WP Photo Album Plus Security & Risk Analysis

wordpress.org/plugins/wp-photo-album-plus

This plugin is more than just a photo album plugin; it is a complete, highly customizable multimedia CMS and display system.

10K active installs · v9.1.09.005 · PHP 5.5+ · WP 6.6+ · Updated Mar 14, 2026
Tags: audio, lightbox, pdf, photo, video
Score: 76 · B · Generally Safe
CVEs total: 18 · Unpatched: 0 · Last CVE: Jan 6, 2026

Is WP Photo Album Plus Safe to Use in 2026?

Mostly Safe

Score 76/100

WP Photo Album Plus is generally safe to use. 18 past CVEs were resolved. Keep it updated.

18 known CVEs · Last CVE: Jan 6, 2026 · Updated 21d ago
Risk Assessment

The analyzed build of "wp-photo-album-plus", v9.1.09.003, shows a mixed security posture. On the positive side, every SQL query goes through a prepared statement and 97% of output is escaped. Against that, the static analysis finds one REST API route that the scanner reports as unprotected, meaning no authorization gate on the route itself, which is a potential entry point for unauthenticated requests. The code also calls `exec` and `unserialize`. The analyzed flows do not show either being reached with attacker-controlled input, but these are the usual starting points for command injection and PHP object injection, so they deserve review whenever the inputs feeding them change.

The vulnerability history is the main red flag. 18 known CVEs, 3 critical, 4 high and 11 medium, point to a recurring pattern rather than isolated slips. The classes involved (XSS, code injection through arbitrary shortcode execution, unrestricted file upload, authorization bypass and SQL injection) indicate a history of weak input handling and access control. No CVE is unpatched at the time of writing, but the volume and severity of past issues, and a further disclosure in January 2026, mean the codebase warrants ongoing vigilance. Response times have improved: the 2024 to 2026 issues were fixed within one to nine days of disclosure, while the three December 2023 issues took 63 days. The thousands-of-days figures attached to the pre-2022 entries are not credible as response times, and they dominate the 1147-day average patch time shown in the developer profile.

In short, the analyzed build handles SQL and output escaping well, but the unprotected REST route, the dangerous function calls and the long record of critical and high-severity issues weigh against it. A version with no unpatched CVEs is not the same as a low-risk plugin: the track record implies a higher baseline risk and a real chance of further undiscovered flaws, so updates should be applied promptly.

Key Concerns

  • Unprotected REST API route
  • Presence of dangerous functions (exec, unserialize)
  • History of 3 critical CVEs
  • History of 4 high CVEs
  • History of 11 medium CVEs
  • Flows with unsanitized paths

WP Photo Album Plus Security Vulnerabilities

CVEs by Year

2008: 1
2013: 1
2014: 2
2015: 1
2022: 1
2023: 3
2024: 7
2025: 1
2026: 1

Severity Breakdown

Critical: 3
High: 4
Medium: 11

18 total CVEs

CVE-2025-14835 · high · 7.1 · Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
WP Photo Album Plus <= 9.1.05.008 - Reflected Cross-Site Scripting
Jan 6, 2026 · Patched in 9.1.05.009 (1d)

CVE-2025-8726 · medium · 5.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
WP Photo Album Plus <= 9.0.11.006 - Authenticated (Subscriber+) Stored Cross-Site Scripting via wppa_user_upload
Oct 3, 2025 · Patched in 9.0.11.007 (1d)

CVE-2024-10958 · high · 7.3 · Improper Control of Generation of Code ('Code Injection')
WP Photo Album Plus <= 8.8.08.007 - Unauthenticated Arbitrary Shortcode Execution via getshortcodedrenderedfenodelay
Nov 10, 2024 · Patched in 8.9.01.001 (1d)

CVE-2024-9951 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Wordpress Photo Album Plus <= 8.8.05.003 - Reflected Cross-Site Scripting
Oct 16, 2024 · Patched in 8.8.07.004 (1d)

CVE-2024-38713 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
WP Photo Album Plus <= 8.8.02.002 - Authenticated (Subscriber+) Stored Cross-Site Scripting
Jul 11, 2024 · Patched in 8.8.02.003 (7d)

CVE-2024-37416 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
WP Photo Album Plus <= 8.8.00.002 - Reflected Cross-Site Scripting
Jun 28, 2024 · Patched in 8.8.00.003 (5d)

CVE-2024-4037 · medium · 6.5 · Improper Control of Generation of Code ('Code Injection')
WP Photo Album Plus <= 8.7.02.003 - Unauthenticated Arbitrary Shortcode Execution
May 23, 2024 · Patched in 8.7.00.004 (1d)

CVE-2024-31377 · critical · 10 · Unrestricted Upload of File with Dangerous Type
WP Photo Album Plus <= 8.7.01.001 - Unauthenticated Arbitrary File Upload
May 7, 2024 · Patched in 8.7.01.002 (9d)

CVE-2024-31286 · critical · 9.9 · Unrestricted Upload of File with Dangerous Type
WP Photo Album Plus <= 8.6.03.004 - Authenticated (Subscriber+) Arbitrary File Upload
Apr 5, 2024 · Patched in 8.6.03.005 (6d)

CVE-2023-49774 · medium · 5.3 · Use of Less Trusted Source
WP Photo Album Plus <= 8.5.02.005 - IP Spoofing
Dec 5, 2023 · Patched in 8.6.01.005 (63d)

CVE-2023-49813 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
WP Photo Album Plus <= 8.5.02.005 - Cross-Site Scripting
Dec 5, 2023 · Patched in 8.6.01.005 (63d)

CVE-2023-49812 · medium · 5.3 · Authorization Bypass Through User-Controlled Key
WP Photo Album Plus <= 8.5.02.005 - Insecure Direct Object Reference
Dec 5, 2023 · Patched in 8.6.01.005 (63d)

CVE-2021-25115 · high · 7.2 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
WP Photo Album Plus <= 8.0.10 - Stored Cross-Site Scripting
Jan 2, 2022 · Patched in 8.1.00 (751d)

CVE-2015-3647 · high · 7.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
WP Photo Album Plus < 6.1.3 - Cross-Site Scripting
May 20, 2015 · Patched in 6.1.3 (3170d)

CVE-2014-8814 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
WP Photo Album Plus <= 5.4.17 - Reflected Cross-Site Scripting
Nov 6, 2014 · Patched in 5.4.18 (3365d)

WF-fdbb60e5-4d67-4deb-94e0-788c1fb0e42f-wp-photo-album-plus · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
WP Photo Album Plus <= 5.4.7 - Stored Cross-Site Scripting
Sep 17, 2014 · Patched in 5.4.8 (3415d)

CVE-2013-3254 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
WP Photo Album Plus < 5.0.3 - Cross-Site Scripting
May 6, 2013 · Patched in 5.0.3 (3914d)

CVE-2008-0939 · critical · 9.8 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
WP Photo Album Plus <= 1.1 - SQL Injection
Feb 25, 2008 · Patched in 1.1 (5811d)
Analyzed Mar 16, 2026

WP Photo Album Plus Code Analysis

Dangerous Functions: 6
Raw SQL Queries: 0 (437 prepared)
Unescaped Output: 30 (895 escaped)
Nonce Checks: 56
Capability Checks: 210
File Operations: 6
External Requests: 3
Bundled Libraries: 1

Dangerous Functions Found

exec: exec( escapeshellcmd( $value . '/convert' ), $out, $err ); (wppa-ajax.php:4280)
exec: $run = exec( escapeshellcmd( $path . $command ), $out, $err ); (wppa-photo-files.php:855)
exec: exec( escapeshellcmd( $path . '/convert -version' ), $out, $err ); (wppa-setting-functions.php:660)
unserialize: $result = unserialize( $result ); (wppa-utils.php:5248)
unserialize: return unserialize( $xstring, array( 'allowed_classes' => array( 'wfCart' ) ) ); (wppa-wrappers.php:663)
unserialize: return unserialize( $xstring, array( 'allowed_classes' => false ) ); (wppa-wrappers.php:666)
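Two caveats a reviewer would attach to the list above. The three exec() calls wrap a configured path in escapeshellcmd(), which escapes shell metacharacters but leaves spaces and hyphens alone, so it prevents command chaining but not the injection of extra arguments; the calls are therefore only as safe as the directory value they are built from. And the unserialize() at wppa-utils.php:5248 passes no allowed_classes, unlike the two wrapper calls, so any class named in that blob would be instantiated. The block below is an added example, not code from WP Photo Album Plus, showing the hardened form of both patterns. The wppa_example_ function names and the sample payload are assumptions; it needs PHP 7.1 or later.

```php
<?php
// Added example; not code from WP Photo Album Plus. The wppa_example_ names
// and the sample payload below are assumptions made for illustration.

/**
 * Run "convert -version" from a configured ImageMagick directory.
 *
 * escapeshellcmd() escapes shell metacharacters but leaves spaces and hyphens
 * alone, so a configured value such as "/usr/bin --evil" survives it as extra
 * arguments. Resolving the directory, checking that the binary exists and is
 * executable, and quoting that single argument with escapeshellarg() removes
 * any dependence on the configured value being well formed.
 */
function wppa_example_convert_version( string $configured_dir ): ?string {
    $dir = realpath( $configured_dir );
    if ( false === $dir || ! is_dir( $dir ) ) {
        return null;                            // not an existing directory
    }
    $binary = $dir . DIRECTORY_SEPARATOR . 'convert';
    if ( ! is_file( $binary ) || ! is_executable( $binary ) ) {
        return null;                            // no binary there; never fall back to $PATH
    }
    $output = array();
    $status = 1;
    exec( escapeshellarg( $binary ) . ' -version', $output, $status );
    return 0 === $status ? implode( "\n", $output ) : null;
}

/**
 * Deserialise a blob that may come from an untrusted source.
 *
 * A bare unserialize( $x ) instantiates any class named in the payload, which
 * is the starting point of PHP object-injection gadget chains. With
 * allowed_classes => false every object becomes __PHP_Incomplete_Class, so
 * only scalars and arrays come back as usable values.
 */
function wppa_example_unserialize_safely( string $blob ) {
    $value = @unserialize( $blob, array( 'allowed_classes' => false ) );
    // unserialize() returns false both on failure and for a serialised false;
    // tell the two apart so a malformed blob is not mistaken for data.
    if ( false === $value && 'b:0;' !== $blob ) {
        return null;
    }
    return $value;
}

// Constructed sample input: an object payload of the kind a gadget chain uses.
$payload = 'O:8:"stdClass":1:{s:3:"cmd";s:6:"whoami";}';
$decoded = wppa_example_unserialize_safely( $payload );
var_dump( $decoded instanceof __PHP_Incomplete_Class );            // bool(true): nothing was instantiated
var_dump( wppa_example_unserialize_safely( 'garbage' ) );            // NULL: malformed input rejected
var_dump( wppa_example_convert_version( '/nonexistent --evil' ) );  // NULL: rejected before exec() runs
```

If the serialised data only ever carries arrays and scalars, json_encode/json_decode removes the unserialize() call entirely; the allowed_classes form above is for the case where the storage format cannot change.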

Bundled Libraries

TinyMCE

SQL Query Safety

100% prepared (437 total queries)

Output Escaping

97% escaped (925 total outputs)

Data Flow Analysis

2 flows, 2 with unsanitized paths
wppa_ajax_callback (wppa-ajax.php:45)
(Flow diagram legend only: source (user input), sink (dangerous op), sanitizer, transform, unsanitized and sanitized edges. The individual source and sink nodes are not reproduced on this page.)

WP Photo Album Plus Attack Surface

Entry Points: 8 · Unprotected: 1

AJAX Handlers 2

auth: wp_ajax_wppa (wppa-ajax.php:42)
nopriv: wp_ajax_wppa (wppa-ajax.php:43); the nopriv registration serves requests with no WordPress session

REST API Routes 1

GET, POST: /wp-json/wp-photo-album-plus/endPoint (wppa.php:173)
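The two AJAX registrations above put one callback behind both the authenticated and the nopriv hook for the same action, and the REST route is the entry point the scanner counts as unprotected. As an added example, not the plugin's own code, the block below shows how entry points of both kinds are gated in WordPress: per-sub-action nonce and capability checks inside a shared AJAX callback, and a permission_callback per method on the REST route. The hook names, the REST namespace and the route are taken from the listing above; everything else (the wppa_example_ functions, the 'wppa-action' parameter, the capability names and the nonce action) is assumed for illustration.

```php
<?php
// Added example; not code from WP Photo Album Plus. Hook names, REST namespace
// and route come from the attack-surface listing; the callback bodies, the
// wppa_example_ helpers, the 'wppa-action' parameter, the capability names and
// the nonce action are assumptions made for illustration.

// --- AJAX: one callback behind both the auth and the nopriv hook ---------
// wp_ajax_nopriv_{action} fires for requests with no WordPress session, so a
// callback registered on both hooks cannot assume a logged-in user. Decide per
// sub-action which capability is required and which are deliberately public,
// instead of trusting the caller to only ask for what it may do.
function wppa_example_ajax_callback() {
    $action = isset( $_REQUEST['wppa-action'] )
        ? sanitize_key( wp_unslash( $_REQUEST['wppa-action'] ) )
        : '';

    // Sub-action => required capability; '' marks an intentionally public one.
    $policy = array(
        'render' => '',
        'rate'   => 'read',
        'upload' => 'upload_files',
        'delete' => 'delete_posts',
    );
    if ( ! array_key_exists( $action, $policy ) ) {
        wp_send_json_error( 'unknown action', 400 );   // exits
    }
    if ( '' !== $policy[ $action ] ) {
        // The nonce proves the request was meant (CSRF); the capability check
        // proves the user may do it (authorization). Neither replaces the other.
        check_ajax_referer( 'wppa-ajax-' . $action, 'nonce' );
        if ( ! current_user_can( $policy[ $action ] ) ) {
            wp_send_json_error( 'forbidden', 403 );    // exits
        }
    }
    // ... dispatch to the handler for $action here ...
    wp_send_json_success( array( 'action' => $action ) );
}
add_action( 'wp_ajax_wppa', 'wppa_example_ajax_callback' );
add_action( 'wp_ajax_nopriv_wppa', 'wppa_example_ajax_callback' );

// --- REST: permission_callback is the authorization gate -----------------
// register_rest_route() without a permission_callback has triggered a
// _doing_it_wrong notice since WordPress 5.5, and '__return_true' opens the
// route to everyone. Give each method its own gate; WordPress validates the
// X-WP-Nonce header for cookie-authenticated requests before it runs.
add_action( 'rest_api_init', function () {
    register_rest_route( 'wp-photo-album-plus', '/endPoint', array(
        array(
            'methods'             => WP_REST_Server::READABLE,   // GET
            'callback'            => 'wppa_example_rest_read',
            'permission_callback' => '__return_true',            // public read, on purpose
        ),
        array(
            'methods'             => WP_REST_Server::CREATABLE,  // POST
            'callback'            => 'wppa_example_rest_write',
            'permission_callback' => function ( WP_REST_Request $request ) {
                if ( current_user_can( 'upload_files' ) ) {
                    return true;
                }
                // 401 for anonymous callers, 403 for logged-in users lacking the capability.
                return new WP_Error(
                    'rest_forbidden',
                    'Insufficient permissions.',
                    array( 'status' => rest_authorization_required_code() )
                );
            },
            'args' => array(
                'title' => array(
                    'required'          => true,
                    'sanitize_callback' => 'sanitize_text_field',
                ),
            ),
        ),
    ) );
} );

function wppa_example_rest_read( WP_REST_Request $request ) {
    return rest_ensure_response( array( 'ok' => true ) );
}

function wppa_example_rest_write( WP_REST_Request $request ) {
    // 'title' has already been through sanitize_text_field via the args schema.
    return rest_ensure_response( array( 'title' => $request->get_param( 'title' ) ) );
}
```

To check a live site from outside, send an unauthenticated request to /wp-json/wp-photo-album-plus/endPoint: a rest_forbidden error (HTTP 401 without a session, 403 with one) shows a permission callback is in place. A 200 on its own does not prove the route is exploitable, since the callback may still validate its input; it only confirms the scanner's finding that nothing gates the route before the callback. The REST index at /wp-json/ lists every registered route with its methods, which is how a scanner finds entries like this one.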

Shortcodes 5

[cart] wppa-cart.php:115
[wppa_div] wppa-filter.php:122
[wppa] wppa-filter.php:1041
[wppa_set] wppa-filter.php:1080
[photo] wppa-filter.php:1125

WordPress Hooks 121

action admin_footer (blocks\common\index.php:10)
action admin_init (blocks\common\index.php:65)
action init (blocks\general\index.php:28)
action init (blocks\photo\index.php:28)
action init (blocks\potd\index.php:28)
action init (blocks\slideshow\index.php:28)
action init (blocks\upload\index.php:28)
action init (wppa-admin.php:14)
action admin_menu (wppa-admin.php:17)
action admin_init (wppa-admin.php:222)
action admin_enqueue_scripts (wppa-admin.php:254)
action admin_init (wppa-admin.php:284)
action admin_init (wppa-admin.php:443)
filter plugin_row_meta (wppa-admin.php:458)
action admin_notices (wppa-admin.php:461)
action admin_notices (wppa-admin.php:464)
action admin_notices (wppa-admin.php:467)
action admin_init (wppa-admin.php:470)
action admin_init (wppa-admin.php:473)
action admin_footer (wppa-admin.php:479)
filter block_categories_all (wppa-admin.php:503)
action save_post (wppa-admin.php:529)
action delete_user (wppa-admin.php:567)
action admin_notices (wppa-admin.php:571)
action admin_bar_menu (wppa-adminbar.php:12)
action widgets_init (wppa-admins-choice-widget.php:113)
action template_redirect (wppa-ajax.php:20)
action init (wppa-ajax.php:31)
filter query_vars (wppa-ajax.php:39)
action widgets_init (wppa-album-navigator-widget.php:390)
action widgets_init (wppa-album-widget.php:452)
action widgets_init (wppa-bestof-widget.php:251)
action init (wppa-cloudinary.php:10)
action widgets_init (wppa-comment-widget.php:202)
action wppa_cron_event (wppa-cron.php:22)
action wppa_cleanup (wppa-cron.php:134)
action wppa_update_treecounts (wppa-cron.php:351)
action do_meta_boxes (wppa-dashboard-widgets.php:14)
action do_meta_boxes (wppa-dashboard-widgets.php:56)
action do_meta_boxes (wppa-dashboard-widgets.php:188)
action widgets_init (wppa-featen-widget.php:272)
action init (wppa-filter.php:13)
filter the_content (wppa-filter.php:17)
action widgets_init (wppa-gp-widget.php:142)
action init (wppa-gutenberg-wppa.php:24)
action admin_notices (wppa-init.php:315)
action admin_notices (wppa-init.php:339)
action admin_notices (wppa-init.php:402)
filter gettext (wppa-init.php:543)
filter widget_title (wppa-init.php:544)
filter translate_text (wppa-init.php:545)
filter gettext (wppa-init.php:547)
action init (wppa-init.php:550)
action wp_head (wppa-init.php:560)
action admin_head (wppa-init.php:561)
filter upload_mimes (wppa-init.php:570)
action plugins_loaded (wppa-input.php:13)
action widgets_init (wppa-lasten-widget.php:292)
action admin_footer (wppa-listtable.php:70)
action wppa_do_mailinglist_cron (wppa-mailing.php:25)
action widgets_init (wppa-multitag-widget.php:155)
action wp_enqueue_scripts (wppa-non-admin.php:22)
action wp_head (wppa-non-admin.php:65)
action init (wppa-non-admin.php:308)
action wp_footer (wppa-non-admin.php:336)
filter jetpack_photon_skip_image (wppa-non-admin.php:371)
filter widget_text (wppa-non-admin.php:379)
filter bbp_after_get_the_content_parse_args (wppa-non-admin.php:391)
filter bbp_get_teeny_mce_buttons (wppa-non-admin.php:403)
filter bbp_get_topic_content (wppa-non-admin.php:413)
filter bbp_get_reply_content (wppa-non-admin.php:414)
filter autoptimize_filter_js_noptimize (wppa-non-admin.php:417)
action widgets_init (wppa-notify-widget.php:104)
action wppa_pdf_to_album (wppa-photo-files.php:1184)
action widgets_init (wppa-potd-widget.php:271)
filter wp_privacy_personal_data_exporters (wppa-privacy-policy.php:71)
filter wp_privacy_personal_data_erasers (wppa-privacy-policy.php:108)
filter wp_privacy_personal_data_exporters (wppa-privacy-policy.php:176)
filter wp_privacy_personal_data_erasers (wppa-privacy-policy.php:221)
filter wp_privacy_personal_data_exporters (wppa-privacy-policy.php:440)
action wp_privacy_personal_data_export_file_created (wppa-privacy-policy.php:446)
filter wp_privacy_personal_data_erasers (wppa-privacy-policy.php:602)
action admin_init (wppa-privacy-policy.php:636)
action widgets_init (wppa-qr-widget.php:113)
action init (wppa-scripts.php:306)
action wp_head (wppa-scripts.php:508)
action admin_head (wppa-scripts.php:509)
action wp_footer (wppa-scripts.php:561)
action widgets_init (wppa-search-widget.php:211)
action init (wppa-setting-see-also.php:12)
action admin_notices (wppa-setup.php:381)
action widgets_init (wppa-slideshow-widget.php:357)
action widgets_init (wppa-stats-widget.php:310)
action widgets_init (wppa-stereo-widget.php:93)
action init (wppa-stereo.php:12)
action widgets_init (wppa-super-view-widget.php:132)
action widgets_init (wppa-tagcloud-widget.php:146)
action widgets_init (wppa-thumbnail-widget.php:270)
action init (wppa-tinymce-photo-front.php:11)
filter mce_buttons (wppa-tinymce-photo-front.php:17)
filter mce_external_plugins (wppa-tinymce-photo-front.php:18)
action admin_init (wppa-tinymce-photo.php:11)
filter mce_buttons (wppa-tinymce-photo.php:17)
filter mce_external_plugins (wppa-tinymce-photo.php:18)
action admin_init (wppa-tinymce-shortcodes.php:10)
filter mce_buttons (wppa-tinymce-shortcodes.php:18)
filter mce_external_plugins (wppa-tinymce-shortcodes.php:19)
action widgets_init (wppa-topten-widget.php:619)
action widgets_init (wppa-upldr-widget.php:303)
filter wp_read_video_metadata (wppa-upload-common.php:507)
action widgets_init (wppa-upload-widget.php:128)
filter safe_style_css (wppa-wrappers.php:1099)
action plugins_loaded (wppa.php:32)
action plugins_loaded (wppa.php:48)
action init (wppa.php:156)
action admin_init (wppa.php:157)
action init (wppa.php:160)
action init (wppa.php:163)
action init (wppa.php:166)
action shutdown (wppa.php:169)
action rest_api_init (wppa.php:172)

Scheduled Events 6

wppa_cron_event
wppa_cleanup
wppa_cleanup
wppa_update_treecounts
wppa_do_mailinglist_cron
wppa_pdf_to_album

WP Photo Album Plus Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Mar 14, 2026
PHP min version: 5.5
Downloads: 3.4M

Community Trust

Rating: 94/100
Number of ratings: 199
Active installs: 10K

WP Photo Album Plus Developer Profile

Jacob N. Breetvelt

6 plugins · 10K total installs

Trust score: 76
Avg Security Score: 96/100
Avg Patch Time: 1147 days

How We Detect WP Photo Album Plus

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.
