Stored Cross-Site Scripting in WP Photo Album Plus Plugin for WordPress
CVE-2026-10095
6.4 MEDIUM
What is CVE-2026-10095?
The WP Photo Album Plus plugin for WordPress is vulnerable to stored cross-site scripting via the 'subtext' parameter. Authenticated attackers with contributor-level access can inject arbitrary web scripts, which are stored in posts submitted for review. Because the plugin lacks proper input sanitization and output escaping, these scripts run whenever users access the affected pages, leading to potential data theft or website manipulation.
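A defender-side check for the issue described above, as an added example that is not part of the advisory or the plugin's code: it scans posts awaiting review for 'subtext' values that carry markup. It assumes 'subtext' is stored as a shortcode attribute in post content; the shortcode name `photo_album` and the sample rows are constructed.

```python
import html
import re

# Assumption: 'subtext' is stored as a shortcode attribute in post content,
# e.g. [photo_album subtext="..."] (photo_album is a placeholder name).
SUBTEXT_ATTR = re.compile(
    r"""\bsubtext\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s\]]+))""", re.I)
# Markup a caption should never need: tags, inline event handlers, script URLs.
SUSPICIOUS = re.compile(r"<\s*/?\s*[a-z!]|\bon[a-z]+\s*=|javascript\s*:", re.I)


def decode(value, rounds=3):
    """Undo nested HTML-entity encoding so &lt;script&gt; is seen as <script>."""
    for _ in range(rounds):
        decoded = html.unescape(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_subtexts(post_content):
    """Return the decoded subtext values in post_content that contain markup."""
    hits = []
    for match in SUBTEXT_ATTR.finditer(post_content):
        value = decode(next(g for g in match.groups() if g is not None))
        if SUSPICIOUS.search(value):
            hits.append(value)
    return hits


def audit(posts, statuses=("pending",)):
    """Map post ID -> flagged subtext values for posts in the given statuses."""
    report = {}
    for post in posts:
        if post["post_status"] in statuses:
            hits = suspicious_subtexts(post["post_content"])
            if hits:
                report[post["ID"]] = hits
    return report


# Constructed sample rows using wp_posts column names; not real data.
SAMPLE_POSTS = [
    {"ID": 101, "post_status": "pending",
     "post_content": '[photo_album album="3" subtext="Sunset over the bay"]'},
    {"ID": 102, "post_status": "pending", "post_content":
     '[photo_album album="4" subtext="&lt;script&gt;alert(1)&lt;/script&gt;"]'},
    {"ID": 103, "post_status": "publish",
     "post_content": '[photo_album album="5" subtext="<b>Harbour</b>"]'},
    {"ID": 104, "post_status": "pending", "post_content":
     "[photo_album album=\"6\" subtext='x\" onmouseover=\"alert(1)']"},
]
```

Passing `statuses=("pending", "publish")` to `audit` extends the sweep to content that has already been approved.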
Affected Version(s)
WP Photo Album Plus 0 <= 9.1.13.005