Unauthenticated SQL Injection Vulnerability in WP Photo Album Plus by WordPress
CVE-2026-39511
9.3 CRITICAL
What is CVE-2026-39511?
The WP Photo Album Plus plugin for WordPress contains an unauthenticated SQL injection vulnerability. An attacker who has not logged in can send specially crafted requests to the plugin, potentially executing arbitrary SQL commands on the database. Versions of the plugin up to and including 9.1.08.001 are affected, so users should update their installations to mitigate the risk and protect sensitive data.
Affected Version(s)
WP Photo Album Plus <= 9.1.08.001