Which WP Photo Album Plus CVEs are tracked?

WP Photo Album Plus tracked CVEs include CVE-2024-31377, CVE-2024-31286, CVE-2008-0939, CVE-2026-39511, and CVE-2024-10958.

How many WP Photo Album Plus vulnerabilities have patch guidance?

19 of 19 tracked WP Photo Album Plus records include a published patch path.

Where should operators start on this Plugin hub?

Start with the priority CVE quick links, then open the full report for affected versions, remediation notes, CVSS vectors, and source references.

Plugin Vulnerability Hub

Plugin 19 known issues Latest disclosed Apr 13, 2026

WP Photo Album Plus Vulnerabilities

Review known vulnerability records for the WordPress plugin WP Photo Album Plus (`wp-photo-album-plus`), including severity, CVE references, affected versions, and patch status.

Recent tracked CVEs on this page include CVE-2026-39511, CVE-2025-14835 and CVE-2025-8726, so operators can jump from disclosure to patch validation without scanning the full feed first.

View on WordPress.org Back to Feed

Known Records

High or Critical

Patch Coverage

100%

Last Updated

Apr 21, 2026

Related Security Guides

Use these guides while reviewing WP Photo Album Plus fixes

Pair this plugin vulnerability hub with practical WordPress hardening, scanner, and patch workflow guidance.

Hardening

WordPress hardening checklist for exposed plugins

Review patch cadence, privileged access, XML-RPC exposure, backups, and monitoring controls.

Plugin Security

WordPress plugin security basics for patch decisions

Use ownership, update testing, least privilege, and removal criteria to reduce plugin risk.

Scanning

WordPress vulnerability scanner buyer's guide

Compare scanner coverage for plugin CVEs, version detection, alert noise, and remediation workflow.

Patch Decision Workflow

How to prioritize WP Photo Album Plus remediation

Use the hub as a decision layer before opening individual records: confirm whether the issue has a CVE, whether a fixed version exists, and whether the affected range overlaps production installs.

Search-Ready Records

1. Match the Package

Confirm the installed WordPress plugin slug is wp-photo-album-plus before acting on any CVE from this cluster.

2. Sort by Severity

Start with 8 high or critical records, then review medium and unrated findings with public references.

3. Check Patch Evidence

19 records include a patch path; verify compatibility before closing the finding.

4. Monitor Gaps

0 records still lack a listed fixed release, so keep this hub in the review queue.

High-Signal Remediation Targets

CVE-2024-31377 Critical

Remote Code Execution remediation for WP Photo Album Plus

Affected range: Versions up to 8.7.01.001. Fixed version: 8.7.01.002.

CVE-2024-31286 Critical

Remote Code Execution remediation for WP Photo Album Plus

Affected range: Versions up to 8.6.03.004. Fixed version: 8.6.03.005.

CVE-2008-0939 Critical

SQL Injection remediation for WP Photo Album Plus

Affected range: Versions up to 1.0. Fixed version: 1.1.

CVE-2026-39511 High

SQL Injection remediation for WP Photo Album Plus

Affected range: Versions up to 9.1.08.001. Fixed version: 9.1.08.002.

Priority CVE Quick Links

Fast paths into WP Photo Album Plus CVE reports

Start with the highest-signal CVE records for this WordPress plugin before scanning the full vulnerability feed.

Indexed CVEs

Tracked CVE	Issue Type	Affected Versions	Fixed Version	CVSS
CVE-2024-31377 WP Photo Album Plus <= 8.7.01.001 - Unauthenticated Arbitrary File Upload	Remote Code Execution	Versions up to 8.7.01.001	8.7.01.002	CVSS 10.0
CVE-2024-31286 WP Photo Album Plus <= 8.6.03.004 - Authenticated (Subscriber+) Arbitrary File Uploa...	Remote Code Execution	Versions up to 8.6.03.004	8.6.03.005	CVSS 9.9
CVE-2008-0939 WP Photo Album Plus <= 1.1 - SQL Injection	SQL Injection	Versions up to 1.0	1.1	CVSS 9.8
CVE-2026-39511 WP Photo Album Plus <= 9.1.08.001 - Unauthenticated SQL Injection	SQL Injection	Versions up to 9.1.08.001	9.1.08.002	CVSS 7.5
CVE-2024-10958 WP Photo Album Plus <= 8.8.08.007 - Unauthenticated Arbitrary Shortcode Execution vi...	Vulnerability	Versions up to 8.8.08.007	8.9.01.001	CVSS 7.3
CVE-2021-25115 WP Photo Album Plus <= 8.0.10 - Stored Cross-Site Scripting	Stored Cross-Site Scripting	Versions before 8.0.10	8.1.00	CVSS 7.2
CVE-2025-14835 WP Photo Album Plus <= 9.1.05.008 - Reflected Cross-Site Scripting	Cross-Site Scripting	Versions up to 9.1.05.008	9.1.05.009	CVSS 7.1
CVE-2015-3647 WP Photo Album Plus < 6.1.3 - Cross-Site Scripting	Cross-Site Scripting	Versions before 6.1.3	6.1.3	CVSS 7.1

CVE-2024-31377 Critical 8.7.01.002

CVE-2024-31377 WP Photo Album Plus Remote Code Execution

WP Photo Album Plus <= 8.7.01.001 - Unauthenticated Arbitrary File Upload

CVE-2024-31286 Critical 8.6.03.005

CVE-2024-31286 WP Photo Album Plus Remote Code Execution

WP Photo Album Plus <= 8.6.03.004 - Authenticated (Subscriber+) Arbitrary File Upload

CVE-2008-0939 Critical 1.1

CVE-2008-0939 WP Photo Album Plus SQL Injection

WP Photo Album Plus <= 1.1 - SQL Injection

CVE-2026-39511 High 9.1.08.002

CVE-2026-39511 WP Photo Album Plus SQL Injection

WP Photo Album Plus <= 9.1.08.001 - Unauthenticated SQL Injection

CVE-2024-10958 High 8.9.01.001

CVE-2024-10958 WP Photo Album Plus Vulnerability

WP Photo Album Plus <= 8.8.08.007 - Unauthenticated Arbitrary Shortcode Execution via getshortcodedrenderedfenodelay

CVE-2021-25115 High 8.1.00

CVE-2021-25115 WP Photo Album Plus Stored Cross-Site Scripting

WP Photo Album Plus <= 8.0.10 - Stored Cross-Site Scripting

CVE-2025-14835 High 9.1.05.009

CVE-2025-14835 WP Photo Album Plus Cross-Site Scripting

WP Photo Album Plus <= 9.1.05.008 - Reflected Cross-Site Scripting

CVE-2015-3647 High 6.1.3

CVE-2015-3647 WP Photo Album Plus Cross-Site Scripting

WP Photo Album Plus < 6.1.3 - Cross-Site Scripting

Coverage Snapshot

What this page helps you verify fast

This hub clusters tracked records for WP Photo Album Plus so operators can confirm whether a disclosed issue maps to the installed slug, version range, and patch path.

Patch Visibility

19 records include a published patch path, leaving 0 with no listed safe release yet.

Severity Mix

3 critical and 5 high severity findings.

Recent CVEs

CVE-2026-39511, CVE-2025-14835 and CVE-2025-8726

Reference Workflow

Jump from the hub into the full report when you need remediation notes, exploit context, CVSS vectors, or source references.

Triage First

Open the records most likely to drive action

These recent records surface the CVE strings, patch cues, and direct report links most operators need first.

CVE-2026-39511 High Patch path listed

CVE-2026-39511: WP Photo Album Plus <= 9.1.08.001 - Unauthenticated SQL Injection

The WP Photo Album Plus plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 9.1.08.001 due to insufficient escaping on the user supplied parameter and lack...

Published

Apr 13, 2026

Patch Status

9.1.08.002

Review CVE-2026-39511 affected versions

CVE-2025-14835 High Patch path listed

CVE-2025-14835: WP Photo Album Plus <= 9.1.05.008 - Reflected Cross-Site Scripting

The WP Photo Album Plus plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘shortcode’ parameter in all versions up to, and including, 9.1.05.008 due to insufficien...

Published

Jan 06, 2026

Patch Status

9.1.05.009

Review CVE-2025-14835 affected versions

CVE-2025-8726 Medium Patch path listed

CVE-2025-8726: WP Photo Album Plus <= 9.0.11.006 - Authenticated (Subscriber+) Stored Cross-Site Scripting via wppa_user_upload

The WP Photo Album Plus plugin for WordPress is vulnerable to Cross-Site Scripting in all versions up to, and including, 9.0.11.006 due to insufficient input sanitization and output escaping...

Published

Oct 03, 2025

Patch Status

9.0.11.007

Review CVE-2025-8726 affected versions

Known Vulnerabilities

Reports for WP Photo Album Plus

Sorted by latest disclosure date so newly published issues surface first.

Plugin High Patched: Yes CVE-2026-39511

CVE-2026-39511: WP Photo Album Plus <= 9.1.08.001 - Unauthenticated SQL Injection

The WP Photo Album Plus plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 9.1.08.001 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenti...

Published

Apr 13, 2026

Patched Release

9.1.08.002

Affected Versions

Versions up to 9.1.08.001

Next Step

Update to 9.1.08.002 or newer if supported.

Review CVE-2026-39511 fixed version details Open CVE Reference

Plugin High Patched: Yes CVE-2025-14835

CVE-2025-14835: WP Photo Album Plus <= 9.1.05.008 - Reflected Cross-Site Scripting

The WP Photo Album Plus plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘shortcode’ parameter in all versions up to, and including, 9.1.05.008 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attac...

Published

Jan 06, 2026

Patched Release

9.1.05.009

Affected Versions

Versions up to 9.1.05.008

Next Step

Update to 9.1.05.009 or newer if supported.

Review CVE-2025-14835 fixed version details Open CVE Reference

Plugin Medium Patched: Yes CVE-2025-8726

CVE-2025-8726: WP Photo Album Plus <= 9.0.11.006 - Authenticated (Subscriber+) Stored Cross-Site Scripting via wppa_user_upload

The WP Photo Album Plus plugin for WordPress is vulnerable to Cross-Site Scripting in all versions up to, and including, 9.0.11.006 due to insufficient input sanitization and output escaping in the wppa_user_upload function. This makes it possible for authenticated attackers, wit...

Published

Oct 03, 2025

Patched Release

9.0.11.007

Affected Versions

Versions up to 9.0.11.006

Next Step

Update to 9.0.11.007 or newer if supported.

Review CVE-2025-8726 fixed version details Open CVE Reference

Plugin High Patched: Yes CVE-2024-10958

CVE-2024-10958: WP Photo Album Plus <= 8.8.08.007 - Unauthenticated Arbitrary Shortcode Execution via getshortcodedrenderedfenodelay

The The WP Photo Album Plus plugin for WordPress is vulnerable to arbitrary shortcode execution via getshortcodedrenderedfenodelay AJAX action in all versions up to, and including, 8.8.08.007 . This is due to the software allowing users to execute an action that does not properly...

Published

Nov 10, 2024

Patched Release

8.9.01.001

Affected Versions

Versions up to 8.8.08.007

Next Step

Update to 8.9.01.001 or newer if supported.

Review CVE-2024-10958 fixed version details Open CVE Reference

Plugin Medium Patched: Yes CVE-2024-9951

CVE-2024-9951: Wordpress Photo Album Plus <= 8.8.05.003 - Reflected Cross-Site Scripting

The WP Photo Album Plus plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'wppa-tab' parameter in all versions up to, and including, 8.8.05.003 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attack...

Published

Oct 16, 2024

Patched Release

8.8.07.004

Affected Versions

Versions up to 8.8.05.003

Next Step

Update to 8.8.07.004 or newer if supported.

Review CVE-2024-9951 fixed version details Open CVE Reference

Plugin Medium Patched: Yes CVE-2024-38713

CVE-2024-38713: WP Photo Album Plus <= 8.8.02.002 - Authenticated (Subscriber+) Stored Cross-Site Scripting

The WP Photo Album Plus plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 8.8.02.002 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber-level access and...

Published

Jul 11, 2024

Patched Release

8.8.02.003

Affected Versions

Versions up to 8.8.02.002

Next Step

Update to 8.8.02.003 or newer if supported.

Review CVE-2024-38713 fixed version details Open CVE Reference

Plugin Medium Patched: Yes CVE-2024-37416

CVE-2024-37416: WP Photo Album Plus <= 8.8.00.002 - Reflected Cross-Site Scripting

The WP Photo Album Plus plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 8.8.00.002 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scrip...

Published

Jun 28, 2024

Patched Release

8.8.00.003

Affected Versions

Versions up to 8.8.00.002

Next Step

Update to 8.8.00.003 or newer if supported.

Review CVE-2024-37416 fixed version details Open CVE Reference

Plugin Medium Patched: Yes CVE-2024-4037

CVE-2024-4037: WP Photo Album Plus <= 8.7.02.003 - Unauthenticated Arbitrary Shortcode Execution

The WP Photo Album Plus plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 8.7.02.003. This is due to the plugin allowing unauthenticated users to execute an action that does not properly validate a value before running do_sh...

Published

May 23, 2024

Patched Release

8.7.00.004

Affected Versions

Versions up to 8.7.00.003

Next Step

Update to 8.7.00.004 or newer if supported.

Review CVE-2024-4037 fixed version details Open CVE Reference

Plugin Critical Patched: Yes CVE-2024-31377

CVE-2024-31377: WP Photo Album Plus <= 8.7.01.001 - Unauthenticated Arbitrary File Upload

The WP Photo Album Plus plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation on the import functionality and no capability check in all versions up to, and including, 8.7.01.001. This makes it possible for unauthenticated attackers to u...

Published

May 07, 2024

Patched Release

8.7.01.002

Affected Versions

Versions up to 8.7.01.001

Next Step

Update to 8.7.01.002 or newer if supported.

Review CVE-2024-31377 fixed version details Open CVE Reference

Plugin Critical Patched: Yes CVE-2024-31286

CVE-2024-31286: WP Photo Album Plus <= 8.6.03.004 - Authenticated (Subscriber+) Arbitrary File Upload

The WP Photo Album Plus plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the wppa_user_upload() function in all versions up to, and including, 8.6.03.004. This makes it possible for authenticated attackers, with subscriber-level...

Published

Apr 05, 2024

Patched Release

8.6.03.005

Affected Versions

Versions up to 8.6.03.004

Next Step

Update to 8.6.03.005 or newer if supported.

Review CVE-2024-31286 fixed version details Open CVE Reference

Plugin Medium Patched: Yes CVE-2023-49812

CVE-2023-49812: WP Photo Album Plus <= 8.5.02.005 - Insecure Direct Object Reference

The WP Photo Album Plus plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 8.5.02.005 due to missing validation on a user controlled key. This makes it possible for unauthenticated attacker to perform an unauthorized actio...

Published

Dec 05, 2023

Patched Release

8.6.01.005

Affected Versions

Versions up to 8.5.02.005

Next Step

Update to 8.6.01.005 or newer if supported.

Review CVE-2023-49812 fixed version details Open CVE Reference

Plugin Medium Patched: Yes CVE-2023-49774

CVE-2023-49774: WP Photo Album Plus <= 8.5.02.005 - IP Spoofing

The WP Photo Album Plus plugin for WordPress is vulnerable to IP Address Spoofing in versions up to, and including, 8.5.02.005. This is due to insufficient restrictions on where the IP Address information is being retrieved for request logging and login restrictions. Attackers ca...

Published

Dec 05, 2023

Patched Release

8.6.01.005

Affected Versions

Versions up to 8.5.02.005

Next Step

Update to 8.6.01.005 or newer if supported.

Review CVE-2023-49774 fixed version details Open CVE Reference