Severity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
Unauthenticated network-reachable SQLi (AV:N/AC:L/PR:N/UI:N) with scope change to other WP tables; raised I from N to L because SQLi sinks typically permit some write impact.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
Lifecycle Timeline
1DescriptionCVE.org
Unauthenticated SQL Injection in WP Photo Album Plus <= 9.1.08.001 versions.
AnalysisAI
Unauthenticated SQL injection in the WP Photo Album Plus WordPress plugin (versions ≤ 9.1.08.001) allows remote attackers to inject arbitrary SQL into backend database queries without any credentials or user interaction. With a CVSS 3.1 score of 9.3 (scope-changed) and no public exploit identified at time of analysis, the flaw exposes WordPress sites running the plugin to database content disclosure and limited integrity/availability impact. Patchstack reported the issue and it carries CWE-89 (SQL Injection).
Technical ContextAI
WP Photo Album Plus is a WordPress photo gallery plugin authored by Jacob N. Breetvelt (CPE: cpe:2.3:a:jacob_n._breetvelt:wp_photo_album_plus). The root cause class, CWE-89 (Improper Neutralization of Special Elements used in an SQL Command), indicates user-controlled input is concatenated into SQL queries executed against the WordPress wp_* database without proper parameterization or escaping via $wpdb->prepare(). Because the vulnerable code path is reachable without authentication, the attacker interacts directly with a public-facing plugin endpoint (typically admin-ajax.php, REST routes, or a public shortcode handler) that ultimately drives a SELECT/UPDATE query. The CVSS scope change (S:C) suggests the injected query can read or affect data beyond the plugin's own logical authorization boundary - i.e., reach other WordPress tables such as wp_users or wp_options.
RemediationAI
Upstream fix available per Patchstack advisory; released patched version not independently confirmed from the provided data - administrators should upgrade WP Photo Album Plus to the latest version above 9.1.08.001 as published on the WordPress.org plugin repository and consult the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/wp-photo-album-plus/vulnerability/wordpress-wp-photo-album-plus-plugin-9-1-08-001-sql-injection-vulnerability for the fixed release number. If immediate patching is not possible, compensating controls include deactivating the WP Photo Album Plus plugin entirely (the cleanest mitigation, at the cost of losing gallery functionality), enabling a WAF such as Patchstack, Wordfence, or Cloudflare with a virtual patch / SQLi ruleset (effective but may produce false positives on legitimate gallery queries), and restricting access to the plugin's public endpoints (admin-ajax.php actions and any wppa-* REST/shortcode handlers) via web server rules where feasible. As defense-in-depth, ensure the WordPress database user has only the minimum required privileges to limit the blast radius of a successful injection.
More in Wp Photo Album Plus
View allThe WP Photo Album Plus WordPress plugin before 8.0.10 was vulnerable to Stored Cross-Site Scripting (XSS). Rated medium
Multiple cross-site scripting (XSS) vulnerabilities in wppa-ajax-front.php in the WP Photo Album Plus (aka WPPA) plugin
Blind SQL injection in the WP Photo Album Plus WordPress plugin (all versions up to and including 9.1.13.005) lets remot
The The WP Photo Album Plus plugin for WordPress is vulnerable to arbitrary shortcode execution via getshortcodedrendere
Reflected/unauthenticated Cross-Site Scripting in the WP Photo Album Plus WordPress plugin (versions <= 9.2.02.004) lets
The WP Photo Album Plus plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and i
Stored Cross-Site Scripting in WP Photo Album Plus (WordPress plugin, all versions through 9.1.13.005) allows contributo
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in J.N. Rated
Authorization Bypass Through User-Controlled Key vulnerability in J.N. Rated medium severity (CVSS 5.3), this vulnerabil
Cross-site scripting (XSS) vulnerability in wp-admin/admin.php in the WP Photo Album Plus plugin before 5.0.3 for WordPr
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36950
GHSA-984x-crwg-rm3r