The Photo Gallery by 10Web plugin for WordPress suffers from a time-based SQL Injection vulnerability (CWE-89) via the 'compact_album_order_by' shortcode parameter. Due to insufficient input escaping and lack of prepared statements, authenticated users with contributor-level privileges can inject arbitrary SQL commands. The injection vector involves the 'shortcode_bwg' AJAX handler, which does not require a valid nonce if the 'page' parameter is omitted, allowing storage of malicious payloads. These payloads can then be triggered by the unauthenticated 'bwg_frontend_data' AJAX handler, enabling exploitation without further authentication. This vulnerability affects all versions up to and including 1.8.41. The CVSS 3.1 base score is 6.5, reflecting a medium severity with network attack vector, low attack complexity, and requiring privileges but no user interaction.

Successful exploitation allows an attacker with contributor-level access to inject additional SQL queries into existing database queries, potentially extracting sensitive information from the database. The vulnerability does not impact integrity or availability but compromises confidentiality. No known exploits in the wild have been reported.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, restrict contributor-level access where possible and monitor for unusual shortcode usage. Since the vulnerability requires contributor-level access, limiting user privileges can reduce risk. No vendor advisory or official patch information is currently available.