CVE-2026-6379 WP Photo Album Plus < 9.1.11.001 - Unauthenticated SQL Injection via 'wppa-supersearch' Parameter

The WP Photo Album Plus WordPress plugin before 9.1.11.001 does not properly sanitize and escape a parameter before using it in a SQL query, allowing unauthenticated users to perform SQL injection attacks...

CVE-2026-6379 WP Photo Album Plus < 9.1.11.001 - Unauthenticated SQL Injection via 'wppa-supersearch' Parameter

The WP Photo Album Plus WordPress plugin before 9.1.11.001 does not properly sanitize and escape a parameter before using it in a SQL query, allowing unauthenticated users to perform SQL injection attacks...

CVE-2026-6379

WP Photo Album Plus plugin prior to 9.1.11.001 is vulnerable: wppa_get_photos() concatenates the wppa-supersearch parameter into SQL (owner, name, tag, calendar exifdtm/timestamp sinks) without proper quoting or $wpdb-&gt;prepare, enabling unauthenticated SQL injection. The patch in commit d2b0d0...

CVE-2025-8726

The WP Photo Album Plus plugin for WordPress is vulnerable to Cross-Site Scripting in all versions up to, and including, 9.0.11.006 due to insufficient input sanitization and output escaping in the wppauserupload function. This makes it possible for authenticated attackers, with Subscriber-level...

CVE-2025-8726

The WP Photo Album Plus plugin for WordPress is vulnerable to Cross-Site Scripting in all versions up to, and including, 9.0.11.006 due to insufficient input sanitization and output escaping in the wppauserupload function. This makes it possible for authenticated attackers, with Subscriber-level...

CVE-2025-8726 WP Photo Album Plus <= 9.0.11.006 - Authenticated (Subscriber+) Stored Cross-Site Scripting via wppa_user_upload

The WP Photo Album Plus plugin for WordPress is vulnerable to Cross-Site Scripting in all versions up to, and including, 9.0.11.006 due to insufficient input sanitization and output escaping in the wppauserupload function. This makes it possible for authenticated attackers, with Subscriber-level...

CVE-2025-8726 WP Photo Album Plus <= 9.0.11.006 - Authenticated (Subscriber+) Stored Cross-Site Scripting via wppa_user_upload

The WP Photo Album Plus plugin for WordPress is vulnerable to Cross-Site Scripting in all versions up to, and including, 9.0.11.006 due to insufficient input sanitization and output escaping in the wppauserupload function. This makes it possible for authenticated attackers, with Subscriber-level...

PT-2024-39962 · WordPress · Wp Photo Album Plus

Name of the Vulnerable Software and Affected Versions: WP Photo Album Plus plugin for WordPress versions up to, and including, 8.8.05.003 Description: The issue is related to Reflected Cross-Site Scripting due to insufficient input sanitization and output escaping, allowing unauthenticated...

Cross site scripting

Multiple cross-site scripting XSS vulnerabilities in wppa-ajax-front.php in the WP Photo Album Plus aka WPPA plugin before 6.1.3 for WordPress allow remote attackers to inject arbitrary web script or HTML via the 1 comemail or 2 comname parameter in a wppa do-comment action...

CVE-2015-3647

CVE-2015-3647 concerns multiple stored XSS flaws in WP Photo Album Plus (WordPress plugin) via wppa-ajax-front.php. The affected component handles the wppa-do-comment action and uses unsanitized user input from comemail and comname POST parameters, enabling an attacker to inject arbitrary script ...

CVE-2015-3647

Multiple cross-site scripting XSS vulnerabilities in wppa-ajax-front.php in the WP Photo Album Plus aka WPPA plugin before 6.1.3 for WordPress allow remote attackers to inject arbitrary web script or HTML via the 1 comemail or 2 comname parameter in a wppa do-comment action...

WordPress plugin WP Photo Album stores cross-site scripting vulnerabilities

WordPress is a blogging platform developed using the PHP language, which supports personal blog sites on servers with PHP and MySQL. A cross-site scripting vulnerability exists in the WordPress plugin WP Photo Album. Due to the lack of user-supplied filters for scripts passed to the...

WordPress WP Photo Album Plus Plugin <= 6.1.2 - Multiple XSS

Because of these vulnerabilities in wppa-ajax-front.php, the attackers can inject arbitrary web script or HTML via the "comemail" or "comname" parameters. Solution Update the plugin...

WordPress Plugin Photo Album Plus 4.1.1 - SQL Injection

WordPress Plugin Photo Album Plus 4.1.1 - SQL Injection Exploit Title: WP Photo Album Plus 1,BENCHMARK500000000,MD5CHAR115,113,108,109,97,112,0&wppa-cover=0&wppa-occur=1 wppa-album=1 AND 1=IF21,BENCHMARK500000000,MD5CHAR115,113,108,109,97,112,0&wppa-cover=0&wppa-occur=1 e.g. wget...