10web


Products by 10web Sorted by Most Security Vulnerabilities since 2018

10web Photo Gallery: 45 vulnerabilities

10web Form Maker: 28 vulnerabilities

10web Slider: 9 vulnerabilities

10webanalytics: 3 vulnerabilities

10web Social Post Feed: 2 vulnerabilities

10web Image Optimizer: 2 vulnerabilities

10web Seo: 2 vulnerabilities

10web Wps Telegram Chat: 2 vulnerabilities

10web Booster: 1 vulnerability

10websocial: 1 vulnerability

10web Ai Assistant: 1 vulnerability

Sliderby10web: 1 vulnerability

10web Spidercalendar: 1 vulnerability

10web Spidercontacts: 1 vulnerability

By the Year

In 2026 there have been 5 vulnerabilities in 10web, with an average score of 6.0 out of ten. Last year, in 2025, 10web had 17 security vulnerabilities published. If vulnerabilities keep coming in at the current rate, the number of security vulnerabilities in 10web in 2026 could surpass last year's number. Last year, the average CVE base score was greater by 0.33.




Year    Vulnerabilities    Average Score
2026    5                  5.98
2025    17                 6.30
2024    40                 5.77
2023    17                 6.41
2022    11                 6.34
2021    8                  6.50
2020    1                  0.00
2019    8                  8.12

It may take a day or so for new 10web vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent 10web Security Vulnerabilities

CVE Date Vulnerability Products
CVE-2026-32330 Mar 13, 2026
10Web Photo Gallery <=1.8.37 CSRF Vulnerability Cross-Site Request Forgery (CSRF) vulnerability in 10Web Photo Gallery by 10Web photo-gallery allows Cross Site Request Forgery. This issue affects Photo Gallery by 10Web: from n/a through <= 1.8.37.
Photo Gallery
CVE-2026-27360 Feb 19, 2026
10Web Photo Gallery <=1.8.37 Stored XSS Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in 10Web Photo Gallery by 10Web photo-gallery allows Stored XSS. This issue affects Photo Gallery by 10Web: from n/a through <= 1.8.37.
Photo Gallery
CVE-2026-1058 Feb 03, 2026
Stored XSS in Form Maker 1.15.35 via hidden fields The Form Maker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via hidden field values in all versions up to, and including, 1.15.35. This is due to insufficient output escaping when displaying hidden field values in the admin submissions list. The plugin uses html_entity_decode() on user-supplied hidden field values without subsequent escaping before output, which converts HTML entity-encoded payloads back into executable JavaScript. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in the admin submissions view that will execute whenever an administrator accesses the submissions list.
Form Maker
CVE-2026-1065 Feb 03, 2026
Form Maker wp plugin stored XSS via SVG upload 1.15.35 The Form Maker by 10Web plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 1.15.35. This is due to the plugin's default file upload allowlist including SVG files combined with weak substring-based extension validation. This makes it possible for unauthenticated attackers to upload malicious SVG files containing JavaScript code that will execute when viewed by administrators or site visitors via file upload fields in forms granted they can submit forms.
Form Maker
CVE-2026-1036 Jan 21, 2026
Unauth Delete via delete_comment() in 10Web Photo Gallery 1.8.36 The Photo Gallery by 10Web Mobile-Friendly Image Gallery plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the delete_comment() function in all versions up to, and including, 1.8.36. This makes it possible for unauthenticated attackers to delete arbitrary image comments. Note: comments functionality is only available in the Pro version of the plugin.
Photo Gallery
CVE-2025-13377 Dec 06, 2025
10Web Booster 2.32.7: Arbitrary Folder Deletion via get_cache_dir() The 10Web Booster Website speed optimization, Cache & Page Speed optimizer plugin for WordPress is vulnerable to arbitrary folder deletion due to insufficient file path validation in the get_cache_dir_for_page_from_url() function in all versions up to, and including, 2.32.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary folders on the server, which can easily lead to a loss of data or a denial of service condition.
CVE-2020-36853 Oct 18, 2025
10WebMapBuilder 1.0.63: Stored XSS via Settings Change The 10WebMapBuilder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Plugin Settings Change in versions up to, and including, 1.0.63 due to insufficient input sanitization and output escaping and a lack of capability checks. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2025-48341 May 19, 2025
10Web Form Maker: Stored XSS in 10W Form Maker up to 1.15.33 (CVE-2025-48341) Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in 10Web Form Maker by 10Web allows Stored XSS. This issue affects Form Maker by 10Web: from n/a through 1.15.33.
Form Maker
CVE-2024-13053 May 15, 2025
10Web Form Maker XSS before 1.15.33 The Form Maker by 10Web WordPress plugin before 1.15.33 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
Form Maker
CVE-2024-8670 May 15, 2025
Photo Gallery by 10Web WP plugin <1.8.29: Stored XSS via unsanitized settings The Photo Gallery by 10Web WordPress plugin before 1.8.29 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
Photo Gallery
CVE-2024-10680 Apr 16, 2025
Form Maker 10Web WP Plugin <1.15.32: Stored XSS via unsanitised settings The Form Maker by 10Web WordPress plugin before 1.15.32 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
Form Maker
CVE-2025-2269 Apr 12, 2025
XSS via image_id in Photo Gallery by 10Web WP plugin up to 1.8.34 The Photo Gallery by 10Web Mobile-Friendly Image Gallery plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the image_id parameter in all versions up to, and including, 1.8.34 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick an administrative user into performing an action such as clicking on a link.
Photo Gallery
CVE-2025-0613 Mar 31, 2025
10Web Photo Gallery WP Plugin XSS before 1.8.34 Unauthenticated Stored-XSS The Photo Gallery by 10Web WordPress plugin before 1.8.34 does not sanitise and escape comments added to images by unauthenticated users, leading to an Unauthenticated Stored-XSS attack when comments are displayed.
Photo Gallery
CVE-2024-10560 Mar 25, 2025
WP 10Web Form Maker <1.15.30 Unsanitised Settings XSS The Form Maker by 10Web WordPress plugin before 1.15.30 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
Form Maker
CVE-2024-10565 Mar 25, 2025
Stored XSS in 10Web Slider WP Plugin before 1.2.62 The Slider by 10Web WordPress plugin before 1.2.62 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
Slider
CVE-2024-10566 Mar 25, 2025
XSS via unsanitised settings in Slider by 10Web WP plugin <1.2.62 The Slider by 10Web WordPress plugin before 1.2.62 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
Slider
CVE-2024-13124 Mar 24, 2025
Stored XSS in 10Web PhotoGallery WP plugin before 1.8.33 The Photo Gallery by 10Web WordPress plugin before 1.8.33 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
Photo Gallery
CVE-2024-10558 Mar 24, 2025
WordPress Form Maker <=1.15.30 XSS via Unsanitised Settings The Form Maker by 10Web WordPress plugin before 1.15.30 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
Form Maker
CVE-2024-13605 Feb 24, 2025
Form Maker WP Plugin <1.15.33 Vulnerable to Stored XSS The Form Maker by 10Web WordPress plugin before 1.15.33 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
Form Maker
CVE-2024-10562 Jan 07, 2025
10Web Form Maker WP Plugin 1.15.31 XSS via unsanitized settings The Form Maker by 10Web WordPress plugin before 1.15.31 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
Form Maker
CVE-2023-45272 Jan 02, 2025
Missing Auth in 10Web Map Builder for Google Maps (<=1.0.73) Missing Authorization vulnerability in 10Web 10Web Map Builder for Google Maps allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects 10Web Map Builder for Google Maps: from n/a through 1.0.73.
Map Builder For Google Maps
CVE-2023-47807 Jan 02, 2025
10WebAnalytics v1.2.12 Missing Auth: access control flaw Missing Authorization vulnerability in 10Web 10WebAnalytics allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects 10WebAnalytics: from n/a through 1.2.12.
10webanalytics
CVE-2023-33995 Dec 13, 2024
Missing Auth in Photo Gallery by 10Web <1.8.15, Access Control Bypass Missing Authorization vulnerability in Photo Gallery Team Photo Gallery by 10Web allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Photo Gallery by 10Web: from n/a through 1.8.15.
Photo Gallery
CVE-2024-5020 Dec 04, 2024
WordPress Plugins Stored XSS Vulnerability in FancyBox JavaScript Library Multiple plugins for WordPress are vulnerable to Stored Cross-Site Scripting via the plugin's bundled FancyBox JavaScript library (versions 1.3.4 to 3.5.7) in various versions due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Form Maker
CVE-2024-10704 Nov 29, 2024
Stored XSS Vulnerability in Photo Gallery by 10Web WordPress Plugin The Photo Gallery by 10Web WordPress plugin before 1.8.31 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
Photo Gallery
CVE-2024-10265 Nov 10, 2024
Form Maker by 10Web XSS via add_query_arg The Form Maker by 10Web Mobile-Friendly Drag & Drop Contact Form Builder plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.15.30. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Form Maker
CVE-2024-9878 Nov 05, 2024
10Web Gallery XSS in Admin Settings The Photo Gallery by 10Web Mobile-Friendly Image Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.8.30 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Photo Gallery
CVE-2024-9628 Oct 25, 2024
WPS Telegram Chat v4.5.4 Unauthorized Data Modification via Missing Capability Check The WPS Telegram Chat plugin for WordPress is vulnerable to unauthorized modification of data and loss of data due to a missing capability check on the 'Wps_Telegram_Chat_Admin::check?onnection' function in versions up to, and including, 4.5.4. This makes it possible for authenticated attackers, with subscriber-level access and above, to have full access to the Telegram Bot API endpoint and communicate with it.
Wps Telegram Chat
CVE-2024-9630 Oct 25, 2024
WPS Telegram Chat <=4.5.4 Auth Bypass via Capability Check Missing The WPS Telegram Chat plugin for WordPress is vulnerable to authorization bypass due to a missing capability check when accessing messages in versions up to, and including, 4.5.4. This makes it possible for unauthenticated attackers to view the messages that are sent through the Telegram Bot API.
Wps Telegram Chat
CVE-2024-9607 Oct 25, 2024
10Web Social Post Feed v1.2.9 XSS via add_query_arg The 10Web Social Post Feed plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.2.9. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. Please note this is only exploitable when the leave a review notice is present.
10web Social Post Feed
CVE-2024-5968 Oct 09, 2024
XSS via Gallery settings in The Photo Gallery by 10Web v<1.8.28 The Photo Gallery by 10Web WordPress plugin before 1.8.28 does not properly sanitise and escape some of its Gallery settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
Photo Gallery
CVE-2024-44043 Oct 06, 2024
10Web Photo Gallery 1.8.27 XSS via unsanitized input: Stored XSS Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in 10Web Photo Gallery by 10Web photo-gallery allows Stored XSS. This issue affects Photo Gallery by 10Web: from n/a through <= 1.8.27.
Photo Gallery
CVE-2024-8283 Sep 30, 2024
WordPress Slider 10Web Plugin v<1.2.59 Stored XSS The Slider by 10Web WordPress plugin before 1.2.59 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
Slider
CVE-2024-8633 Sep 26, 2024
Stored XSS in Form Maker WP plugin <=1.15.27 The Form Maker by 10Web Mobile-Friendly Drag & Drop Contact Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 1.15.27 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Form Maker
CVE-2024-43220 Aug 12, 2024
10Web Form Maker Reflected XSS in Versions <=1.15.26 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in 10Web Form Builder Team Form Maker by 10Web allows Reflected XSS. This issue affects Form Maker by 10Web: from n/a through 1.15.26.
Form Maker
CVE-2024-7150 Aug 08, 2024
SQLi via id param in Slider by 10Web <=1.2.57 (WordPress) The Slider by 10Web Responsive Image Slider plugin for WordPress is vulnerable to time-based SQL Injection via the 'id' parameter in all versions up to, and including, 1.2.57 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Slider
CVE-2024-6408 Jul 31, 2024
XSS in Slider by 10Web WP plugin (v<1.2.57) for privileged users The Slider by 10Web WordPress plugin before 1.2.57 does not sanitise and escape its Slider Title, which could allow high privilege users such as editors and above to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed
Slider
CVE-2024-6272 Jul 31, 2024
SpiderContacts WP Plugin <=1.1.7 Reflected XSS via unsanitized param The SpiderContacts WordPress plugin through 1.1.7 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin
Spidercontacts
CVE-2024-6026 Jul 11, 2024
Stored XSS in Slider by 10Web WP Plugin <1.2.56 The Slider by 10Web WordPress plugin before 1.2.56 does not sanitise and escape some of its Slide options, which could allow authenticated users with access to the Sliders (by default Administrator, however this can be changed via the Slider by 10Web WordPress plugin before 1.2.56's options) and the ability to add images (Editor+) to perform Stored Cross-Site Scripting attacks
Slider
CVE-2024-6130 Jul 01, 2024
The Form Maker WP Plugin <1.15.26 XSS via Unsanitised Settings The Form Maker by 10Web WordPress plugin before 1.15.26 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
Form Maker
CVE-2024-35628 Jun 11, 2024
Missing Auth CVE-2024-35628: Photo Gallery by 10Web <=1.8.25 Missing Authorization vulnerability in Photo Gallery Team Photo Gallery by 10Web. This issue affects Photo Gallery by 10Web: from n/a through 1.8.25.
Photo Gallery
CVE-2024-5481 Jun 07, 2024
10Web Photo Gallery 1.8.23 Path Traversal via esc_dir The Photo Gallery by 10Web Mobile-Friendly Image Gallery plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.8.23 via the esc_dir function. This makes it possible for authenticated attackers to cut and paste (copy) the contents of arbitrary files on the server, which can contain sensitive information, and to cut (delete) arbitrary directories, including the root WordPress directory. By default this can be exploited by administrators only. In the premium version of the plugin, administrators can give gallery edit permissions to lower level users, which might make this exploitable by users as low as contributors.
Photo Gallery
CVE-2024-5426 Jun 07, 2024
Stored XSS via svg param in Photo Gallery <=1.8.23 (WordPress) The Photo Gallery by 10Web Mobile-Friendly Image Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the svg parameter in all versions up to, and including, 1.8.23 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. By default, this can only be exploited by administrators, but the ability to use and configure Photo Gallery can be extended to contributors on pro versions of the plugin.
Photo Gallery
CVE-2023-48290 Jun 04, 2024
10Web Form Maker <=1.15.20: Auth Attempts Bypass (CVE-2023-48290) Improper Restriction of Excessive Authentication Attempts vulnerability in 10Web Form Builder Team Form Maker by 10Web allows Functionality Bypass. This issue affects Form Maker by 10Web: from n/a through 1.15.20.
Form Maker
CVE-2024-34437 May 14, 2024
Form Maker 10Web 1.15.24 Stored XSS Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in 10Web Form Builder Team Form Maker by 10Web allows Stored XSS. This issue affects Form Maker by 10Web: from n/a through 1.15.24.
Form Maker
CVE-2024-33586 Apr 29, 2024
Missing Auth in Photo Gallery by 10Web before 1.8.20 Missing Authorization vulnerability in Photo Gallery Team Photo Gallery by 10Web. This issue affects Photo Gallery by 10Web: from n/a through 1.8.20.
Photo Gallery
CVE-2024-2258 Apr 27, 2024
Form Maker by 10Web 1.15.24 XSS via User Display Name in Contact Forms The Form Maker by 10Web Mobile-Friendly Drag & Drop Contact Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via a user's display name autofilled into forms in all versions up to, and including, 1.15.24 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Form Maker
CVE-2024-32583 Apr 18, 2024
Photo Gallery by 10Web <=1.8.21 Reflected XSS Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Photo Gallery Team Photo Gallery by 10Web allows Reflected XSS. This issue affects Photo Gallery by 10Web: from n/a through 1.8.21.
Photo Gallery
CVE-2024-32578 Apr 18, 2024
10Web Slider <=1.2.54 Reflected XSS Vulnerability Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in 10Web Slider by 10Web allows Reflected XSS. This issue affects Slider by 10Web: from n/a through 1.2.54.
Slider
CVE-2024-32534 Apr 17, 2024
10Web Form Maker Stored XSS in Team Form Maker v1.15.23 and earlier Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in 10Web Form Builder Team Form Maker by 10Web allows Stored XSS. This issue affects Form Maker by 10Web: from n/a through 1.15.23.
Form Maker
Built by Foundeo Inc., with data from the National Vulnerability Database (NVD).