CVE-2026-6379 | THREATINT

Description

The WP Photo Album Plus WordPress plugin before 9.1.11.001 does not properly sanitize and escape a parameter before using it in a SQL query, allowing unauthenticated users to perform SQL injection attacks.

PUBLISHED Reserved 2026-04-15 | Published 2026-05-18 | Updated 2026-05-18 | Assigner WPScan

Problem types

CWE-89 SQL Injection

Product status

Default status

unaffected

Any version before 9.1.11.001

affected

Credits

Daniel Púa - devploit finder

WPScan coordinator

References

wpscan.com/...rability/60b88fd2-4048-4773-b319-63caaf5bd8eb/ exploit vdb-entry technical-description

cve.org (CVE-2026-6379)

nvd.nist.gov (CVE-2026-6379)

Download JSON