WordPress Coding Standards: Explained WordPress Permissions Using the 10Web Image Gallery Plugin Security Example (CVE-2026-1036)

January 23, 2026

4 Min Read

The WordPress API has a huge learning curve, so you might miss authentication and authorization checks when you code your first plugin. This article will explain how an authentication failure allowed random web users to delete comments stored with images using the 10Web Mobile-Friendly Image Gallery Plugin for WordPress, exposed and published as CVE-2026-1036.

10Web Image Gallery and Permissions in WordPress

Before getting into the vulnerability, first a word about the way WordPress permissions work and the 10Web Mobile-Friendly Image Gallery comment features. The 10Web plugin lets site owners create mobile-friendly versions of their images. Site creators can upload images and edit them directly in the WordPress dashboard. Users can then comment on images.

WordPress has a few major user account types: super admin, admin, contributor, author, subscriber, and editor. These user roles have permissions. For every action a user can do from your plugin, you need to ensure the user has permission to do it. WordPress coding standards suggest checking for a nonce (number used once) assigned to a valid user. After checking for the nonce and user permissions, your plugin code can then perform the action.

In CVE-2026-1036, 10Web Mobile-Friendly Image Gallery Plugin failed to check both, so an attacker could execute functions without authorization. For this vulnerability, an authorized user could execute the function delete_comment, which allowed users to delete comments assigned to 10Web images.

10Web Plugin Code Vulnerability

Admins can add images to their site with 10Web, and then users can comment. The 10Web Mobile-Friendly Image Gallery Plugin then lets the user who made the comment or admins delete comments. Even though the buttons to delete comments aren’t displayed on the frontend, attackers can use server requests to execute the delete_comment function, which means users could delete comments that don’t belong to them.

Here is the code prior to the recent 10Web security patch:

public function delete_comment() {
    global $wpdb;
    $json = array();
    $id_image = WDWLibrary::get('id_image', 0, 'intval');
    $id_comment = WDWLibrary::get('id_comment', 0, 'intval');

    if ( $id_image && $id_comment ) {
           //delete query here
        //.....snipped for brevity.....
    }
    //.....snipped for brevity.....
}

The single line to note in the code above is the if statement where the code validates that $id_image and $id_comment contains a value. This step ensures that the function can delete a comment, but it does not validate that the current user can delete the comment. It’s possible that the developer never thought that user permission validation was necessary if the function isn’t directly called from a user action, but even actions hidden in plugin code can be executed using WordPress hooks.

The 10Web Security Patch and New Plugin Code

After the vulnerability was found, 10Web published a patch. The patch is a good example of what WordPress developers should do to secure their code from unauthorized execution. Here is the new code for the delete_comment function:

public function delete_comment() {
    global $wpdb;
    $json = array();

    //verify that the user is active and can edit comments
    if (!wp_verify_nonce($_POST['bwg_nonce'], 'comment')) {
          $error = true;
    }

    $id_image = WDWLibrary::get('id_image', 0, 'intval');
    $id_comment = WDWLibrary::get('id_comment', 0, 'intval');

   //added current_user_can function to check permissions
    if ( $id_image && $id_comment && current_user_can('moderate_comments')  ) {
           //delete query here
        //.....snipped for brevity.....
    }

    //.....snipped for brevity.....
}

The added code is in the snippet above. I’ve added comments to explain the new code, but the new authorization validation is in two sections.

The first section verifies that the user making a call to the delete_comment is active on the site. WordPress assigns a nonce (number used once) to every user. This statement verifies that the nonce exists and it’s for commenting on images.

An additional condition in the form of a function named current_user_can is then added to the if statement validating that $id_image and $id_comment have values. The current_user_can function is a WordPress API feature. It checks that the current user account can perform an action. The action is passed to the function as an argument. In this example, the moderate_comments parameter asks the function to verify that the user can edit comments stored with images. If the function returns false, then comments are not deleted.

What WordPress Coders Should Learn from Here

For any event in your WordPress plugin, always check that the user has a legitimate nonce and permission to perform the action. Without authorization checks, you code security issues into your plugin. Luckily, the WordPress API has built-in functions to validate user authorization, so use them frequently for every feature.

Check out some of my other examples of security failures found in other WordPress functions. You’ll see that there is a common mistake among developers assuming that a function cannot be executed by the general public. Even if that’s true today, it might not be true tomorrow. Remember the cybersecurity theory to “trust but verify” even in your WordPress code.

Categorized in:

Coding vulnerabilities Programming Secure coding

Tagged in:

CVE-2026-1036, permissions in wordpress, wordpress coding, wordpress coding standards, wordpress permissions

jennifer

As a writer with 15 years of experience helping brands grow their visibility online, I provide content with proven success for many small businesses and large enterprises. I've helped numerous companies improve traffic to their sites including Microsoft, Pure Storage, Adobe, Rackspace, CloudLinux, SolarWinds, IBM and several more. I've had content featured in TechCrunch and FastCompany. I've also ghostwritten technical books for O'Reilly. Contact me to see what I can do for you at [email protected]. See my portfolio here: https://www.clippings.me/jennm.

View All Articles

Other Stories

How AI Reprompt Attacks Work: Phishing Links and Prompt AI Security Failures

jennifer

Founder & Editor

Title: The OWASP Top 10 Handbook: Hacking Broken Access Controls (with practical examples and code)

Summary: Buy this book on Amazon. The OWASP Top 10 is a categorization of common vulnerabilities affecting applications. This book covers category one: broken access controls. Broken access controls is an umbrella category for several different ways hackers can gain control over accounts and applications using mistakes in authentication and authorization. You might think that you have authentication locked down in your application or API, but hackers often find bugs to bypass controls. Broken access controls are usually minor mistakes with huge consequences, and this book provides developers and application owners with basic examples to help them find their own vulnerabilities. This book offers real-world examples and code to show developers or application owners how hackers gain access to accounts or unauthorized data using exploits on broken access controls. Python code is used in real-world example scenarios to test applications for common vulnerabilities, so developers can grasp the ease at which some broken access controls can be hacked. Application owners will get a better understanding of cybersecurity issues and the importance of hardened source code. All Python scripts are published on Github publicly for your convenience. The ebook has seven chapters: Introduction: A breakdown of several broken access control subcategories and an understanding of the OWASP Top 10. Chapter 1 (Principle of Least Privilege): If you’re designing an application or need to create authorization rules, the Principle of Least Privilege is covered in this chapter to help you understand the best way to provide data access to customers and employees. Chapter 2 (Modifying URL Parameters and IDOR): This chapter shows you examples of how to exploit query string parameters to gain access to data, escalate privileges, or gain unauthorized access to web pages. Chapter 3 (Exploit URL Parameter Vulnerabilities to Gain Access to Files): URL parameters are often an unnoticed vulnerability, so this chapter shows you how to manipulate URL parameters to access sensitive files that contain data such as server configurations or application passwords. Chapter 4 (Hacking APIs with Missing Authentication): APIs provide critical backend functionality, so this chapter covers testing of API endpoints to find missing authentication controls or other vulnerabilities. Chapter 5 (CORS Misconfigurations): Understand CORS, pre-fetching, and how you can configure an API to allow authorized access from remote domains. Chapter 6 (Bad Redirects and Authentication): Developers often use redirects to bring authenticated users to specific application pages, so we cover checking authorization controls on pages that could be abused by internal users. Chapter 7 (Where to Go From Here?): Wrap-up and provide basic advice for the next steps. Protecting an application is a huge undertaking, so it’s usually best to hire a professional.