CVE-2026-6379
Deferred - Pending Action
SQL Injection in WP Photo Album Plus WordPress Plugin

Publication date: 2026-05-18

Last updated on: 2026-05-18

Assigner: WPScan

Description
The WP Photo Album Plus WordPress plugin before 9.1.11.001 does not properly sanitize and escape a parameter before using it in a SQL query, allowing unauthenticated users to perform SQL injection attacks.
Meta Information
Published: 2026-05-18
Last Modified: 2026-05-18
Generated: 2026-06-10
AI Q&A: 2026-05-18
EPSS Evaluated: 2026-06-08
Affected Vendors & Products (1 associated CPE)
Vendor               Product              Version / Range
wp_photo_album_plus  wp_photo_album_plus  9.1.11.001
CWE-89: The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Executive Summary

The WP Photo Album Plus plugin for WordPress, before version 9.1.11.001, contains a vulnerability where it does not properly sanitize and escape the 'wppa-supersearch' parameter before using it in a SQL query.

This improper handling allows unauthenticated users to perform SQL injection attacks, meaning attackers can execute malicious SQL commands on the database without needing to log in.

This vulnerability is classified as CVE-2026-6379 and is considered high severity with a CVSS score of 8.6.

Impact Analysis

This vulnerability allows an unauthenticated attacker to inject SQL into a query the plugin runs against the WordPress database, with the privileges of the site's database user.

  • An attacker can read data the query was never meant to return, such as user records and password hashes from wp_users, or any other table the site's database user can access.
  • Such disclosure is a data breach and may trigger notification obligations; leaked credentials can lead to further compromise of the site.
  • Whether data can also be modified or deleted depends on how the query is built: WordPress sends queries through a driver that does not accept stacked statements, so turning a read injection into a write is uncommon, but it cannot be ruled out without the patch.
  • Denial of service is a secondary risk: heavy or time-based payloads (for example repeated SLEEP() calls) can tie up database connections.
Detection Guidance

This vulnerability is an unauthenticated SQL injection via the 'wppa-supersearch' parameter in WP Photo Album Plus versions prior to 9.1.11.001.

The most reliable check is version-based: confirm the installed plugin version in the WordPress Plugins screen or with WP-CLI (wp plugin list --fields=name,version); anything below 9.1.11.001 is affected. To detect exploitation attempts, review web server access logs and WAF logs for requests that carry the 'wppa-supersearch' parameter with SQL syntax in its value: single quotes, comment sequences such as -- or /*, UNION SELECT, SLEEP(), and their URL-encoded and double-encoded forms.

Typical tooling for this is a web application firewall with a SQL injection rule set (for example the ModSecurity Core Rule Set) and vulnerability scanners that test the parameter directly.

You can also probe manually with curl or wget by sending crafted values to a page that renders the plugin's search box and comparing the responses. Bear in mind that WordPress hides database errors unless WP_DEBUG is enabled, so error-based probing may show nothing on a production site; a time-based payload (one that makes the query sleep) is a more dependable indicator. Only test systems you are authorized to assess.
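As an added example (not from the advisory, WPScan, or the plugin), the following Python script performs the log review described above over a few constructed access-log lines in combined format. It decodes the 'wppa-supersearch' value twice so that double-encoded payloads are caught, flags values matching a small set of SQL injection patterns, and counts flagged requests per client. The parameter name comes from this page; the log lines, IP addresses, pattern list and threshold are assumptions made for the example.

```python
"""Scan web-server access logs for SQL-injection attempts against the
'wppa-supersearch' parameter (CVE-2026-6379).

Added example for this advisory page; not code from the plugin or WPScan.
The log lines in SAMPLE_LOG are constructed for illustration."""
import re
from collections import Counter
from urllib.parse import parse_qs, unquote_plus, urlsplit

PARAM = "wppa-supersearch"

# Apache/nginx "combined" format: client ident user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Deliberately narrow patterns: a photo search term has no reason to contain these.
SQLI_PATTERNS = {
    "quote-boolean": re.compile(r"'\s*(or|and)\s*['\d]", re.I),        # x' OR '1'='1
    "union-select":  re.compile(r"\bunion\b[\s/*]+(all[\s/*]+)?select\b", re.I),
    "time-based":    re.compile(r"\b(sleep|benchmark)\s*\(", re.I),
    "error-based":   re.compile(r"\b(extractvalue|updatexml)\s*\(", re.I),
    "comment-tail":  re.compile(r"--\s|/\*"),                           # cuts off the rest of the query
    "schema-probe":  re.compile(r"\b(information_schema|wp_users)\b", re.I),
}


def supersearch_values(target):
    """Return every decoded wppa-supersearch value from a request target.

    parse_qs performs one round of percent-decoding; the second unquote_plus
    exposes double-encoded payloads (%2527 -> %27 -> ')."""
    query = urlsplit(target).query
    raw = parse_qs(query, keep_blank_values=True).get(PARAM, [])
    return [unquote_plus(v) for v in raw]


def classify(value):
    """Names of the SQLI_PATTERNS that match a decoded parameter value."""
    return [name for name, rx in SQLI_PATTERNS.items() if rx.search(value)]


def scan(lines):
    """Parse combined-format log lines and return one record per suspicious request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line: skip rather than crash
        for value in supersearch_values(m.group("target")):
            matched = classify(value)
            if matched:
                hits.append({
                    "ip": m.group("ip"),
                    "time": m.group("time"),
                    "status": m.group("status"),
                    "value": value,
                    "patterns": matched,
                })
    return hits


def offenders(hits, min_hits=2):
    """Client addresses with at least min_hits flagged requests, busiest first."""
    counts = Counter(h["ip"] for h in hits)
    return [(ip, n) for ip, n in counts.most_common() if n >= min_hits]


# Constructed sample: a benign search, an apostrophe in a name, three probes, one unrelated request.
SAMPLE_LOG = [
    '203.0.113.7 - - [18/May/2026:10:01:02 +0000] "GET /?wppa-supersearch=sunset+beach HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.8 - - [18/May/2026:10:01:05 +0000] "GET /?wppa-supersearch=O%27Brien HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [18/May/2026:10:01:09 +0000] "GET /?wppa-supersearch=x%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 9033 "-" "curl/8.0"',
    '198.51.100.23 - - [18/May/2026:10:01:15 +0000] "GET /?wppa-supersearch=x%2527%2520UNION%2520SELECT%25201%2C2%2C3--%2520 HTTP/1.1" 500 312 "-" "curl/8.0"',
    '198.51.100.23 - - [18/May/2026:10:01:20 +0000] "GET /?wppa-supersearch=x%27%20AND%20SLEEP(5)--%20 HTTP/1.1" 200 9033 "-" "curl/8.0"',
    '203.0.113.9 - - [18/May/2026:10:02:00 +0000] "GET /?p=12 HTTP/1.1" 200 4100 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for h in found:
        print(h["time"], h["ip"], h["status"], h["patterns"], repr(h["value"]))
    print("offenders:", offenders(found))
```

Access logs only record GET parameters; if the search form submits by POST, request bodies have to come from WAF or application-level logging. Keep the pattern list narrow: a search for O'Brien contains a quote but must not page anyone, which is why a bare quote on its own is not a pattern here.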

Mitigation Strategies

The immediate and most effective mitigation step is to update the WP Photo Album Plus plugin to version 9.1.11.001 or later, where the vulnerability has been fixed.

Until the update can be applied, add web application firewall rules that block requests whose 'wppa-supersearch' value contains SQL syntax (quotes, comment sequences, UNION SELECT, SLEEP()) rather than blocking the parameter outright, which would break legitimate searches, and log what the rules drop.

Restricting access to the pages that expose the plugin's search box, or deactivating the plugin temporarily, also reduces exposure; deactivating removes the vulnerable code path at the cost of taking the albums offline until the patched version is installed.
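As an added example, not from WPScan or the plugin's authors, the Python script below implements the check that tells you whether the update has actually been applied across a server: it reads the standard WordPress plugin header from each plugin's main file under wp-content/plugins and compares the version numerically against 9.1.11.001. The plugin name and fixed version are from this page; the plugins directory path and the sample header (including its version number) are assumptions made for the example.

```python
"""Find installed copies of WP Photo Album Plus and compare their version
with the fixed release 9.1.11.001 (CVE-2026-6379).

Added example for this advisory page; not code from WPScan or the plugin.
Relies only on the standard WordPress plugin header ("Plugin Name:", "Version:")
that every plugin's main file carries. SAMPLE_HEADER is constructed."""
import re
from pathlib import Path

FIXED_VERSION = "9.1.11.001"
PLUGIN_NAME = "WP Photo Album Plus"

# Header lines look like "Version: 9.1.11.001", optionally behind a leading " * ".
NAME_RE = re.compile(r"^\s*\*?\s*Plugin Name:\s*(?P<n>.+?)\s*$", re.M)
VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*(?P<v>\S+)\s*$", re.M)


def version_key(version):
    """Turn '9.1.11.001' into (9, 1, 11, 1) so comparison is numeric.

    A plain string comparison gets this wrong: '9.1.9.002' > '9.1.11.001'
    because '9' > '1'. Non-numeric parts (e.g. 'beta') count as 0."""
    key = []
    for part in version.split("."):
        m = re.match(r"\d+", part)
        key.append(int(m.group()) if m else 0)
    return tuple(key)


def is_vulnerable(installed, fixed=FIXED_VERSION):
    """True when the installed version is older than the fixed release."""
    return version_key(installed) < version_key(fixed)


def header_fields(php_source):
    """Return (plugin name, version) from a plugin main file, or (None, None)."""
    n = NAME_RE.search(php_source)
    v = VERSION_RE.search(php_source)
    return (n.group("n") if n else None, v.group("v") if v else None)


def audit_plugins_dir(plugins_root):
    """Scan wp-content/plugins/*/*.php for the plugin header and report its status.

    Returns a list of (path, version, vulnerable) tuples; an empty list when the
    directory does not exist or holds no copy of the plugin."""
    root = Path(plugins_root)
    if not root.is_dir():
        return []
    findings = []
    for php in root.glob("*/*.php"):
        # Only the header matters, so read just the first 8 KB of each file.
        with php.open(encoding="utf-8", errors="replace") as fh:
            head = fh.read(8192)
        name, version = header_fields(head)
        if name == PLUGIN_NAME and version:
            findings.append((str(php), version, is_vulnerable(version)))
    return findings


# Constructed header in the shape of a WordPress plugin main file; the version is illustrative.
SAMPLE_HEADER = """<?php
/*
Plugin Name: WP Photo Album Plus
Description: Photo album management for WordPress
Version: 9.1.9.002
*/
"""

if __name__ == "__main__":
    name, version = header_fields(SAMPLE_HEADER)
    print(name, version, "VULNERABLE" if is_vulnerable(version) else "ok")
    # Assumed default location; adjust for your site root.
    for path, version, vuln in audit_plugins_dir("/var/www/html/wp-content/plugins"):
        print(path, version, "VULNERABLE" if vuln else "ok")
```

Run it on every web host, not just the one you updated from the dashboard: staging copies, backups restored to a second server and multisite installs with their own plugin directories are where an old 9.1.x copy tends to survive.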

Compliance Impact

The provided information does not specify how the SQL injection vulnerability in the WP Photo Album Plus plugin directly affects compliance with common standards and regulations such as GDPR or HIPAA.
