CVE-2026-39511 9.3 CRITICAL
Unauthenticated SQL injection in the WP Photo Album Plus plugin allows attackers to inject arbitrary SQL through a request parameter that is interpolated into a database query without prepared statements or proper escaping.

| Product | WP Photo Album Plus |
|---|---|
| Affected Versions | ≤ 9.1.08.001 |
| Fixed Version | 9.1.08.002 |
| CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N |
| CWE | CWE-89 (Improper Neutralization of Special Elements used in an SQL Command (SQL Injection)) |
| Published | 2026-04-13 |
| Active installs | 10,000+ |

Description
The WP Photo Album Plus plugin for WordPress is vulnerable to SQL Injection in all versions up to and including 9.1.08.001. A user-controlled parameter handled by the plugin flows into an SQL query built by string concatenation rather than through wpdb::prepare() with correct placeholders. Because the affected entry point does not require authentication, remote attackers can inject SQL syntax, alter the query's intent and extract data from any table in the WordPress database.

Impact
An unauthenticated attacker can read arbitrary data from the WordPress database, including user records, password hashes, secrets stored in the options table and any content stored by other plugins. The flaw lends itself to automated exploitation across the roughly ten thousand active installations of the plugin.
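The defect class named in the Description (a request parameter concatenated into the query text instead of bound through wpdb::prepare()), shown as an added illustration that is not the plugin's own code: a hypothetical lookup handler in its vulnerable form, a common half-fix that still leaves it injectable, and the corrected form. The function names, the `example_albums` table and the `album` / `limit` request parameters are assumptions; `$wpdb->prepare()`, `$wpdb->get_results()`, the `%s` / `%d` placeholders and the `sanitize_text_field()` / `wp_unslash()` / `absint()` helpers are the real WordPress API.

```php
<?php
// Added illustration, not code from WP Photo Album Plus. Function names, the
// table name and the request parameters are hypothetical; $wpdb and its
// prepare() placeholder API are the real WordPress database layer.

global $wpdb;
$table = $wpdb->prefix . 'example_albums'; // hypothetical table name

// VULNERABLE: the raw request value is pasted into the SQL text, so any SQL
// syntax it contains becomes part of the statement. Nothing here checks that
// the caller is logged in, matching the unauthenticated entry point above.
function example_album_lookup_vulnerable() {
    global $wpdb, $table;
    $album = $_GET['album'];
    $sql   = "SELECT id, name FROM $table WHERE name = '" . $album . "'";
    return $wpdb->get_results( $sql );
}

// STILL VULNERABLE: prepare() is called, but the value was interpolated into
// the template first, so there is no bound argument for it to escape. This is
// the "prepare() without correct placeholders" mistake the advisory refers to.
function example_album_lookup_misused_prepare() {
    global $wpdb, $table;
    $album = $_GET['album'];
    return $wpdb->get_results(
        $wpdb->prepare( "SELECT id, name FROM $table WHERE name = '$album'" )
    );
}

// FIXED: every user-controlled value reaches the query only as a prepare()
// argument. %s stays unquoted in the template (prepare() adds the quotes and
// escaping itself; writing '%s' is another classic misuse), and %d coerces
// the limit to an integer. The table name is server-controlled, so it may be
// interpolated.
function example_album_lookup_fixed() {
    global $wpdb, $table;
    $album = isset( $_GET['album'] ) ? sanitize_text_field( wp_unslash( $_GET['album'] ) ) : '';
    $limit = isset( $_GET['limit'] ) ? absint( $_GET['limit'] ) : 20;
    return $wpdb->get_results(
        $wpdb->prepare(
            "SELECT id, name FROM {$table} WHERE name = %s LIMIT %d",
            $album,
            $limit
        )
    );
}
```

When auditing a plugin for this bug class, grep for `$wpdb->` calls whose SQL string contains a `$` variable or a `.` concatenation on the query side of `prepare()`; the fixed form has variables only in the argument list.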