3 matches found
CVE-2026-6379
WP Photo Album Plus plugin prior to 9.1.11.001 is vulnerable: wppa_get_photos() concatenates the wppa-supersearch parameter into SQL (owner, name, tag, calendar exifdtm/timestamp sinks) without proper quoting or $wpdb->prepare, enabling unauthenticated SQL injection. The patch in commit d2b0d0...
CVE-2026-6379 WP Photo Album Plus < 9.1.11.001 - Unauthenticated SQL Injection via 'wppa-supersearch' Parameter
The WP Photo Album Plus WordPress plugin before 9.1.11.001 does not properly sanitize and escape a parameter before using it in a SQL query, allowing unauthenticated users to perform SQL injection attacks...
CVE-2026-6379 WP Photo Album Plus < 9.1.11.001 - Unauthenticated SQL Injection via 'wppa-supersearch' Parameter
The WP Photo Album Plus WordPress plugin before 9.1.11.001 does not properly sanitize and escape a parameter before using it in a SQL query, allowing unauthenticated users to perform SQL injection attacks...