Impact
The WP Photo Album Plus plugin is vulnerable to stored cross-site scripting through the subtext attribute of the [photo] shortcode. The plugin does not sufficiently sanitize the attribute value on input or escape it on output, so whatever an author places in subtext reaches the rendered page unchanged. Any authenticated user with Contributor-level access or higher can therefore embed a script payload in a post; the payload is stored with the post and executes in the browser of every user who views it, administrators included. Consequences include session hijacking, credential theft, site defacement and other follow-on attacks that run with the viewing user's privileges. The Contributor threshold matters: WordPress core already strips script tags and event-handler attributes from the posts of users who lack the unfiltered_html capability, but a shortcode attribute is turned into markup by the plugin's own code, so the plugin must escape it for the HTML context it emits into or that core filtering is bypassed.
Affected Systems
Any WordPress installation running WP Photo Album Plus at version 9.1.13.005 or earlier is affected; the issue is present in every release up to and including 9.1.13.005, whether or not WordPress core and other plugins are current. Site owners should check the installed version on the Plugins screen (or with `wp plugin list` under WP-CLI) and upgrade to 9.2.01.001 or later.
Risk and Exploitability
The CVSS score of 6.4 places this vulnerability in the Medium severity band: exploitation requires an account with Contributor or higher privileges, which keeps it out of the critical range, but the impact reaches any administrator who views the poisoned post. No EPSS score is available, so the probability of exploitation cannot be quantified, and the vulnerability is not listed in the CISA KEV catalog. Absence from KEV is not evidence that the bug is unexploited; it only means no confirmed widespread exploitation has been recorded. An attacker with Contributor-level access can store a script payload that executes on every subsequent view of the affected post, leaving a persistent attack surface until the plugin is updated. Updating stops the payload from rendering, but already-stored payloads should still be located and removed, and the account that created them reviewed, since the update does not clean existing post content.
OpenCVE Enrichment