Description
Unauthenticated SQL Injection in WP Photo Album Plus <= 9.1.08.001 versions.
Published: 2026-06-15
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

WordPress users can exploit an unauthenticated SQL Injection flaw (CWE-89) in WP Photo Album Plus up to version 9.1.08.001, allowing the injection of arbitrary SQL statements. This vulnerability can lead to unauthorized read or modification of the database, potentially exposing sensitive content or compromising site integrity.

Affected Systems

The vulnerability affects the WP Photo Album Plus plugin, developed by Jacob N. Breetvelt, on all WordPress installations where the plugin version is 9.1.08.001 or earlier. All other versions are not impacted.

Risk and Exploitability

The flaw carries a CVSS score of 9.3 and an EPSS score of less than 1 %. It is not yet listed in CISA’s KEV catalog. Because the injection is unauthenticated, an attacker with web access can trigger it directly via crafted requests, making exploitation highly probable for exposed sites that have not applied the patch.

Generated by OpenCVE AI on June 18, 2026 at 01:05 UTC.

Remediation

Vendor Solution

Update the WordPress WP Photo Album Plus Plugin to the latest available version (at least 9.1.08.002).


OpenCVE Recommended Actions

  • Update the WP Photo Album Plus plugin to version 9.1.08.002 or later to apply the vendor fix.
  • If an immediate update is not possible, disable the plugin to block SQL injection attempts.
  • After disabling, remove the plugin’s files from the WordPress installation to eliminate the attack surface.

Generated by OpenCVE AI on June 18, 2026 at 01:05 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 23 Jun 2026 21:30:00 +0000

Type Values Removed Values Added
First Time appeared Jacob N. Breetvelt
Jacob N. Breetvelt wp Photo Album Plus
Wordpress
Wordpress wordpress
Vendors & Products Jacob N. Breetvelt
Jacob N. Breetvelt wp Photo Album Plus
Wordpress
Wordpress wordpress

Tue, 16 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 15 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Description Unauthenticated SQL Injection in WP Photo Album Plus <= 9.1.08.001 versions.
Title WordPress WP Photo Album Plus plugin <= 9.1.08.001 - SQL Injection vulnerability
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 9.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L'}


Subscriptions

Jacob N. Breetvelt Wp Photo Album Plus
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-16T12:34:02.768Z

Reserved: 2026-04-07T10:47:50.137Z

Link: CVE-2026-39511

cve-icon Vulnrichment

Updated: 2026-06-16T12:33:57.911Z

cve-icon NVD

Status : Deferred

Published: 2026-06-15T21:16:45.730

Modified: 2026-06-15T21:24:32.790

Link: CVE-2026-39511

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-23T21:07:49Z

Weaknesses
  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')