CVE-2026-39511

Vulnerability

An unauthenticated SQL injection vulnerability exists in the WP Photo Album Plus plugin for WordPress, affecting versions up to and including 9.1.08.001. The flaw resides in an unsanitized input parameter that is directly used in database queries without proper escaping or parameterization, allowing attackers to inject arbitrary SQL commands without any prior authentication [1].

Exploitation

An attacker can exploit this vulnerability by sending a specially crafted HTTP request to the affected WordPress site. No authentication or user interaction is required. The vulnerability is known to be leveraged in mass-exploit campaigns, targeting thousands of sites simultaneously due to its ease of exploitation [1].

Impact

Successful exploitation allows an attacker to directly interact with the website's database, potentially extracting sensitive information such as user credentials, personal data, and other stored content. The impact is classified as critical, with CVSS v3 score 9.3, indicating a severe risk of data breach and potential full site compromise [1].

Mitigation

The vulnerability is fixed in version 9.1.08.002 of the plugin. Users are strongly advised to update to this version or later immediately. For those unable to update, Patchstack offers a mitigation rule that blocks attacks. No other workarounds are available [1].