VYPR
Unrated severity · NVD Advisory · Published Jul 22, 2024 · Updated Apr 28, 2026

WordPress WP Photo Album Plus plugin <= 8.8.00.002 - Reflected Cross Site Scripting (XSS) vulnerability

CVE-2024-37416

Description

Reflected XSS in WP Photo Album Plus <= 8.8.00.002 allows attackers to inject arbitrary web scripts via improperly neutralized input.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A reflected cross-site scripting (XSS) vulnerability exists in the WP Photo Album Plus plugin for WordPress, affecting all releases up to and including 8.8.00.002. The plugin fails to neutralize user-supplied input during web page generation: a value taken from a crafted URL or query parameter is written back into the response without sanitization or context-appropriate output encoding, so an attacker can inject arbitrary HTML and JavaScript into the page the victim's browser renders. The advisory text does not identify the affected page or parameter.
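The reflection described above, as an added example that is not the plugin's code: a generic WordPress-style page that echoes a request parameter, first the vulnerable way and then with WordPress's sanitize-on-input and escape-on-output helpers. The parameter name album_filter, the render function names and the probe string are assumptions for illustration; the page does not identify the plugin's actual sink. When WordPress is not loaded, the script stubs esc_html, esc_attr and sanitize_text_field with the PHP primitives they wrap, so it runs from the command line.

```php
<?php
// Added example, not code from WP Photo Album Plus. Shows the reflected-XSS
// pattern (request value echoed into HTML unencoded) beside the hardened form.
// Parameter name, function names and the probe payload are assumptions.
declare(strict_types=1);

// Stand-alone stubs: WordPress's helpers, approximated with the PHP primitives
// they wrap, only defined when WordPress itself is not loaded.
if (!function_exists('esc_html')) {
    function esc_html(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('sanitize_text_field')) {
    // Approximation of WordPress: strip tags, drop control characters, trim.
    function sanitize_text_field(string $str): string {
        $str = strip_tags($str);
        $str = preg_replace('/[\x00-\x1F\x7F]/', '', $str);
        return trim($str);
    }
}

/** Vulnerable: the query value is interpolated into markup with no encoding. */
function render_vulnerable(array $get): string {
    $filter = $get['album_filter'] ?? '';
    return '<input type="text" name="album_filter" value="' . $filter . '">'
         . '<p>Showing albums matching: ' . $filter . '</p>';
}

/** Hardened: sanitize on input, then escape for the exact output context. */
function render_fixed(array $get): string {
    $filter = isset($get['album_filter'])
        ? sanitize_text_field((string) $get['album_filter'])
        : '';
    // esc_attr() inside an attribute value, esc_html() inside a text node.
    return '<input type="text" name="album_filter" value="' . esc_attr($filter) . '">'
         . '<p>Showing albums matching: ' . esc_html($filter) . '</p>';
}

/** True when the raw probe string appears verbatim in the rendered HTML. */
function reflects_verbatim(string $html, string $payload): bool {
    return strpos($html, $payload) !== false;
}

// Constructed request: a classic probe that closes the value attribute and
// injects a script element. This stands in for a victim clicking a crafted link.
$payload = '"><script>alert(document.domain)</script>';
$request = ['album_filter' => $payload];

$bad  = render_vulnerable($request);
$good = render_fixed($request);

printf("vulnerable output reflects payload verbatim: %s\n", reflects_verbatim($bad, $payload) ? 'yes' : 'no');
printf("hardened output reflects payload verbatim:   %s\n", reflects_verbatim($good, $payload) ? 'yes' : 'no');
echo "hardened markup: ", $good, "\n";
```

Run with php reflected_xss_example.php. The control is output encoding chosen per context (esc_attr inside attribute values, esc_html in text nodes); input sanitization is defence in depth rather than the fix, because sanitize_text_field strips the tags but leaves the attribute-closing quote in place. Real WordPress code reading from $_GET should also call wp_unslash() first, since WordPress adds slashes to the superglobals.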

Exploitation

Exploitation requires user interaction: the attacker crafts a link (or, for a POST sink, a page that auto-submits a form) carrying the payload in the unneutralized input and convinces a victim to open it. The attacker needs no account on the site. The payload runs with whatever privileges the victim holds; if the reflection point lies in the plugin's administrative interface, the victim must be logged in to the WordPress backend for the request to reach it, and the script then executes in that privileged context.

Impact

Successful exploitation runs attacker-controlled JavaScript in the victim's browser within the victim's WordPress session. WordPress sets its authentication cookies HttpOnly, so outright cookie theft is not the main risk; the script can instead issue requests from the victim's session, carrying the victim's cookies and any nonces embedded in the page, so anything the victim may do is available to the attacker: changing plugin settings, creating or deleting albums and media items, and, when the victim is an administrator, site-level actions such as adding users or installing plugins, which amounts to full site compromise rather than compromise of the plugin alone.

Mitigation

The vulnerability is fixed in version 8.8.00.003 [1]; update WP Photo Album Plus to that release or later (the current release at the time of writing is 9.1.13.005). No workaround is provided for unfixed versions; the plugin is actively maintained and the vendor has released the patch. After updating, confirm the installed version on the Plugins screen or with WP-CLI (wp plugin get wp-photo-album-plus --field=version, where wp-photo-album-plus is the plugin's WordPress.org slug).

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
