← back
CVE-2026-6379

WP Photo Album Plus < 9.1.11.001 - Unauthenticated SQL Injection via 'wppa-supersearch' Parameter

CVSS 8.6 HIGHEPSS 0.3%CWE-89
The WP Photo Album Plus WordPress plugin before 9.1.11.001 does not properly sanitize and escape a parameter before using it in a SQL query, allowing unauthenticated users to perform SQL injection attacks.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Affected products
Unknown · WP Photo Album Plus
public PoCs found1
cve_referencewpscan.com/vulnerability/60b88fd2-4048-4773-b319-63caaf5bd8eb/unverified
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://wpscan.com/vulnerability/60b88fd2-4048-4773-b319-63caaf5bd8eb/