Skip to main content

WP Photo Album Plus EUVDEUVD-2026-39392

| CVE-2026-54829 HIGH
SQL Injection (CWE-89)
2026-06-25 Patchstack GHSA-cr8m-2vj9-r7h2
7.5
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
7.5 HIGH
AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:L
vuln.today AI
5.9 MEDIUM

Unauthenticated network blind SQLi (AV:N/PR:N) with high complexity (AC:H); impact is confidentiality-only and confined to the database, so S:U with I:N/A:N rather than Patchstack's S:C/A:L.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:L
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jun 25, 2026 - 14:26 vuln.today

DescriptionCVE.org

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Jacob N. Breetvelt WP Photo Album Plus allows Blind SQL Injection.

This issue affects WP Photo Album Plus: from n/a through 9.1.13.005.

AnalysisAI

Blind SQL injection in the WP Photo Album Plus WordPress plugin (all versions up to and including 9.1.13.005) lets remote attackers inject crafted SQL into a database query, enabling extraction of sensitive data such as user credentials and WordPress secrets. The flaw, reported by Patchstack, is reachable over the network without authentication (CVSS:3.1 PR:N) but carries high attack complexity (AC:H), and there is no public exploit identified at time of analysis. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify site running WP Photo Album Plus
Delivery
Locate injectable plugin parameter
Exploit
Send blind SQL injection payloads
Execution
Infer database contents via timing/boolean responses
Impact
Extract credentials and secret keys

Vulnerability AssessmentAI

Exploitation Exploitation requires network access to a WordPress site running WP Photo Album Plus version 9.1.13.005 or earlier and reaching the specific plugin parameter that flows into an unsanitized SQL query; the CVSS vector (PR:N/UI:N) indicates no authentication and no user interaction are needed against an affected installation. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are mixed and lean toward a moderate, not emergency, priority. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated attacker identifies a WordPress site running a vulnerable WP Photo Album Plus build and sends crafted requests to the injectable parameter, using time-based or boolean-blind payloads to infer database contents one condition at a time. With an automated tool, they iterate over many requests to dump password hashes from wp_users or secret keys from wp_options. …
Remediation Upgrade WP Photo Album Plus to a release newer than 9.1.13.005 once the maintainer publishes a fixed version; the input data does not specify an exact patched version, so this is best characterized as no vendor-released patched version independently confirmed at time of analysis - verify the fixed build against the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/wp-photo-album-plus/vulnerability/wordpress-wp-photo-album-plus-plugin-9-1-13-005-sql-injection-vulnerability before deploying. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Audit all WordPress installations for WP Photo Album Plus presence and version; isolate affected systems from internet-facing traffic if operationally feasible. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2021-25115 MEDIUM POC
6.4 Feb 14

The WP Photo Album Plus WordPress plugin before 8.0.10 was vulnerable to Stored Cross-Site Scripting (XSS). Rated medium

CVE-2026-39511 CRITICAL
9.3 Jun 15

Unauthenticated SQL injection in the WP Photo Album Plus WordPress plugin (versions ≤ 9.1.08.001) allows remote attacker

CVE-2015-3647 MEDIUM POC
4.3 May 21

Multiple cross-site scripting (XSS) vulnerabilities in wppa-ajax-front.php in the WP Photo Album Plus (aka WPPA) plugin

CVE-2024-10958 HIGH
7.3 Nov 10

The The WP Photo Album Plus plugin for WordPress is vulnerable to arbitrary shortcode execution via getshortcodedrendere

CVE-2026-57675 HIGH
7.1 Jul 02

Reflected/unauthenticated Cross-Site Scripting in the WP Photo Album Plus WordPress plugin (versions <= 9.2.02.004) lets

CVE-2024-4037 MEDIUM
6.5 May 24

The WP Photo Album Plus plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and i

CVE-2026-10095 MEDIUM
6.4 Jul 01

Stored Cross-Site Scripting in WP Photo Album Plus (WordPress plugin, all versions through 9.1.13.005) allows contributo

CVE-2024-37416 MEDIUM
6.1 Jul 22

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in J.N. Rated

CVE-2023-49812 MEDIUM
5.3 Dec 19

Authorization Bypass Through User-Controlled Key vulnerability in J.N. Rated medium severity (CVSS 5.3), this vulnerabil

CVE-2013-3254 MEDIUM
4.3 May 10

Cross-site scripting (XSS) vulnerability in wp-admin/admin.php in the WP Photo Album Plus plugin before 5.0.3 for WordPr

Share

EUVD-2026-39392 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy