{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/plugin-vulnerability/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-6320"}],"_cs_exploited":false,"_cs_products":["Salon Booking System – Free Version plugin for WordPress \u003c= 10.30.25"],"_cs_severities":["high"],"_cs_tags":["arbitrary-file-read","wordpress","plugin-vulnerability","cve"],"_cs_type":"advisory","_cs_vendors":["WordPress"],"content_html":"\u003cp\u003eThe Salon Booking System – Free Version plugin for WordPress, versions up to and including 10.30.25, contains an arbitrary file read vulnerability. This flaw stems from the plugin\u0026rsquo;s public booking flow, where it accepts attacker-controlled file-field values. These values are subsequently used as trusted paths when creating email attachments for booking confirmations. This allows an unauthenticated attacker to supply a path to any file accessible to the web server, triggering its inclusion as an attachment in the booking confirmation email, effectively enabling arbitrary file exfiltration. 
Exploitation requires no authentication and can be triggered remotely.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker accesses the public booking form of a WordPress site running the vulnerable Salon Booking System plugin.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious request to the booking form, injecting a file path (e.g., \u003ccode\u003e/etc/passwd\u003c/code\u003e) into a file-field parameter.\u003c/li\u003e\n\u003cli\u003eThe plugin processes the booking request and stores the attacker-supplied file path.\u003c/li\u003e\n\u003cli\u003eThe plugin generates a booking confirmation email.\u003c/li\u003e\n\u003cli\u003eThe plugin uses the stored, attacker-controlled file path to attach the specified file to the confirmation email.\u003c/li\u003e\n\u003cli\u003eThe booking confirmation email, now containing the arbitrary file as an attachment, is sent to the user who initiated the booking (which could be the attacker or an unwitting third party).\u003c/li\u003e\n\u003cli\u003eThe attacker retrieves the email (if sent to the attacker) or intercepts it (if sent to a third party) and extracts the attached file.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to the contents of the exfiltrated file.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows unauthenticated attackers to read arbitrary files from the affected WordPress server. This could lead to the disclosure of sensitive information, such as configuration files, database credentials, or other confidential data. The vulnerability affects versions of the Salon Booking System plugin up to and including 10.30.25. 
The number of affected WordPress installations is unknown, but could be substantial given the plugin\u0026rsquo;s popularity.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the Salon Booking System plugin to the latest version to patch CVE-2026-6320.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs (category \u003ccode\u003ewebserver\u003c/code\u003e, product \u003ccode\u003elinux\u003c/code\u003e) for suspicious requests containing absolute or relative file paths in file-field parameters, using a detection rule similar to the ones provided below.\u003c/li\u003e\n\u003cli\u003eImplement strict input validation and sanitization for all user-supplied data, especially file paths.\u003c/li\u003e\n\u003cli\u003eReview and restrict file system permissions to limit the files accessible to the web server process.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-02T12:16:16Z","date_published":"2026-05-02T12:16:16Z","id":"/briefs/2026-05-wordpress-arbitrary-file-read/","summary":"The Salon Booking System WordPress plugin is vulnerable to arbitrary file read, allowing unauthenticated attackers to exfiltrate local files by manipulating file-field values in booking confirmation emails.","title":"Salon Booking System WordPress Plugin Arbitrary File Read Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-05-wordpress-arbitrary-file-read/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-6963"}],"_cs_exploited":false,"_cs_products":["WP Mail Gateway plugin"],"_cs_severities":["high"],"_cs_tags":["wordpress","privilege-escalation","plugin-vulnerability"],"_cs_type":"advisory","_cs_vendors":["WordPress"],"content_html":"\u003cp\u003eThe WP Mail Gateway plugin, a WordPress extension, contains a vulnerability (CVE-2026-6963) that allows authenticated users with minimal privileges (Subscriber level or higher) to gain administrative access. 
The flaw resides in the \u003ccode\u003ewmg_save_provider_config\u003c/code\u003e AJAX action, which lacks proper authorization checks. This omission enables attackers to manipulate SMTP settings, redirect outgoing emails, and ultimately trigger password reset emails intended for administrators. The vulnerability affects all versions of the WP Mail Gateway plugin up to and including version 1.8. Successful exploitation grants attackers complete control over the WordPress site, making it a critical security concern for any organization using the vulnerable plugin.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker logs into a WordPress site with a Subscriber-level account or higher.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious AJAX request targeting the \u003ccode\u003ewmg_save_provider_config\u003c/code\u003e action.\u003c/li\u003e\n\u003cli\u003eThis request modifies the SMTP settings, redirecting outgoing emails to an attacker-controlled server.\u003c/li\u003e\n\u003cli\u003eThe attacker initiates a password reset request for an administrator account.\u003c/li\u003e\n\u003cli\u003eThe password reset email is intercepted by the attacker\u0026rsquo;s server.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the password reset link to gain access to the administrator\u0026rsquo;s account.\u003c/li\u003e\n\u003cli\u003eThe attacker logs into the WordPress dashboard with administrator privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker can now perform any administrative action, including installing malicious plugins, modifying site content, or creating new administrator accounts.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-6963 allows an attacker to completely compromise a WordPress website.  
Even low-privileged users can elevate their access to administrator, giving them full control over the site.  This can lead to data breaches, website defacement, malware deployment, and other malicious activities. The vulnerability affects all installations of the WP Mail Gateway plugin up to version 1.8, potentially impacting thousands of WordPress sites.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the WP Mail Gateway plugin to a version beyond 1.8 to patch CVE-2026-6963.\u003c/li\u003e\n\u003cli\u003eMonitor WordPress logs for suspicious AJAX requests targeting the \u003ccode\u003ewmg_save_provider_config\u003c/code\u003e action using the Sigma rule provided below. Enable webserver logging to capture HTTP POST requests.\u003c/li\u003e\n\u003cli\u003eImplement the provided Sigma rule to detect modifications to WordPress options related to SMTP configuration. Enable relevant logging for registry modifications.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-02T05:16:01Z","date_published":"2026-05-02T05:16:01Z","id":"/briefs/2026-05-wp-mail-gateway-privesc/","summary":"The WP Mail Gateway plugin for WordPress is vulnerable to unauthorized access due to a missing capability check, allowing authenticated attackers to modify SMTP settings and escalate privileges.","title":"WP Mail Gateway Plugin Vulnerability Leads to Privilege Escalation","url":"https://feed.craftedsignal.io/briefs/2026-05-wp-mail-gateway-privesc/"},{"_cs_actors":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2026-7567"}],"_cs_exploited":false,"_cs_products":["Temporary Login plugin"],"_cs_severities":["critical"],"_cs_tags":["authentication bypass","wordpress","plugin vulnerability","cve-2026-7567","cloud"],"_cs_type":"advisory","_cs_vendors":["WordPress"],"content_html":"\u003cp\u003eCVE-2026-7567 is an authentication bypass vulnerability that affects the Temporary Login plugin for WordPress, specifically versions up to 
and including 1.0.0. The vulnerability stems from a failure to properly validate the \u0026lsquo;temp-login-token\u0026rsquo; GET parameter within the \u003ccode\u003emaybe_login_temporary_user()\u003c/code\u003e function. By supplying an array as the value for this parameter, attackers can circumvent the intended \u003ccode\u003eempty()\u003c/code\u003e check. This leads to the \u003ccode\u003esanitize_key()\u003c/code\u003e function returning an empty string, which is then used in a database query to fetch users. WordPress ignores empty \u003ccode\u003emeta_value\u003c/code\u003e parameters, causing the query to return all users with the \u003ccode\u003e_temporary_login_token\u003c/code\u003e meta key. Consequently, an unauthenticated attacker can effectively authenticate as any user with an active temporary login session by sending a single, maliciously crafted GET request. This poses a severe risk to website security, as it allows unauthorized access to user accounts and potentially sensitive data.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker identifies a WordPress site using the vulnerable Temporary Login plugin (version \u0026lt;= 1.0.0).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious GET request targeting the WordPress site\u0026rsquo;s login endpoint, including the \u0026lsquo;temp-login-token\u0026rsquo; parameter as an array (e.g., \u003ccode\u003etemp-login-token[]=\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe web server receives the GET request.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003emaybe_login_temporary_user()\u003c/code\u003e function processes the request.\u003c/li\u003e\n\u003cli\u003eDue to improper input validation, the \u003ccode\u003eempty()\u003c/code\u003e check is bypassed when the \u0026lsquo;temp-login-token\u0026rsquo; parameter is an 
array.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003esanitize_key()\u003c/code\u003e processes the array and returns an empty string as the meta_value.\u003c/li\u003e\n\u003cli\u003eWordPress executes a database query using the empty meta_value, effectively retrieving all users with active temporary login tokens.\u003c/li\u003e\n\u003cli\u003eThe attacker is granted unauthorized access to the account of a targeted temporary user, bypassing normal authentication procedures.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-7567 allows unauthenticated attackers to bypass login restrictions and gain unauthorized access to WordPress user accounts utilizing the vulnerable Temporary Login plugin. The severity is high, as it allows complete compromise of user accounts without requiring any valid credentials. The impact includes potential data theft, account takeover, website defacement, and other malicious activities, depending on the privileges of the compromised user account.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the available patch or upgrade the Temporary Login plugin to a version greater than 1.0.0 to remediate CVE-2026-7567.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect WordPress Temporary Login Authentication Bypass Attempt\u003c/code\u003e to detect exploitation attempts by monitoring HTTP requests with array-based \u003ccode\u003etemp-login-token\u003c/code\u003e parameters in the query string.\u003c/li\u003e\n\u003cli\u003eImplement input validation on the web server to reject requests containing array-based parameters where scalar strings are expected.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-01T10:15:58Z","date_published":"2026-05-01T10:15:58Z","id":"/briefs/2024-01-wordpress-temp-login-auth-bypass/","summary":"The Temporary Login plugin for WordPress 
versions up to 1.0.0 is vulnerable to authentication bypass due to improper input validation, allowing unauthenticated attackers to log in as arbitrary temporary users by sending a specially crafted GET request.","title":"WordPress Temporary Login Plugin Authentication Bypass (CVE-2026-7567)","url":"https://feed.craftedsignal.io/briefs/2024-01-wordpress-temp-login-auth-bypass/"},{"_cs_actors":[],"_cs_cves":[{"cvss":9.1,"id":"CVE-2026-4119"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["wordpress","authorization-bypass","plugin-vulnerability","cve-2026-4119"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe Create DB Tables plugin, versions 1.2.1 and earlier, suffers from an authorization bypass vulnerability (CVE-2026-4119). This flaw stems from the plugin\u0026rsquo;s failure to implement capability checks or nonce verification for its admin_post action hooks, specifically those responsible for creating (admin_post_add_table) and deleting (admin_post_delete_db_table) database tables. Because the admin_post hook only requires a user to be logged in, any authenticated user, including those with the lowest Subscriber role, can access these endpoints. This oversight allows malicious actors to create arbitrary database tables or, more critically, delete existing ones, including vital WordPress core tables. The vulnerability was published on 2026-04-22, and given the severity, defenders should immediately address this risk. 
The affected versions of the plugin should be updated or removed to prevent potential exploitation.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker registers an account on a vulnerable WordPress site, gaining Subscriber-level access.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a POST request to \u003ccode\u003ewp-admin/admin-post.php\u003c/code\u003e with the action parameter set to \u003ccode\u003eadd_table\u003c/code\u003e or \u003ccode\u003edelete_db_table\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker provides the \u003ccode\u003edb_table\u003c/code\u003e parameter with the name of the table to be deleted, if exploiting the \u003ccode\u003edelete_db_table\u003c/code\u003e action.\u003c/li\u003e\n\u003cli\u003eThe server processes the request without proper authorization checks, because \u003ccode\u003ecurrent_user_can()\u003c/code\u003e and \u003ccode\u003ewp_verify_nonce()\u003c/code\u003e are missing.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ecdbt_delete_db_table()\u003c/code\u003e function executes a \u003ccode\u003eDROP TABLE\u003c/code\u003e SQL query based on the user-supplied \u003ccode\u003edb_table\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eIf the attacker targets a critical WordPress core table like \u003ccode\u003ewp_users\u003c/code\u003e or \u003ccode\u003ewp_options\u003c/code\u003e, the site\u0026rsquo;s functionality will be severely impacted.\u003c/li\u003e\n\u003cli\u003eAlternatively, if exploiting the \u003ccode\u003eadd_table\u003c/code\u003e action, the \u003ccode\u003ecdbt_create_new_table()\u003c/code\u003e function executes a \u003ccode\u003eCREATE TABLE\u003c/code\u003e SQL query, creating an arbitrary database table.\u003c/li\u003e\n\u003cli\u003eSuccessful exploitation can lead to complete destruction of the WordPress installation or the introduction of malicious database tables.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 
id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows any authenticated user to delete arbitrary database tables, including critical WordPress core tables. This can lead to complete site destruction and data loss. An attacker could delete the \u003ccode\u003ewp_users\u003c/code\u003e table, effectively locking out all administrators and other users, or delete the \u003ccode\u003ewp_options\u003c/code\u003e table, causing the site to revert to its default state or become completely unusable. The CVSS v3.1 base score for this vulnerability is 9.1, highlighting the critical nature of the risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately update the Create DB Tables plugin to a version higher than 1.2.1, where this vulnerability is patched.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for POST requests to \u003ccode\u003ewp-admin/admin-post.php\u003c/code\u003e with \u003ccode\u003eaction=delete_db_table\u003c/code\u003e or \u003ccode\u003eaction=add_table\u003c/code\u003e (see rule: \u0026ldquo;Detect Unauthorized DB Table Modification\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eImplement a Web Application Firewall (WAF) rule to block requests to \u003ccode\u003ewp-admin/admin-post.php\u003c/code\u003e with the vulnerable actions unless originating from an administrator (see rule: \u0026ldquo;WAF - Block Unauthorized DB Table Modification\u0026rdquo;).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-22T09:16:49Z","date_published":"2026-04-22T09:16:49Z","id":"/briefs/2026-04-wordpress-create-db-tables-auth-bypass/","summary":"The Create DB Tables plugin for WordPress versions 1.2.1 and earlier is vulnerable to an authorization bypass, allowing authenticated users to create and delete database tables without proper checks, potentially leading to complete site destruction.","title":"WordPress Create DB Tables Plugin 
Authorization Bypass Vulnerability (CVE-2026-4119)","url":"https://feed.craftedsignal.io/briefs/2026-04-wordpress-create-db-tables-auth-bypass/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.5,"id":"CVE-2026-34885"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["sql-injection","wordpress","plugin-vulnerability"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-34885 describes an SQL Injection vulnerability affecting the Media Library Assistant WordPress plugin. This plugin, developed by David Lingren, is vulnerable in versions up to and including 3.34. The vulnerability stems from improper neutralization of special elements used in SQL commands, potentially allowing attackers to inject malicious SQL code. Exploitation could lead to unauthorized data access, modification, or deletion within the WordPress database. Given the widespread use of WordPress and its plugin ecosystem, this vulnerability presents a significant risk to websites utilizing the affected plugin. 
Successful exploitation could compromise sensitive information, deface websites, or even gain administrative control.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a WordPress website using Media Library Assistant version 3.34 or earlier.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request containing SQL injection payload in a plugin parameter, such as a search query or media metadata field.\u003c/li\u003e\n\u003cli\u003eThe crafted request is sent to the vulnerable endpoint within the Media Library Assistant plugin.\u003c/li\u003e\n\u003cli\u003eThe plugin fails to properly sanitize or neutralize the SQL injection payload.\u003c/li\u003e\n\u003cli\u003eThe unsanitized payload is incorporated into an SQL query executed against the WordPress database.\u003c/li\u003e\n\u003cli\u003eThe injected SQL code manipulates the query logic, allowing the attacker to bypass security checks.\u003c/li\u003e\n\u003cli\u003eThe attacker extracts sensitive data from the database, such as user credentials, posts, or other stored information.\u003c/li\u003e\n\u003cli\u003eThe attacker could potentially modify or delete data, or even gain administrative access to the WordPress site.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this SQL injection vulnerability could lead to a range of damaging outcomes. Attackers could gain unauthorized access to sensitive data stored within the WordPress database, including user credentials, customer information, and proprietary content. This data could be exfiltrated and sold on the dark web or used for further malicious activities. Website defacement, data modification, and complete site compromise are also potential consequences. 
The number of affected websites is potentially large, given the popularity of WordPress and its extensive plugin ecosystem.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the Media Library Assistant WordPress plugin to a version higher than 3.34 to patch CVE-2026-34885.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect SQL Injection Attempts via HTTP Request\u003c/code\u003e to identify potential exploitation attempts in web server logs.\u003c/li\u003e\n\u003cli\u003eImplement a Web Application Firewall (WAF) with rules specifically designed to detect and block SQL injection attacks against WordPress plugins.\u003c/li\u003e\n\u003cli\u003eEnable regular security audits of WordPress installations and plugins to identify and address vulnerabilities promptly.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-06T15:17:11Z","date_published":"2026-04-06T15:17:11Z","id":"/briefs/2026-04-mla-sql-injection/","summary":"The Media Library Assistant WordPress plugin through version 3.34 is vulnerable to SQL injection, allowing attackers to manipulate database queries.","title":"Media Library Assistant WordPress Plugin SQL Injection Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-mla-sql-injection/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["wordpress","authentication-bypass","plugin-vulnerability","cve-2026-4021"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe Contest Gallery plugin for WordPress, versions up to and including 28.1.5, is vulnerable to a critical authentication bypass (CVE-2026-4021). 
This vulnerability stems from how the \u003ccode\u003eusers-registry-check-after-email-or-pin-confirmation.php\u003c/code\u003e script handles email confirmations, combined with an unauthenticated key-based login endpoint in \u003ccode\u003eajax-functions-frontend.php\u003c/code\u003e.  If the \u003ccode\u003eRegMailOptional=1\u003c/code\u003e setting is enabled (non-default), an attacker can register a new user account with a specially…\u003c/p\u003e\n","date_modified":"2026-03-24T00:16:31Z","date_published":"2026-03-24T00:16:31Z","id":"/briefs/2026-03-contest-gallery-auth-bypass/","summary":"CVE-2026-4021 describes an authentication bypass vulnerability in the Contest Gallery plugin for WordPress, allowing unauthenticated attackers to gain admin access by manipulating the user activation key and using an AJAX login endpoint.","title":"Contest Gallery WordPress Plugin Authentication Bypass Vulnerability (CVE-2026-4021)","url":"https://feed.craftedsignal.io/briefs/2026-03-contest-gallery-auth-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed — Plugin Vulnerability","version":"https://jsonfeed.org/version/1.1"}