CVE-2025-14835 - Vulnerability Details

- WP Photo Album Plus <= 9.1.05.008 - Reflected Cross-Site Scripting

Description

The WP Photo Album Plus plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘shortcode’ parameter in all versions up to, and including, 9.1.05.008 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

Published: 2026-01-07

Score: 7.1 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The underlying issue arises from the WP Photo Album Plus plugin’s handling of the 'shortcode' parameter. The code fails to properly sanitize or escape user supplied values, allowing an attacker to embed arbitrary JavaScript. When an unsuspecting user follows a manipulated link containing a malicious shortcode, the script executes in the victim’s browser. This can lead to cookie theft, session hijacking, defacement or the execution of further malware in the victim’s context. The vulnerability is a classic Reflected Cross‑Site Scripting flaw and is categorized as CWE‑80.

Affected Systems

The flaw exists in all releases of WP Photo Album Plus up to and including 9.1.05.008 from the vendor opajaap. Site owners deploying any of these versions in a WordPress installation are potentially exposed unless the 'shortcode' feature is disabled or the plugin is updated.

Risk and Exploitability

The CVSS score of 7.1 signals that the flaw is moderately serious. The EPSS score is below 1 %, indicating that, at present, the likelihood of exploitation is low, and it is not listed in CISA’s KEV catalog. Exploitation requires no authentication; the attacker only needs to craft a link that includes a malicious value for the 'shortcode' parameter and convince a user to click it. Because the vulnerability operates entirely on the client side, the attack surface is broad, and any user visiting a compromised page could be impacted.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

opajaap

WP Photo Album Plus

unaffected

Version	Status	Constraints
`0`	affected	≤ 9.1.05.008

No data.

Vendor	Product	Confidence	Versions
Opajaap	Wp Photo Album Plus	—	—
Wordpress	Wordpress	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the WP Photo Album Plus plugin to version 9.1.05.009 or later.
If an upgrade is not immediately possible, disable the ‘shortcode’ functionality or remove existing shortcodes so that the vulnerable parameter is never processed.
Apply custom input validation or output escaping to the 'shortcode' parameter, or block requests containing an attacker‑controlled value using a web‑application firewall.

Generated by OpenCVE AI on April 22, 2026 at 15:55 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00146.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://plugins.trac.wordpress.org/browser/wp-photo-album-plus/tags/9.1.05.004/wppa-ajax.php#L1130
https://plugins.trac.wordpress.org/browser/wp-photo-album-plus/tags/9.1.05.004/wppa-ajax.php#L43
https://plugins.trac.wordpress.org/browser/wp-photo-album-plus/tags/9.1.05.004/wppa-filter.php#L125
https://plugins.trac.wordpress.org/browser/wp-photo-album-plus/tags/9.1.05.004/wppa-functions.php#L5617
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3427638%40wp-photo-album-plus%2Ftrunk&old=3426267%40wp-photo-album-plus%2Ftrunk&sfp_email=&sfph_mail=
https://www.wordfence.com/threat-intel/vulnerabilities/id/0903521d-3b07-4539-97c9-15e6bbe2cc2e?source=cve

History

Wed, 07 Jan 2026 17:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Wed, 07 Jan 2026 10:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Opajaap Opajaap wp Photo Album Plus Wordpress Wordpress wordpress
Vendors & Products		Opajaap Opajaap wp Photo Album Plus Wordpress Wordpress wordpress

Wed, 07 Jan 2026 05:30:00 +0000

Type	Values Removed	Values Added
Description		The WP Photo Album Plus plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘shortcode’ parameter in all versions up to, and including, 9.1.05.008 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Title		WP Photo Album Plus <= 9.1.05.008 - Reflected Cross-Site Scripting
Weaknesses		CWE-80
References		https://plugins.trac.wordpress.org/browser/wp-photo-album-plus/tags/9.1.05.004/wppa-ajax.php#L1130 https://plugins.trac.wordpress.org/browser/wp-photo-album-plus/tags/9.1.05.004/wppa-ajax.php#L43 https://plugins.trac.wordpress.org/browser/wp-photo-album-plus/tags/9.1.05.004/wppa-filter.php#L125 https://plugins.trac.wordpress.org/browser/wp-photo-album-plus/tags/9.1.05.004/wppa-functions.php#L5617 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3427638%40wp-photo-album-plus%2Ftrunk&old=3426267%40wp-photo-album-plus%2Ftrunk&sfp_email=&sfph_mail= https://www.wordfence.com/threat-intel/vulnerabilities/id/0903521d-3b07-4539-97c9-15e6bbe2cc2e?source=cve
Metrics		cvssV3_1 `{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}`

Subscriptions

Opajaap Wp Photo Album Plus

Wordpress Wordpress

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published: 2026-01-07T05:25:55.255Z

Updated: 2026-04-08T16:34:22.806Z

Reserved: 2025-12-17T15:48:08.418Z

Link: CVE-2025-14835

Vulnrichment

Updated: 2026-01-07T14:53:02.953Z

NVD

Status : Deferred

Published: 2026-01-07T12:16:56.723

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-14835

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T16:00:12Z

Weaknesses

CWE-80

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction Required

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object