Reflected Cross-Site Scripting in WP Photo Album Plus Plugin for WordPress
CVE-2025-14835

7.1HIGH

Key Information:

Vendor: WordPress
Status: WP Photo Album Plus
Vendor: CVE Published:; 7 January 2026

What is CVE-2025-14835?

The WP Photo Album Plus plugin for WordPress exhibits a critical security flaw due to inadequate input sanitization and output escaping in its ‘shortcode’ parameter. This vulnerability enables unauthenticated attackers to craft malicious web scripts that can be injected onto pages. If a user is fooled into clicking on a compromised link, these scripts could execute within their browser, posing a significant risk to user data and site integrity. It's crucial for site administrators using this plugin to be aware of this issue and take necessary actions to safeguard their systems.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

WP Photo Album Plus * <= 9.1.05.008

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/wp-photo-album...

CVSS V3.1

Score:

7.1

Severity:

HIGH

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Jan 7, 2026
Vulnerability Reserved
Dec 17, 2025

Credit

Muhammad Yudha - DJ

JSON

WordPress