Reflected Cross-Site Scripting in WP Photo Album Plus Plugin for WordPress
CVE-2025-14835

7.1HIGH

Key Information:

Vendor

WordPress
Status
WP Photo Album Plus
Vendor
CVE Published:
7 January 2026

What is CVE-2025-14835?

The WP Photo Album Plus plugin for WordPress exhibits a critical security flaw due to inadequate input sanitization and output escaping in its ‘shortcode’ parameter. This vulnerability enables unauthenticated attackers to craft malicious web scripts that can be injected onto pages. If a user is fooled into clicking on a compromised link, these scripts could execute within their browser, posing a significant risk to user data and site integrity. It's crucial for site administrators using this plugin to be aware of this issue and take necessary actions to safeguard their systems.

Affected Version(s)

WP Photo Album Plus 0 <= 9.1.05.008

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...
https://plugins.trac.wordpress.org/browser/wp-photo-album...
https://plugins.trac.wordpress.org/browser/wp-photo-album...

CVSS V3.1

Score:
7.1
Severity:
HIGH
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Muhammad Yudha - DJ
.