VYPR
High severity 8.6 · NVD Advisory · Published May 18, 2026 · Updated May 18, 2026

CVE-2026-6379

Description

The WP Photo Album Plus WordPress plugin before 9.1.11.001 does not properly sanitize and escape a parameter before using it in a SQL query, allowing unauthenticated users to perform SQL injection attacks.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Unauthenticated SQL injection in WP Photo Album Plus plugin via the 'wppa-supersearch' parameter, allowing attackers to extract database contents.

The WP Photo Album Plus plugin for WordPress, versions before 9.1.11.001, contains an unauthenticated SQL injection vulnerability. The plugin fails to properly sanitize and escape the 'wppa-supersearch' parameter before incorporating it into a SQL query, enabling an attacker to inject arbitrary SQL commands [1].

Exploitation requires no authentication; an unauthenticated attacker can send a crafted HTTP request containing malicious SQL in the 'wppa-supersearch' parameter. The parameter is processed by the plugin without adequate input validation, allowing the injection to be executed against the WordPress database [1].

Successful exploitation allows an attacker to read sensitive data from the database, such as user credentials, session tokens, and other stored information. This could lead to further compromise of the WordPress site, including privilege escalation or data exfiltration [1].

The vulnerability has been fixed in version 9.1.11.001 of the plugin. Users are strongly advised to update to this version or later to mitigate the risk. No workarounds have been provided [1].

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
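A triage sketch for site owners, added here as an example and not taken from the advisory or from the plugin's code: it checks whether an installed version is before the fixed release 9.1.11.001, and scans web access log lines for `wppa-supersearch` values that carry SQL syntax. Assumptions: the log is in combined log format, the marker regex is a heuristic chosen for this example, the sample log lines and version strings are constructed, and only query-string values are visible (a value sent in a POST body does not appear in an access log).

```python
import re
from urllib.parse import urlsplit, parse_qsl

FIXED = (9, 1, 11, 1)        # 9.1.11.001, the fixed release named in the advisory
PARAM = "wppa-supersearch"   # parameter named in the advisory

# Heuristic markers of SQL syntax (an assumption, not the plugin's own validation).
SQL_MARKERS = re.compile(
    r"['\"`;]|--|/\*|\b(union|select|sleep|benchmark|information_schema)\b",
    re.I)

# Combined log format: client address first, request line in double quotes.
REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed sample lines (documentation-range addresses, made-up paths).
SAMPLE_LOG = [
    '198.51.100.7 - - [18/May/2026:10:01:02 +0000] "GET /gallery/?wppa-supersearch=sunset HTTP/1.1" 200 5120',
    '203.0.113.9 - - [18/May/2026:10:01:05 +0000] "GET /gallery/?wppa-supersearch=x%27%20OR%201%3D1 HTTP/1.1" 200 812',
    '203.0.113.9 - - [18/May/2026:10:01:09 +0000] "GET /?s=union+select HTTP/1.1" 200 900',
]

def is_vulnerable(version: str) -> bool:
    """True when the installed plugin version is before 9.1.11.001."""
    return tuple(int(part) for part in version.split(".")) < FIXED

def suspicious_requests(lines):
    """Return (client_ip, decoded_value) for PARAM values containing SQL syntax."""
    hits = []
    for line in lines:
        match = REQUEST.match(line)
        if not match:
            continue  # not a request line in the expected format
        ip, target = match.groups()
        # parse_qsl percent-decodes, so encoded quotes and spaces are seen in clear.
        for key, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
            if key == PARAM and SQL_MARKERS.search(value):
                hits.append((ip, value))
    return hits

if __name__ == "__main__":
    print("installed 9.1.10.004 vulnerable:", is_vulnerable("9.1.10.004"))
    for ip, value in suspicious_requests(SAMPLE_LOG):
        print(f"review {ip}: {PARAM}={value!r}")
```

A hit is a lead for review rather than proof of compromise, and an empty result does not clear a site that ran a version before 9.1.11.001.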
