WordPress Plugin Vulnerabilities

WP Photo Album Plus < 9.0.11.007 - Authenticated (Subscriber+) Stored Cross-Site Scripting via wppa_user_upload

Description

The WP Photo Album Plus plugin for WordPress is vulnerable to Cross-Site Scripting in all versions up to, and including, 9.0.11.006 due to insufficient input sanitization and output escaping in the wppa_user_upload function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in the photo album descriptions that execute in a victim's browser.

Affects Plugins

Plugin icon
wp-photo-album-plus
Fixed in 9.0.11.007

References

CVE
CVE-2025-8726
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/575b11a3-9fa4-4ee0-8f19-7d53e6c1785f

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
5.4 (medium)

Miscellaneous

Original Researcher
zer0gh0st
Verified
No
WPVDB ID
897526e4-cd04-4fbd-9d03-76a7f2e90c00

Timeline

Publicly Published
2025-10-03 (about 8 months ago)
Added
2025-10-03 (about 8 months ago)
Last Updated
2025-10-04 (about 8 months ago)

Other

Published
Title
Published
2024-06-20
Title
Ali2Woo Lite < 3.3.7 - Reflected Cross-Site Scripting
Published
2021-05-04
Title
Hotjar Connecticator <= 1.1.1 - Authenticated Stored Cross-Site Scripting (XSS)
Published
2018-08-31
Title
UserPro <= 4.9.23 - Unauthenticated Cross-Site Scripting (XSS)
Published
2015-02-22
Title
FancyBox for WordPress 3.0.0-3.0.2 - Stored Cross-Site Scripting (XSS)
Published
2025-11-06
Title
JetElements For Elementor < 2.7.12.1 - Authenticated (Contributor+) Stored Cross-Site Scripting