Skip to main content
COSMICBYTEZLABS
NewsSecurityHOWTOsToolsTraining
StudyProjectsNewsletterHire MeAbout
Subscribe

Press Enter to search or Esc to close

News
Security
HOWTOs
Tools
Training
Study
Projects
Newsletter
Hire Me
About
RSS Feed
Reading List
Subscribe

Stay in the Loop

Get the latest security alerts, tutorials, and tech insights delivered to your inbox.

Subscribe NowFree forever. No spam.
COSMICBYTEZLABS

Your trusted source for IT intelligence, cybersecurity insights, and hands-on technical guides.

1941+ Articles
150+ Guides

CONTENT

  • Latest News
  • Security Alerts
  • HOWTOs
  • Checklists
  • Projects
  • Exam Prep

RESOURCES

  • Search
  • Browse Tags
  • Newsletter Archive
  • Reading List
  • RSS Feed

COMPANY

  • About Us
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CosmicBytez Labs. All rights reserved.

System Status: Operational
All tags
103 articles

#WordPress

All CosmicBytez Labs articles tagged #WordPress, across news, security advisories, how-to guides, and projects.

  • NewsJul 17, 2026

    New wp2shell WordPress Core Flaw Lets Unauthenticated Attackers Run Code

    A critical unauthenticated remote code execution vulnerability in WordPress core affects all 6.9 and 7.0 installations. WordPress force-pushed emergency patches (6.9.5 / 7.0.2) to sites via its auto-update system.

  • SecurityJul 17, 2026

    CVE-2026-15103: WPFunnels Plugin Privilege Escalation via Unauthenticated REST Endpoint

    A high-severity privilege escalation flaw in WPFunnels for WordPress allows attackers to update arbitrary site options via an unvalidated REST callback, affecting all versions up to 3.12.8.

  • SecurityJul 17, 2026

    CVE-2026-15982: WordPress Aimogen Pro Plugin Privilege Escalation (CVSS 9.8)

    Critical privilege escalation in the Aimogen Pro WordPress plugin (all versions up to 2.8.4) — missing capability check on AI function allows any authenticated user to gain administrator-level access.

  • SecurityJul 16, 2026

    CVE-2026-12492: WooCommerce OTP Login Plugin Auth Bypass — Full Admin Takeover

    The Happy Coders OTP Login for WooCommerce plugin before 2.8 allows unauthenticated attackers to bypass OTP verification and log in as any WordPress user, including administrators.

  • SecurityJul 16, 2026

    CVE-2026-15013: WordPress SAML SSO Plugin — Algorithm Confusion Auth Bypass

    The miniOrange SAML Single Sign On plugin for WordPress through version 5.4.3 allows unauthenticated attackers to log in as any user via an RSA-to-HMAC algorithm confusion attack against the SAML signature verification logic.

  • NewsJul 15, 2026

    We Built a Vulnerability Vending Machine: AI Tokens In, Zero-Days Out

    Security firm Intruder built an AI-powered system that combines code slicing with large language models to automatically discover complex software vulnerabilities — including a previously unknown WordPress plugin zero-day.

  • SecurityJul 13, 2026

    CVE-2026-11964: WordPress User Registration Plugin PayPal Webhook Bypass

    The User Registration & Membership WordPress plugin before 5.2.2 fails to verify PayPal webhook signatures, allowing unauthenticated attackers to forge payment events and gain free premium memberships.

  • NewsJul 11, 2026

    Australia Warns of Global Campaign Targeting Vulnerable CMS Platforms

    The Australian Cyber Security Centre has issued an alert about a coordinated global campaign actively exploiting unpatched vulnerabilities in WordPress,...

  • SecurityJul 11, 2026

    CVE-2026-13353: WordPress WP Ultimate CSV Importer RCE via MappedFields Parameter

    A critical CVSS 8.8 remote code execution vulnerability in WP Ultimate CSV Importer allows unauthenticated attackers to execute arbitrary PHP code on...

  • NewsJul 10, 2026

    Exposed Hacker Server Reveals WP-SHELLSTORM Backdooring Thousands of WordPress Sites

    An unprotected 800MB server left open for three weeks exposed the full toolkit of a webshell access brokerage operation targeting 1.4 million domains....

  • SecurityJul 10, 2026

    CVE-2026-14894: WordPress Super Forms Plugin Critical Arbitrary File Upload

    A critical unauthenticated arbitrary file upload vulnerability in the Super Forms plugin for WordPress (CVSS 9.8) allows attackers to upload and execute...

  • SecurityJul 10, 2026

    CVE-2026-15158: WordPress Blocksy Companion Arbitrary File Upload (CVSS 9.8)

    A critical arbitrary file upload vulnerability in the Blocksy Companion WordPress plugin (versions up to 2.1.46) allows unauthenticated attackers to...

  • SecurityJul 10, 2026

    CVE-2026-15282: WordPress Instant Appointment Plugin Critical File Upload

    A critical unauthenticated arbitrary file upload flaw (CVSS 9.8) in the Instant Appointment WordPress plugin allows attackers to upload and execute...

  • SecurityJul 8, 2026

    CVE-2026-12153: WP Learn Manager Plugin — Unauthenticated Authorization Bypass Allows Plugin Installation

    A critical CVSS 9.8 authorization bypass in the WP Learn Manager WordPress plugin allows unauthenticated attackers to install and activate arbitrary...

  • SecurityJul 8, 2026

    CVE-2026-14487: WordPress Simple Coherent Form Plugin — Critical Unauthenticated File Deletion

    A critical CVSS 9.1 vulnerability in the Simple Coherent Form WordPress plugin allows unauthenticated attackers to delete arbitrary files on the server,...

  • SecurityJul 8, 2026

    CVE-2026-9701: WordPress Eventer Plugin — Insecure Password Reset Enables Account Takeover

    A critical CVSS 9.8 vulnerability in the Eventer WordPress plugin exposes plaintext password reset keys in user meta, allowing unauthenticated attackers...

  • SecurityJul 6, 2026

    CVE-2024-6228: WordPress WANotifier Plugin Local File Inclusion

    A local file inclusion vulnerability in the WANotifier WordPress plugin (before v2.6) allows any authenticated subscriber-level user to include and...

  • SecurityJul 4, 2026

    CVE-2026-4321: Critical SQL Injection in Raera Destekz Plugin (No Patch Available)

    A CVSS 9.8 critical SQL injection in the Destekz plugin by Raera - Ankara Web Design allows unauthenticated remote attackers full database access. The...

  • SecurityJul 3, 2026

    CVE-2026-9725: Critical WordPress WooCommerce Plugin File Deletion

    A CVSS 9.1 critical unauthenticated arbitrary file deletion vulnerability in the Printcart Web to Print Product Designer for WooCommerce plugin affects...

  • SecurityJul 1, 2026

    CVE-2026-12923: YouTube Showcase WordPress Plugin Arbitrary Function Call

    A high-severity arbitrary function call vulnerability in the YouTube Showcase plugin allows authenticated attackers to invoke arbitrary PHP functions via...

  • SecurityJul 1, 2026

    CVE-2026-9711: Critical SQL Injection in EventON WordPress Plugin (CVSS 9.8)

    A critical unauthenticated SQL injection vulnerability in the EventON WordPress Virtual Event Calendar Plugin affects versions up to 5.0.11, exposing...

  • SecurityJun 30, 2026

    CVE-2026-12073: ProfileGrid WordPress Plugin Critical Privilege Escalation

    A critical CVSS 9.8 vulnerability in the ProfileGrid WordPress plugin allows unauthenticated attackers to take over any user account and escalate...

  • SecurityJun 30, 2026

    CVE-2026-57331: Critical Arbitrary File Deletion in Paid Videochat Turnkey Site

    A CVSS 9.9 critical vulnerability in the Paid Videochat Turnkey Site WordPress plugin allows authenticated performer-role users to delete arbitrary files...

  • SecurityJun 28, 2026

    CVE-2026-8095: WordPress Frontend File Manager Plugin Allows Arbitrary File Deletion

    A high-severity authenticated file deletion vulnerability in the nmedia Frontend File Manager Plugin for WordPress allows subscribers to delete any file...

  • SecurityJun 27, 2026

    CVE-2026-12415: WordPress Invoice Generator Privilege Escalation (CVSS 9.8)

    A critical unauthenticated privilege escalation flaw in the WordPress Invoice Generator plugin allows any attacker to take over administrator accounts via...

  • SecurityJun 27, 2026

    CVE-2026-54820: Critical SQL Injection in JetBooking WordPress Plugin

    A critical unauthenticated SQL injection vulnerability (CVSS 9.3) in the JetBooking WordPress plugin affects all versions up to 4.0.4.1, potentially...

  • NewsletterJun 23, 2026

    June 23 Digest: FortiBleed, Klue/Salesforce Supply Chain, Squidbleed, GitHub Actions Fix

    A Russian IAB harvests 110M credentials from FortiGate firewalls; the Icarus group drains hundreds of Salesforce orgs via Klue OAuth tokens; a 29-year-old...

  • NewsJun 22, 2026

    ShapedPlugin WordPress Pro Plugins Backdoored in Supply Chain Attack

    Multiple WordPress plugins from ShapedPlugin were compromised in a supply chain attack, with attackers injecting backdoor code into Pro plugin releases...

  • NewsJun 21, 2026

    Hackers Exploit Gravity SMTP WordPress Plugin Bug to Expose API Keys

    Active exploitation of CVE-2026-4020 in the Gravity SMTP WordPress plugin has generated over 17 million malicious requests, allowing unauthenticated...

  • NewsJun 19, 2026

    15,000 WordPress Websites Cleaned Up in SocGholish Botnet Takedown

    In a major Operation Endgame action, law enforcement and private partners seized 106 SocGholish command-and-control servers and domains, with...

  • NewsJun 19, 2026

    Operation Endgame Disrupts SocGholish Servers, Cleans 14,971 WordPress Sites

    A joint law enforcement operation led by Dutch authorities and including partners from Canada, Germany, and the US has disrupted SocGholish malware...

  • SecurityJun 19, 2026

    CVE-2026-7515: BetterDocs Pro WordPress Plugin — Unauthenticated Local File Inclusion

    A critical Local File Inclusion vulnerability in the BetterDocs Pro WordPress plugin (up to v3.8.0) allows unauthenticated attackers to include and...

  • NewsJun 18, 2026

    Police Cleans Nearly 15,000 SocGholish-Infected Sites Tied to Evil Corp

    International law enforcement cleaned nearly 15,000 malware-infected WordPress websites and took down more than 100 servers linked to the SocGholish...

  • NewsJun 18, 2026

    ShapedPlugin Update Flow Hacked to Infect WordPress Sites

    Multiple WordPress plugins from ShapedPlugin were compromised in a supply chain attack that distributed infected releases to paying customers via the...

  • SecurityJun 17, 2026

    CVE-2026-49772: The Events Calendar Blind SQL Injection (CVSS 9.3)

    A critical blind SQL injection vulnerability in The Events Calendar WordPress plugin by StellarWP affects versions 6.15.12 through 6.16.2, allowing...

  • SecurityJun 17, 2026

    CVE-2026-49774: RD Station WordPress Plugin Remote Code Injection (CVSS 9.9)

    A critical code injection vulnerability in the RD Station WordPress plugin allows unauthenticated remote code execution through Remote File Inclusion,...

  • SecurityJun 17, 2026

    CVE-2026-52715: GEO my WordPress Unauthenticated SQL Injection (CVSS 9.3)

    A critical unauthenticated SQL injection vulnerability in GEO my WordPress versions 4.5.5 and earlier allows attackers to extract database contents...

  • NewsletterJun 17, 2026

    June 17 Digest: Teams C2 Evasion, Copilot Data Theft, iRhythm Breach, cPanel KEV

    DragonForce hides C2 inside Microsoft Teams relay traffic; a SearchLeak attack weaponizes M365 Copilot for one-click data exfiltration; iRhythm confirms...

  • NewsJun 16, 2026

    'Lorem Ipsum' Malware Pivots to ClickFix Delivery via WordPress

    New analysis reveals the 'Lorem Ipsum' malware campaign has adopted ClickFix social engineering as its primary delivery mechanism, leveraging compromised...

  • SecurityJun 16, 2026

    CVE-2016-20066: WordPress CP Polls Persistent XSS via File Upload

    WordPress CP Polls plugin version 1.0.8 contains a persistent cross-site scripting vulnerability that allows attackers to inject malicious scripts through...

  • SecurityJun 16, 2026

    CVE-2026-27053: Critical PHP Object Injection in Broadcast Live Video Plugin

    A critical unauthenticated PHP Object Injection vulnerability in the Broadcast Live Video WordPress plugin (versions < 7.1.3) carries a CVSS score of 9.8...

  • SecurityJun 16, 2026

    CVE-2026-39574: Critical SQL Injection in InPost Gallery WordPress Plugin

    A critical unauthenticated SQL injection vulnerability (CVSS 9.3) in the InPost Gallery WordPress plugin allows attackers to extract sensitive database...

  • SecurityJun 16, 2026

    CVE-2026-6933: Unauthenticated RCE in Premmerce Dev Tools WordPress Plugin

    A high-severity unauthenticated remote code execution vulnerability (CVSS 8.8) in Premmerce Dev Tools for WordPress allows attackers to execute arbitrary...

  • SecurityJun 15, 2026

    CVE-2026-8935: WP Maps Pro Unauthenticated Admin Account Creation (CVSS 9.8)

    A critical unauthenticated vulnerability in the WP Maps Pro WordPress plugin before 6.1.1 allows any visitor to create an administrator account and...

  • SecurityJun 14, 2026

    CVE-2026-5513: Bookly WordPress Plugin Stored XSS via Cookie

    The Bookly scheduling plugin for WordPress contains a stored cross-site scripting vulnerability in versions up to 27.2, allowing unauthenticated attackers...

  • SecurityJun 12, 2026

    CVE-2026-47365: WordPress Toolkit Argument Injection in cPanel & WHM

    A critical CVSS 9.9 argument injection vulnerability in WordPress Toolkit before 6.11.0 allows remote authenticated users to bypass cross-tenant...

  • SecurityJun 11, 2026

    CVE-2025-6254: WordPress Doctreat Core Plugin Privilege Escalation (CVSS 9.8)

    A critical unauthenticated privilege escalation vulnerability in the Doctreat Core WordPress plugin allows attackers to register with elevated roles,...

  • NewsJun 6, 2026

    Critical Everest Forms Pro Flaw Exploited to Take Over WordPress Sites

    Hackers are actively exploiting a critical vulnerability (CVE-2026-3300) in the Everest Forms Pro WordPress plugin, enabling them to take complete control of…

  • SecurityJun 6, 2026

    CVE-2026-7537: MDJM Event Management WordPress Plugin Arbitrary File Upload

    A high-severity arbitrary file upload vulnerability in the MDJM Event Management plugin for WordPress allows authenticated attackers to upload malicious files…

  • SecurityJun 6, 2026

    CVE-2026-7654: PHP Object Injection RCE in WordPress Admin Columns Plugin (≤ 7.0.18)

    A high-severity PHP Object Injection vulnerability in the Admin Columns WordPress plugin (versions up to 7.0.18) allows authenticated attackers to achieve…

  • SecurityJun 6, 2026

    CVE-2026-9851: WordPress Booking Package Plugin Privilege Escalation via Account Takeover

    A high-severity privilege escalation vulnerability in the Booking Package WordPress plugin allows unauthenticated or low-privileged attackers to take over…

  • SecurityJun 5, 2026

    CVE-2026-49777: CVSS 10 Flaw in WooCommerce Product Slider Pro Enables Malware Implantation

    A maximum-severity input validation vulnerability in Product Slider Pro for WooCommerce allows attackers to implant malicious software. Affects all versions…

  • NewsJun 3, 2026

    Critical Kirki Flaw Exploited to Hijack WordPress Admin Accounts

    Hackers are actively exploiting a critical privilege escalation vulnerability (CVE-2026-8206) in the widely-used Kirki Customizer Framework plugin for…

  • SecurityJun 2, 2026

    CVE-2026-8206: Kirki WordPress Plugin Critical Privilege Escalation via Account Takeover

    The Kirki Freeform Page Builder plugin for WordPress (versions 6.0.0–6.0.6) allows unauthenticated attackers to take over any user account during password…

  • SecurityJun 2, 2026

    CVE-2026-8293: Really Simple Security WordPress Plugin 2FA Authentication Bypass

    The Really Simple Security WordPress plugin before 9.5.10.1 fails to enforce the second-factor challenge on two REST API endpoints, allowing attackers with a…

  • NewsMay 31, 2026

    WP Maps Pro Bug Exploited to Create Admin Accounts on WordPress Sites

    Hackers are actively exploiting a critical vulnerability in the WP Maps Pro WordPress plugin that allows unauthenticated attackers to create rogue…

  • SecurityMay 30, 2026

    CVE-2026-4290: WP Travel Pro Arbitrary User Deletion via Broken REST API Access Control

    A critical CVSS 9.1 access control flaw in the WP Travel Pro WordPress plugin allows unauthenticated attackers to delete any user account — including...

  • SecurityMay 30, 2026

    CVE-2026-7459: WordPress Simple History Plugin Account Takeover

    A broken authentication check in the Simple History WordPress plugin (versions up to 5.26.0) allows Subscriber-level users to take over any WordPress...

  • SecurityMay 30, 2026

    CVE-2026-7465: RCE in Spectra Gutenberg Blocks WordPress Plugin (CVSS 8.8)

    A high-severity remote code execution vulnerability in the Spectra Gutenberg Blocks plugin for WordPress allows authenticated Contributor-level attackers...

  • SecurityMay 30, 2026

    CVE-2026-9757: GEO my WP Plugin SQL Injection via Query String Bypass

    The GEO my WP WordPress plugin (versions up to 4.5.5) is vulnerable to unauthenticated SQL injection via the swlatlng and nelatlng parameters, which...

  • SecurityMay 29, 2026

    CVE-2026-3655: OTP Login WordPress Plugin Auth Bypass via Firebase Session Mismatch

    A critical authentication bypass (CVSS 9.8) in the OTP Login With Phone Number WordPress plugin allows unauthenticated attackers to log in as any user due...

  • SecurityMay 29, 2026

    CVE-2026-8732: WP Maps Pro Privilege Escalation via Admin Account Creation

    A critical unauthenticated privilege escalation flaw in WP Maps Pro for WordPress (CVSS 9.8) allows attackers to create administrator accounts without...

  • SecurityMay 22, 2026

    CVE-2026-39531: WP Directory Kit Blind SQL Injection (CVSS

    A critical blind SQL injection vulnerability in the WP Directory Kit WordPress plugin allows unauthenticated attackers to exfiltrate the entire WordPress...

  • SecurityMay 22, 2026

    WP ERP Pro SQL Injection via search_key Parameter

    A CVSS 7.5 SQL injection vulnerability in the WP ERP Pro WordPress plugin (all versions up to 1.5.1) allows unauthenticated attackers to extract sensitive...

  • SecurityMay 21, 2026

    CVE-2026-6279: Avada Builder Unauthenticated RCE via PHP

    A critical CVSS 9.8 vulnerability in the Avada Builder (fusion-builder) WordPress plugin allows unauthenticated attackers to execute arbitrary PHP...

  • SecurityMay 20, 2026

    CVE-2026-7637: WordPress Boost Plugin PHP Object Injection

    The Boost plugin for WordPress versions up to 2.0.3 is vulnerable to PHP Object Injection via deserialization of the STYXKEY-BOOST_USER_LOCATION cookie,...

  • SecurityMay 19, 2026

    CVE-2025-15609: Fortis for WooCommerce Plugin Leaks API

    The Fortis for WooCommerce WordPress plugin before version 1.3.1 exposes sensitive API keys to unauthenticated attackers, enabling unauthorized access to...

  • SecurityMay 17, 2026

    CVE-2026-8719: WordPress AI Engine Plugin Privilege

    A missing WordPress capability check in the AI Engine plugin's MCP OAuth bearer-token path allows any authenticated user to escalate privileges to...

  • NewsMay 16, 2026

    Funnel Builder Flaw Under Active Exploitation Enables

    Attackers are actively exploiting a critical vulnerability in the Funnel Builder WordPress plugin to inject malicious JavaScript into WooCommerce checkout...

  • SecurityMay 16, 2026

    WordPress Form Notify Plugin Auth Bypass via LINE OAuth

    The Form Notify plugin for WordPress is vulnerable to authentication bypass in versions up to and including 1.1.10. Attackers can manipulate...

  • NewsMay 15, 2026

    Avada Builder WordPress Plugin Flaws Allow Site Credential

    Two vulnerabilities in the Avada Builder plugin for WordPress, with an estimated one million active installations, allow hackers to read arbitrary files...

  • NewsMay 15, 2026

    Funnel Builder WordPress Plugin Bug Exploited to Steal

    A critical vulnerability in the Funnel Builder plugin for WordPress is being actively exploited to inject malicious JavaScript into WooCommerce checkout...

  • SecurityMay 15, 2026

    Critical Auth Bypass in InfusedWoo Pro Enables

    A CVSS 9.1 authorization bypass in InfusedWoo Pro for WordPress lets unauthenticated attackers permanently delete arbitrary data across all installations...

  • SecurityMay 13, 2026

    CVE-2026-2993: SQL Injection in AIWU AI Chatbot WordPress

    A high-severity SQL injection vulnerability (CVE-2026-2993) in the AI Chatbot & Workflow Automation by AIWU WordPress plugin allows unauthenticated...

  • SecurityMay 11, 2026

    CVE-2021-47932: WordPress TheCartPress 1.5.3.6 Privilege

    TheCartPress WordPress plugin 1.5.3.6 allows unauthenticated attackers to register new administrator accounts by exploiting the AJAX handler with a...

  • SecurityMay 11, 2026

    CVE-2021-47933: WordPress MStore API 2.0.6 Arbitrary File

    MStore API 2.0.6 for WordPress allows unauthenticated attackers to upload arbitrary PHP files via the REST API config_file endpoint, achieving remote code...

  • SecurityMay 11, 2026

    CVE-2026-6433: WordPress Plugin SQLi Enables

    The Custom css-js-php WordPress plugin through version 2.0.7 fails to sanitize user input before using it in a SQL query, and passes the result to dynamic...

  • SecurityMay 3, 2026

    CVE-2026-5324: WordPress Brizy Page Builder Unauthenticated

    The Brizy Page Builder plugin for WordPress contains a critical unauthenticated Stored Cross-Site Scripting flaw in versions up to 2.8.11, enabling...

  • SecurityMay 2, 2026

    CVE-2026-4882: Unauthenticated File Upload in WordPress

    A critical unauthenticated arbitrary file upload vulnerability in the User Registration Advanced Fields plugin for WordPress allows attackers to upload...

  • SecurityMay 2, 2026

    CVE-2026-7458: Authentication Bypass via OTP Flaw in WordPress User Verification Plugin

    A critical authentication bypass in the User Verification by PickPlugins plugin for WordPress allows unauthenticated attackers to bypass OTP verification...

  • SecurityMay 1, 2026

    Critical Authentication Bypass in WordPress Temporary Login

    A critical CVSS 9.8 authentication bypass in the WordPress Temporary Login plugin (versions up to 1.0.0) allows unauthenticated attackers to gain...

  • SecurityApr 30, 2026

    CVE-2026-41940: WebPros cPanel & WHM and WP2 Missing

    WebPros cPanel, WHM, and WP2 (WordPress Squared) contain a critical authentication bypass in the login flow, allowing unauthenticated remote attackers to...

  • SecurityApr 24, 2026

    CVE-2026-39440: FunnelFormsPro WordPress Plugin Remote Code

    A critical code injection vulnerability in the FunnelFormsPro WordPress plugin through version 3.8.1 allows remote code inclusion, enabling attackers to...

  • NewsApr 23, 2026

    Hackers Actively Exploiting Breeze Cache File Upload Bug in WordPress Attacks

    Threat actors are mass-exploiting a critical unauthenticated file upload vulnerability in the Breeze Cache WordPress plugin, uploading PHP webshells to...

  • SecurityApr 23, 2026

    CVE-2026-3844 — Breeze Cache WordPress Plugin

    A critical unauthenticated file upload vulnerability in the Breeze Cache WordPress plugin allows attackers to upload arbitrary files to affected servers...

  • SecurityApr 23, 2026

    CVE-2026-4119: WordPress Create DB Tables Plugin

    A critical CVSS 9.1 authorization bypass in the WordPress Create DB Tables plugin (all versions up to 1.2.1) allows unauthenticated users to create or...

  • SecurityApr 18, 2026

    CVE-2026-6518: WordPress CMP Plugin Arbitrary File Upload

    The CMP Coming Soon & Maintenance Plugin for WordPress contains a critical arbitrary file upload flaw that allows subscriber-level authenticated users to...

  • SecurityApr 17, 2026

    CVE-2026-6443: WordPress Accordion Plugin Backdoor in Version 1.4.6

    The Accordion and Accordion Slider WordPress plugin version 1.4.6 was sold to a malicious threat actor who embedded a persistent backdoor, granting...

  • SecurityApr 9, 2026

    CVE-2026-1830: WordPress Quick Playground Plugin RCE via Unauthenticated File Upload

    A critical CVSS 9.8 vulnerability in the Quick Playground WordPress plugin (versions up to 1.3.1) allows unauthenticated attackers to upload arbitrary...

  • SecurityApr 8, 2026

    CVE-2026-4003: WordPress Users Manager PN Plugin Privilege

    A critical privilege escalation vulnerability in the Users Manager – PN WordPress plugin (v1.1.15 and below) allows unauthenticated attackers to update...

  • NewsApr 7, 2026

    Hackers Exploit Critical Flaw in Ninja Forms WordPress

    Attackers are actively exploiting a critical unauthenticated arbitrary file upload vulnerability in the Ninja Forms File Uploads premium add-on for...

  • NewsletterApr 7, 2026

    Apr 7 Digest: Medusa Ransomware Surge, FBI $21B Record

    Storm-1175 runs sub-24-hour Medusa ransomware campaigns using zero-days; the FBI IC3 reports a record $21 billion in US cybercrime losses for 2025; North...

  • SecurityApr 4, 2026

    CVE-2026-3445: ProfilePress WordPress Plugin Allows

    A high-severity authorization flaw in the ProfilePress WordPress plugin (up to v4.16.11) lets unauthenticated or low-privilege users bypass membership...

  • SecurityApr 4, 2026

    CVE-2026-4896: WCFM WooCommerce Plugin IDOR Allows

    A high-severity Insecure Direct Object Reference vulnerability in the WCFM Frontend Manager for WooCommerce plugin (up to v6.7.25) lets authenticated...

  • SecurityApr 2, 2026

    CVE-2026-1540: Spam Protect CF7 WordPress Plugin PHP Log RCE

    The Spam Protect for Contact Form 7 WordPress plugin before 1.2.10 allows an editor-level attacker to achieve Remote Code Execution by logging a crafted...

  • NewsMar 29, 2026

    File Read Flaw in Smart Slider Plugin Impacts 500K

    A vulnerability in the Smart Slider 3 WordPress plugin, active on more than 800,000 websites, allows subscriber-level users to read arbitrary files on the...

  • SecurityMar 28, 2026

    CVE-2025-12886: Oxygen Theme SSRF Allows Unauthenticated

    A Server-Side Request Forgery vulnerability in the Oxygen Theme plugin for WordPress (all versions up to 6.0.8) enables unauthenticated attackers to make...

  • SecurityMar 22, 2026

    CVE-2026-3629: WordPress User Import Plugin Privilege

    The Import and export users and customers plugin for WordPress is vulnerable to privilege escalation in all versions up to 1.29.7, allowing authenticated...

  • SecurityMar 19, 2026

    CVE-2026-25449: Critical Object Injection in Shinetheme

    A CVSS 9.8 deserialization vulnerability in the Shinetheme Traveler WordPress plugin allows unauthenticated remote attackers to inject arbitrary PHP...

  • SecurityMar 11, 2026

    Critical Auth Bypass in Tutor LMS Pro Exposes 30,000+

    The Tutor LMS Pro WordPress plugin's Social Login addon fails to verify OAuth token email matches the login request, allowing unauthenticated attackers to...

  • SecurityMar 7, 2026

    CVE-2026-3589: WooCommerce CSRF Flaw Allows Unauthenticated

    A cross-site request forgery vulnerability in WooCommerce versions 5.4.0 through 10.5.2 allows attackers to abuse the Store API's batch endpoint to...

  • SecurityFeb 12, 2026

    Critical RCE in WPvivid Backup Plugin Threatens 900,000+

    A critical unauthenticated arbitrary file upload vulnerability in the WPvivid Backup & Migration plugin allows remote code execution on over 900,000...

  • SecurityJan 25, 2026

    WordPress Plugin Vulnerability (CVSS 10.0) Under Active

    Maximum severity flaw in Modular DS WordPress plugin allows unauthenticated privilege escalation. All versions through 2.5.1 affected with active...