WP Photo Album Plus <= 9.1.13.005 - Unauthenticated SQL Injection
Description
The WP Photo Album Plus plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 9.1.13.005 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NTechnical Details
<=9.1.13.005What Changed in the Fix
Changes introduced in v9.2.01.001
Source Code
WordPress.org SVN# WP Photo Album Plus <= 9.1.13.005 - Unauthenticated SQL Injection Research Plan ## 1. Vulnerability Summary The **WP Photo Album Plus** plugin for WordPress is vulnerable to **Unauthenticated SQL Injection** in versions up to and including **9.1.13.005**. The vulnerability exists because the plug…
Show full research plan
WP Photo Album Plus <= 9.1.13.005 - Unauthenticated SQL Injection Research Plan
1. Vulnerability Summary
The WP Photo Album Plus plugin for WordPress is vulnerable to Unauthenticated SQL Injection in versions up to and including 9.1.13.005. The vulnerability exists because the plugin handles user-supplied parameters in AJAX actions via the wppa_ajax_callback function and incorporates them into SQL queries without sufficient escaping or using $wpdb->prepare(). Specifically, the plugin uses a custom wrapper wppa_get_results() which, in many instances, is called with raw SQL strings built via concatenation.
2. Attack Vector Analysis
- Endpoint:
/wp-admin/admin-ajax.php - WordPress Action:
wppa(Registered for bothwp_ajax_andwp_ajax_nopriv_) - Plugin Action (sub-action): Determined by the
wppa-action(or sometimesaction) parameter. Likely candidates for unauthenticated injection aresearch,photo-list, orget-album-list. - Vulnerable Parameter:
wppa-album,wppa-photo,wppa-searchstring, orwppa-occur. - Authentication: Not required (Unauthenticated).
- Preconditions: Plugin version <= 9.1.13.005 must be active.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.