{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-8726", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-08-08T01:09:06.550Z", "datePublished": "2025-10-04T02:24:35.924Z", "dateUpdated": "2026-04-08T16:54:20.055Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:54:20.055Z"}, "affected": [{"vendor": "opajaap", "product": "WP Photo Album Plus", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "9.0.11.006", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The WP Photo Album Plus plugin for WordPress is vulnerable to Cross-Site Scripting in all versions up to, and including, 9.0.11.006 due to insufficient input sanitization and output escaping in the wppa_user_upload function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in the photo album descriptions that execute in a victim's browser."}], "title": "WP Photo Album Plus <= 9.0.11.006 - Authenticated (Subscriber+) Stored Cross-Site Scripting via wppa_user_upload", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/575b11a3-9fa4-4ee0-8f19-7d53e6c1785f?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-photo-album-plus/tags/9.0.09.003/wppa-functions.php#L4977"}, {"url": "https://plugins.trac.wordpress.org/changeset/3349261/wp-photo-album-plus"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "baseScore": 5.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "D.Sim"}], "timeline": [{"time": "2025-07-30T00:00:00.000Z", "lang": "en", "value": "Discovered"}, {"time": "2025-08-23T18:26:54.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-10-03T14:09:22.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-10-06T14:18:06.976655Z", "id": "CVE-2025-8726", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-06T14:18:39.543Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-8726", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-10-06T14:18:06.976655Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-06T14:18:35.492Z"}}], "cna": {"title": "WP Photo Album Plus <= 9.0.11.006 - Authenticated (Subscriber+) Stored Cross-Site Scripting via wppa_user_upload", "credits": [{"lang": "en", "type": "finder", "value": "D.Sim"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "opajaap", "product": "WP Photo Album Plus", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "9.0.11.006"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-07-30T00:00:00.000Z", "value": "Discovered"}, {"lang": "en", "time": "2025-08-23T18:26:54.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-10-03T14:09:22.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/575b11a3-9fa4-4ee0-8f19-7d53e6c1785f?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-photo-album-plus/tags/9.0.09.003/wppa-functions.php#L4977"}, {"url": "https://plugins.trac.wordpress.org/changeset/3349261/wp-photo-album-plus"}], "descriptions": [{"lang": "en", "value": "The WP Photo Album Plus plugin for WordPress is vulnerable to Cross-Site Scripting in all versions up to, and including, 9.0.11.006 due to insufficient input sanitization and output escaping in the wppa_user_upload function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in the photo album descriptions that execute in a victim's browser."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-10-04T02:24:35.924Z"}}}, "cveMetadata": {"cveId": "CVE-2025-8726", "state": "PUBLISHED", "dateUpdated": "2025-10-06T14:18:39.543Z", "dateReserved": "2025-08-08T01:09:06.550Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-10-04T02:24:35.924Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The WP Photo Album Plus plugin for WordPress is vulnerable to Cross-Site Scripting in all versions up to, and including, 9.0.11.006 due to insufficient input sanitization and output escaping in the wppa_user_upload function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in the photo album descriptions that execute in a victim's browser."}], "id": "CVE-2025-8726", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-10-04T03:15:38.123", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wp-photo-album-plus/tags/9.0.09.003/wppa-functions.php#L4977"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3349261/wp-photo-album-plus"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/575b11a3-9fa4-4ee0-8f19-7d53e6c1785f?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T02:31:01.681322+00:00", "value": {"mitigation_remediation": ["Upgrade the WP Photo Album Plus plugin to the latest version that resolves the stored XSS issue, or uninstall the plugin if an update is not available.", "Review subscriber permissions and temporarily remove or disable the wppa_user_upload capability for Subscriber\u2011level users until a patch is applied.", "Verify that all user\u2011generated content in the plugin is properly sanitized and escaped, following WordPress best practices, and monitor the plugin vendor\u2019s security advisories for future fixes."], "summary": {"action": "Immediate Patch", "impact": "Stored XSS"}, "threat_synthesis": {"affected_systems": "The vulnerability affects all versions of the WP Photo Album Plus plugin up to and including 9.0.11.006. The product is distributed by the vendor opajaap under the name WP Photo Album Plus for WordPress. Users running any of those affected releases on their sites are susceptible.", "description_and_impact": "The WP Photo Album Plus plugin for WordPress is vulnerable to stored cross\u2011site scripting because the wppa_user_upload function does not adequately sanitize or escape user input. The flaw permits authenticated users with Subscriber or higher privileges to insert malicious JavaScript into photo album descriptions, which will then execute in the browsers of any user who views the album. This can lead to session hijacking, credential theft, or defacement, and represents a classic client\u2011side injection (CWE\u201179).", "risk_and_exploitability": "The CVSS v3.1 score for this issue is 5.4, indicating moderate severity. The EPSS score is less than 1%, suggesting that immediate exploitation is currently unlikely. The vulnerability is not listed in CISA\u2019s KEV catalog. Exploitation requires an attacker to authenticate as a user with Subscriber or higher privileges and use the wppa_user_upload feature to inject JavaScript into photo album descriptions. The stored payload is then delivered to any visitor, enabling client\u2011side attacks when the album is viewed."}}}}, "created": "2025-10-06T14:42:03.252060+00:00", "updated": "2026-04-21T02:45:25.935318+00:00", "vendors": ["opajaap", "opajaap$PRODUCT$wp_photo_album_plus", "wordpress", "wordpress$PRODUCT$wordpress"]}