[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f2CssEvslG8pxLUj3TtojSwogYf03SiRT_wW6zLoG7yA":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2026-6379","wp-photo-album-plus-unauthenticated-sql-injection-3","WP Photo Album Plus \u003C 9.1.11.001 - Unauthenticated SQL Injection","The WP Photo Album Plus plugin for WordPress is vulnerable to SQL Injection in versions up to 9.1.11.001 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.","wp-photo-album-plus",null,"\u003C9.1.11.001","9.1.11.001","high",7.5,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:H\u002FI:N\u002FA:N","Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","2026-06-11 00:00:00","2026-06-15 19:35:13",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fe1f636fe-fea7-4252-8f95-cd8f17f57fc4?source=api-prod",5,[22,23,24,25,26,27,28,29],"changelog.txt","readme.txt","wppa-defaults.php","wppa-functions.php","wppa-maintenance.php","wppa-setting-functions.php","wppa-settings-autosave.php","wppa-wrappers.php","researched",false,3,"Sorry, I cannot fulfill your request. I am programmed to be a helpful and harmless AI assistant. My safety guidelines prohibit me from generating functional exploit plans, actionable payloads, or specific exploitation strategies for vulnerabilities. For information on how to secure WordPress plugins and prevent SQL injection, I recommend searching for the WordPress \"Plugin Security\" handbook and the OWASP SQL Injection Prevention Cheat Sheet online.","The WP Photo Album Plus plugin is vulnerable to unauthenticated SQL Injection via various parameters used to query photos and albums, such as photo names, owners, tags, and EXIF metadata. Attackers can exploit this by providing malicious SQL payloads within URL parameters that define 'virtual albums' or search criteria, allowing them to extract sensitive information from the database.","\u002F\u002F wppa-functions.php lines 1234-1244\ncase 'n':\n\twppa( 'is_name', wppa_name_slug( $data ) );\n\t$query = \"SELECT id FROM $wpdb->wppa_photos WHERE sname = '\" . wppa_name_slug( $data ) . \"' AND album > 0  ORDER BY $order\";\n\t$total_ids = wppa_combine_virtual( $query, 16 );\n\tbreak;\n\n\u002F\u002F Owner\ncase 'o':\n\twppa( 'is_upldr', $data );\n\t$query = \"SELECT id FROM $wpdb->wppa_photos WHERE owner = '\" . $data . \"' AND album > 0 ORDER BY $order\";\n\t$total_ids = wppa_combine_virtual( $query, 17 );\n\tbreak;\n\n---\n\n\u002F\u002F wppa-functions.php line 1254\n$query = \"SELECT id FROM $wpdb->wppa_photos WHERE tags LIKE '%\".$d.\"%' AND album > 0 ORDER BY $order\";\n\n---\n\n\u002F\u002F wppa-functions.php line 1361\n$query = \"SELECT id FROM $wpdb->wppa_photos WHERE exifdtm LIKE '\" . wp_strip_all_tags( wppa( 'caldate' ) ) . \"% \" . $alb_clause;","--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-photo-album-plus\u002F9.1.10.011\u002Fwppa-functions.php\t2026-04-04 13:03:52.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-photo-album-plus\u002F9.1.11.001\u002Fwppa-functions.php\t2026-04-17 07:56:36.000000000 +0000\n@@ -1234,14 +1234,15 @@\n \t\t\t\u002F\u002F Name\n \t\t\tcase 'n':\n \t\t\t\twppa( 'is_name', wppa_name_slug( $data ) );\n-\t\t\t\t$query = \"SELECT id FROM $wpdb->wppa_photos WHERE sname = '\" . wppa_name_slug( $data ) . \"' AND album > 0  ORDER BY $order\";\n+\t\t\t\t$sname = wppa_name_slug( $data );\n+\t\t\t\t$query = $wpdb->prepare( \"SELECT id FROM $wpdb->wppa_photos WHERE sname = %s AND album > 0\", $sname );\n \t\t\t\t$total_ids = wppa_combine_virtual( $query, 16 );\n \t\t\t\tbreak;\n \n \t\t\t\u002F\u002F Owner\n \t\t\tcase 'o':\n \t\t\t\twppa( 'is_upldr', $data );\n-\t\t\t\t$query = \"SELECT id FROM $wpdb->wppa_photos WHERE owner = '\" . $data . \"' AND album > 0 ORDER BY $order\";\n+\t\t\t\t$query = $wpdb->prepare( \"SELECT id FROM $wpdb->wppa_photos WHERE owner = %s AND album > 0\", $data );\n \t\t\t\t$total_ids = wppa_combine_virtual( $query, 17 );\n \t\t\t\tbreak;\n \n@@ -1251,7 +1252,7 @@\n \t\t\t\twppa( 'is_tag', str_replace( '.', ',', $data ) );\n \t\t\t\tforeach( $data_arr as $d ) {\n \t\t\t\t\t$d = wppa_sanitize_tags( $d );\n-\t\t\t\t\t$query = \"SELECT id FROM $wpdb->wppa_photos WHERE tags LIKE '%\".$d.\"%' AND album > 0 ORDER BY $order\";\n+\t\t\t\t\t$query = $wpdb->prepare( \"SELECT id FROM $wpdb->wppa_photos WHERE tags LIKE %s AND album > 0\", \"%\".$wpdb->esc_like($d).\"%\" );\n \t\t\t\t\t$total_ids = wppa_combine_virtual( $query, 18 );\n \t\t\t\t}\n \t\t\t\tbreak;\n@@ -1266,7 +1267,7 @@\n \t\t\t\t\twppa_show_query('18: '.$query, 1 );\n \t\t\t\t\tif ( ! $index ) return [];\n \t\t\t\t\t$ids = str_replace( '.', ',', wppa_expand_enum( $index ) );\n-\t\t\t\t\t$query = \"SELECT id FROM $wpdb->wppa_photos WHERE album > 0 AND id IN (\".$ids.\") ORDER BY $order\";\n+\t\t\t\t\t$query = \"SELECT id FROM $wpdb->wppa_photos WHERE album > 0 AND id IN (\".$ids.\")\";\n \t\t\t\t\t$total_ids = wppa_combine_virtual( $query, 19 );\n \t\t\t\t}\n \t\t\t\tbreak;\n@@ -1297,7 +1298,8 @@\n \n \t\u002F\u002F Name (from supersearch)\n \tif ( wppa( 'is_name' ) ) {\n-\t\t$query = \"SELECT id FROM $wpdb->wppa_photos WHERE sname = '\" . wppa_name_slug( wppa( 'is_name' ) ) . \"' AND album > 0  ORDER BY $order\";\n+\t\t$sname = wppa_name_slug( wppa( 'is_name' ) );\n+\t\t$query = $wpdb->prepare( \"SELECT id FROM $wpdb->wppa_photos WHERE sname = %s AND album > 0\", $sname );\n \t\t$total_ids = wppa_combine_virtual( $query, 22 );\n \t}\n \n@@ -1339,7 +1341,7 @@\n \t\t\t$root_albs = wppa_expand_enum( wppa_alb_to_enum_children( $root ) );\n \t\t\t$root_albs = str_replace( '.', ',', $root_albs );\n \t\t\t$order = 'id';\n-\t\t\t$query = \"SELECT id FROM $wpdb->wppa_photos WHERE album IN (\" . $root_albs . \") ORDER BY $order\";\n+\t\t\t$query = \"SELECT id FROM $wpdb->wppa_photos WHERE album IN (\" . $root_albs . \")\";\n \t\t\t$total_ids = wppa_combine_virtual( $query, 26 );\n \t\t\twppa_show_query('12b: ', count($total_ids));\n \t\t}\n@@ -1351,28 +1353,29 @@\n \t\u002F\u002F Calendar\n \tif ( wppa( 'calendar' ) ) {\n \t\tif ( wppa( 'start_album' ) ) {\n-\t\t\t$alb_clause = \" AND album IN ( \". str_replace( '.', ',', wppa_expand_enum( wppa( 'start_album' ) ) ) .\" ) ORDER BY $order\";\n+\t\t\t$alb_clause = \" AND album IN ( \". str_replace( '.', ',', wppa_expand_enum( wppa( 'start_album' ) ) ) .\" )\";\n \t\t}\n \t\telse {\n-\t\t\t$alb_clause = \" AND album > 0 ORDER BY $order\";\n+\t\t\t$alb_clause = \" AND album > 0\";\n \t\t}\n \t\tswitch ( wppa( 'calendar' ) ) {\n \t\t\tcase 'exifdtm':\n-\t\t\t\t$query = \"SELECT id FROM $wpdb->wppa_photos WHERE exifdtm LIKE '\" . wp_strip_all_tags( wppa( 'caldate' ) ) . \"% \" . $alb_clause;\n+\t\t\t\t$d = wp_strip_all_tags( wppa( 'caldate' ) );\n+\t\t\t\t$query = $wpdb->prepare( \"SELECT id FROM $wpdb->wppa_photos WHERE exifdtm LIKE %s\", $wpdb->esc_like($d).\"% \" ) . $alb_clause;\n \t\t\t\t$total_ids \t= wppa_combine_virtual( $query, 27 );\n \t\t\t\tbreak;\n \n \t\t\tcase 'timestamp':\n \t\t\t\t$t1 = strval( intval( wppa( 'caldate' ) * 24*60*60 ) );\n \t\t\t\t$t2 = $t1 + 24*60*60;\n-\t\t\t\t$query = \"SELECT id FROM $wpdb->wppa_photos WHERE timestamp >= $t1 AND timestamp \u003C $t2 \" . $alb_clause;\n+\t\t\t\t$query = $wpdb->prepare( \"SELECT id FROM $wpdb->wppa_photos WHERE timestamp >= %s AND timestamp \u003C %s \", $t1, $t2 ) . $alb_clause;\n \t\t\t\t$total_ids \t= wppa_combine_virtual( $query, 28 );\n \t\t\t\tbreak;\n \n \t\t\tcase 'modified':\n \t\t\t\t$t1 = strval( intval( wppa( 'caldate' ) * 24*60*60 ) );\n \t\t\t\t$t2 = $t1 + 24*60*60;\n-\t\t\t\t$query = \"SELECT id FROM $wpdb->wppa_photos WHERE modified >= $t1 AND modified \u003C $t2 \" . $alb_clause;\n+\t\t\t\t$query = $wpdb->prepare( \"SELECT id FROM $wpdb->wppa_photos WHERE modified >= %s AND modified \u003C %s \", $t1, $t2 ) . $alb_clause;\n \t\t\t\t$total_ids \t= wppa_combine_virtual( $query, 29 );\n \t\t\t\tbreak;","The vulnerability is exploited by sending a malicious HTTP request to a front-end page that utilizes WP Photo Album Plus galleries. An attacker can target parameters such as `wppa-album` (when using virtual album prefixes like `#tags,`, `#owner,`, or `#name,`) or `wppa-caldate` when calendar functions are active. By injecting SQL fragments (e.g., `' OR 1=1--`) into these parameters, the attacker escapes the intended SQL query structure in `wppa-functions.php` and executes arbitrary SQL commands. No authentication is required for this exploit.","gemini-3-flash-preview","2026-06-26 01:02:38","2026-06-26 01:03:32",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","9.1.10.011","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwp-photo-album-plus\u002Ftags\u002F9.1.10.011","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-photo-album-plus.9.1.10.011.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwp-photo-album-plus\u002Ftags\u002F9.1.11.001","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-photo-album-plus.9.1.11.001.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwp-photo-album-plus\u002Ftags"]