Stored Cross-Site Scripting in WP Photo Album Plus Plugin for WordPress
CVE-2026-10095

6.4 MEDIUM

Key Information:

Vendor

WordPress

CVE Published:
1 July 2026

What is CVE-2026-10095?

The WP Photo Album Plus plugin for WordPress is vulnerable to stored cross-site scripting through the 'subtext' parameter. Authenticated attackers with contributor-level access can inject arbitrary web scripts into posts submitted for review. Because the input is not properly sanitized and the output is not properly escaped, the stored scripts run whenever users access the affected pages, which can lead to data theft or website manipulation.

Affected Version(s)

WP Photo Album Plus 0 <= 9.1.13.005

CVSS V3.1

Score:
6.4
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Muhammad Yudha - DJ