CVE-2026-10095 in WP Photo Album Plus Plugin

Summary

by MITRE • 07/01/2026

The WP Photo Album Plus plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'subtext' parameter in all versions up to, and including, 9.1.13.005 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. A contributor-level attacker can embed the malicious [photo] shortcode in a post submitted for review, causing the stored payload to execute when an administrator or any other user views the post.


Analysis

by VulDB Data Team • 07/01/2026

The WP Photo Album Plus plugin presents a critical stored cross-site scripting vulnerability that affects versions through 9.1.13.005, creating a significant security risk for WordPress installations. This vulnerability stems from inadequate input sanitization and insufficient output escaping mechanisms within the plugin's handling of the 'subtext' parameter, which allows malicious actors to inject persistent script code into the application's database. The flaw specifically targets authenticated users with contributor-level privileges or higher, making it particularly dangerous as it leverages legitimate user permissions to execute malicious payloads.

Technically, the vulnerability arises from improper validation of user input when the plugin processes the 'subtext' parameter of photo album entries. When an attacker with contributor access submits a post containing a [photo] shortcode whose subtext carries script code, the plugin does not sanitize the value before storing it in the database. The stored payload then executes whenever any user accesses the affected post, regardless of that user's permission level or role within the WordPress environment. The vulnerability operates at the application layer and can be exploited through standard HTTP requests without requiring additional attack vectors.

The operational impact of this stored XSS vulnerability extends beyond simple script execution, as it enables attackers to perform session hijacking, deface websites, steal sensitive user data, and potentially escalate privileges within the compromised WordPress installation. Administrators who view posts containing malicious payloads become victims of the attack, making the exploitation particularly insidious since it can occur during routine content review processes. The vulnerability's persistence means that once exploited, the malicious code continues to execute for all future users until the affected posts are manually removed or the plugin is updated.

Organizations should prioritize immediate mitigation by updating to the latest version of WP Photo Album Plus, where this vulnerability has been addressed, as no patch exists for versions prior to 9.1.13.005. System administrators should also implement additional security controls, including regular monitoring of user submissions, content filtering of stored post bodies, and periodic security audits of installed plugins. The vulnerability aligns with CWE-79 (Cross-Site Scripting) and represents a specific implementation weakness that enables privilege escalation through legitimate administrative workflows. From an attacker perspective, this flaw maps to ATT&CK technique T1548.002 (Abuse Elevation Control Mechanism), as it allows attackers to leverage their contributor-level privileges to execute arbitrary code with elevated permissions.
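As an added illustration (not the plugin's own code, whose rendering path is not shown on this page), the following Python model covers the two halves the advisory names: escaping the subtext value on output so stored markup renders as text, and reviewer-side monitoring of submitted posts for [photo] shortcodes whose subtext carries HTML-significant characters. The shortcode grammar, the span markup and the sample post are constructed assumptions for this example.

```python
import html
import re

# Matches a [photo ...] shortcode and captures its attribute string.
# Approximation for this example; WordPress's own shortcode parser is more permissive.
PHOTO_SHORTCODE = re.compile(r"\[photo\b([^\]]*)\]", re.IGNORECASE)

# WordPress-style attribute forms: key="v", key='v', key=v
ATTR = re.compile(r"""(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)'|(\S+))""")


def parse_attrs(attr_string: str) -> dict:
    """Return the shortcode's attributes as a dict with lowercase keys."""
    attrs = {}
    for m in ATTR.finditer(attr_string):
        # Exactly one of the three value groups matched; pick it (may be "").
        attrs[m.group(1).lower()] = next(v for v in m.groups()[1:] if v is not None)
    return attrs


def render_subtext_unescaped(subtext: str) -> str:
    """The defect the advisory describes: stored value echoed into HTML verbatim."""
    return f'<span class="subtext">{subtext}</span>'


def render_subtext_escaped(subtext: str) -> str:
    """Hardened form: escape on output, so a stored <script> tag renders as text."""
    return f'<span class="subtext">{html.escape(subtext, quote=True)}</span>'


def find_risky_photo_shortcodes(post_content: str) -> list:
    """Flag [photo] shortcodes whose subtext would change under HTML escaping.

    Conservative by design: a caption like "Tom & Jerry" is flagged too and
    simply needs a reviewer's glance; a caption never needs '<' or '>'.
    """
    findings = []
    for m in PHOTO_SHORTCODE.finditer(post_content):
        subtext = parse_attrs(m.group(1)).get("subtext")
        if subtext is not None and html.escape(subtext, quote=True) != subtext:
            findings.append((m.group(0), subtext))
    return findings


# Constructed sample post body, as a contributor might submit it for review.
SAMPLE_POST = (
    "Holiday album\n"
    '[photo id="12" subtext="Sunset at the pier"]\n'
    "[photo id='13' subtext='<script>alert(1)</script>']\n"
)
```

Run `find_risky_photo_shortcodes(SAMPLE_POST)` to see the second shortcode flagged while the benign caption passes; rendering the flagged value through `render_subtext_escaped` yields inert text, whereas `render_subtext_unescaped` reproduces the stored tag.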

This vulnerability demonstrates the critical importance of input validation and output escaping in web applications, particularly within content management systems where user-generated content is processed. The flaw highlights the need for comprehensive security testing of plugin components and proper sanitization of all user inputs before storage or rendering. Organizations using WordPress should implement a robust plugin management strategy that includes regular updates, security scanning, and monitoring for known vulnerabilities in third-party components to prevent exploitation of similar issues across their digital infrastructure.

Responsible: Wordfence

Reservation: 05/29/2026

Disclosure: 07/01/2026

Moderation: accepted

CPE: ready

EPSS: 0.00000

KEV: no

Activities: very low
