CVE-2025-8726: 
WordPress vulnerability analysis and mitigation

The WP Photo Album Plus plugin for WordPress is vulnerable to Cross-Site Scripting in versions up to and including 9.0.11.006. This vulnerability was discovered and disclosed on October 3, 2025, and is tracked as CVE-2025-8726. The issue affects the wppa_user_upload function in the plugin, which fails to properly sanitize and escape user input (NVD).

The vulnerability stems from insufficient input sanitization and output escaping in the wppa_user_upload function. This security flaw allows authenticated users with Subscriber-level access or higher to inject arbitrary web scripts into photo album descriptions. These malicious scripts can then execute in a victim's browser when viewing the affected content. The vulnerability has been assigned a CVSS v3.1 base score of 5.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N (Wordfence).

When exploited, this vulnerability allows attackers to execute arbitrary JavaScript code in the context of other users' browsers who view the compromised photo album descriptions. This could lead to theft of sensitive browser-based information and potential manipulation of the website content for affected users (NVD).

The issue was addressed in version 9.0.11.007 of the WP Photo Album Plus plugin, which improved input sanitization by implementing wp_kses with allowed HTML tags instead of using strip_tags (WordPress Plugin). Users are advised to update to this version or later to protect against this vulnerability.