Platform: wordpress
Component: photo-gallery
Fixed in: 1.8.38
CVE-2026-32330 describes a Cross-Site Request Forgery (CSRF) vulnerability discovered in the 10Web Photo Gallery WordPress plugin. This flaw allows an attacker to trick authenticated users into performing actions they did not intend to, potentially leading to unauthorized modifications or deletions of gallery content. The vulnerability impacts versions from 0.0.0 up to and including 1.8.37, and a fix is available in version 1.8.38.
A successful CSRF attack could allow an attacker to manipulate the Photo Gallery plugin's functionality without the user's knowledge or consent. This could involve adding, deleting, or modifying images and albums within the gallery. Depending on the user's permissions within the WordPress site, the attacker could potentially gain control over significant portions of the gallery's content. While the impact is not as severe as a Remote Code Execution (RCE) vulnerability, it can still lead to data loss, defacement, or unauthorized access to sensitive information if the gallery contains private or confidential images. The attacker would need to craft a malicious request and entice the user to click a link or visit a compromised webpage.
CVE-2026-32330 was publicly disclosed on 2026-03-13. There are currently no known public proof-of-concept exploits available. The EPSS score is pending evaluation. It is not currently listed on the CISA KEV catalog. Given the nature of CSRF vulnerabilities, it is likely that attackers will attempt to develop exploits once the vulnerability becomes more widely known.
WordPress websites utilizing the 10Web Photo Gallery plugin, particularly those running versions 0.0.0 through 1.8.37, are at risk. Shared hosting environments where multiple websites share the same server resources are also at increased risk, as a compromised website could potentially be used to target other websites on the same server.
• wordpress / composer / npm: list the plugin's version header from the installed files (the plugin slug `photo-gallery` is the component named above; the web root path is assumed)
  grep -rm1 'Version:' /var/www/html/wp-content/plugins/photo-gallery/*.php
• wordpress / composer / npm: query the installed version with WP-CLI
  wp plugin get photo-gallery --field=version
• wordpress / composer / npm: remote check of the publicly readable readme (replace the hostname with your site)
  curl -s https://your-wordpress-site.com/wp-content/plugins/photo-gallery/readme.txt | grep -i 'Stable tag' # Check version
Exploit status
EPSS: 0.02% (3rd percentile)
CVSS vector
The primary mitigation for CVE-2026-32330 is to upgrade the 10Web Photo Gallery plugin to version 1.8.38 or later without delay. If upgrading is not immediately feasible because of compatibility issues or testing requirements, consider deploying a Web Application Firewall (WAF) with CSRF protection rules as an interim measure. Ensure that all forms and critical actions within the Photo Gallery plugin are protected with CSRF tokens (WordPress nonces). Regularly review WordPress user permissions to minimize the impact a successful attack could have. After upgrading, confirm the fix by verifying that gallery actions require authentication and carry CSRF protection.
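As an added illustration of the CSRF-token protection the mitigation refers to (example code written for this page, not the plugin's or 10Web's own), the WordPress pattern: an admin-post handler that trusts the logged-in cookie alone, beside the hardened version that verifies a nonce and the caller's capability. All function, action and option names are assumptions.

```php
<?php
// Added illustration, not the plugin's own code: a hypothetical handler for
// deleting a gallery image. Action and option names are assumptions.

// UNSAFE: any cross-site form post that rides on the victim's session cookie
// reaches the delete; nothing ties the request to a page the user visited.
function example_delete_image_unsafe() {
    $image_id = (int) $_POST['image_id'];
    delete_option( 'example_gallery_image_' . $image_id );
    wp_safe_redirect( admin_url( 'admin.php?page=example-gallery' ) );
    exit;
}

// HARDENED: require a nonce minted for this action AND the right capability.
function example_delete_image_safe() {
    // Sends HTTP 403 and stops when the nonce is missing, expired, or was
    // issued for a different action; it also checks the HTTP referer.
    check_admin_referer( 'example_delete_image' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    $image_id = isset( $_POST['image_id'] ) ? (int) $_POST['image_id'] : 0;
    if ( $image_id > 0 ) {
        delete_option( 'example_gallery_image_' . $image_id );
    }
    wp_safe_redirect( admin_url( 'admin.php?page=example-gallery' ) );
    exit;
}
add_action( 'admin_post_example_delete_image', 'example_delete_image_safe' );

// The legitimate form embeds the matching nonce; a forged form cannot guess it.
function example_render_delete_form( $image_id ) {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_delete_image">
        <input type="hidden" name="image_id" value="<?php echo (int) $image_id; ?>">
        <?php wp_nonce_field( 'example_delete_image' ); ?>
        <button type="submit">Delete image</button>
    </form>
    <?php
}
```

For AJAX endpoints the same check is `check_ajax_referer( 'example_delete_image' )`; a nonce alone is not an authorization check, so the capability test stays in place.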
Update to version 1.8.38 or a newer patched version
CVE-2026-32330 is a Cross-Site Request Forgery (CSRF) vulnerability affecting the 10Web Photo Gallery WordPress plugin, allowing attackers to perform unauthorized actions.
You are affected if your WordPress site runs the 10Web Photo Gallery plugin at any version from 0.0.0 through 1.8.37.
Upgrade the 10Web Photo Gallery plugin to version 1.8.38 or later. Consider WAF rules as a temporary workaround.
There are currently no known active exploits, but it is likely attackers will attempt to develop them.
Refer to the 10Web website and WordPress plugin repository for the latest advisory and update information.