PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-6379 WP Photo Album Plus CVE debrief

WP Photo Album Plus, a WordPress plugin, contains an unauthenticated SQL injection vulnerability in versions prior to 9.1.11.001. The flaw stems from a request parameter that is neither sanitized nor escaped before it is used in a SQL query, allowing remote attackers to alter database queries without authenticating. The CVSS 3.1 base score of 8.6 (HIGH) reflects network attack vector, low attack complexity, no privileges required, no user interaction, and changed scope with high confidentiality impact and no integrity or availability impact (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N). The CVE record was published on 2026-05-18 and last modified the same day. No exploitation in ransomware campaigns has been documented, and the vulnerability does not appear on CISA's Known Exploited Vulnerabilities catalog.

Vendor: WP Photo Album Plus
Product: WP Photo Album Plus
CVSS: HIGH 8.6
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-18
Original CVE updated: 2026-05-18
Advisory published: 2026-05-18
Advisory updated: 2026-05-18

Who should care

WordPress site administrators using WP Photo Album Plus; security teams managing WordPress estates; web application firewall operators; managed service providers hosting WordPress environments

Technical summary

The WP Photo Album Plus plugin fails to sanitize and escape a parameter before incorporating it into a SQL query. Because no authentication is required (PR:N), the affected code path is reachable by anyone who can send requests to the site, and an attacker who controls the parameter can inject arbitrary SQL and read data from the WordPress database that the query was never meant to expose. The vulnerability is classified as CWE-89 (Improper Neutralization of Special Elements used in an SQL Command).
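To make the CWE-89 pattern concrete, the following is an added example, not code from WP Photo Album Plus (this page does not identify the plugin's vulnerable parameter or query). It builds the same defect against an in-memory SQLite database through PDO so that it runs without WordPress; the table, column, function and parameter names are hypothetical. The prepared-statement form is the fix the defensive action about parameterized queries refers to; in a real plugin the equivalent call is $wpdb->prepare(), shown in a comment.

```php
<?php
// Added example (not plugin code): the CWE-89 pattern described in the advisory,
// demonstrated against an in-memory SQLite database via PDO.
// Table, column and parameter names below are hypothetical.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE photos (id INTEGER PRIMARY KEY, album INTEGER, owner TEXT, name TEXT)');
$db->exec("INSERT INTO photos VALUES (1, 7, 'alice', 'beach.jpg'),
                                     (2, 7, 'bob',   'private.jpg'),
                                     (3, 9, 'carol', 'cat.jpg')");

// Vulnerable form: the request-supplied value is interpolated straight into
// the SQL text, so a crafted value rewrites the WHERE clause.
function photos_by_owner_vulnerable(PDO $db, string $owner): array
{
    $sql = "SELECT name FROM photos WHERE owner = '" . $owner . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened form: the value is bound as a parameter and is never parsed as SQL.
// In a WordPress plugin the equivalent is:
//   $wpdb->get_col( $wpdb->prepare(
//       "SELECT name FROM {$wpdb->prefix}photos WHERE owner = %s", $owner ) );
function photos_by_owner_prepared(PDO $db, string $owner): array
{
    $stmt = $db->prepare('SELECT name FROM photos WHERE owner = :owner');
    $stmt->execute([':owner' => $owner]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$benign  = 'alice';
$payload = "alice' OR '1'='1";   // constructed input: closes the quote, widens the predicate

printf("vulnerable, benign : %s\n", implode(',', photos_by_owner_vulnerable($db, $benign)));
printf("vulnerable, payload: %s\n", implode(',', photos_by_owner_vulnerable($db, $payload)));
printf("prepared,   benign : %s\n", implode(',', photos_by_owner_prepared($db, $benign)));
printf("prepared,   payload: %s\n", implode(',', photos_by_owner_prepared($db, $payload)));
```

With the crafted value, the interpolated query returns every row in the table, which is the confidentiality impact the CVSS vector records; the prepared query returns nothing, because the value is compared literally against the owner column. Escaping the value before interpolation would also defeat this particular payload, but binding parameters (or $wpdb->prepare() in WordPress) removes the whole class of mistakes rather than one instance of it.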

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade WP Photo Album Plus to version 9.1.11.001 or later immediately, and confirm the installed version afterwards
  • Review web application firewall rules for SQL injection patterns in requests to WordPress photo album functionality
  • Audit web-server access logs and, where query logging is enabled, database logs for SQL injection patterns in unauthenticated requests, covering at least the period from the 2026-05-18 publication date onwards
  • Use prepared statements and parameterized queries ($wpdb->prepare() in WordPress) as defense-in-depth in any custom WordPress integrations
  • Enable plugin auto-updates so that future security releases are applied promptly
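As a starting point for the WAF-review and log-audit actions, the following added triage script (not a PatchSiren or plugin artifact) scans web-server access-log lines for common SQL injection indicators in the URL-decoded query string and reports which lines matched and why. The log lines, request paths and parameter names are constructed for illustration; this page does not identify the plugin's vulnerable endpoint or parameter, so once the vendor details are known the results should be filtered to that endpoint.

```php
<?php
// Added example: first-pass SQL injection triage over access-log lines.
// The log content, paths and parameter names below are constructed, not real traffic.

$log = <<<'LOG'
203.0.113.5 - - [18/May/2026:09:12:01 +0000] "GET /wp-admin/admin-ajax.php?action=example&album=7 HTTP/1.1" 200 4821
203.0.113.5 - - [18/May/2026:09:12:44 +0000] "GET /wp-admin/admin-ajax.php?action=example&album=7%27%20UNION%20SELECT%201%2C2%2C3--%20- HTTP/1.1" 200 9130
198.51.100.9 - - [18/May/2026:09:13:10 +0000] "GET /wp-admin/admin-ajax.php?action=example&id=3%20AND%20SLEEP(5) HTTP/1.1" 200 77
198.51.100.9 - - [18/May/2026:09:14:02 +0000] "GET /?p=12 HTTP/1.1" 200 3012
LOG;

// Generic SQL injection indicators; tune to the WAF in use and to the
// plugin's real parameters once they are known.
$indicators = [
    'union-select' => '/\bunion\b[\s\/\*]+(all[\s\/\*]+)?select\b/i',
    'tautology'    => '/(\'|")\s*or\s*(\'|")?\d*(\'|")?\s*=\s*/i',
    'time-based'   => '/\b(sleep|benchmark|pg_sleep|waitfor)\s*\(/i',
    'comment'      => '/(--\s|#|\/\*)/',
    'schema-probe' => '/\binformation_schema\b/i',
];

function scan_access_log(string $log, array $indicators): array
{
    $hits = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        // Pull the request target out of the quoted request line.
        if (!preg_match('/"(?:GET|POST|HEAD)\s+(\S+)\s+HTTP/', $line, $m)) {
            continue;
        }
        $target = $m[1];
        $query  = parse_url($target, PHP_URL_QUERY);
        if ($query === null || $query === false) {
            continue;
        }
        // Decode twice to catch double-encoded payloads; decoding plain text is a no-op.
        $decoded = urldecode(urldecode($query));
        $matched = [];
        foreach ($indicators as $name => $re) {
            if (preg_match($re, $decoded)) {
                $matched[] = $name;
            }
        }
        if ($matched) {
            $hits[] = [
                'ip'         => explode(' ', $line, 2)[0],
                'target'     => $target,
                'indicators' => $matched,
            ];
        }
    }
    return $hits;
}

foreach (scan_access_log($log, $indicators) as $hit) {
    printf("%-14s %-24s %s\n", $hit['ip'], implode(',', $hit['indicators']), $hit['target']);
}
```

The script flags indicators, not confirmed exploitation: a hit is a line to pull into the investigation, together with the HTTP status, response size and the other requests from the same source, not a verdict on its own. Requests that match union-select or schema-probe against a plugin endpoint while returning larger-than-normal responses are the ones most consistent with the data extraction this advisory describes.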

Evidence notes

The vulnerability description and affected version range are derived from the official CVE record and the NVD entry. The WPScan reference confirms the plugin-specific technical details. The CVSS vector and score are sourced from NVD metadata. Vendor identification is marked as low confidence and requires review because the source data classifies the vendor as 'Unknown Vendor'.
