WP Photo Album Plus < 8.0.10 – Stored Cross-Site Scripting (XSS) | CVE 2021-25115 | Plugin Vulnerabilities

Description

The plugin was vulnerable to Stored Cross-Site Scripting (XSS). Error log content was handled improperly, therefore any user, even unauthenticated, could cause arbitrary javascript to be executed in the admin panel.

Proof of Concept

http://127.0.0.1:8001/?search-submit={img%20src%20onerror=alert(1)} 

Then the admin neds to browse http://127.0.0.1:8001/wp-admin/admin.php?page=wppa_options&wppa-tab=miscadv and show the content of error log in the "logging" section.

Affects Plugins

wp-photo-album-plus

Fixed in 8.0.10

References

CVE

URL

https://plugins.trac.wordpress.org/changeset/2655859/wp-photo-album-plus

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Krzysztof Zając

Submitter

Krzysztof Zając

Submitter website

https://kazet.cc/

Verified

Yes

WPVDB ID

dbc18c2c-7547-44fc-8a41-c819757e47a7

Timeline

Publicly Published

2022-01-02 (about 3 years ago)

Added

2022-01-14 (about 3 years ago)

Last Updated

2022-04-12 (about 3 years ago)

Other

Published

Title

Published

2025-10-21

Title

Welcart e-Commerce < 2.11.23 - Authenticated (Editor+) Stored Cross-Site Scripting via order_mail

Published

2025-03-11

Title

Bee Layer Slider <= 1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2023-11-07

Title

Custom post types < 5.0.0 - Admin+ Stored Cross-Site Scripting

Published

2025-09-05

Title

Smooth Accordion <= 2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2025-09-22

Title

WP Mailto Links <= 3.1.4 - Authenticated (Administrator+) Stored Cross-Site Scripting