CVE-2026-6379
SQL Injection in WP Photo Album Plus WordPress Plugin
Publication date: 2026-05-18
Last updated on: 2026-05-18
Assigner: WPScan
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wp_photo_album_plus | wp_photo_album_plus | 9.1.11.001 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify how the SQL injection vulnerability in the WP Photo Album Plus plugin directly affects compliance with common standards and regulations such as GDPR or HIPAA.
Can you explain this vulnerability to me?
The WP Photo Album Plus plugin for WordPress, before version 9.1.11.001, contains a vulnerability where it does not properly sanitize and escape the 'wppa-supersearch' parameter before using it in a SQL query.
This improper handling allows unauthenticated users to perform SQL injection attacks, meaning attackers can execute malicious SQL commands on the database without needing to log in.
This vulnerability is classified as CVE-2026-6379 and is considered high severity with a CVSS score of 8.6.
How can this vulnerability impact me?
This vulnerability allows attackers to execute arbitrary SQL queries on your WordPress site's database without authentication.
- Attackers could potentially access, modify, or delete sensitive data stored in the database.
- It could lead to data breaches or unauthorized data exposure.
- The integrity of your website's data could be compromised.
- Since the vulnerability does not affect availability or integrity directly, denial of service or data corruption are less likely but still possible depending on the attack.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves an unauthenticated SQL injection via the 'wppa-supersearch' parameter in the WP Photo Album Plus WordPress plugin versions prior to 9.1.11.001.
To detect this vulnerability on your system, you can monitor HTTP requests targeting the vulnerable plugin and specifically look for suspicious or malformed inputs in the 'wppa-supersearch' parameter that could indicate SQL injection attempts.
While no specific commands are provided, typical detection methods include using web application firewalls (WAFs) with SQL injection detection rules, or running vulnerability scanners that test for SQL injection on the 'wppa-supersearch' parameter.
Additionally, you can use tools like curl or wget to manually test the parameter by sending crafted requests to the plugin endpoint and observing the responses for SQL errors or unexpected behavior.
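As an added defender-side illustration (not code from the advisory, WPScan or the plugin), the script below scans web-server access-log lines for requests that carry the 'wppa-supersearch' parameter and flags values containing SQL syntax. The log lines, IP addresses and the detection heuristics are constructed assumptions; only GET requests are visible in an access log, so POST bodies are out of scope here.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [18/May/2026:10:01:02 +0000] "GET /?wppa-supersearch=sunset HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.11 - - [18/May/2026:10:01:05 +0000] "GET /?wppa-supersearch=beach%27%20OR%201%3D1--%20 HTTP/1.1" 200 9001 "-" "curl/8.0"
203.0.113.12 - - [18/May/2026:10:01:09 +0000] "GET /?wppa-supersearch=x%27%20UNION%20SELECT%20user_login%2Cuser_pass%20FROM%20wp_users--%20 HTTP/1.1" 500 0 "-" "python-requests/2.31"
203.0.113.13 - - [18/May/2026:10:01:12 +0000] "GET /?s=holiday HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

# Minimal parser for the request line fields we need from combined log format.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Heuristic indicators of SQL syntax inside what should be a plain photo search string.
# These are assumptions for illustration and will produce some false positives on odd searches.
SQLI_PATTERNS = [
    (re.compile(r"'"), "single quote"),
    (re.compile(r"--|/\*"), "sql comment marker"),
    (re.compile(r"\bunion\b.*\bselect\b", re.I), "union select"),
    (re.compile(r"\b(or|and)\b\s+[\w']+\s*=\s*[\w']+", re.I), "tautology"),
    (re.compile(r"\b(sleep|benchmark)\s*\(", re.I), "time-based probe"),
]


def extract_param(target, name="wppa-supersearch"):
    """Return the percent-decoded value of `name` from the request target, or None."""
    values = parse_qs(urlsplit(target).query, keep_blank_values=True).get(name)
    return values[0] if values else None


def inspect_value(value):
    """Return the labels of every heuristic that matches the decoded search value."""
    return [label for pattern, label in SQLI_PATTERNS if pattern.search(value)]


def scan_log(text):
    """Yield one finding per request whose wppa-supersearch value looks like SQL."""
    findings = []
    for line in text.splitlines():
        match = REQUEST_RE.match(line)
        if not match:
            continue  # not a request line we can parse
        value = extract_param(match["target"])
        if value is None:
            continue  # request does not touch the vulnerable parameter
        indicators = inspect_value(value)
        if indicators:
            findings.append({"ip": match["ip"], "status": match["status"],
                             "value": value, "indicators": indicators})
    return findings
```

A 500 status on a flagged request is worth prioritising, since a database error surfacing to the client is consistent with injected SQL breaking the query.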
What immediate steps should I take to mitigate this vulnerability?
The immediate and most effective mitigation step is to update the WP Photo Album Plus plugin to version 9.1.11.001 or later, where the vulnerability has been fixed.
Until the update can be applied, consider implementing web application firewall (WAF) rules to block or monitor suspicious requests containing the 'wppa-supersearch' parameter.
Restricting access to the vulnerable plugin endpoints or disabling the plugin temporarily can also reduce the risk of exploitation.