Description
The WP Photo Album Plus WordPress plugin before 9.1.11.001 does not properly sanitize and escape a parameter before using it in a SQL query, allowing unauthenticated users to perform SQL injection attacks.
Published: 2026-05-18
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The WP Photo Album Plus WordPress plugin before 9.1.11.001 fails to sanitize the 'wppa-supersearch' parameter before incorporating it into a database query. This omission allows an unauthenticated user to inject arbitrary SQL statements, potentially compromising the confidentiality and integrity of the site’s database. The weakness is a classic SQL injection, classified as CWE‑89.

Affected Systems

WordPress sites running WP Photo Album Plus plugin versions earlier than 9.1.11.001 are impacted. The vulnerability exists in all editions of the plugin where the vulnerable code path is active, regardless of user role.

Risk and Exploitability

Because the vulnerability is triggered by an unauthenticated HTTP request, any visitor can attempt an exploit without prior access or credentials. The EPSS score of <1% indicates a low probability of exploitation, yet the potential impact remains high due to the remote nature of the injection. The vulnerability is not listed in the CISA KEV catalog. The attack vector is inferred to be a standard crafted URL or form submission containing the malicious payload.

Generated by OpenCVE AI on May 18, 2026 at 15:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the WP Photo Album Plus plugin to version 9.1.11.001 or later.
  • If an upgrade is not immediately possible, disable or remove the 'wppa-supersearch' functionality until a patch is applied.
  • Configure a web application firewall rule or server-level filter to block requests containing the 'wppa-supersearch' parameter until a patch is applied.

Generated by OpenCVE AI on May 18, 2026 at 15:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 18 May 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 18 May 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Wp Photo Album Plus Project
Wp Photo Album Plus Project wp Photo Album Plus
Vendors & Products Wordpress
Wordpress wordpress
Wp Photo Album Plus Project
Wp Photo Album Plus Project wp Photo Album Plus

Mon, 18 May 2026 08:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-89

Mon, 18 May 2026 06:30:00 +0000

Type Values Removed Values Added
Description The WP Photo Album Plus WordPress plugin before 9.1.11.001 does not properly sanitize and escape a parameter before using it in a SQL query, allowing unauthenticated users to perform SQL injection attacks.
Title WP Photo Album Plus < 9.1.11.001 - Unauthenticated SQL Injection via 'wppa-supersearch' Parameter
References

Subscriptions

Wordpress Wordpress
Wp Photo Album Plus Project Wp Photo Album Plus
cve-icon MITRE

Status: PUBLISHED

Assigner: WPScan

Published:

Updated: 2026-05-18T13:38:36.731Z

Reserved: 2026-04-15T17:43:43.278Z

Link: CVE-2026-6379

cve-icon Vulnrichment

Updated: 2026-05-18T13:38:33.381Z

cve-icon NVD

Status : Deferred

Published: 2026-05-18T07:16:12.590

Modified: 2026-05-18T17:05:46.240

Link: CVE-2026-6379

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-18T16:00:15Z

Weaknesses
  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')