CVE-2024-37416 HIGH

CVE-2024-37416: WordPress WP Photo Album Plus plugin <= 8.8.00.002 - Reflected Cross Site Scripting (XSS) vulnerability

Vendor J.n. Breetvelt A.k.a. Opajaap

Product WP Photo Album Plus

Weakness CWE-79 · XSS

Published July 22, 2024

Last update April 28, 2026

View on NVD All CVEs

CVSS base score

7.1/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction Required

Confidentiality Low

Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

What the vulnerability does

01Description

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in J.N. Breetvelt a.K.A. OpaJaap WP Photo Album Plus allows Reflected XSS.This issue affects WP Photo Album Plus: from n/a through 8.8.00.002.

Key dates

02Disclosure timeline

July 22, 2024 CVE published

April 28, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2024-37416

Related vulnerabilities

04Related CVE

CVE-2023-5541 Moodle: xss risk when using csv grade import method CVE-2024-2868 ShopLentor – WooCommerce Builder for Elementor & Gutenberg +12 Modules – All in One Solution (formerly WooLentor) <= 2.8.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via WL Universal Product Layout CVE-2024-12260 Ultimate Endpoints With Rest Api <= 2.2.2 - Reflected Cross-Site Scripting CVE-2025-59004 WordPress WC Return products plugin <= 1.5 - Reflected Cross Site Scripting (XSS) vulnerability CVE-2023-5048 WDContactFormBuilder <= 1.0.72 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Identifiers

CVE CVE-2024-37416

CWE CWE-79

CVSS 7.1 / HIGH

Affected versions

Vendor J.n. Breetvelt A.k.a. Opajaap

Product WP Photo Album Plus

Affected ≥ n/a and ≤ 8.8.00.002