Unauthenticated SQL Injection Vulnerability in WP Photo Album Plus by WordPress
CVE-2026-39511

9.3 CRITICAL

Key Information:

Vendor: WordPress

CVE Published: 15 June 2026

What is CVE-2026-39511?

The WP Photo Album Plus plugin for WordPress contains an unauthenticated SQL injection vulnerability. An attacker can send specially crafted requests to the plugin, potentially executing arbitrary SQL commands against the database. Versions of the plugin up to and including 9.1.08.001 are affected, so users should update their installations to mitigate the risk and protect sensitive data.

Affected Version(s)

WP Photo Album Plus <= 9.1.08.001

CVSS V3.1

Score: 9.3
Severity: CRITICAL
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Martín Martín | Patchstack Bug Bounty Program