{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27360", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-02-19T09:51:48.837Z", "datePublished": "2026-02-19T20:35:42.196Z", "dateUpdated": "2026-04-28T16:15:02.268Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "photo-gallery", "product": "Photo Gallery by 10Web", "vendor": "10Web", "versions": [{"changes": [{"at": "1.8.39", "status": "unaffected"}], "lessThanOrEqual": "1.8.38", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Tabulra | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:05:15.838Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in 10Web Photo Gallery by 10Web photo-gallery allows Stored XSS.<p>This issue affects Photo Gallery by 10Web: from n/a through <= 1.8.38.</p>"}], "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in 10Web Photo Gallery by 10Web photo-gallery allows Stored XSS.This issue affects Photo Gallery by 10Web: from n/a through <= 1.8.38."}], "impacts": [{"capecId": "CAPEC-592", "descriptions": [{"lang": "en", "value": "Stored XSS"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:15:02.268Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/photo-gallery/vulnerability/wordpress-photo-gallery-by-10web-plugin-1-8-37-cross-site-scripting-xss-vulnerability?_s_id=cve"}], "title": "WordPress Photo Gallery by 10Web plugin <= 1.8.38 - Cross Site Scripting (XSS) vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-20T17:18:19.584627Z", "id": "CVE-2026-27360", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T16:01:43.739Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-27360", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-20T17:18:19.584627Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-20T17:17:09.579Z"}}], "cna": {"title": "WordPress Photo Gallery by 10Web plugin <= 1.8.37 - Cross Site Scripting (XSS) vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Tabulra | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-592", "descriptions": [{"lang": "en", "value": "Stored XSS"}]}], "affected": [{"vendor": "10Web", "product": "Photo Gallery by 10Web", "versions": [{"status": "affected", "version": "n/a", "versionType": "custom", "lessThanOrEqual": "<= 1.8.37"}], "packageName": "photo-gallery", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-02-19T20:07:49.581Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/photo-gallery/vulnerability/wordpress-photo-gallery-by-10web-plugin-1-8-37-cross-site-scripting-xss-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in 10Web Photo Gallery by 10Web photo-gallery allows Stored XSS.This issue affects Photo Gallery by 10Web: from n/a through <= 1.8.37.", "supportingMedia": [{"type": "text/html", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in 10Web Photo Gallery by 10Web photo-gallery allows Stored XSS.<p>This issue affects Photo Gallery by 10Web: from n/a through <= 1.8.37.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-02-19T20:35:42.196Z"}}}, "cveMetadata": {"cveId": "CVE-2026-27360", "state": "PUBLISHED", "dateUpdated": "2026-02-20T17:19:02.553Z", "dateReserved": "2026-02-19T09:51:48.837Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-02-19T20:35:42.196Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in 10Web Photo Gallery by 10Web photo-gallery allows Stored XSS.This issue affects Photo Gallery by 10Web: from n/a through <= 1.8.38."}, {"lang": "es", "value": "Vulnerabilidad de Neutralizaci\u00f3n Incorrecta de la Entrada Durante la Generaci\u00f3n de P\u00e1ginas Web ('cross-site scripting') en 10Web Photo Gallery de 10Web photo-gallery permite XSS Almacenado. Este problema afecta a Photo Gallery de 10Web: desde n/d hasta &lt;= 1.8.37."}], "id": "CVE-2026-27360", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 1.7, "impactScore": 3.7, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-02-19T21:18:32.950", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/photo-gallery/vulnerability/wordpress-photo-gallery-by-10web-plugin-1-8-37-cross-site-scripting-xss-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.8.37]"}}], "enrichment": {"confidence": 81.0, "confidence_source": "matching", "scores": [{"score": 81.0, "source": "matching"}]}, "original": {"product": "Photo Gallery by 10Web", "source": "cna", "vendor": "10Web"}, "product": "photo_gallery", "vendor": "10web"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-16T00:03:19.391987+00:00", "value": {"mitigation_remediation": ["Update the 10Web Photo Gallery plugin to version 1.8.39 or later, which removes the stored\u2011XSS vulnerability.", "If an upgrade is not immediately possible, disable the Photo Gallery plugin until the patch is applied.", "Apply input validation to any gallery title or description fields, ensuring that all user input is properly escaped before rendering in HTML contexts."], "summary": {"action": "Patch Update", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "Any installation of the 10Web Photo Gallery plugin for WordPress with a version of 1.8.38 or earlier is affected. The vulnerability is present from the earliest releases through to and including 1.8.38.\\n", "description_and_impact": "The vulnerability is a stored Cross\u2011Site Scripting flaw in the WordPress Photo Gallery by 10Web plugin. User input fed to the photo gallery page is not properly escaped, allowing an attacker to inject arbitrary JavaScript that is later served to any user who views the gallery. This flaw is identified as CWE\u201179 and carries a CVSS score of 5.9. An attacker who can insert malicious code would gain the ability to execute client\u2011side scripts, potentially hijacking user sessions or defacing content, without having direct control over the server.\\n", "risk_and_exploitability": "The risk rating is moderate due to the CVSS score of 5.9, but the Probability of Exploitation according to the EPSS is very low (<1%). The vulnerability is not listed in the CISA KEV catalog. The most likely attack vector is a web\u2011based form or interface that allows an attacker with sufficient privileges (such as an administrator or a user with gallery\u2011creation rights) to inject malicious script into a gallery field. Once stored, the script executes for any visitor to the affected gallery page, with full access to the browser context but not to the underlying server. The low exploitation likelihood reflects the need for the attacker to have some level of access to the WordPress backend or gallery management interface."}}}}, "created": "2026-02-20T09:54:04.630848+00:00", "updated": "2026-04-16T00:15:18.631465+00:00", "vendors": ["10web", "10web$PRODUCT$photo_gallery", "wordpress", "wordpress$PRODUCT$wordpress"]}