Unrated severityNVD Advisory· Published May 21, 2015· Updated May 6, 2026

CVE-2015-3647

Description

Multiple cross-site scripting (XSS) vulnerabilities in wppa-ajax-front.php in the WP Photo Album Plus (aka WPPA) plugin before 6.1.3 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) comemail or (2) comname parameter in a wppa do-comment action.

Affected products

Wppa.opajaap/Wp Photo Album Plus
cpe:2.3:a:wppa.opajaap:wp-photo-album-plus:*:*:*:*:*:wordpress:*:*
Range: <=6.1.2

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

wordpress.org/plugins/wp-photo-album-plus/changelog/nvdPatchVendor Advisory
packetstormsecurity.com/files/131976/WordPress-WP-Photo-Album-Plus-6.1.2-Cross-Site-Scripting.htmlnvdExploit
www.securityfocus.com/bid/74741nvdExploit
www.htbridge.com/advisory/HTB23257nvdExploit
www.securityfocus.com/archive/1/535575/100/0/threadednvd

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000