WordPress Plugin Vulnerabilities

Photo Gallery by 10Web < 1.8.26 - Subscriber+ Notice Dismiss

Description

The plugin is vulnerable to unauthorized access due to a missing capability check on the dismiss_notice() function, allowing authenticated attackers, with Subscriber-level access and above, to dismiss admin notices from the plugin.

Affects Plugins

Plugin icon
photo-gallery
Fixed in 1.8.26

References

CVE
CVE-2024-35628
URL
https://patchstack.com/database/vulnerability/photo-gallery/wordpress-photo-gallery-by-10web-plugin-1-8-23-broken-access-control-vulnerability

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Dhabaleshwar Das
Verified
No
WPVDB ID
5461999b-d9cc-488c-ba40-bc0161c08a6a

Timeline

Publicly Published
2024-05-27 (about 2 years ago)
Added
2024-06-18 (about 1 year ago)
Last Updated
2024-06-25 (about 1 year ago)

Other

Published
Title
Published
2026-01-29
Title
SupportCandy – Helpdesk & Customer Support Ticket System < 3.4.5 - Missing Authorization
Published
2024-11-22
Title
WP User Manager – User Profile Builder & Membership < 2.9.12 - Missing Authorization to Carbon Fields Custom Sidebar Addition/Removal
Published
2025-12-07
Title
WooCommerce PDF Invoices & Packing Slips < 5.0.0 - Missing Authorization
Published
2026-02-16
Title
EventPrime < 4.2.8.5 - Missing Authorization to Unauthenticated Image Upload via 'ep_upload_file_media' AJAX Endpoint
Published
2025-10-08
Title
Salient Core < 3.0.9 - Missing Authorization