CVE-2026-39511: WordPress WP Photo Album Plus plugin <= 9.1.08.001 - SQL Injection vulnerability
Unauthenticated SQL Injection in WP Photo Album Plus <= 9.1.08.001 versions.
Metrics
- CVSS v3.1: 9.3
- Severity: CRITICAL
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
An unauthenticated SQL injection vulnerability affects the WP Photo Album Plus WordPress plugin at version 9.1.08.001 and earlier. The flaw is reachable over the network with no authentication or user interaction required, making it trivially exploitable by any remote attacker. Successful exploitation gives an attacker read access to the underlying database and causes limited availability impact to the service. HarborGuard tracks this advisory and will make a patched-image rebuild available the moment an upstream fix is published.
HarborGuard Coverage
- Detection (Available): Detection for CVE-2026-39511 is available across every HarborGuard environment: the CVE is ingested from upstream feeds, including the Patchstack advisory, within minutes of publication and matched against customer images in connected registries and CI/CD pipelines. Coverage extends to custom-built images that bundle the WP Photo Album Plus plugin.
- Triage (Available): Triage is available using the CVSS v3.1 score of 9.3 (CRITICAL) and the associated vector, weighted against each environment's compliance policy to reflect organizational risk thresholds. Findings are routable to the appropriate team inbox within each customer organization based on configured ownership rules.
- Remediation (Pending upstream): Because no upstream fix version has been published for this CVE, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment an upstream fix is released. For customers with auto-remediation enabled, the rebuild, regression run, and PR against affected workloads will be triggered without manual intervention as soon as a fix version becomes available.
Exploit Conditions
- Network reachability: Required
The vulnerable plugin endpoint is exposed over the network, so an attacker must be able to send HTTP requests to the WordPress installation.
- Authentication: Not required
No account or session credential of any kind is needed; the injection point is accessible to unauthenticated requests.
- Victim interaction: Not required
The attacker sends a crafted request directly to the server; no user action or social engineering is involved.
- Attack complexity: Low
Attack complexity is low, meaning the exploit is reliable and requires no special conditions, race timing, or environmental setup.
Blast Radius
- Reads arbitrary database contents, including WordPress user credentials, password hashes, email addresses, session tokens, and any data stored by other installed plugins.
- Exfiltrates data from tables outside the WordPress schema if the database user has cross-schema read privileges, which is what the Changed Scope (S:C) token in the CVSS vector reflects.
- Causes limited disruption to the availability of the affected service, consistent with the A:L impact rating.
How HarborGuard Handles This
Available on HarborGuard: this CVE is flagged as CRITICAL (9.3) with no published fix, so the platform monitors the Patchstack advisory and upstream plugin repository on every ingest cycle. The moment an upstream fix is released, a patched-image rebuild at the fix version becomes available; for customers with auto-remediation enabled, this triggers a rebuild, an automated regression test run, and a PR opened against affected workloads. In the interim, compensating controls worth considering include network-policy rules that restrict public access to affected WordPress endpoints, web application firewall rules targeting SQL injection patterns in query parameters, and disabling or removing the WP Photo Album Plus plugin in environments where it is not actively needed.
Affected Products
- Jacob N. Breetvelt / WP Photo Album Plus: ≤ 9.1.08.001
CVSS v3.1 Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L