WordPress Plugin Vulnerabilities

Photo Gallery by 10Web < 1.8.38 - Cross-Site Request Forgery

Description

The Photo Gallery by 10Web plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.8.37. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to perform an unauthorized action via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Affects Plugins

Plugin icon
photo-gallery
Fixed in 1.8.38

References

CVE
CVE-2026-32330
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/5fb176f2-d966-4d78-9915-e6903d8f226a

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Sandeep V
Verified
No
WPVDB ID
c7aedb1a-41c4-41c2-96f7-f1867b190413

Timeline

Publicly Published
2026-02-08 (about 3 months ago)
Added
2026-04-15 (about 28 days ago)
Last Updated
2026-04-15 (about 28 days ago)

Other

Published
Title
Published
2025-04-09
Title
User Registration Using Contact Form 7 < 2.5 - Cross-Site Request Forgery
Published
2014-08-01
Title
Featured Comments 1.2.1 - wp-admin/admin-ajax.php Comment Status Manipulation CSRF
Published
2023-08-11
Title
WP HTML Mail < 3.4.2 - Test Email Sending via CSRF
Published
2023-09-29
Title
Backend Localization <= 2.1.10 - Settings Update via CSRF
Published
2025-04-09
Title
Scheduled <= 1.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting