WordPress Plugin Vulnerabilities

WP Photo Album Plus < 9.1.11.001 - Unauthenticated SQL Injection via 'wppa-supersearch' Parameter

Description

The plugin does not properly sanitize and escape a parameter before using it in a SQL query, allowing unauthenticated users to perform SQL injection attacks.

Proof of Concept

Affects Plugins

Plugin icon
wp-photo-album-plus
Fixed in 9.1.11.001

References

CVE
CVE-2026-6379

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89
CVSS
8.6 (High)

Miscellaneous

Original Researcher
Daniel Púa - devploit
Submitter
Daniel Púa - devploit
Submitter website
https://devploit.dev
Submitter twitter
devploit
Verified
Yes
WPVDB ID
60b88fd2-4048-4773-b319-63caaf5bd8eb

Timeline

Publicly Published
2026-04-27 (about 18 days ago)
Added
2026-04-27 (about 18 days ago)
Last Updated
2026-04-27 (about 18 days ago)

Other

Published
Title
Published
2026-01-07
Title
Media Search Enhanced < 0.9.2 - Authenticated (Author+) SQL Injection
Published
2025-03-28
Title
Duplicate Page and Post <= 1.0 - Authenticated (Contributor+) SQL Injection
Published
2026-03-23
Title
Addon Jobsearch Chat < 3.1 - Unauthenticated SQL Injection
Published
2026-03-05
Title
Lisfinity Core - Lisfinity Core plugin used for pebas® Lisfinity WordPress theme <= 1.5.0 - Unauthenticated SQL Injection
Published
2026-01-10
Title
Neoforum <= 1.0 - Authenticated (Administrator+) SQL Injection