Impact
WordPress users can exploit an unauthenticated SQL Injection flaw (CWE-89) in WP Photo Album Plus up to version 9.1.08.001, allowing the injection of arbitrary SQL statements. This vulnerability can lead to unauthorized read or modification of the database, potentially exposing sensitive content or compromising site integrity.
Affected Systems
The vulnerability affects the WP Photo Album Plus plugin, developed by Jacob N. Breetvelt, on all WordPress installations where the plugin version is 9.1.08.001 or earlier. All other versions are not impacted.
Risk and Exploitability
The flaw carries a CVSS score of 9.3 and an EPSS score of less than 1 %. It is not yet listed in CISA’s KEV catalog. Because the injection is unauthenticated, an attacker with web access can trigger it directly via crafted requests, making exploitation highly probable for exposed sites that have not applied the patch.
OpenCVE Enrichment