Skip to main content
COSMICBYTEZLABS
NewsSecurityHOWTOsToolsTraining
StudyProjectsNewsletterHire MeAbout
Subscribe

Press Enter to search or Esc to close

News
Security
HOWTOs
Tools
Training
Study
Projects
Newsletter
Hire Me
About
RSS Feed
Reading List
Subscribe

Stay in the Loop

Get the latest security alerts, tutorials, and tech insights delivered to your inbox.

Subscribe NowFree forever. No spam.
COSMICBYTEZLABS

Your trusted source for IT intelligence, cybersecurity insights, and hands-on technical guides.

1941+ Articles
150+ Guides

CONTENT

  • Latest News
  • Security Alerts
  • HOWTOs
  • Checklists
  • Projects
  • Exam Prep

RESOURCES

  • Search
  • Browse Tags
  • Newsletter Archive
  • Reading List
  • RSS Feed

COMPANY

  • About Us
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CosmicBytez Labs. All rights reserved.

System Status: Operational
All tags
26 articles

#Plugin Vulnerability

All CosmicBytez Labs articles tagged #Plugin Vulnerability, across news, security advisories, how-to guides, and projects.

  • SecurityJul 17, 2026

    CVE-2026-15103: WPFunnels Plugin Privilege Escalation via Unauthenticated REST Endpoint

    A high-severity privilege escalation flaw in WPFunnels for WordPress allows attackers to update arbitrary site options via an unvalidated REST callback, affecting all versions up to 3.12.8.

  • SecurityJul 11, 2026

    CVE-2026-13353: WordPress WP Ultimate CSV Importer RCE via MappedFields Parameter

    A critical CVSS 8.8 remote code execution vulnerability in WP Ultimate CSV Importer allows unauthenticated attackers to execute arbitrary PHP code on...

  • SecurityJul 10, 2026

    CVE-2026-14894: WordPress Super Forms Plugin Critical Arbitrary File Upload

    A critical unauthenticated arbitrary file upload vulnerability in the Super Forms plugin for WordPress (CVSS 9.8) allows attackers to upload and execute...

  • SecurityJul 10, 2026

    CVE-2026-15158: WordPress Blocksy Companion Arbitrary File Upload (CVSS 9.8)

    A critical arbitrary file upload vulnerability in the Blocksy Companion WordPress plugin (versions up to 2.1.46) allows unauthenticated attackers to...

  • SecurityJul 10, 2026

    CVE-2026-15282: WordPress Instant Appointment Plugin Critical File Upload

    A critical unauthenticated arbitrary file upload flaw (CVSS 9.8) in the Instant Appointment WordPress plugin allows attackers to upload and execute...

  • SecurityJul 8, 2026

    CVE-2026-14487: WordPress Simple Coherent Form Plugin — Critical Unauthenticated File Deletion

    A critical CVSS 9.1 vulnerability in the Simple Coherent Form WordPress plugin allows unauthenticated attackers to delete arbitrary files on the server,...

  • SecurityJul 1, 2026

    CVE-2026-12923: YouTube Showcase WordPress Plugin Arbitrary Function Call

    A high-severity arbitrary function call vulnerability in the YouTube Showcase plugin allows authenticated attackers to invoke arbitrary PHP functions via...

  • SecurityJul 1, 2026

    CVE-2026-9711: Critical SQL Injection in EventON WordPress Plugin (CVSS 9.8)

    A critical unauthenticated SQL injection vulnerability in the EventON WordPress Virtual Event Calendar Plugin affects versions up to 5.0.11, exposing...

  • SecurityJun 28, 2026

    CVE-2026-8095: WordPress Frontend File Manager Plugin Allows Arbitrary File Deletion

    A high-severity authenticated file deletion vulnerability in the nmedia Frontend File Manager Plugin for WordPress allows subscribers to delete any file...

  • SecurityJun 27, 2026

    CVE-2026-54820: Critical SQL Injection in JetBooking WordPress Plugin

    A critical unauthenticated SQL injection vulnerability (CVSS 9.3) in the JetBooking WordPress plugin affects all versions up to 4.0.4.1, potentially...

  • SecurityJun 16, 2026

    CVE-2016-20066: WordPress CP Polls Persistent XSS via File Upload

    WordPress CP Polls plugin version 1.0.8 contains a persistent cross-site scripting vulnerability that allows attackers to inject malicious scripts through...

  • SecurityJun 16, 2026

    CVE-2026-27053: Critical PHP Object Injection in Broadcast Live Video Plugin

    A critical unauthenticated PHP Object Injection vulnerability in the Broadcast Live Video WordPress plugin (versions < 7.1.3) carries a CVSS score of 9.8...

  • SecurityJun 15, 2026

    CVE-2026-8935: WP Maps Pro Unauthenticated Admin Account Creation (CVSS 9.8)

    A critical unauthenticated vulnerability in the WP Maps Pro WordPress plugin before 6.1.1 allows any visitor to create an administrator account and...

  • SecurityJun 6, 2026

    CVE-2026-7537: MDJM Event Management WordPress Plugin Arbitrary File Upload

    A high-severity arbitrary file upload vulnerability in the MDJM Event Management plugin for WordPress allows authenticated attackers to upload malicious files…

  • SecurityJun 6, 2026

    CVE-2026-7654: PHP Object Injection RCE in WordPress Admin Columns Plugin (≤ 7.0.18)

    A high-severity PHP Object Injection vulnerability in the Admin Columns WordPress plugin (versions up to 7.0.18) allows authenticated attackers to achieve…

  • NewsMay 31, 2026

    WP Maps Pro Bug Exploited to Create Admin Accounts on WordPress Sites

    Hackers are actively exploiting a critical vulnerability in the WP Maps Pro WordPress plugin that allows unauthenticated attackers to create rogue…

  • SecurityMay 30, 2026

    CVE-2026-7459: WordPress Simple History Plugin Account Takeover

    A broken authentication check in the Simple History WordPress plugin (versions up to 5.26.0) allows Subscriber-level users to take over any WordPress...

  • SecurityMay 30, 2026

    CVE-2026-9757: GEO my WP Plugin SQL Injection via Query String Bypass

    The GEO my WP WordPress plugin (versions up to 4.5.5) is vulnerable to unauthenticated SQL injection via the swlatlng and nelatlng parameters, which...

  • SecurityMay 22, 2026

    WP ERP Pro SQL Injection via search_key Parameter

    A CVSS 7.5 SQL injection vulnerability in the WP ERP Pro WordPress plugin (all versions up to 1.5.1) allows unauthenticated attackers to extract sensitive...

  • SecurityMay 17, 2026

    CVE-2026-8719: WordPress AI Engine Plugin Privilege

    A missing WordPress capability check in the AI Engine plugin's MCP OAuth bearer-token path allows any authenticated user to escalate privileges to...

  • SecurityMay 13, 2026

    CVE-2026-2993: SQL Injection in AIWU AI Chatbot WordPress

    A high-severity SQL injection vulnerability (CVE-2026-2993) in the AI Chatbot & Workflow Automation by AIWU WordPress plugin allows unauthenticated...

  • SecurityMay 2, 2026

    CVE-2026-4882: Unauthenticated File Upload in WordPress

    A critical unauthenticated arbitrary file upload vulnerability in the User Registration Advanced Fields plugin for WordPress allows attackers to upload...

  • SecurityMay 2, 2026

    CVE-2026-7458: Authentication Bypass via OTP Flaw in WordPress User Verification Plugin

    A critical authentication bypass in the User Verification by PickPlugins plugin for WordPress allows unauthenticated attackers to bypass OTP verification...

  • SecurityMay 1, 2026

    Critical Authentication Bypass in WordPress Temporary Login

    A critical CVSS 9.8 authentication bypass in the WordPress Temporary Login plugin (versions up to 1.0.0) allows unauthenticated attackers to gain...

  • SecurityApr 24, 2026

    CVE-2026-39440: FunnelFormsPro WordPress Plugin Remote Code

    A critical code injection vulnerability in the FunnelFormsPro WordPress plugin through version 3.8.1 allows remote code inclusion, enabling attackers to...

  • SecurityApr 23, 2026

    CVE-2026-3844 — Breeze Cache WordPress Plugin

    A critical unauthenticated file upload vulnerability in the Breeze Cache WordPress plugin allows attackers to upload arbitrary files to affected servers...