cleantalk
Vulnerabilities and Security Researches

WP Photo Album Plus, CVE-2025-8726

CVE, Research URL

CVE-2025-8726

Home page URL

Security reports for WP Photo Album Plus

Application

WP Photo Album Plus

Published on
Oct 04, 2025
Research Description
The WP Photo Album Plus plugin for WordPress is vulnerable to Cross-Site Scripting in all versions up to, and including, 9.0.11.006 due to insufficient input sanitization and output escaping in the wppa_user_upload function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in the photo album descriptions that execute in a victim's browser.
Affected versions
max 9.0.11.007.
Status
vulnerable
Previous vulnerability researches
WP Photo Album Plus (CVE-2021-25115) , Jun 07, 2024
WP Photo Album Plus (CVE-2015-3647) , Jun 07, 2024
WP Photo Album Plus (CVE-2023-49813) , Jun 07, 2024
WP Photo Album Plus (CVE-2023-49774) , Jun 07, 2024
WP Photo Album Plus (CVE-2024-4037) , Jun 07, 2024
New vulnerability
Email Template Customizer for WooCommerce (CVE-2025-64200) , Nov 11, 2025
Premmerce Wholesale Pricing for WooCommerce (CVE-2025-64285) , Nov 11, 2025
Premmerce Wholesale Pricing for WooCommerce (CVE-2025-60192) , Nov 11, 2025
Footnotes Made Easy (CVE-2025-11733) , Nov 11, 2025
CoSchedule (CVE-2025-49913) , Nov 11, 2025