Skip to main content

WP Photo Album Plus EUVDEUVD-2026-36950

| CVE-2026-39511 CRITICAL
SQL Injection (CWE-89)
2026-06-15 Patchstack GHSA-984x-crwg-rm3r
9.3
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
9.3 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
vuln.today AI
9.9 CRITICAL

Unauthenticated network-reachable SQLi (AV:N/AC:L/PR:N/UI:N) with scope change to other WP tables; raised I from N to L because SQLi sinks typically permit some write impact.

3.1 AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:L/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jun 15, 2026 - 22:23 vuln.today

DescriptionCVE.org

Unauthenticated SQL Injection in WP Photo Album Plus <= 9.1.08.001 versions.

AnalysisAI

Unauthenticated SQL injection in the WP Photo Album Plus WordPress plugin (versions ≤ 9.1.08.001) allows remote attackers to inject arbitrary SQL into backend database queries without any credentials or user interaction. With a CVSS 3.1 score of 9.3 (scope-changed) and no public exploit identified at time of analysis, the flaw exposes WordPress sites running the plugin to database content disclosure and limited integrity/availability impact. Patchstack reported the issue and it carries CWE-89 (SQL Injection).

Technical ContextAI

WP Photo Album Plus is a WordPress photo gallery plugin authored by Jacob N. Breetvelt (CPE: cpe:2.3:a:jacob_n._breetvelt:wp_photo_album_plus). The root cause class, CWE-89 (Improper Neutralization of Special Elements used in an SQL Command), indicates user-controlled input is concatenated into SQL queries executed against the WordPress wp_* database without proper parameterization or escaping via $wpdb->prepare(). Because the vulnerable code path is reachable without authentication, the attacker interacts directly with a public-facing plugin endpoint (typically admin-ajax.php, REST routes, or a public shortcode handler) that ultimately drives a SELECT/UPDATE query. The CVSS scope change (S:C) suggests the injected query can read or affect data beyond the plugin's own logical authorization boundary - i.e., reach other WordPress tables such as wp_users or wp_options.

RemediationAI

Upstream fix available per Patchstack advisory; released patched version not independently confirmed from the provided data - administrators should upgrade WP Photo Album Plus to the latest version above 9.1.08.001 as published on the WordPress.org plugin repository and consult the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/wp-photo-album-plus/vulnerability/wordpress-wp-photo-album-plus-plugin-9-1-08-001-sql-injection-vulnerability for the fixed release number. If immediate patching is not possible, compensating controls include deactivating the WP Photo Album Plus plugin entirely (the cleanest mitigation, at the cost of losing gallery functionality), enabling a WAF such as Patchstack, Wordfence, or Cloudflare with a virtual patch / SQLi ruleset (effective but may produce false positives on legitimate gallery queries), and restricting access to the plugin's public endpoints (admin-ajax.php actions and any wppa-* REST/shortcode handlers) via web server rules where feasible. As defense-in-depth, ensure the WordPress database user has only the minimum required privileges to limit the blast radius of a successful injection.

CVE-2021-25115 MEDIUM POC
6.4 Feb 14

The WP Photo Album Plus WordPress plugin before 8.0.10 was vulnerable to Stored Cross-Site Scripting (XSS). Rated medium

CVE-2015-3647 MEDIUM POC
4.3 May 21

Multiple cross-site scripting (XSS) vulnerabilities in wppa-ajax-front.php in the WP Photo Album Plus (aka WPPA) plugin

CVE-2026-54829 HIGH
7.5 Jun 25

Blind SQL injection in the WP Photo Album Plus WordPress plugin (all versions up to and including 9.1.13.005) lets remot

CVE-2024-10958 HIGH
7.3 Nov 10

The The WP Photo Album Plus plugin for WordPress is vulnerable to arbitrary shortcode execution via getshortcodedrendere

CVE-2026-57675 HIGH
7.1 Jul 02

Reflected/unauthenticated Cross-Site Scripting in the WP Photo Album Plus WordPress plugin (versions <= 9.2.02.004) lets

CVE-2024-4037 MEDIUM
6.5 May 24

The WP Photo Album Plus plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and i

CVE-2026-10095 MEDIUM
6.4 Jul 01

Stored Cross-Site Scripting in WP Photo Album Plus (WordPress plugin, all versions through 9.1.13.005) allows contributo

CVE-2024-37416 MEDIUM
6.1 Jul 22

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in J.N. Rated

CVE-2023-49812 MEDIUM
5.3 Dec 19

Authorization Bypass Through User-Controlled Key vulnerability in J.N. Rated medium severity (CVSS 5.3), this vulnerabil

CVE-2013-3254 MEDIUM
4.3 May 10

Cross-site scripting (XSS) vulnerability in wp-admin/admin.php in the WP Photo Album Plus plugin before 5.0.3 for WordPr

Share

EUVD-2026-36950 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy