CVE-2026-6379

WordPress · WP Photo Album Plus

The WP Photo Album Plus plugin for WordPress is vulnerable to SQL Injection, allowing attackers to execute unauthorized database queries.

Executive summary

The WP Photo Album Plus plugin for WordPress is vulnerable to SQL Injection, which could allow an attacker to gain unauthorized access to sensitive database information.

Vulnerability

This vulnerability is a SQL Injection (CWE-89) in the WP Photo Album Plus plugin. An attacker, whether unauthenticated or authenticated, can inject into the queries the plugin builds and thereby read or modify data the query was never meant to expose, potentially leading to unauthorized data disclosure or modification.

Business impact

With a CVSS score of 8.6, this is a High-severity vulnerability with significant business risk. Successful exploitation could result in the total compromise of the database, leading to the theft of user credentials, personal information, or administrative site data.

Remediation

Immediate Action: Update the WP Photo Album Plus plugin to version 9.1.11.001 or later as soon as possible.

Proactive Monitoring: Monitor database query logs and the application's database error log for SQL syntax errors and for query patterns characteristic of SQL Injection attempts (tautologies, UNION-based queries, comment terminators, time-delay functions).

Compensating Controls: Implement a Web Application Firewall (WAF) with SQL injection protection rules to block malicious payloads targeting the database.
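A small log scanner for the "Proactive Monitoring" item above, added here as an illustration and not part of this advisory or the plugin's code. It walks MySQL general-log "Query" lines and WordPress debug.log database-error lines, flagging the classic injection signals; the log lines and table names are constructed samples, not captured traffic from this vulnerability.

```python
import re
from dataclasses import dataclass

# Heuristics a defender keys on when reviewing a query log. Each pattern is
# deliberately narrow; broaden only after checking false-positive rates on
# your own site's normal query mix (e.g. "/*" also matches MySQL optimizer hints).
PATTERNS = {
    "tautology": re.compile(r"\b(or|and)\s+['\"]?\d+['\"]?\s*=\s*['\"]?\d+", re.I),
    "union_select": re.compile(r"\bunion\b.{0,40}\bselect\b", re.I),
    "comment_terminator": re.compile(r"(--\s|/\*)"),
    "stacked_query": re.compile(r";\s*(select|insert|update|delete|drop)\b", re.I),
    "time_based": re.compile(r"\b(sleep|benchmark)\s*\(", re.I),
}
# WordPress writes "WordPress database error <mysql message> for query <sql>"
# to wp-content/debug.log when WP_DEBUG_LOG is enabled.
ERROR_MARKER = re.compile(r"error in your SQL syntax", re.I)

# MySQL general-log query line: "<timestamp>\t<connection id> Query\t<sql>"
QUERY_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<conn>\d+)\s+Query\s+(?P<sql>.*)$")

@dataclass
class Finding:
    line_no: int   # 1-based line number in the scanned log
    reason: str    # which heuristic fired
    text: str      # the offending query or error line

def scan_log(lines):
    """Return one Finding per suspicious line (first matching heuristic wins)."""
    findings = []
    for n, line in enumerate(lines, start=1):
        if ERROR_MARKER.search(line):
            findings.append(Finding(n, "sql_syntax_error", line.strip()))
            continue
        m = QUERY_LINE.match(line)
        if not m:
            continue
        sql = m.group("sql")
        for name, pat in PATTERNS.items():
            if pat.search(sql):
                findings.append(Finding(n, name, sql))
                break
    return findings

# Constructed sample: four general-log lines plus one debug.log error line.
SAMPLE_LOG = """\
2026-03-01T10:00:00.000000Z\t   42 Query\tSELECT id, name FROM wp_albums WHERE id = 5
2026-03-01T10:00:01.000000Z\t   42 Query\tSELECT id, name FROM wp_albums WHERE id = 5 OR 1=1 -- 
2026-03-01T10:00:02.000000Z\t   43 Query\tSELECT id FROM wp_photos WHERE album = 7 UNION SELECT 1, 2
2026-03-01T10:00:03.000000Z\t   43 Query\tSELECT id FROM wp_photos WHERE album = 7 AND SLEEP(5)
2026-03-01T10:00:04.000000Z\t   44 Query\tSELECT id FROM wp_photos WHERE album = 'summer'
[01-Mar-2026 10:00:05 UTC] WordPress database error You have an error in your SQL syntax for query SELECT id FROM wp_photos WHERE album = 7'
"""

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG.splitlines()):
        print(f"line {f.line_no}: {f.reason}: {f.text}")
```

Point it at a real general log (`general_log_file`) or at wp-content/debug.log and review every hit by hand; a single hit against the plugin's tables after the patch date is a strong signal to investigate.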

Exploitation status

Public Exploit Available: false

Analyst recommendation

SQL Injection vulnerabilities are critical risks. Administrators must update to version 9.1.11.001 immediately to prevent potential database compromise. If patching is delayed, restrict access to the affected site functionality until the update can be applied.