Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Jacob N. Breetvelt WP Photo Album Plus allows Blind SQL Injection.

This issue affects WP Photo Album Plus: from n/a through 9.1.13.005.
Published: 2026-06-25
Score: 7.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The WP Photo Album Plus plugin, up to and including version 9.1.13.005, does not properly neutralize input before it is used in an SQL command, which permits blind SQL injection. A remote attacker can use this flaw to inject arbitrary SQL into the plugin's queries, potentially compromising the integrity and confidentiality of the WordPress database. The weakness is classified as CWE-89.

Affected Systems

Jacob N. Breetvelt’s WP Photo Album Plus plugin for WordPress is affected. All releases up to and including 9.1.13.005 are vulnerable; versions 9.2.01.001 and later include the fix.

Risk and Exploitability

With a CVSS score of 7.5, the vulnerability is rated high severity. No EPSS score is available, so the probability of exploitation is uncertain. The vulnerability is not listed in CISA’s KEV catalog, meaning CISA has not recorded it as known to be exploited. The likely attack vector is remote, via the WordPress front-end or admin interface when the plugin is active. Because the injection is blind, exploitation requires trial and error unless the attacker can observe error feedback.

Generated by OpenCVE AI on June 25, 2026 at 15:29 UTC.

Remediation

Vendor Solution

Update the WordPress WP Photo Album Plus Plugin to the latest available version (at least 9.2.01.001).


OpenCVE Recommended Actions

  • Back up the site and database before proceeding
  • Update WP Photo Album Plus to version 9.2.01.001 or later
  • If an update cannot be performed, disable or remove the plugin to eliminate the vulnerability

Advisories

No advisories yet.

History

Thu, 25 Jun 2026 23:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Jacob N. Breetvelt; Jacob N. Breetvelt wp Photo Album Plus; Wordpress; Wordpress wordpress
Vendors & Products | | Jacob N. Breetvelt; Jacob N. Breetvelt wp Photo Album Plus; Wordpress; Wordpress wordpress

Thu, 25 Jun 2026 14:00:00 +0000

Type | Values Removed | Values Added
Description | | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Jacob N. Breetvelt WP Photo Album Plus allows Blind SQL Injection. This issue affects WP Photo Album Plus: from n/a through 9.1.13.005.
Title | | WordPress WP Photo Album Plus plugin <= 9.1.13.005 - SQL Injection vulnerability
Weaknesses | | CWE-89
References | |
Metrics | | cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-25T13:57:55.095Z

Reserved: 2026-06-16T09:21:51.802Z

Link: CVE-2026-54829

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-25T23:15:04Z

Weaknesses
  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')