Affected Versions
Versions up to 1.8.27
Next Step
Update to 1.8.28 or newer if supported.
Open Full Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2024-5481
Photo Gallery by 10Web – Mobile-Friendly Image Gallery <= 1.8.23 - Authenticated (Contributor+) Path Traversal via esc_dir Function

The Photo Gallery by 10Web – Mobile-Friendly Image Gallery plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.8.23 via the esc_dir function. This makes it possible for authenticated attackers to cut and paste (copy) the contents of arbitr...

Published
Jun 06, 2024
Patched Release
1.8.24
Affected Versions
Versions up to 1.8.23
Next Step
Update to 1.8.24 or newer if supported.
Open Full Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2024-5426
Photo Gallery by 10Web – Mobile-Friendly Image Gallery <= 1.8.23 - Authenticated (Contributor+) Stored Cross-Site Scripting via Zipped SVG

The Photo Gallery by 10Web – Mobile-Friendly Image Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘svg’ parameter in all versions up to, and including, 1.8.23 due to insufficient input sanitization and output escaping. This makes it possible for...

Published
Jun 06, 2024
Patched Release
1.8.24
Affected Versions
Versions up to 1.8.23
Next Step
Update to 1.8.24 or newer if supported.
Open Full Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2024-35628
Photo Gallery by 10Web <= 1.8.25 - Missing Authorization to Notice Dismissal

The Photo Gallery by 10Web – Mobile-Friendly Image Gallery plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the dismiss_notice function in all versions up to, and including, 1.8.25. This makes it possible for authenticated attackers,...

Published
May 27, 2024
Patched Release
1.8.26
Affected Versions
Versions up to 1.8.25
Next Step
Update to 1.8.26 or newer if supported.
Open Full Report Open CVE Reference