Atomic Edge analysis of CVE-2026-1036 (metadata-based):
This vulnerability is a Missing Authorization flaw in the Photo Gallery by 10Web plugin, allowing unauthenticated attackers to delete arbitrary image comments. The issue affects the Pro version’s comment functionality in all releases up to and including version 1.8.36. The CVSS score of 5.3 (Medium) reflects an attack that impacts data integrity without affecting confidentiality or availability.
Atomic Edge research infers that the root cause is a missing capability check on a function named `delete_comment()`. This function is likely an AJAX callback or REST API endpoint handler. The CWE-862 classification confirms the plugin fails to verify a user’s authorization before performing a privileged action. Without code access, this conclusion is inferred from the standard WordPress pattern in which such functions are hooked to `wp_ajax_nopriv_` actions or unsecured REST endpoints, permitting unauthenticated execution.
Exploitation requires sending a crafted HTTP request to the vulnerable endpoint. Based on WordPress plugin conventions, the likely attack vector is the admin-ajax.php handler. An attacker would send a POST request to `/wp-admin/admin-ajax.php` with an `action` parameter targeting the plugin’s delete comment function, such as `photo_gallery_delete_comment` or a similar derivative of the plugin slug. The request must include a parameter like `comment_id` to specify the target. No nonce or authentication cookie is required.
The patch in version 1.8.37 likely adds a proper authorization check. Remediation requires implementing a capability check, such as `current_user_can('moderate_comments')`, or verifying a valid nonce. The function should also validate that the user owns the comment or has appropriate administrative privileges. The fix must ensure the callback is not registered with the `wp_ajax_nopriv_` prefix, or that a user authentication check is performed before any data modification.
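As an added illustration of the remediation pattern described above (this is not the plugin's code, and Atomic Edge has no access to it), the snippet below shows a hypothetical WordPress AJAX delete-comment callback in the insecure shape inferred for this CWE-862 flaw, beside a hardened version. The action name `example_gallery_delete_comment`, the functions, and the `example_gallery_comments` table with its `user_id` column are all assumed for the example; `check_ajax_referer`, `current_user_can`, `absint`, `$wpdb` and the `wp_send_json_*` helpers are standard WordPress APIs.

```php
<?php
// Added example, not the plugin's code. All hook, function and table names are hypothetical.

// --- Insecure pattern: nopriv hook, no nonce, no capability check ---------------------
add_action( 'wp_ajax_nopriv_example_gallery_delete_comment', 'example_gallery_delete_comment_insecure' );

function example_gallery_delete_comment_insecure() {
    global $wpdb;
    $comment_id = absint( $_POST['comment_id'] ?? 0 );
    // Anyone who can reach admin-ajax.php can delete any comment: missing authorization (CWE-862).
    $wpdb->delete( $wpdb->prefix . 'example_gallery_comments', array( 'id' => $comment_id ) );
    wp_send_json_success();
}

// --- Hardened pattern: authenticated hook only, nonce, capability or ownership check ---
// Registered on 'wp_ajax_' only (logged-in users); deliberately no 'wp_ajax_nopriv_' hook.
add_action( 'wp_ajax_example_gallery_delete_comment', 'example_gallery_delete_comment_secure' );

function example_gallery_delete_comment_secure() {
    global $wpdb;

    // 1. CSRF protection: the request must carry a nonce issued for this action (dies on failure).
    check_ajax_referer( 'example_gallery_delete_comment', 'nonce' );

    // 2. Input validation.
    $comment_id = absint( $_POST['comment_id'] ?? 0 );
    if ( 0 === $comment_id ) {
        wp_send_json_error( 'invalid comment id', 400 );
    }

    // 3. Authorization: moderators may delete any comment; everyone else only their own.
    if ( ! current_user_can( 'moderate_comments' ) ) {
        $owner_id = (int) $wpdb->get_var( $wpdb->prepare(
            "SELECT user_id FROM {$wpdb->prefix}example_gallery_comments WHERE id = %d",
            $comment_id
        ) );
        if ( 0 === $owner_id || $owner_id !== get_current_user_id() ) {
            wp_send_json_error( 'forbidden', 403 );
        }
    }

    // 4. Only now perform the privileged action.
    $deleted = $wpdb->delete( $wpdb->prefix . 'example_gallery_comments', array( 'id' => $comment_id ), array( '%d' ) );
    if ( false === $deleted ) {
        wp_send_json_error( 'delete failed', 500 );
    }
    wp_send_json_success( array( 'deleted' => $deleted ) );
}
```

The front end must obtain the nonce from `wp_create_nonce( 'example_gallery_delete_comment' )` (for example via `wp_localize_script`) and send it as the `nonce` field; since `wp_send_json_error` terminates the request, no explicit `return` is needed after it.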
Successful exploitation allows any site visitor to delete any comment associated with the plugin’s image galleries. This constitutes unauthorized data destruction and can disrupt user engagement, affect content visibility, or be used maliciously to erase evidence or legitimate feedback. The impact is limited to data integrity loss within the plugin’s comment system and does not extend to site compromise or privilege escalation.
