Medium severity5.4NVD Advisory· Published Oct 4, 2025· Updated Apr 15, 2026
CVE-2025-8726
CVE-2025-8726
Description
The WP Photo Album Plus plugin for WordPress is vulnerable to Cross-Site Scripting in all versions up to, and including, 9.0.11.006 due to insufficient input sanitization and output escaping in the wppa_user_upload function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in the photo album descriptions that execute in a victim's browser.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
2<=9.0.11.006+ 1 more
- (no CPE)range: <=9.0.11.006
- (no CPE)range: <=9.0.11.006
Patches
Vulnerability mechanics
References
3News mentions
0No linked articles in our index yet.