CVE-2026-6379
WordPress · WP Photo Album Plus
The WP Photo Album Plus plugin for WordPress is vulnerable to SQL Injection, allowing attackers to execute unauthorized database queries.
Executive summary
The WP Photo Album Plus plugin for WordPress is vulnerable to SQL Injection, which could allow an attacker to gain unauthorized access to sensitive database information.
Vulnerability
This vulnerability is a SQL Injection (CWE-89) in the WP Photo Album Plus plugin. It allows an attacker, with or without authentication, to manipulate database queries, potentially leading to unauthorized data disclosure or modification.
Business impact
With a CVSS score of 8.6, this is a High-severity vulnerability with significant business risk. Successful exploitation could result in the total compromise of the database, leading to the theft of user credentials, personal information, or administrative site data.
Remediation
Immediate Action: Update the WP Photo Album Plus plugin to version 9.1.11.001 or later.
Proactive Monitoring: Monitor database query logs for syntax errors or anomalous patterns associated with SQL Injection attempts.
Compensating Controls: Implement a Web Application Firewall (WAF) with SQL injection protection rules to block malicious payloads targeting the database.
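A practical first step for the remediation above is confirming which version is actually installed. The following is an added example, not part of this advisory, that reads the version from a WordPress plugin header and compares it numerically against the fixed version 9.1.11.001; a plain string comparison gets four-part versions such as 9.1.9 versus 9.1.11 wrong. The sample header block is constructed, and the main file name is an assumption.

```python
"""Decide whether an installed WP Photo Album Plus version predates the fix
(9.1.11.001 per the advisory). Added example; assumes the version is read
from the plugin's main PHP file header, as WordPress stores it."""
import re

FIXED_VERSION = "9.1.11.001"  # fixed version stated in the advisory

# Constructed sample of a WordPress plugin header (not a real file).
SAMPLE_PLUGIN_HEADER = """\
<?php
/*
Plugin Name: WP Photo Album Plus
Version: 9.1.10.004
*/
"""


def parse_version(text: str) -> tuple:
    """Turn '9.1.11.001' into (9, 1, 11, 1).

    int() drops the leading zeros of the build component, and missing
    trailing parts are padded with 0 so '9.1.11' == '9.1.11.000'.
    """
    parts = [int(p) for p in re.findall(r"\d+", text)]
    return tuple(parts + [0] * (4 - len(parts)))


def header_version(header_text: str) -> str:
    """Extract the 'Version:' field from a plugin header block."""
    m = re.search(r"^\s*\*?\s*Version:\s*([\w.]+)", header_text, re.M)
    if not m:
        raise ValueError("no Version: line in plugin header")
    return m.group(1)


def is_vulnerable(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version is older than the fixed version."""
    return parse_version(installed) < parse_version(fixed)


def naive_string_check(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """The pitfall: lexicographic compare says '9.1.9' >= '9.1.11.001'."""
    return installed < fixed


if __name__ == "__main__":
    v = header_version(SAMPLE_PLUGIN_HEADER)
    print(f"installed {v}: vulnerable={is_vulnerable(v)}")
```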
Exploitation status
Public Exploit Available: false
Analyst recommendation
SQL Injection vulnerabilities are critical risks. Administrators must update to version 9.1.11.001 immediately to prevent potential database compromise. If patching is delayed, restrict access to the affected site functionality.