Testa din hemsida →
Photo Gallery by 10Web – Mobile-Friendly Image Gallery ikon

Photo Gallery by 10Web – Mobile-Friendly Image Gallery

4.5/5
200 000+ installationer

Photo Gallery is a powerful image gallery plugin with a list of advanced options for creating responsive image galleries with beautiful lightbox.

31
Kända sårbarheter
6
Kritiska / höga
2026-01-21
Senaste sårbarhet
200 000+
Aktiva installationer

Om Photo Gallery by 10Web – Mobile-Friendly Image Gallery

Photo Gallery by 10Web är ett populärt WordPress-tillägg som gör det möjligt att skapa responsiva bildgallerier med avancerade funktioner och snygg lightbox-visning. Med över 200 000 aktiva installationer är det ett välkänt verktyg för webbplatser som vill visa bilder på ett professionellt sätt.

Säkerhetsläget

Tillägget har tyvärr en problematisk säkerhetshistorik med 27 dokumenterade sårbarheter. Fördelningen visar 21 sårbarheter av medel allvarlighetsgrad, 4 kritiska och 2 av hög allvarlighetsgrad. Den senaste kända sårbarheten upptäcktes i juni 2023.

Praktiska konsekvenser

De kritiska sårbarheterna utgör den största risken och kan potentiellt ge obehöriga tillgång till webbplatsen eller möjliggöra skadlig kod. Medium-sårbarheterna är mindre allvarliga men kan fortfarande utnyttjas av angripare för att samla information eller störa webbplatsens funktion.

Våra rekommendationer

  • Kontrollera omedelbart att du kör den senaste versionen av tillägget
  • Överväg att byta till ett tillägg med bättre säkerhetsrekord om du hanterar känslig information
  • Implementera extra säkerhetslager som Web Application Firewall (WAF)
  • Gör regelbundna säkerhetskopior av din webbplats

Regelbundna uppdateringar av WordPress, teman och tillägg är det absolut viktigaste skyddet mot säkerhetshot.

Använder du Photo Gallery by 10Web – Mobile-Friendly Image Gallery?

Kör ett gratis test och se om din hemsida är påverkad av dessa sårbarheter.

Testa din hemsida

Alla kända sårbarheter

Medel CVE-2026-1036

Photo Gallery by 10Web – Mobile-Friendly Image Gallery <= 1.8.36 - Missing Authorization to Unauthenticated Arbitrary Comment Deletion

Påverkade versioner: <= 1.8.36

Medel CVE-2026-27360

Photo Gallery by 10Web – Mobile-Friendly Image Gallery <= 1.8.38 - Authenticated (Editor+) Stored Cross-Site Scripting

Påverkade versioner: <= 1.8.38

Medel CVE-2025-2269

Photo Gallery by 10Web – Mobile-Friendly Image Gallery <= 1.8.34 Reflected Cross-Site Scripting via 'image_id' Parameter

Påverkade versioner: <= 1.8.34

Medel CVE-2025-0613

Photo Gallery by 10Web <= 1.8.33 - Unauthenticated Stored Cross-Site Scripting

Påverkade versioner: <= 1.8.33

Medel CVE-2021-46889

CVE-2021-46889: The 10Web Photo Gallery plugin through 1.5.69 for WordPress allows XSS via theme_id for bwg_frontend_data. NOTE: other parameters are covered by CVE-2021-24291, CVE-2021-25041, and CVE-2021-31693.

Påverkade versioner: <= 1.5.69

The 10Web Photo Gallery plugin through 1.5.69 for WordPress allows XSS via theme_id for bwg_frontend_data. NOTE: other parameters are covered by CVE-2021-24291, CVE-2021-25041, and CVE-2021-31693.

Medel CVE-2023-1427

CVE-2023-1427: - The Photo Gallery by 10Web WordPress plugin before 1.8.15 did not ensure that uploaded files are kept inside its uploads folder, allowing high privilege users to put images anywhere in the filesy...

Påverkade versioner: < 1.8.15

- The Photo Gallery by 10Web WordPress plugin before 1.8.15 did not ensure that uploaded files are kept inside its uploads folder, allowing high privilege users to put images anywhere in the filesystem via a path traversal vector.

Medel CVE-2022-4058

CVE-2022-4058: The Photo Gallery by 10Web WordPress plugin before 1.8.3 does not validate and escape some parameters before outputting them back in in JS code later on in another page, which could lead to Stored ...

Påverkade versioner: < 1.8.3

The Photo Gallery by 10Web WordPress plugin before 1.8.3 does not validate and escape some parameters before outputting them back in in JS code later on in another page, which could lead to Stored XSS issue when an attacker makes a logged in admin op...

Medel CVE-2021-31693

CVE-2021-31693: The 10Web Photo Gallery plugin through 1.5.68 for WordPress allows XSS via album_gallery_id_0, bwg_album_search_0, and type_0 for bwg_frontend_data. NOTE: other parameters are covered by CVE-2021-2...

Påverkade versioner: <= 1.5.68

The 10Web Photo Gallery plugin through 1.5.68 for WordPress allows XSS via album_gallery_id_0, bwg_album_search_0, and type_0 for bwg_frontend_data. NOTE: other parameters are covered by CVE-2021-24291, CVE-2021-25041, and CVE-2021-46889. NOTE: VMwar...

Medel CVE-2021-36891

CVE-2021-36891: Cross-Site Request Forgery (CSRF) vulnerability in Photo Gallery by Supsystic plugin <= 1.15.5 at WordPress allows changing the plugin settings.

Påverkade versioner: < 1.15.6

Cross-Site Request Forgery (CSRF) vulnerability in Photo Gallery by Supsystic plugin <= 1.15.5 at WordPress allows changing the plugin settings.

Medel CVE-2022-1394

CVE-2022-1394: The Photo Gallery by 10Web WordPress plugin before 1.6.4 does not properly validate and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scrip...

Påverkade versioner: < 1.6.4

The Photo Gallery by 10Web WordPress plugin before 1.6.4 does not properly validate and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks when unfiltered_html is disallowed

Medel CVE-2022-0873

CVE-2022-0873: The Gmedia Photo Gallery WordPress plugin before 1.20.0 does not sanitise and escape the Album's name before outputting it in pages/posts with a media embed, which could allow high privilege users ...

Påverkade versioner: < 1.20.0

The Gmedia Photo Gallery WordPress plugin before 1.20.0 does not sanitise and escape the Album's name before outputting it in pages/posts with a media embed, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks...

Medel CVE-2022-1282

CVE-2022-1282: The Photo Gallery by 10Web WordPress plugin before 1.6.3 does not properly sanitize the $_GET['image_url'] variable, which is reflected back to the users when executing the editimage_bwg AJAX action.

Påverkade versioner: < 1.6.3

The Photo Gallery by 10Web WordPress plugin before 1.6.3 does not properly sanitize the $_GET['image_url'] variable, which is reflected back to the users when executing the editimage_bwg AJAX action.

Kritisk CVE-2022-1281

CVE-2022-1281: The Photo Gallery WordPress plugin through 1.6.3 does not properly escape the $_POST['filter_tag'] parameter, which is appended to an SQL query, making SQL Injection attacks possible.

Påverkade versioner: <= 1.6.3

The Photo Gallery WordPress plugin through 1.6.3 does not properly escape the $_POST['filter_tag'] parameter, which is appended to an SQL query, making SQL Injection attacks possible.

Kritisk CVE-2022-0169

CVE-2022-0169: The Photo Gallery by 10Web WordPress plugin before 1.6.0 does not validate and escape the bwg_tag_id_bwg_thumbnails_0 parameter before using it in a SQL statement via the bwg_frontend_data AJAX act...

Påverkade versioner: < 1.6.0

The Photo Gallery by 10Web WordPress plugin before 1.6.0 does not validate and escape the bwg_tag_id_bwg_thumbnails_0 parameter before using it in a SQL statement via the bwg_frontend_data AJAX action (available to unauthenticated and authenticated u...

Medel CVE-2022-0186

CVE-2022-0186: The Image Photo Gallery Final Tiles Grid WordPress plugin before 3.5.3 does not sanitise and escape the Description field when editing a gallery, allowing users with a role as low as contributor to...

Påverkade versioner: < 3.5.3

The Image Photo Gallery Final Tiles Grid WordPress plugin before 3.5.3 does not sanitise and escape the Description field when editing a gallery, allowing users with a role as low as contributor to perform Cross-Site Scripting attacks against other u...

Medel CVE-2021-24909

CVE-2021-24909: The ACF Photo Gallery Field WordPress plugin before 1.7.5 does not sanitise and escape the post parameter in the includes/acf_photo_gallery_metabox_edit.php file before outputing back in an attribu...

Påverkade versioner: < 1.7.5

The ACF Photo Gallery Field WordPress plugin before 1.7.5 does not sanitise and escape the post parameter in the includes/acf_photo_gallery_metabox_edit.php file before outputing back in an attribute, leading to a Reflected Cross-Site Scripting issue

Medel CVE-2021-25041

CVE-2021-25041: The Photo Gallery by 10Web WordPress plugin before 1.5.68 is vulnerable to Reflected Cross-Site Scripting (XSS) issues via the bwg_album_breadcrumb_0 and shortcode_id GET parameters passed to the b...

Påverkade versioner: < 1.5.68

The Photo Gallery by 10Web WordPress plugin before 1.5.68 is vulnerable to Reflected Cross-Site Scripting (XSS) issues via the bwg_album_breadcrumb_0 and shortcode_id GET parameters passed to the bwg_frontend_data AJAX action

Medel CVE-2021-24363

CVE-2021-24363: The Photo Gallery by 10Web – Mobile-Friendly Image Gallery WordPress plugin before 1.5.75 did not ensure that uploaded files are kept inside its uploads folder, allowing high privilege users to p...

Påverkade versioner: < 1.5.75

The Photo Gallery by 10Web – Mobile-Friendly Image Gallery WordPress plugin before 1.5.75 did not ensure that uploaded files are kept inside its uploads folder, allowing high privilege users to put images/SVG anywhere in the filesystem via a path tra...

Medel CVE-2021-24362

CVE-2021-24362: The Photo Gallery by 10Web – Mobile-Friendly Image Gallery WordPress plugin before 1.5.75 did not ensure that uploaded SVG files added to a gallery do not contain malicious content. As a result, ...

Påverkade versioner: < 1.5.75

The Photo Gallery by 10Web – Mobile-Friendly Image Gallery WordPress plugin before 1.5.75 did not ensure that uploaded SVG files added to a gallery do not contain malicious content. As a result, users allowed to add images to gallery can upload an SV...

Hög CVE-2021-24462

CVE-2021-24462: The get_gallery_categories() and get_galleries() functions in the Photo Gallery by Ays – Responsive Image Gallery WordPress plugin before 4.4.4 did not use whitelist or validate the orderby param...

Påverkade versioner: < 4.4.4

The get_gallery_categories() and get_galleries() functions in the Photo Gallery by Ays – Responsive Image Gallery WordPress plugin before 4.4.4 did not use whitelist or validate the orderby parameter before using it in SQL statements passed to the ge...

Medel CVE-2021-24310

CVE-2021-24310: The Photo Gallery by 10Web - Mobile-Friendly Image Gallery WordPress plugin before 1.5.67 did not properly sanitise the gallery title, allowing high privilege users to create one with XSS payload i...

Påverkade versioner: < 1.5.67

The Photo Gallery by 10Web - Mobile-Friendly Image Gallery WordPress plugin before 1.5.67 did not properly sanitise the gallery title, allowing high privilege users to create one with XSS payload in it, which will be triggered when another user will...

Medel CVE-2021-24291

CVE-2021-24291: The Photo Gallery by 10Web – Mobile-Friendly Image Gallery WordPress plugin before 1.5.69 was vulnerable to Reflected Cross-Site Scripting (XSS) issues via the gallery_id, tag, album_id and _id G...

Påverkade versioner: < 1.5.69

The Photo Gallery by 10Web – Mobile-Friendly Image Gallery WordPress plugin before 1.5.69 was vulnerable to Reflected Cross-Site Scripting (XSS) issues via the gallery_id, tag, album_id and _id GET parameters passed to the bwg_frontend_data AJAX acti...

Kritisk CVE-2021-24139

CVE-2021-24139: Unvalidated input in the Photo Gallery (10Web Photo Gallery) WordPress plugin, versions before 1.5.55, leads to SQL injection via the frontend/models/model.php bwg_search_x parameter.

Påverkade versioner: < 1.5.55

Unvalidated input in the Photo Gallery (10Web Photo Gallery) WordPress plugin, versions before 1.5.55, leads to SQL injection via the frontend/models/model.php bwg_search_x parameter.

Medel CVE-2020-9335

CVE-2020-9335: Multiple stored XSS vulnerabilities exist in the 10Web Photo Gallery plugin before 1.5.46 WordPress. Successful exploitation of this vulnerability would allow a authenticated admin user to inject a...

Påverkade versioner: < 1.5.46

Multiple stored XSS vulnerabilities exist in the 10Web Photo Gallery plugin before 1.5.46 WordPress. Successful exploitation of this vulnerability would allow a authenticated admin user to inject arbitrary JavaScript code that is viewed by other user...

Medel CVE-2020-9334

CVE-2020-9334: A stored XSS vulnerability exists in the Envira Photo Gallery plugin through 1.7.6 for WordPress. Successful exploitation of this vulnerability would allow a authenticated low-privileged user to in...

Påverkade versioner: <= 1.7.6

A stored XSS vulnerability exists in the Envira Photo Gallery plugin through 1.7.6 for WordPress. Successful exploitation of this vulnerability would allow a authenticated low-privileged user to inject arbitrary JavaScript code that is viewed by othe...

Medel CVE-2015-1394

CVE-2015-1394: Multiple cross-site scripting (XSS) vulnerabilities in the Photo Gallery plugin before 1.2.11 for WordPress allow remote authenticated users to inject arbitrary web script or HTML via the (1) sort_...

Påverkade versioner: < 1.2.11

Multiple cross-site scripting (XSS) vulnerabilities in the Photo Gallery plugin before 1.2.11 for WordPress allow remote authenticated users to inject arbitrary web script or HTML via the (1) sort_by, (2) sort_order, (3) items_view, (4) dir, (5) clip...

Hög CVE-2019-14467

CVE-2019-14467: The Social Photo Gallery plugin 1.0 for WordPress allows Remote Code Execution by creating an album and attaching a malicious PHP file in the cover photo album, because the file extension is not ch...

Påverkade versioner: all

The Social Photo Gallery plugin 1.0 for WordPress allows Remote Code Execution by creating an album and attaching a malicious PHP file in the cover photo album, because the file extension is not checked.

Kritisk CVE-2019-16119

CVE-2019-16119: SQL injection in the photo-gallery (10Web Photo Gallery) plugin before 1.5.35 for WordPress exists via the admin/controllers/Albumsgalleries.php album_id parameter.

Påverkade versioner: < 1.5.35

SQL injection in the photo-gallery (10Web Photo Gallery) plugin before 1.5.35 for WordPress exists via the admin/controllers/Albumsgalleries.php album_id parameter.

Medel CVE-2019-16118

CVE-2019-16118: Cross site scripting (XSS) in the photo-gallery (10Web Photo Gallery) plugin before 1.5.35 for WordPress exists via admin/controllers/Options.php.

Påverkade versioner: < 1.5.35

Cross site scripting (XSS) in the photo-gallery (10Web Photo Gallery) plugin before 1.5.35 for WordPress exists via admin/controllers/Options.php.

Medel CVE-2019-16117

CVE-2019-16117: Cross site scripting (XSS) in the photo-gallery (10Web Photo Gallery) plugin before 1.5.35 for WordPress exists via admin/models/Galleries.php.

Påverkade versioner: < 1.5.35

Cross site scripting (XSS) in the photo-gallery (10Web Photo Gallery) plugin before 1.5.35 for WordPress exists via admin/models/Galleries.php.

Medel CVE-2017-12977

CVE-2017-12977: The Web-Dorado "Photo Gallery by WD - Responsive Photo Gallery" plugin before 1.3.51 for WordPress has a SQL injection vulnerability related to bwg_edit_tag() in photo-gallery.php and edit_tag() in...

Påverkade versioner: <= 1.3.50

The Web-Dorado "Photo Gallery by WD - Responsive Photo Gallery" plugin before 1.3.51 for WordPress has a SQL injection vulnerability related to bwg_edit_tag() in photo-gallery.php and edit_tag() in admin/controllers/BWGControllerTags_bwg.php. It is e...

Så skyddar du din sajt

Sårbarheter i tillägg är den vanligaste attackytan för WordPress-sajter. Det bästa skyddet är att vara proaktiv — här är tre konkreta steg.

Håll tillägget uppdaterat

De flesta sårbarheter i Photo Gallery by 10Web – Mobile-Friendly Image Gallery åtgärdas snabbt av utvecklarna. Uppdatera alltid till senaste versionen.

Ta bort oanvända tillägg

Varje tillägg är en potentiell attackyta. Avinstallera det du inte aktivt använder.

Bevaka automatiskt

Med löpande övervakning upptäcker du problem innan de blir allvarliga.

Vill du slippa hålla koll själv? Med ett supportavtal från Sitesupport sköter vi uppdateringar och säkerhet åt dig.

Vanliga frågor om Photo Gallery by 10Web – Mobile-Friendly Image Gallery

Photo Gallery by 10Web – Mobile-Friendly Image Gallery har 31 kända sårbarheter, varav 6 med hög eller kritisk allvarlighetsgrad. Det betyder inte nödvändigtvis att tillägget är osäkert — de flesta sårbarheter åtgärdas i nya versioner. Det viktigaste är att alltid köra den senaste versionen.
Det enklaste sättet är att köra ett gratis test av din hemsida på sitesupport.co. Testet kontrollerar vilka tillägg du använder och vilka versioner som är installerade, och jämför det mot kända sårbarheter.
Uppdatera till den senaste versionen så snart som möjligt. Om det inte finns en uppdatering som åtgärdar problemet bör du överväga att tillfälligt inaktivera tillägget, särskilt om sårbarheten har kritisk eller hög allvarlighetsgrad.
Photo Gallery by 10Web – Mobile-Friendly Image Gallery har över 200 000 aktiva installationer på WordPress.org och ett betyg på 4.5 av 5. Populära tillägg har generellt bättre säkerhetsrutiner tack vare större community och fler ögon på koden.

Andra tillägg med kända sårbarheter

Royal Addons for Elementor – Addons and Templates Kit for Elementor
59 sårbarheter
Ninja Forms – The Contact Form Builder That Grows With You
58 sårbarheter
Booking Calendar
56 sårbarheter
Newsletter – Send awesome emails from WordPress
56 sårbarheter
Elementor Website Builder – More Than Just a Page Builder
55 sårbarheter
Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin
54 sårbarheter

Hur mår din hemsida?

Kör ett gratis test och se hur din sajt presterar inom SEO, säkerhet, prestanda och tillgänglighet — på under en minut.

Testa gratis

Inget konto krävs