Description
The WP Photo Album Plus plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'subtext' parameter in all versions up to, and including, 9.1.13.005 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. A contributor-level attacker can embed the malicious [photo] shortcode in a post submitted for review, causing the stored payload to execute when an administrator or any other user views the post.
Published: 2026-07-01
Score: 6.4 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The WP Photo Album Plus plugin is vulnerable to stored cross-site scripting through the subtext attribute of the [photo] shortcode. The flaw arises because the plugin does not sufficiently sanitize the attribute on input or escape it on output. An attacker authenticated with contributor or higher privileges can embed malicious script in a post, and when any user, including an administrator, views that post, the injected code runs in the victim's browser. This can lead to session hijacking, credential theft, defacement or other downstream attacks.

Affected Systems

Any WordPress installation that has the WP Photo Album Plus plugin version 9.1.13.005 or earlier is affected. The issue exists in all releases up to and including 9.1.13.005, regardless of other plugin updates. Site owners should verify the plugin version and upgrade to 9.2.01.001 or later.

Risk and Exploitability

The CVSS score of 6.4 indicates a medium-severity vulnerability that could be leveraged if an attacker gains contributor access. Because the EPSS score is unavailable, the concrete likelihood of exploitation is uncertain, but the fact that the vulnerability is not listed in the CISA KEV catalog suggests that there is no widespread exploitation yet. An attacker with contributor-level access can store malicious scripts that will execute on every subsequent view of the affected post, creating a persistent attack surface until the plugin is updated or the content is sanitized.

Generated by OpenCVE AI on July 1, 2026 at 21:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the WP Photo Album Plus plugin to version 9.2.01.001 or later, which removes the vulnerable code paths.
  • If an immediate update is impossible, restrict contributor role permissions so they cannot add the [photo] shortcode and manually remove stored scripts from existing content.
  • Conduct a thorough search of posts, pages, and database entries for injected scripts and delete or neutralize any detected payloads.
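As an added illustration of the last action (example code, not OpenCVE's or the plugin's own), a small Python scanner that walks exported post content, extracts the subtext attribute from each [photo] shortcode and flags captions that contain markup; safe_subtext shows the output-side escaping the fix needs. The shortcode attribute syntax is assumed from the advisory, and the sample posts are constructed.

```python
import html
import re

# A WordPress-style shortcode: [photo id="7" subtext="..."] (syntax assumed from the
# advisory, not taken from the plugin's source).
SHORTCODE_RE = re.compile(r"\[photo\b([^\]]*)\]", re.IGNORECASE)
# Shortcode attributes may be double-quoted, single-quoted or bare.
ATTR_RE = re.compile(r'(\w+)\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s\]]+))')
# Coarse heuristic for markup in a caption: a tag, an inline event handler or a
# javascript: URL. False positives cost triage time; misses cost more.
SUSPICIOUS_RE = re.compile(r"<\s*/?\s*\w|on\w+\s*=|javascript\s*:", re.IGNORECASE)

def parse_attrs(attr_text):
    """Map shortcode attribute names (lower-cased) to their raw values."""
    attrs = {}
    for m in ATTR_RE.finditer(attr_text):
        attrs[m.group(1).lower()] = next(v for v in m.groups()[1:] if v is not None)
    return attrs

def find_suspicious_subtexts(post_content):
    """Return (shortcode, subtext) pairs whose subtext looks like markup."""
    hits = []
    for m in SHORTCODE_RE.finditer(post_content):
        subtext = parse_attrs(m.group(1)).get("subtext")
        if subtext is not None and SUSPICIOUS_RE.search(subtext):
            hits.append((m.group(0), subtext))
    return hits

def scan_posts(posts):
    """posts: iterable of (post_id, post_content). Returns {post_id: [subtext, ...]}."""
    findings = {}
    for post_id, content in posts:
        hits = find_suspicious_subtexts(content)
        if hits:
            findings[post_id] = [subtext for _, subtext in hits]
    return findings

def safe_subtext(subtext):
    """Escape a caption before it is echoed into HTML: the output-side fix."""
    return html.escape(subtext, quote=True)

# Constructed sample rows standing in for wp_posts (id, post_content); not real data.
SAMPLE_POSTS = [
    (101, 'Holiday pics [photo id="7" subtext="Sunset over the bay"]'),
    (102, "Pending review [photo id=\"8\" subtext='Caption<script>alert(1)</script>']"),
    (103, '[photo id="9" subtext="Click me" align=left] trailing text'),
]
```

Feed scan_posts the (ID, post_content) rows exported from wp_posts and review each flagged post by hand; the heuristic is deliberately broad, so a hit is a lead, not a verdict.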



Advisories

No advisories yet.

History

Wed, 01 Jul 2026 19:00:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Opajaap
                                       Opajaap wp Photo Album Plus
                                       Wordpress
                                       Wordpress wordpress
Vendors & Products                     Opajaap
                                       Opajaap wp Photo Album Plus
                                       Wordpress
                                       Wordpress wordpress

Wed, 01 Jul 2026 13:30:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc
                           {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 01 Jul 2026 10:45:00 +0000

Type          Values Removed   Values Added
Description                    The WP Photo Album Plus plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'subtext' parameter in all versions up to, and including, 9.1.13.005 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. A contributor-level attacker can embed the malicious [photo] shortcode in a post submitted for review, causing the stored payload to execute when an administrator or any other user views the post.
Title                          WP Photo Album Plus <= 9.1.13.005 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'subtext' Shortcode Attribute
Weaknesses                     CWE-79
References
Metrics                        cvssV3_1
                               {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


Subscriptions

Opajaap Wp Photo Album Plus
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-07-01T12:22:01.471Z

Reserved: 2026-05-29T13:57:08.455Z

Link: CVE-2026-10095

Vulnrichment

Updated: 2026-07-01T12:21:57.940Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-01T21:30:16Z

Weaknesses
  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')