Vulnerabilities and security researches forwp-photo-album-plus wp-photo-album-plus
Direction: descendingNov 10, 2025
WP Photo Album Plus # CVE-2025-8726
- CVE, Research URL
- Home page URL
- Application
- Date
- Oct 04, 2025
- Research Description
- The WP Photo Album Plus plugin for WordPress is vulnerable to Cross-Site Scripting in all versions up to, and including, 9.0.11.006 due to insufficient input sanitization and output escaping in the wppa_user_upload function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in the photo album descriptions that execute in a victim's browser.
- Affected versions
-
max 9.0.11.007.
- Status
-
vulnerable
Nov 10, 2024
WP Photo Album Plus # CVE-2024-10958
- CVE, Research URL
- Home page URL
- Application
- Date
- Nov 10, 2024
- Research Description
- The The WP Photo Album Plus plugin for WordPress is vulnerable to arbitrary shortcode execution via getshortcodedrenderedfenodelay AJAX action in all versions up to, and including, 8.8.08.007 . This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.
- Affected versions
-
max 8.9.01.001.
- Status
-
vulnerable
Oct 18, 2024
WP Photo Album Plus # CVE-2024-9951
- CVE, Research URL
- Home page URL
- Application
- Date
- Oct 17, 2024
- Research Description
- The WP Photo Album Plus plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'wppa-tab' parameter in all versions up to, and including, 8.8.05.003 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
- Affected versions
-
max 8.8.07.004.
- Status
-
vulnerable
Jul 15, 2024
WP Photo Album Plus # CVE-2024-38713
- CVE, Research URL
- Home page URL
- Application
- Date
- Jul 20, 2024
- Research Description
- Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in J.N. Breetvelt a.K.A. OpaJaap WP Photo Album Plus allows Stored XSS.This issue affects WP Photo Album Plus: from n/a through 8.8.02.002.
- Affected versions
-
max 8.8.02.003.
- Status
-
vulnerable
Jul 02, 2024
WP Photo Album Plus # CVE-2024-37416
- CVE, Research URL
- Home page URL
- Application
- Date
- Jul 22, 2024
- Research Description
- Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in J.N. Breetvelt a.K.A. OpaJaap WP Photo Album Plus allows Reflected XSS.This issue affects WP Photo Album Plus: from n/a through 8.8.00.002.
- Affected versions
-
max 8.8.00.003.
- Status
-
vulnerable
Jun 10, 2024
WP Photo Album Plus # CVE-2008-0939
- CVE, Research URL
- Home page URL
- Application
- Date
- -
- Research Description
- Multiple SQL injection vulnerabilities in wppa.php in the WP Photo Album (WPPA) before 1.1 plugin for WordPress allow remote attackers to execute arbitrary SQL commands via (1) the photo parameter to index.php, used by the wppa_photo_name function; or (2) the album parameter to index.php, used by the wppa_album_name function. NOTE: some of these details are obtained from third party information.
- Affected versions
-
max 1.0.
- Status
-
vulnerable
WP Photo Album Plus # CVE-2014-8814
- CVE, Research URL
- Home page URL
- Application
- Date
- -
- Research Description
- The WP Photo Album Plus plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘walbum’ parameter in versions up to, and including, 5.4.17 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
- Affected versions
-
max 5.4.17.
- Status
-
vulnerable
Jun 07, 2024
WP Photo Album Plus # CVE-2013-3254
- CVE, Research URL
- Home page URL
- Application
- Date
- May 10, 2013
- Research Description
- Cross-site scripting (XSS) vulnerability in wp-admin/admin.php in the WP Photo Album Plus plugin before 5.0.3 for WordPress allows remote attackers to inject arbitrary web script or HTML via the commentid parameter in a wppa_manage_comments edit action.
- Affected versions
-
Min 5.4.5, max 4.2.0.
- Status
-
vulnerable
WP Photo Album Plus # CVE-2021-25115
- CVE, Research URL
- Home page URL
- Application
- Date
- Feb 14, 2022
- Research Description
- The WP Photo Album Plus WordPress plugin before 8.0.10 was vulnerable to Stored Cross-Site Scripting (XSS). Error log content was handled improperly, therefore any user, even unauthenticated, could cause arbitrary javascript to be executed in the admin panel.
- Affected versions
-
max 8.0.10.
- Status
-
vulnerable
WP Photo Album Plus # CVE-2015-3647
- CVE, Research URL
- Home page URL
- Application
- Date
- May 22, 2015
- Research Description
- Multiple cross-site scripting (XSS) vulnerabilities in wppa-ajax-front.php in the WP Photo Album Plus (aka WPPA) plugin before 6.1.3 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) comemail or (2) comname parameter in a wppa do-comment action.
- Affected versions
-
max 6.1.3.
- Status
-
vulnerable
WP Photo Album Plus # CVE-2023-49813
- CVE, Research URL
- Home page URL
- Application
- Date
- Dec 14, 2023
- Research Description
- Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in J.N. Breetvelt a.K.A. OpaJaap WP Photo Album Plus allows Stored XSS.This issue affects WP Photo Album Plus: from n/a through 8.5.02.005.
- Affected versions
-
max 8.6.01.005.
- Status
-
vulnerable
WP Photo Album Plus # CVE-2023-49774
- CVE, Research URL
- Home page URL
- Application
- Date
- Jun 04, 2024
- Research Description
- Exposure of Sensitive Information to an Unauthorized Actor vulnerability in J.N. Breetvelt a.K.A. OpaJaap WP Photo Album Plus allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects WP Photo Album Plus: from n/a through 8.5.02.005.
- Affected versions
-
max 8.6.01.005.
- Status
-
vulnerable
WP Photo Album Plus # CVE-2024-4037
- CVE, Research URL
- Home page URL
- Application
- Date
- May 24, 2024
- Research Description
- The WP Photo Album Plus plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 8.7.02.003. This is due to the plugin allowing unauthenticated users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.
- Affected versions
-
max 8.7.00.004.
- Status
-
vulnerable
WP Photo Album Plus # CVE-2024-31286
- CVE, Research URL
- Home page URL
- Application
- Date
- Apr 07, 2024
- Research Description
- Unrestricted Upload of File with Dangerous Type vulnerability in J.N. Breetvelt a.K.A. OpaJaap WP Photo Album Plus.This issue affects WP Photo Album Plus: from n/a before 8.6.03.005.
- Affected versions
-
max 8.6.03.005.
- Status
-
vulnerable
WP Photo Album Plus # CVE-2024-31377
- CVE, Research URL
- Home page URL
- Application
- Date
- May 14, 2024
- Research Description
- Unrestricted Upload of File with Dangerous Type vulnerability in J.N. Breetvelt a.K.A. OpaJaap WP Photo Album Plus.This issue affects WP Photo Album Plus: from n/a through 8.7.01.001.
- Affected versions
-
max 8.7.01.002.
- Status
-
vulnerable
WP Photo Album Plus # CVE-2023-49812
- CVE, Research URL
- Home page URL
- Application
- Date
- Dec 20, 2023
- Research Description
- Authorization Bypass Through User-Controlled Key vulnerability in J.N. Breetvelt a.K.A. OpaJaap WP Photo Album Plus.This issue affects WP Photo Album Plus: from n/a through 8.5.02.005.
- Affected versions
-
max 8.6.01.005.
- Status
-
vulnerable