Description
WordPress Plugin PICA Photo Gallery 1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the aid parameter. Attackers can send GET requests with crafted SQL payloads in the aid parameter to extract sensitive database information including user credentials and table contents.
Published: 2026-06-09
Score: 8.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a classic SQL injection found in WordPress Plugin PICA Photo Gallery 1.0. Attackers can send crafted GET requests to the aid parameter, which is not properly sanitized, causing arbitrary SQL statements to be executed against the database. Successful exploitation lets the adversary read any table, including user credentials, thereby compromising confidentiality and enabling further lateral movement or data theft.

Affected Systems

The affected component is the WordPress plugin PICA Photo Gallery developed by Apptha, specifically version 1.0. Site owners who have installed this exact release on any WordPress installation are susceptible to the vulnerability.

Risk and Exploitability

The CVSS score of 8.8 assigns high severity to the flaw. Because authentication is not required, the exploit is straightforward: a remote attacker simply crafts a URL with a malicious aid value. No special setup is needed beyond being able to reach the site. EPSS data is unavailable, and the vulnerability is not listed in the CISA KEV catalog, but the high CVSS coupled with the trivial remote execution path keeps the risk significant. Since the injected SQL can read sensitive data, the potential damage to confidentiality is high.

Generated by OpenCVE AI on June 9, 2026 at 13:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Deploy the latest version of PICA Photo Gallery that addresses the SQL injection, if one is available.
  • If no update exists, remove or deactivate the plugin entirely to eliminate the attack vector.
  • As a temporary measure, sanitize or whitelist the aid parameter or use a web application firewall to block malicious payloads.
  • Optionally, restrict access to the plugin’s endpoints behind authentication or IP filtering.

Generated by OpenCVE AI on June 9, 2026 at 13:53 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 09 Jun 2026 20:45:00 +0000

Type Values Removed Values Added
First Time appeared Apptha
Apptha pica Photo Gallery
Wordpress
Wordpress wordpress
Vendors & Products Apptha
Apptha pica Photo Gallery
Wordpress
Wordpress wordpress

Tue, 09 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 09 Jun 2026 12:30:00 +0000

Type Values Removed Values Added
Description WordPress Plugin PICA Photo Gallery 1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the aid parameter. Attackers can send GET requests with crafted SQL payloads in the aid parameter to extract sensitive database information including user credentials and table contents.
Title WordPress Plugin PICA Photo Gallery 1.0 SQL Injection
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}

cvssV4_0

{'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Apptha Pica Photo Gallery
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-09T13:01:53.848Z

Reserved: 2026-06-08T11:50:35.698Z

Link: CVE-2017-20247

cve-icon Vulnrichment

Updated: 2026-06-09T13:01:49.967Z

cve-icon NVD

Status : Deferred

Published: 2026-06-09T13:16:34.550

Modified: 2026-06-09T13:51:18.770

Link: CVE-2017-20247

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-09T20:20:54Z

Weaknesses