
CVE-2026-1036: CWE-862 Missing Authorization in 10web Photo Gallery by 10Web – Mobile-Friendly Image Gallery

Medium
Tags: Vulnerability, CVE-2026-1036, CWE-862
Published: Wed Jan 21 2026 (01/21/2026, 23:23:27 UTC)
Source: CVE Database V5
Vendor/Project: 10web
Product: Photo Gallery by 10Web – Mobile-Friendly Image Gallery

Description

CVE-2026-1036 is a medium-severity vulnerability in the Photo Gallery by 10Web – Mobile-Friendly Image Gallery WordPress plugin, affecting all versions up to and including 1.8.36. The flaw is a missing authorization check in the delete_comment() function, which lets unauthenticated attackers delete arbitrary image comments. Only the Pro version of the plugin, where the comments feature exists, is affected. Exploitation requires no authentication and no user interaction, and results in unauthorized modification of data, specifically the deletion of image comments. No exploitation in the wild is known at the time of writing, and no official patch links have been provided. European organizations running the Pro version face an integrity risk to user-generated content. Mitigation involves restricting access to the plugin's comment-deletion functionality, monitoring logs for suspicious activity, and applying updates once available. Countries with high WordPress usage and significant adoption of 10Web plugins, such as Germany, the UK, France, and the Netherlands, are more likely to be affected.

AI-Powered Analysis

AILast updated: 01/29/2026, 08:52:42 UTC

Technical Analysis

CVE-2026-1036 identifies a missing authorization vulnerability (CWE-862) in the Photo Gallery by 10Web – Mobile-Friendly Image Gallery WordPress plugin, affecting all versions up to and including 1.8.36. The delete_comment() function performs no capability check before acting, so an unauthenticated attacker can invoke it and delete arbitrary image comments. Because the comments feature exists only in the Pro version of the plugin, only installations running that version are exposed. The vulnerability does not affect confidentiality or availability; it affects integrity, by enabling unauthorized deletion of user comments on images. The attack vector is network-based, requires no privileges and no user interaction, and is exercised by sending a crafted request to the vulnerable endpoint. The CVSS 3.1 base score of 5.3 is the standard result for an unauthenticated, low-complexity, network-reachable flaw with a limited integrity impact and no confidentiality or availability impact (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N), which is consistent with the description. One practical caveat for anyone assessing a fix: in WordPress, a nonce check (check_ajax_referer() and friends) is a CSRF control, not an authorization control, since logged-out visitors can obtain valid nonces; the correct fix for CWE-862 is a capability check such as current_user_can(), optionally combined with an ownership check on the comment being deleted. No exploitation in the wild has been observed and no patch had been released at the time of publication, but the flaw threatens the integrity of user-generated content and could be used for reputational damage or to disrupt community interaction on affected sites. The absence of patch links means users should watch vendor advisories and consider the interim mitigations below.
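To make the CWE-862 pattern concrete, the following is an added illustration written for this page, not code from 10Web's plugin: a minimal WordPress AJAX comment-deletion handler, first in the unguarded form the advisory describes and then hardened with a capability check, an ownership check and a nonce. The table name (gallery_comments), the AJAX action names (gdemo_delete_comment_vuln, gdemo_delete_comment) and the nonce action are hypothetical.

```php
<?php
/**
 * Added example (not 10Web's code). Shows a CWE-862 delete handler beside
 * its hardened form. All names here are hypothetical.
 */

// ---- Vulnerable pattern ----------------------------------------------------
// Registered for logged-in AND anonymous callers, and the callback checks
// nothing before deleting: any HTTP client can remove any comment by id.
add_action( 'wp_ajax_gdemo_delete_comment_vuln',        'gdemo_delete_comment_vuln' );
add_action( 'wp_ajax_nopriv_gdemo_delete_comment_vuln', 'gdemo_delete_comment_vuln' );

function gdemo_delete_comment_vuln() {
    global $wpdb;
    $id = absint( $_REQUEST['comment_id'] ?? 0 );
    // No capability check, no ownership check, no nonce: this is CWE-862.
    $wpdb->delete( $wpdb->prefix . 'gallery_comments', array( 'id' => $id ), array( '%d' ) );
    wp_send_json_success( array( 'deleted' => $id ) );
}

// ---- Hardened pattern ------------------------------------------------------
// Only the authenticated hook is registered; without a wp_ajax_nopriv_ variant,
// anonymous requests never reach the callback at all.
add_action( 'wp_ajax_gdemo_delete_comment', 'gdemo_delete_comment' );

function gdemo_delete_comment() {
    global $wpdb;

    // CSRF: the request must carry a nonce minted for this specific action.
    // This is NOT authorization; the capability check below is.
    check_ajax_referer( 'gdemo_delete_comment', 'nonce' );

    $id = absint( $_REQUEST['comment_id'] ?? 0 );
    if ( 0 === $id ) {
        wp_send_json_error( array( 'message' => 'invalid comment id' ), 400 );
    }

    // Authorization (the missing check): the caller must either be allowed to
    // moderate comments site-wide, or be the author of this particular comment.
    $table = $wpdb->prefix . 'gallery_comments';
    $owner = (int) $wpdb->get_var(
        $wpdb->prepare( "SELECT user_id FROM {$table} WHERE id = %d", $id )
    );
    $me = get_current_user_id();
    if ( ! current_user_can( 'moderate_comments' ) && ( 0 === $me || $owner !== $me ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    $rows = $wpdb->delete( $table, array( 'id' => $id ), array( '%d' ) );
    if ( false === $rows ) {
        wp_send_json_error( array( 'message' => 'delete failed' ), 500 );
    }
    wp_send_json_success( array( 'deleted' => $id ) );
}

// Client side (for completeness): wp_create_nonce( 'gdemo_delete_comment' ) is
// handed to the script via wp_localize_script(), and the script POSTs
// { action: 'gdemo_delete_comment', nonce: ..., comment_id: ... } to admin-ajax.php.
```

The two things to look for when reviewing a real handler are whether a wp_ajax_nopriv_ registration exists for a destructive action, and whether the callback gates on a capability (or ownership) rather than only on a nonce. wp_send_json_error() and wp_send_json_success() call wp_die(), so execution stops at the first failed check.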

Potential Impact

For European organizations using the 10Web Photo Gallery Pro plugin, this vulnerability primarily threatens the integrity of image comment data by allowing unauthorized deletion. It does not compromise confidentiality or availability, but unauthorized comment deletion can undermine user trust, disrupt community engagement, and be used to censor or manipulate user feedback. Organizations that rely on user-generated content for marketing, customer interaction, or community building may suffer reputational harm. Because exploitation needs no authentication, automated or opportunistic mass-exploitation is plausible once the request format is public. Only the Pro version is affected; sites on the free version are not impacted. The absence of known exploits reduces the immediate risk, but the exposure remains significant given the widespread use of WordPress and the popularity of 10Web plugins in Europe, and the flaw could be combined with other weaknesses or used in social-engineering campaigns. European businesses with active WordPress sites using this plugin should therefore prioritize mitigation to preserve data integrity and user confidence.

Mitigation Recommendations

1. Immediately audit all WordPress sites using the Photo Gallery by 10Web plugin to identify installations running the Pro version with comments enabled.
2. Restrict access to the plugin's comment-deletion functionality by implementing web application firewall (WAF) rules that block unauthorized requests targeting the delete_comment() endpoint. Identify the exact request shape (URL, action parameter, method) from the plugin's source before writing the rule.
3. Monitor web server and application logs for unusual or unauthorized deletion attempts, focusing on requests that carry no WordPress authentication cookies and no valid nonce yet target the deletion path.
4. Disable or restrict the comments feature in the plugin if it is not essential, to reduce the attack surface.
5. Apply the principle of least privilege by ensuring that only trusted administrators have permissions to manage comments.
6. Stay informed about vendor updates and apply official patches as soon as they are released.
7. Consider deploying additional security plugins that enforce authorization checks or provide enhanced logging and alerting for WordPress administrative actions.
8. Educate site administrators about this vulnerability and encourage vigilance against suspicious activity.
9. If possible, implement network-level access controls to limit exposure of the WordPress admin interface to trusted IP addresses. Note that if the vulnerable handler is reached through admin-ajax.php, as most WordPress plugin AJAX handlers are, IP-restricting /wp-admin/ alone will not block it, because admin-ajax.php must stay reachable for unauthenticated front-end requests; the restriction has to target the specific action.
10. Regularly back up website data, including comments, to enable recovery in case of unauthorized deletions.
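One way to implement recommendation 2 without editing vendor code, as an added example that is neither 10Web's fix nor a Wordfence rule, is a must-use plugin that denies under-privileged callers for a list of admin-ajax.php actions before the plugin's own handler runs. WordPress fires admin_init inside admin-ajax.php before dispatching to wp_ajax_* and wp_ajax_nopriv_* handlers, so an early admin_init hook can act as a virtual patch. The action name example_delete_comment and the capability requirement are placeholders: substitute the action (and any sub-task parameter) the vulnerable plugin actually registers, read from its source.

```php
<?php
/**
 * Plugin Name: Interim AJAX authorization guard (added example, not vendor code)
 * Drop into wp-content/mu-plugins/ so it loads before regular plugins.
 *
 * Denies admin-ajax.php requests for the listed actions unless the caller is
 * logged in and holds the required capability. The action name below is a
 * placeholder that must be replaced with the real one from the plugin source.
 */

// Guarded actions mapped to the capability a caller must hold. Hypothetical names.
function ajax_guard_actions() {
    return array(
        'example_delete_comment' => 'moderate_comments', // placeholder action name
    );
}

add_action( 'admin_init', 'ajax_guard_enforce', 0 ); // priority 0: run before handlers

function ajax_guard_enforce() {
    if ( ! wp_doing_ajax() ) {
        return; // admin_init also fires for ordinary wp-admin page loads
    }
    $action = isset( $_REQUEST['action'] ) ? sanitize_key( wp_unslash( $_REQUEST['action'] ) ) : '';
    $guarded = ajax_guard_actions();
    if ( ! isset( $guarded[ $action ] ) ) {
        return; // not an action we care about
    }

    $needed = $guarded[ $action ];
    if ( is_user_logged_in() && current_user_can( $needed ) ) {
        return; // authorized; let the plugin's own handler run
    }

    // Log enough to hunt for exploitation attempts later. REMOTE_ADDR may be a
    // reverse proxy; adjust if you trust X-Forwarded-For from your edge.
    error_log( sprintf(
        'ajax-guard: blocked action=%s user=%d ip=%s',
        $action,
        get_current_user_id(),
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '-'
    ) );
    wp_send_json_error( array( 'message' => 'forbidden' ), 403 ); // calls wp_die()
}
```

This only helps when the vulnerable code is dispatched as an admin-ajax.php action; if the plugin reaches delete_comment() through a REST route or a front-end request handled on init, hook the corresponding point (rest_pre_dispatch or init) instead. Keep the guard in place until the vendor patch is applied and confirmed, then remove it so it does not mask future regressions.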


Technical Details

Data Version: 5.2
Assigner Short Name: Wordfence
Date Reserved: 2026-01-16T12:28:18.569Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 697162dc4623b1157cf42cb2

Added to database: 1/21/2026, 11:35:56 PM

Last enriched: 1/29/2026, 8:52:42 AM

Last updated: 2/5/2026, 9:48:40 PM

Views: 135
