What the vulnerability does
01Description
WordPress Plugin PICA Photo Gallery 1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the aid parameter. Attackers can send GET requests with crafted SQL payloads in the aid parameter to extract sensitive database information including user credentials and table contents.
Explanation of Vulnerability in Simple Terms
02Summary
PICA Photo Gallery contains a SQL injection vulnerability in its database query handling. An attacker can inject malicious SQL commands through user-supplied input to read, modify, or delete database contents without authentication. This affects all versions from 1.0 onwards. Update to a patched version when available from the vendor.
What an attacker can do
03Attacker Capabilities
Read, modify, or delete database records by injecting SQL commands through the application.
Potential impact on your site
04Site Impact
Attackers can steal user data, modify site content, or destroy the database without logging in.
Conditions required to exploit
05Prerequisites
Network access to the application; no authentication or user interaction required.
Key dates
06Disclosure timeline
June 9, 2026
CVE published
June 9, 2026
Record updated