All CosmicBytez Labs articles tagged #Plugin Vulnerability, across news, security advisories, how-to guides, and projects.
A high-severity privilege escalation flaw in WPFunnels for WordPress allows attackers to update arbitrary site options via an unvalidated REST callback, affecting all versions up to 3.12.8.
A critical CVSS 8.8 remote code execution vulnerability in WP Ultimate CSV Importer allows unauthenticated attackers to execute arbitrary PHP code on...
A critical unauthenticated arbitrary file upload vulnerability in the Super Forms plugin for WordPress (CVSS 9.8) allows attackers to upload and execute...
A critical arbitrary file upload vulnerability in the Blocksy Companion WordPress plugin (versions up to 2.1.46) allows unauthenticated attackers to...
A critical unauthenticated arbitrary file upload flaw (CVSS 9.8) in the Instant Appointment WordPress plugin allows attackers to upload and execute...
A critical CVSS 9.1 vulnerability in the Simple Coherent Form WordPress plugin allows unauthenticated attackers to delete arbitrary files on the server,...
A high-severity arbitrary function call vulnerability in the YouTube Showcase plugin allows authenticated attackers to invoke arbitrary PHP functions via...
A critical unauthenticated SQL injection vulnerability in the EventON WordPress Virtual Event Calendar Plugin affects versions up to 5.0.11, exposing...
A high-severity authenticated file deletion vulnerability in the nmedia Frontend File Manager Plugin for WordPress allows subscribers to delete any file...
A critical unauthenticated SQL injection vulnerability (CVSS 9.3) in the JetBooking WordPress plugin affects all versions up to 4.0.4.1, potentially...
WordPress CP Polls plugin version 1.0.8 contains a persistent cross-site scripting vulnerability that allows attackers to inject malicious scripts through...
A critical unauthenticated PHP Object Injection vulnerability in the Broadcast Live Video WordPress plugin (versions < 7.1.3) carries a CVSS score of 9.8...
A critical unauthenticated vulnerability in the WP Maps Pro WordPress plugin before 6.1.1 allows any visitor to create an administrator account and...
A high-severity arbitrary file upload vulnerability in the MDJM Event Management plugin for WordPress allows authenticated attackers to upload malicious files…
A high-severity PHP Object Injection vulnerability in the Admin Columns WordPress plugin (versions up to 7.0.18) allows authenticated attackers to achieve…
Hackers are actively exploiting a critical vulnerability in the WP Maps Pro WordPress plugin that allows unauthenticated attackers to create rogue…
A broken authentication check in the Simple History WordPress plugin (versions up to 5.26.0) allows Subscriber-level users to take over any WordPress...
The GEO my WP WordPress plugin (versions up to 4.5.5) is vulnerable to unauthenticated SQL injection via the swlatlng and nelatlng parameters, which...
A CVSS 7.5 SQL injection vulnerability in the WP ERP Pro WordPress plugin (all versions up to 1.5.1) allows unauthenticated attackers to extract sensitive...
A missing WordPress capability check in the AI Engine plugin's MCP OAuth bearer-token path allows any authenticated user to escalate privileges to...
A high-severity SQL injection vulnerability (CVE-2026-2993) in the AI Chatbot & Workflow Automation by AIWU WordPress plugin allows unauthenticated...
A critical unauthenticated arbitrary file upload vulnerability in the User Registration Advanced Fields plugin for WordPress allows attackers to upload...
A critical authentication bypass in the User Verification by PickPlugins plugin for WordPress allows unauthenticated attackers to bypass OTP verification...
A critical CVSS 9.8 authentication bypass in the WordPress Temporary Login plugin (versions up to 1.0.0) allows unauthenticated attackers to gain...
A critical code injection vulnerability in the FunnelFormsPro WordPress plugin through version 3.8.1 allows remote code inclusion, enabling attackers to...
A critical unauthenticated file upload vulnerability in the Breeze Cache WordPress plugin allows attackers to upload arbitrary files to affected servers...