Skip to main content

Wp Photo Album Plus

11 CVEs product

Monthly

CVE-2026-57675 HIGH This Week

Reflected/unauthenticated Cross-Site Scripting in the WP Photo Album Plus WordPress plugin (versions <= 9.2.02.004) lets a remote attacker inject arbitrary JavaScript that executes in a victim's browser session when they interact with a crafted link or request. The CVSS 3.1 vector (PR:N, UI:R, S:C) indicates no authentication is required but the victim must be lured into triggering the payload, and the scope change reflects script execution crossing into the WordPress user's authenticated context. No public exploit identified at time of analysis and the flaw is not listed in CISA KEV.

XSS Wp Photo Album Plus
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-10095 MEDIUM This Month

Stored Cross-Site Scripting in WP Photo Album Plus (WordPress plugin, all versions through 9.1.13.005) allows contributor-level authenticated attackers to inject persistent JavaScript payloads via the unsanitized 'subtext' parameter of the [photo] shortcode. The CVSS scope change (S:C) is the critical amplifier: a low-privileged contributor can embed malicious shortcodes in posts submitted for editorial review, causing the stored payload to execute in administrator browser sessions when the content is previewed - enabling session hijacking and potential full site takeover. No public exploit code or CISA KEV listing has been identified at time of analysis, but the low attack complexity and common WordPress contributor registration practices make this a realistic threat on affected installations.

WordPress XSS Wp Photo Album Plus
NVD VulDB
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-54829 HIGH This Week

Blind SQL injection in the WP Photo Album Plus WordPress plugin (all versions up to and including 9.1.13.005) lets remote attackers inject crafted SQL into a database query, enabling extraction of sensitive data such as user credentials and WordPress secrets. The flaw, reported by Patchstack, is reachable over the network without authentication (CVSS:3.1 PR:N) but carries high attack complexity (AC:H), and there is no public exploit identified at time of analysis. No EPSS score or CISA KEV listing was provided in the source data.

SQLi Wp Photo Album Plus
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-39511 CRITICAL Act Now

Unauthenticated SQL injection in the WP Photo Album Plus WordPress plugin (versions ≤ 9.1.08.001) allows remote attackers to inject arbitrary SQL into backend database queries without any credentials or user interaction. With a CVSS 3.1 score of 9.3 (scope-changed) and no public exploit identified at time of analysis, the flaw exposes WordPress sites running the plugin to database content disclosure and limited integrity/availability impact. Patchstack reported the issue and it carries CWE-89 (SQL Injection).

SQLi Wp Photo Album Plus
NVD
CVSS 3.1
9.3
EPSS
0.3%
CVE-2024-10958 HIGH PATCH This Week

The The WP Photo Album Plus plugin for WordPress is vulnerable to arbitrary shortcode execution via getshortcodedrenderedfenodelay AJAX action in all versions up to, and including, 8.8.08.007 . Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Code Injection vulnerability could allow attackers to inject and execute arbitrary code within the application.

Code Injection WordPress RCE Wp Photo Album Plus
NVD
CVSS 3.1
7.3
EPSS
1.6%
CVE-2024-37416 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in J.N. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Wp Photo Album Plus
NVD
CVSS 3.1
6.1
EPSS
0.3%
CVE-2024-4037 MEDIUM PATCH This Month

The WP Photo Album Plus plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 8.7.02.003. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Code Injection vulnerability could allow attackers to inject and execute arbitrary code within the application.

RCE Code Injection WordPress Wp Photo Album Plus
NVD
CVSS 3.1
6.5
EPSS
0.9%
CVE-2023-49812 MEDIUM This Month

Authorization Bypass Through User-Controlled Key vulnerability in J.N. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Wp Photo Album Plus
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2021-25115 MEDIUM POC PATCH This Month

The WP Photo Album Plus WordPress plugin before 8.0.10 was vulnerable to Stored Cross-Site Scripting (XSS). Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

WordPress XSS Wp Photo Album Plus
NVD WPScan VulDB
CVSS 3.1
6.4
EPSS
0.2%
CVE-2015-3647 MEDIUM POC PATCH This Month

Multiple cross-site scripting (XSS) vulnerabilities in wppa-ajax-front.php in the WP Photo Album Plus (aka WPPA) plugin before 6.1.3 for WordPress allow remote attackers to inject arbitrary web. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. Public exploit code available.

XSS WordPress PHP Wp Photo Album Plus
NVD
CVSS 2.0
4.3
EPSS
0.3%
CVE-2013-3254 MEDIUM This Month

Cross-site scripting (XSS) vulnerability in wp-admin/admin.php in the WP Photo Album Plus plugin before 5.0.3 for WordPress allows remote attackers to inject arbitrary web script or HTML via the. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. No vendor patch available.

WordPress PHP XSS Wp Photo Album Plus
NVD
CVSS 2.0
4.3
EPSS
0.3%
EPSS 0% CVSS 7.1
HIGH This Week

Reflected/unauthenticated Cross-Site Scripting in the WP Photo Album Plus WordPress plugin (versions <= 9.2.02.004) lets a remote attacker inject arbitrary JavaScript that executes in a victim's browser session when they interact with a crafted link or request. The CVSS 3.1 vector (PR:N, UI:R, S:C) indicates no authentication is required but the victim must be lured into triggering the payload, and the scope change reflects script execution crossing into the WordPress user's authenticated context. No public exploit identified at time of analysis and the flaw is not listed in CISA KEV.

XSS Wp Photo Album Plus
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in WP Photo Album Plus (WordPress plugin, all versions through 9.1.13.005) allows contributor-level authenticated attackers to inject persistent JavaScript payloads via the unsanitized 'subtext' parameter of the [photo] shortcode. The CVSS scope change (S:C) is the critical amplifier: a low-privileged contributor can embed malicious shortcodes in posts submitted for editorial review, causing the stored payload to execute in administrator browser sessions when the content is previewed - enabling session hijacking and potential full site takeover. No public exploit code or CISA KEV listing has been identified at time of analysis, but the low attack complexity and common WordPress contributor registration practices make this a realistic threat on affected installations.

WordPress XSS Wp Photo Album Plus
NVD VulDB
EPSS 0% CVSS 7.5
HIGH This Week

Blind SQL injection in the WP Photo Album Plus WordPress plugin (all versions up to and including 9.1.13.005) lets remote attackers inject crafted SQL into a database query, enabling extraction of sensitive data such as user credentials and WordPress secrets. The flaw, reported by Patchstack, is reachable over the network without authentication (CVSS:3.1 PR:N) but carries high attack complexity (AC:H), and there is no public exploit identified at time of analysis. No EPSS score or CISA KEV listing was provided in the source data.

SQLi Wp Photo Album Plus
NVD
EPSS 0% CVSS 9.3
CRITICAL Act Now

Unauthenticated SQL injection in the WP Photo Album Plus WordPress plugin (versions ≤ 9.1.08.001) allows remote attackers to inject arbitrary SQL into backend database queries without any credentials or user interaction. With a CVSS 3.1 score of 9.3 (scope-changed) and no public exploit identified at time of analysis, the flaw exposes WordPress sites running the plugin to database content disclosure and limited integrity/availability impact. Patchstack reported the issue and it carries CWE-89 (SQL Injection).

SQLi Wp Photo Album Plus
NVD
EPSS 2% CVSS 7.3
HIGH PATCH This Week

The The WP Photo Album Plus plugin for WordPress is vulnerable to arbitrary shortcode execution via getshortcodedrenderedfenodelay AJAX action in all versions up to, and including, 8.8.08.007 . Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Code Injection vulnerability could allow attackers to inject and execute arbitrary code within the application.

Code Injection WordPress RCE +1
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in J.N. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Wp Photo Album Plus
NVD
EPSS 1% CVSS 6.5
MEDIUM PATCH This Month

The WP Photo Album Plus plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 8.7.02.003. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Code Injection vulnerability could allow attackers to inject and execute arbitrary code within the application.

RCE Code Injection WordPress +1
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Authorization Bypass Through User-Controlled Key vulnerability in J.N. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Wp Photo Album Plus
NVD
EPSS 0% CVSS 6.4
MEDIUM POC PATCH This Month

The WP Photo Album Plus WordPress plugin before 8.0.10 was vulnerable to Stored Cross-Site Scripting (XSS). Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

WordPress XSS Wp Photo Album Plus
NVD WPScan VulDB
EPSS 0% CVSS 4.3
MEDIUM POC PATCH This Month

Multiple cross-site scripting (XSS) vulnerabilities in wppa-ajax-front.php in the WP Photo Album Plus (aka WPPA) plugin before 6.1.3 for WordPress allow remote attackers to inject arbitrary web. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. Public exploit code available.

XSS WordPress PHP +1
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-site scripting (XSS) vulnerability in wp-admin/admin.php in the WP Photo Album Plus plugin before 5.0.3 for WordPress allows remote attackers to inject arbitrary web script or HTML via the. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. No vendor patch available.

WordPress PHP XSS +1
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy