CVE-2026-1036 is a vulnerability classified under CWE-862 (Missing Authorization) found in the Photo Gallery by 10Web – Mobile-Friendly Image Gallery plugin for WordPress. The issue arises from the delete_comment() function lacking a proper capability check, which means that the plugin does not verify whether the user has the required permissions before allowing deletion of image comments. This flaw is present in all versions up to and including 1.8.36. Since the comments feature is only available in the Pro version, only installations running the Pro edition are affected. An unauthenticated attacker can exploit this vulnerability remotely without any user interaction to delete arbitrary comments on images, thereby modifying data without authorization. The vulnerability does not impact confidentiality or availability but compromises data integrity by allowing unauthorized comment deletion. The CVSS v3.1 base score is 5.3, indicating a medium severity level due to the ease of exploitation (network vector, no privileges required, no user interaction) but limited impact scope. No patches or fixes have been published at the time of disclosure, and no known exploits have been observed in the wild. The vulnerability was reserved and published in January 2026 by Wordfence. This issue highlights the importance of proper authorization checks in WordPress plugins, especially those handling user-generated content.

The primary impact of CVE-2026-1036 is unauthorized modification of data integrity through deletion of image comments in the affected plugin’s Pro version. While this does not affect the confidentiality or availability of the system, it can degrade user trust and disrupt community interactions on websites relying on image comments for engagement. For organizations using this plugin, especially those with active user communities or customer feedback via comments, this could result in loss of valuable user-generated content and potential reputational damage. Although the vulnerability does not allow for code execution or data exfiltration, attackers could leverage this flaw to manipulate public perception or remove critical feedback. The ease of exploitation (no authentication or user interaction required) increases the risk of automated attacks or mass comment deletion campaigns. However, the impact is limited to sites using the Pro version of the plugin, which narrows the affected population. No known active exploitation reduces immediate risk but does not eliminate future threats once exploit code becomes available.

Organizations should immediately audit their WordPress installations to identify if the Photo Gallery by 10Web – Mobile-Friendly Image Gallery plugin is installed and whether the Pro version with comments functionality is in use. Until an official patch is released, administrators should consider disabling or restricting access to the comments feature or the plugin entirely to prevent exploitation. Implementing web application firewall (WAF) rules to detect and block suspicious requests targeting the delete_comment() function can provide temporary protection. Monitoring logs for unusual comment deletion activity is recommended to detect potential exploitation attempts. Additionally, restricting access to the WordPress admin and plugin endpoints via IP whitelisting or authentication can reduce exposure. Once a patch is available, prompt application of updates is critical. Developers and site owners should also review plugin permissions and ensure that capability checks are enforced for all sensitive operations. Regular backups of site content, including comments, will help in recovery if unauthorized deletions occur.