WordPress Plugin Vulnerabilities

WP Photo Album Plus < 9.1.05.009 - Reflected Cross-Site Scripting

Description

The WP Photo Album Plus plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘shortcode’ parameter in all versions up to, and including, 9.1.05.008 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

Affects Plugins

Plugin icon
wp-photo-album-plus
Fixed in 9.1.05.009

References

CVE
CVE-2025-14835
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/0903521d-3b07-4539-97c9-15e6bbe2cc2e

Classification

Type
CROSS FRAME SCRIPTING
OWASP top 10
A1: Injection
CWE
CWE-80
CVSS
7.1 (high)

Miscellaneous

Original Researcher
Muhammad Yudha - DJ
Verified
No
WPVDB ID
bf785b1d-df3d-4c25-9c57-69160d3462ee

Timeline

Publicly Published
2026-01-06 (about 5 months ago)
Added
2026-01-06 (about 5 months ago)
Last Updated
2026-01-07 (about 5 months ago)

Other

Published
Title
Published
2024-03-27
Title
GamiPress – The #1 gamification plugin to reward points, achievements, badges & ranks in WordPress < 6.9.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Published
2025-08-25
Title
WordPress Automatic Plugin - AI content generator and auto poster plugin < 3.119.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting
Published
2023-07-19
Title
Elementor < 3.5.5 - Iframe Injection
Published
2024-02-26
Title
Orbit Fox by ThemeIsle < 2.10.31 - Contributor+ Stored XSS via Pricing Table Widget
Published
2024-03-14
Title
WP Recipe Maker < 9.3.0 - Authenticated Stored Cross-Site Scripting via Video Embed