All CosmicBytez Labs articles tagged #WordPress, across news, security advisories, how-to guides, and projects.
A critical unauthenticated remote code execution vulnerability in WordPress core affects all 6.9 and 7.0 installations. WordPress force-pushed emergency patches (6.9.5 / 7.0.2) to sites via its auto-update system.
A high-severity privilege escalation flaw in WPFunnels for WordPress allows attackers to update arbitrary site options via an unvalidated REST callback, affecting all versions up to 3.12.8.
Critical privilege escalation in the Aimogen Pro WordPress plugin (all versions up to 2.8.4) — missing capability check on AI function allows any authenticated user to gain administrator-level access.
The Happy Coders OTP Login for WooCommerce plugin before 2.8 allows unauthenticated attackers to bypass OTP verification and log in as any WordPress user, including administrators.
The miniOrange SAML Single Sign On plugin for WordPress through version 5.4.3 allows unauthenticated attackers to log in as any user via an RSA-to-HMAC algorithm confusion attack against the SAML signature verification logic.
Security firm Intruder built an AI-powered system that combines code slicing with large language models to automatically discover complex software vulnerabilities — including a previously unknown WordPress plugin zero-day.
The User Registration & Membership WordPress plugin before 5.2.2 fails to verify PayPal webhook signatures, allowing unauthenticated attackers to forge payment events and gain free premium memberships.
The Australian Cyber Security Centre has issued an alert about a coordinated global campaign actively exploiting unpatched vulnerabilities in WordPress,...
A critical CVSS 8.8 remote code execution vulnerability in WP Ultimate CSV Importer allows unauthenticated attackers to execute arbitrary PHP code on...
An unprotected 800MB server left open for three weeks exposed the full toolkit of a webshell access brokerage operation targeting 1.4 million domains....
A critical unauthenticated arbitrary file upload vulnerability in the Super Forms plugin for WordPress (CVSS 9.8) allows attackers to upload and execute...
A critical arbitrary file upload vulnerability in the Blocksy Companion WordPress plugin (versions up to 2.1.46) allows unauthenticated attackers to...
A critical unauthenticated arbitrary file upload flaw (CVSS 9.8) in the Instant Appointment WordPress plugin allows attackers to upload and execute...
A critical CVSS 9.8 authorization bypass in the WP Learn Manager WordPress plugin allows unauthenticated attackers to install and activate arbitrary...
A critical CVSS 9.1 vulnerability in the Simple Coherent Form WordPress plugin allows unauthenticated attackers to delete arbitrary files on the server,...
A critical CVSS 9.8 vulnerability in the Eventer WordPress plugin exposes plaintext password reset keys in user meta, allowing unauthenticated attackers...
A local file inclusion vulnerability in the WANotifier WordPress plugin (before v2.6) allows any authenticated subscriber-level user to include and...
A CVSS 9.8 critical SQL injection in the Destekz plugin by Raera - Ankara Web Design allows unauthenticated remote attackers full database access. The...
A CVSS 9.1 critical unauthenticated arbitrary file deletion vulnerability in the Printcart Web to Print Product Designer for WooCommerce plugin affects...
A high-severity arbitrary function call vulnerability in the YouTube Showcase plugin allows authenticated attackers to invoke arbitrary PHP functions via...
A critical unauthenticated SQL injection vulnerability in the EventON WordPress Virtual Event Calendar Plugin affects versions up to 5.0.11, exposing...
A critical CVSS 9.8 vulnerability in the ProfileGrid WordPress plugin allows unauthenticated attackers to take over any user account and escalate...
A CVSS 9.9 critical vulnerability in the Paid Videochat Turnkey Site WordPress plugin allows authenticated performer-role users to delete arbitrary files...
A high-severity authenticated file deletion vulnerability in the nmedia Frontend File Manager Plugin for WordPress allows subscribers to delete any file...
A critical unauthenticated privilege escalation flaw in the WordPress Invoice Generator plugin allows any attacker to take over administrator accounts via...
A critical unauthenticated SQL injection vulnerability (CVSS 9.3) in the JetBooking WordPress plugin affects all versions up to 4.0.4.1, potentially...
A Russian IAB harvests 110M credentials from FortiGate firewalls; the Icarus group drains hundreds of Salesforce orgs via Klue OAuth tokens; a 29-year-old...
Multiple WordPress plugins from ShapedPlugin were compromised in a supply chain attack, with attackers injecting backdoor code into Pro plugin releases...
Active exploitation of CVE-2026-4020 in the Gravity SMTP WordPress plugin has generated over 17 million malicious requests, allowing unauthenticated...
In a major Operation Endgame action, law enforcement and private partners seized 106 SocGholish command-and-control servers and domains, with...
A joint law enforcement operation led by Dutch authorities and including partners from Canada, Germany, and the US has disrupted SocGholish malware...
A critical Local File Inclusion vulnerability in the BetterDocs Pro WordPress plugin (up to v3.8.0) allows unauthenticated attackers to include and...
International law enforcement cleaned nearly 15,000 malware-infected WordPress websites and took down more than 100 servers linked to the SocGholish...
Multiple WordPress plugins from ShapedPlugin were compromised in a supply chain attack that distributed infected releases to paying customers via the...
A critical blind SQL injection vulnerability in The Events Calendar WordPress plugin by StellarWP affects versions 6.15.12 through 6.16.2, allowing...
A critical code injection vulnerability in the RD Station WordPress plugin allows unauthenticated remote code execution through Remote File Inclusion,...
A critical unauthenticated SQL injection vulnerability in GEO my WordPress versions 4.5.5 and earlier allows attackers to extract database contents...
DragonForce hides C2 inside Microsoft Teams relay traffic; a SearchLeak attack weaponizes M365 Copilot for one-click data exfiltration; iRhythm confirms...
New analysis reveals the 'Lorem Ipsum' malware campaign has adopted ClickFix social engineering as its primary delivery mechanism, leveraging compromised...
WordPress CP Polls plugin version 1.0.8 contains a persistent cross-site scripting vulnerability that allows attackers to inject malicious scripts through...
A critical unauthenticated PHP Object Injection vulnerability in the Broadcast Live Video WordPress plugin (versions < 7.1.3) carries a CVSS score of 9.8...
A critical unauthenticated SQL injection vulnerability (CVSS 9.3) in the InPost Gallery WordPress plugin allows attackers to extract sensitive database...
A high-severity unauthenticated remote code execution vulnerability (CVSS 8.8) in Premmerce Dev Tools for WordPress allows attackers to execute arbitrary...
A critical unauthenticated vulnerability in the WP Maps Pro WordPress plugin before 6.1.1 allows any visitor to create an administrator account and...
The Bookly scheduling plugin for WordPress contains a stored cross-site scripting vulnerability in versions up to 27.2, allowing unauthenticated attackers...
A critical CVSS 9.9 argument injection vulnerability in WordPress Toolkit before 6.11.0 allows remote authenticated users to bypass cross-tenant...
A critical unauthenticated privilege escalation vulnerability in the Doctreat Core WordPress plugin allows attackers to register with elevated roles,...
Hackers are actively exploiting a critical vulnerability (CVE-2026-3300) in the Everest Forms Pro WordPress plugin, enabling them to take complete control of…
A high-severity arbitrary file upload vulnerability in the MDJM Event Management plugin for WordPress allows authenticated attackers to upload malicious files…
A high-severity PHP Object Injection vulnerability in the Admin Columns WordPress plugin (versions up to 7.0.18) allows authenticated attackers to achieve…
A high-severity privilege escalation vulnerability in the Booking Package WordPress plugin allows unauthenticated or low-privileged attackers to take over…
A maximum-severity input validation vulnerability in Product Slider Pro for WooCommerce allows attackers to implant malicious software. Affects all versions…
Hackers are actively exploiting a critical privilege escalation vulnerability (CVE-2026-8206) in the widely-used Kirki Customizer Framework plugin for…
The Kirki Freeform Page Builder plugin for WordPress (versions 6.0.0–6.0.6) allows unauthenticated attackers to take over any user account during password…
The Really Simple Security WordPress plugin before 9.5.10.1 fails to enforce the second-factor challenge on two REST API endpoints, allowing attackers with a…
Hackers are actively exploiting a critical vulnerability in the WP Maps Pro WordPress plugin that allows unauthenticated attackers to create rogue…
A critical CVSS 9.1 access control flaw in the WP Travel Pro WordPress plugin allows unauthenticated attackers to delete any user account — including...
A broken authentication check in the Simple History WordPress plugin (versions up to 5.26.0) allows Subscriber-level users to take over any WordPress...
A high-severity remote code execution vulnerability in the Spectra Gutenberg Blocks plugin for WordPress allows authenticated Contributor-level attackers...
The GEO my WP WordPress plugin (versions up to 4.5.5) is vulnerable to unauthenticated SQL injection via the swlatlng and nelatlng parameters, which...
A critical authentication bypass (CVSS 9.8) in the OTP Login With Phone Number WordPress plugin allows unauthenticated attackers to log in as any user due...
A critical unauthenticated privilege escalation flaw in WP Maps Pro for WordPress (CVSS 9.8) allows attackers to create administrator accounts without...
A critical blind SQL injection vulnerability in the WP Directory Kit WordPress plugin allows unauthenticated attackers to exfiltrate the entire WordPress...
A CVSS 7.5 SQL injection vulnerability in the WP ERP Pro WordPress plugin (all versions up to 1.5.1) allows unauthenticated attackers to extract sensitive...
A critical CVSS 9.8 vulnerability in the Avada Builder (fusion-builder) WordPress plugin allows unauthenticated attackers to execute arbitrary PHP...
The Boost plugin for WordPress versions up to 2.0.3 is vulnerable to PHP Object Injection via deserialization of the STYXKEY-BOOST_USER_LOCATION cookie,...
The Fortis for WooCommerce WordPress plugin before version 1.3.1 exposes sensitive API keys to unauthenticated attackers, enabling unauthorized access to...
A missing WordPress capability check in the AI Engine plugin's MCP OAuth bearer-token path allows any authenticated user to escalate privileges to...
Attackers are actively exploiting a critical vulnerability in the Funnel Builder WordPress plugin to inject malicious JavaScript into WooCommerce checkout...
The Form Notify plugin for WordPress is vulnerable to authentication bypass in versions up to and including 1.1.10. Attackers can manipulate...
Two vulnerabilities in the Avada Builder plugin for WordPress, with an estimated one million active installations, allow hackers to read arbitrary files...
A critical vulnerability in the Funnel Builder plugin for WordPress is being actively exploited to inject malicious JavaScript into WooCommerce checkout...
A CVSS 9.1 authorization bypass in InfusedWoo Pro for WordPress lets unauthenticated attackers permanently delete arbitrary data across all installations...
A high-severity SQL injection vulnerability (CVE-2026-2993) in the AI Chatbot & Workflow Automation by AIWU WordPress plugin allows unauthenticated...
TheCartPress WordPress plugin 1.5.3.6 allows unauthenticated attackers to register new administrator accounts by exploiting the AJAX handler with a...
MStore API 2.0.6 for WordPress allows unauthenticated attackers to upload arbitrary PHP files via the REST API config_file endpoint, achieving remote code...
The Custom css-js-php WordPress plugin through version 2.0.7 fails to sanitize user input before using it in a SQL query, and passes the result to dynamic...
The Brizy Page Builder plugin for WordPress contains a critical unauthenticated Stored Cross-Site Scripting flaw in versions up to 2.8.11, enabling...
A critical unauthenticated arbitrary file upload vulnerability in the User Registration Advanced Fields plugin for WordPress allows attackers to upload...
A critical authentication bypass in the User Verification by PickPlugins plugin for WordPress allows unauthenticated attackers to bypass OTP verification...
A critical CVSS 9.8 authentication bypass in the WordPress Temporary Login plugin (versions up to 1.0.0) allows unauthenticated attackers to gain...
WebPros cPanel, WHM, and WP2 (WordPress Squared) contain a critical authentication bypass in the login flow, allowing unauthenticated remote attackers to...
A critical code injection vulnerability in the FunnelFormsPro WordPress plugin through version 3.8.1 allows remote code inclusion, enabling attackers to...
Threat actors are mass-exploiting a critical unauthenticated file upload vulnerability in the Breeze Cache WordPress plugin, uploading PHP webshells to...
A critical unauthenticated file upload vulnerability in the Breeze Cache WordPress plugin allows attackers to upload arbitrary files to affected servers...
A critical CVSS 9.1 authorization bypass in the WordPress Create DB Tables plugin (all versions up to 1.2.1) allows unauthenticated users to create or...
The CMP Coming Soon & Maintenance Plugin for WordPress contains a critical arbitrary file upload flaw that allows subscriber-level authenticated users to...
The Accordion and Accordion Slider WordPress plugin version 1.4.6 was sold to a malicious threat actor who embedded a persistent backdoor, granting...
A critical CVSS 9.8 vulnerability in the Quick Playground WordPress plugin (versions up to 1.3.1) allows unauthenticated attackers to upload arbitrary...
A critical privilege escalation vulnerability in the Users Manager – PN WordPress plugin (v1.1.15 and below) allows unauthenticated attackers to update...
Attackers are actively exploiting a critical unauthenticated arbitrary file upload vulnerability in the Ninja Forms File Uploads premium add-on for...
Storm-1175 runs sub-24-hour Medusa ransomware campaigns using zero-days; the FBI IC3 reports a record $21 billion in US cybercrime losses for 2025; North...
A high-severity authorization flaw in the ProfilePress WordPress plugin (up to v4.16.11) lets unauthenticated or low-privilege users bypass membership...
A high-severity Insecure Direct Object Reference vulnerability in the WCFM Frontend Manager for WooCommerce plugin (up to v6.7.25) lets authenticated...
The Spam Protect for Contact Form 7 WordPress plugin before 1.2.10 allows an editor-level attacker to achieve Remote Code Execution by logging a crafted...
A vulnerability in the Smart Slider 3 WordPress plugin, active on more than 800,000 websites, allows subscriber-level users to read arbitrary files on the...
A Server-Side Request Forgery vulnerability in the Oxygen Theme plugin for WordPress (all versions up to 6.0.8) enables unauthenticated attackers to make...
The Import and export users and customers plugin for WordPress is vulnerable to privilege escalation in all versions up to 1.29.7, allowing authenticated...
A CVSS 9.8 deserialization vulnerability in the Shinetheme Traveler WordPress plugin allows unauthenticated remote attackers to inject arbitrary PHP...
The Tutor LMS Pro WordPress plugin's Social Login addon fails to verify OAuth token email matches the login request, allowing unauthenticated attackers to...
A cross-site request forgery vulnerability in WooCommerce versions 5.4.0 through 10.5.2 allows attackers to abuse the Store API's batch endpoint to...
A critical unauthenticated arbitrary file upload vulnerability in the WPvivid Backup & Migration plugin allows remote code execution on over 900,000...
Maximum severity flaw in Modular DS WordPress plugin allows unauthenticated privilege escalation. All versions through 2.5.1 affected with active...