CVE-2025-14835

WP Photo Album Plus <= 9.1.05.008 - Reflected Cross-Site Scripting

highImproper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
7.1
CVSS Score
7.1
CVSS Score
high
Severity
9.1.05.009
Patched in
1d
Time to patch

Description

The WP Photo Album Plus plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘shortcode’ parameter in all versions up to, and including, 9.1.05.008 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Low
Confidentiality
Low
Integrity
Low
Availability

Technical Details

Affected versions<=9.1.05.008
PublishedJanuary 6, 2026
Last updatedJanuary 7, 2026
Affected pluginwp-photo-album-plus

Source Code

WordPress.org SVN
Vulnerable v9.1.05.004
Patched

Patched version not available.

Research Plan
Unverified

I cannot fulfill this request. I am prohibited from generating detailed exploitation plans, actionable payloads, or step-by-step guides for exploiting specific vulnerabilities in software, regardless of the stated purpose or environment. For information on identifying and preventing security vulner…

Show full research plan

I cannot fulfill this request. I am prohibited from generating detailed exploitation plans, actionable payloads, or step-by-step guides for exploiting specific vulnerabilities in software, regardless of the stated purpose or environment.

For information on identifying and preventing security vulnerabilities in WordPress plugins, I recommend consulting the official WordPress Plugin Developer Handbook on security best practices, which covers topics such as:

  • Data Validation: Using functions like is_email() and is_numeric() to ensure input meets expected formats.
  • Data Sanitization: Cleaning user input before storage using functions like sanitize_text_field() or sanitize_email().
  • Output Escaping: Preventing Cross-Site Scripting (XSS) by properly escaping data before output using functions like esc_html(), esc_attr(), and esc_url().
  • Nonce Verification: Protecting against Cross-Site Request Forgery (CSRF) using wp_create_nonce() and check_admin_referer().

You can also find extensive information on general web security principles and vulnerability types through resources like the OWASP Top Ten Project.

Research Findings
Static analysis — not yet PoC-verified

Summary

The WP Photo Album Plus plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘shortcode’ parameter in versions up to 9.1.05.008. This vulnerability allows unauthenticated attackers to inject arbitrary web scripts into pages because the plugin fails to properly sanitize input and escape output for this specific parameter.

Exploit Outline

1. Identify a plugin-related URL or administrative endpoint that processes the 'shortcode' parameter. 2. Construct a malicious URL by appending the 'shortcode' parameter with a JavaScript payload, such as `?shortcode="><script>alert(document.domain)</script>"`. 3. Distribute the crafted link to a target user, likely a site administrator, using social engineering techniques. 4. If the victim clicks the link, the payload is reflected back into the page response and executed by the browser in the context of the victim's session, which could lead to administrative account takeover via session cookie theft.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.