<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Plugin Vulnerability — CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/plugin-vulnerability/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata — refreshed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Sat, 02 May 2026 12:16:16 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/plugin-vulnerability/feed.xml" rel="self" type="application/rss+xml"/><item><title>Salon Booking System WordPress Plugin Arbitrary File Read Vulnerability</title><link>https://feed.craftedsignal.io/briefs/2026-05-wordpress-arbitrary-file-read/</link><pubDate>Sat, 02 May 2026 12:16:16 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-05-wordpress-arbitrary-file-read/</guid><description>The Salon Booking System WordPress plugin is vulnerable to arbitrary file read, allowing unauthenticated attackers to exfiltrate local files by manipulating file-field values in booking confirmation emails.</description><content:encoded><![CDATA[<p>The Salon Booking System – Free Version plugin for WordPress, versions up to and including 10.30.25, contains an arbitrary file read vulnerability. This flaw stems from the plugin&rsquo;s public booking flow, where it accepts attacker-controlled file-field values. These values are subsequently used as trusted paths when creating email attachments for booking confirmations. 
This allows an unauthenticated attacker to supply a path to any file accessible to the web server, triggering its inclusion as an attachment in the booking confirmation email, effectively enabling arbitrary file exfiltration. Exploitation requires no authentication and can be triggered remotely.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An unauthenticated attacker accesses the public booking form of a WordPress site running the vulnerable Salon Booking System plugin.</li>
<li>The attacker crafts a malicious request to the booking form, injecting a file path (e.g., <code>/etc/passwd</code>) into a file-field parameter.</li>
<li>The plugin processes the booking request and stores the attacker-supplied file path.</li>
<li>The plugin generates a booking confirmation email.</li>
<li>The plugin uses the stored, attacker-controlled file path to attach the specified file to the confirmation email.</li>
<li>The booking confirmation email, now containing the arbitrary file as an attachment, is sent to the user who initiated the booking (which could be the attacker or an unwitting third party).</li>
<li>The attacker retrieves the email (if sent to the attacker) or intercepts it (if sent to a third party) and extracts the attached file.</li>
<li>The attacker gains unauthorized access to the contents of the exfiltrated file.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this vulnerability allows unauthenticated attackers to read arbitrary files from the affected WordPress server. This could lead to the disclosure of sensitive information, such as configuration files, database credentials, or other confidential data. The vulnerability affects versions of the Salon Booking System plugin up to and including 10.30.25. The number of affected WordPress installations is unknown, but could be substantial given the plugin&rsquo;s popularity.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade the Salon Booking System plugin to the latest version to patch CVE-2026-6320.</li>
<li>Monitor web server logs (category <code>webserver</code>, product <code>linux</code>) for suspicious requests containing absolute or relative file paths in file-field parameters, using a detection rule similar to the ones provided below.</li>
<li>Implement strict input validation and sanitization for all user-supplied data, especially file paths.</li>
<li>Review and restrict file system permissions to limit the files accessible to the web server process.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>arbitrary-file-read</category><category>wordpress</category><category>plugin-vulnerability</category><category>cve</category></item><item><title>WP Mail Gateway Plugin Vulnerability Leads to Privilege Escalation</title><link>https://feed.craftedsignal.io/briefs/2026-05-wp-mail-gateway-privesc/</link><pubDate>Sat, 02 May 2026 05:16:01 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-05-wp-mail-gateway-privesc/</guid><description>The WP Mail Gateway plugin for WordPress is vulnerable to unauthorized access due to a missing capability check, allowing authenticated attackers to modify SMTP settings and escalate privileges.</description><content:encoded><![CDATA[<p>The WP Mail Gateway plugin, a WordPress extension, contains a vulnerability (CVE-2026-6963) that allows authenticated users with minimal privileges (Subscriber level or higher) to gain administrative access. The flaw resides in the <code>wmg_save_provider_config</code> AJAX action, which lacks proper authorization checks. This omission enables attackers to manipulate SMTP settings, redirect outgoing emails, and ultimately trigger password reset emails intended for administrators. The vulnerability affects all versions of the WP Mail Gateway plugin up to and including version 1.8. Successful exploitation grants attackers complete control over the WordPress site, making it a critical security concern for any organization using the vulnerable plugin.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker logs into a WordPress site with a Subscriber-level account or higher.</li>
<li>The attacker crafts a malicious AJAX request targeting the <code>wmg_save_provider_config</code> action.</li>
<li>This request modifies the SMTP settings, redirecting outgoing emails to an attacker-controlled server.</li>
<li>The attacker initiates a password reset request for an administrator account.</li>
<li>The password reset email is intercepted by the attacker&rsquo;s server.</li>
<li>The attacker uses the password reset link to gain access to the administrator&rsquo;s account.</li>
<li>The attacker logs into the WordPress dashboard with administrator privileges.</li>
<li>The attacker can now perform any administrative action, including installing malicious plugins, modifying site content, or creating new administrator accounts.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-6963 allows an attacker to completely compromise a WordPress website. Even low-privileged users can elevate their access to administrator, giving them full control over the site. This can lead to data breaches, website defacement, malware deployment, and other malicious activities. The vulnerability affects all installations of the WP Mail Gateway plugin up to version 1.8, potentially impacting thousands of WordPress sites.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade the WP Mail Gateway plugin to a version beyond 1.8 to patch CVE-2026-6963.</li>
<li>Monitor WordPress logs for suspicious AJAX requests targeting the <code>wmg_save_provider_config</code> action using the Sigma rule provided below. Enable webserver logging to capture HTTP POST requests.</li>
<li>Implement the provided Sigma rule to detect modifications to WordPress options related to SMTP configuration. Enable relevant logging for registry modifications.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>wordpress</category><category>privilege-escalation</category><category>plugin-vulnerability</category></item><item><title>WordPress Temporary Login Plugin Authentication Bypass (CVE-2026-7567)</title><link>https://feed.craftedsignal.io/briefs/2024-01-wordpress-temp-login-auth-bypass/</link><pubDate>Fri, 01 May 2026 10:15:58 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-wordpress-temp-login-auth-bypass/</guid><description>The Temporary Login plugin for WordPress versions up to 1.0.0 is vulnerable to authentication bypass due to improper input validation, allowing unauthenticated attackers to log in as arbitrary temporary users by sending a specially crafted GET request.</description><content:encoded><![CDATA[<p>CVE-2026-7567 is an authentication bypass vulnerability that affects the Temporary Login plugin for WordPress, specifically versions up to and including 1.0.0. The vulnerability stems from a failure to properly validate the &lsquo;temp-login-token&rsquo; GET parameter within the <code>maybe_login_temporary_user()</code> function. By supplying an array as the value for this parameter, attackers can circumvent the intended <code>empty()</code> check. This leads to the <code>sanitize_key()</code> function returning an empty string, which is then used in a database query to fetch users. WordPress ignores empty <code>meta_value</code> parameters, causing the query to return all users with the <code>_temporary_login_token</code> meta key. Consequently, an unauthenticated attacker can effectively authenticate as any user with an active temporary login session by sending a single, maliciously crafted GET request. This poses a severe risk to website security, as it allows unauthorized access to user accounts and potentially sensitive data.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An unauthenticated attacker identifies a WordPress site using the vulnerable Temporary Login plugin (version &lt;= 1.0.0).</li>
<li>The attacker crafts a malicious GET request targeting the WordPress site&rsquo;s login endpoint, including the &lsquo;temp-login-token&rsquo; parameter as an array (e.g., <code>temp-login-token[]=</code>).</li>
<li>The web server receives the GET request.</li>
<li>The <code>maybe_login_temporary_user()</code> function processes the request.</li>
<li>Due to improper input validation, the <code>empty()</code> check is bypassed when the &lsquo;temp-login-token&rsquo; parameter is an array.</li>
<li><code>sanitize_key()</code> processes the array and returns an empty string as the meta_value.</li>
<li>WordPress executes a database query using the empty meta_value, effectively retrieving all users with active temporary login tokens.</li>
<li>The attacker is granted unauthorized access to the account of a targeted temporary user, bypassing normal authentication procedures.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-7567 allows unauthenticated attackers to bypass login restrictions and gain unauthorized access to WordPress user accounts utilizing the vulnerable Temporary Login plugin. The severity is high, as it allows complete compromise of user accounts without requiring any valid credentials. The impact includes potential data theft, account takeover, website defacement, and other malicious activities, depending on the privileges of the compromised user account.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Apply the available patch or upgrade the Temporary Login plugin to a version greater than 1.0.0 to remediate CVE-2026-7567.</li>
<li>Deploy the Sigma rule <code>Detect WordPress Temporary Login Authentication Bypass Attempt</code> to detect exploitation attempts by monitoring HTTP requests with array-based <code>temp-login-token</code> parameters in the query string.</li>
<li>Implement input validation on the web server to reject requests containing array-based parameters where scalar strings are expected.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>authentication bypass</category><category>wordpress</category><category>plugin vulnerability</category><category>cve-2026-7567</category><category>cloud</category></item><item><title>WordPress Create DB Tables Plugin Authorization Bypass Vulnerability (CVE-2026-4119)</title><link>https://feed.craftedsignal.io/briefs/2026-04-wordpress-create-db-tables-auth-bypass/</link><pubDate>Wed, 22 Apr 2026 09:16:49 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-wordpress-create-db-tables-auth-bypass/</guid><description>The Create DB Tables plugin for WordPress versions 1.2.1 and earlier is vulnerable to an authorization bypass, allowing authenticated users to create and delete database tables without proper checks, potentially leading to complete site destruction.</description><content:encoded><![CDATA[<p>The Create DB Tables plugin, versions 1.2.1 and earlier, suffers from an authorization bypass vulnerability (CVE-2026-4119). This flaw stems from the plugin&rsquo;s failure to implement capability checks or nonce verification for its admin_post action hooks, specifically those responsible for creating (admin_post_add_table) and deleting (admin_post_delete_db_table) database tables. Because the admin_post hook only requires a user to be logged in, any authenticated user, including those with the lowest Subscriber role, can access these endpoints. This oversight allows malicious actors to create arbitrary database tables or, more critically, delete existing ones, including vital WordPress core tables. The vulnerability was published on 2026-04-22, and given the severity, defenders should immediately address this risk. The affected versions of the plugin should be updated or removed to prevent potential exploitation.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker registers an account on a vulnerable WordPress site, gaining Subscriber-level access.</li>
<li>The attacker crafts a POST request to <code>wp-admin/admin-post.php</code> with the action parameter set to <code>add_table</code> or <code>delete_db_table</code>.</li>
<li>The attacker provides the <code>db_table</code> parameter with the name of the table to be deleted, if exploiting the <code>delete_db_table</code> action.</li>
<li>The server processes the request without proper authorization checks, because <code>current_user_can()</code> and <code>wp_verify_nonce()</code> are missing.</li>
<li>The <code>cdbt_delete_db_table()</code> function executes a <code>DROP TABLE</code> SQL query based on the user-supplied <code>db_table</code> parameter.</li>
<li>If the attacker targets a critical WordPress core table like <code>wp_users</code> or <code>wp_options</code>, the site&rsquo;s functionality will be severely impacted.</li>
<li>Alternatively, if exploiting the <code>add_table</code> action, the <code>cdbt_create_new_table()</code> function executes a <code>CREATE TABLE</code> SQL query, creating an arbitrary database table.</li>
<li>Successful exploitation can lead to complete destruction of the WordPress installation or the introduction of malicious database tables.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this vulnerability allows any authenticated user to delete arbitrary database tables, including critical WordPress core tables. This can lead to complete site destruction and data loss. An attacker could delete the <code>wp_users</code> table, effectively locking out all administrators and other users, or delete the <code>wp_options</code> table, causing the site to revert to its default state or become completely unusable. The CVSS v3.1 base score for this vulnerability is 9.1, highlighting the critical nature of the risk.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Immediately update the Create DB Tables plugin to a version higher than 1.2.1, where this vulnerability is patched.</li>
<li>Monitor web server logs for POST requests to <code>wp-admin/admin-post.php</code> with <code>action=delete_db_table</code> or <code>action=add_table</code> (see rule: &ldquo;Detect Unauthorized DB Table Modification&rdquo;).</li>
<li>Implement a Web Application Firewall (WAF) rule to block requests to <code>wp-admin/admin-post.php</code> with the vulnerable actions unless originating from an administrator (see rule: &ldquo;WAF - Block Unauthorized DB Table Modification&rdquo;).</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>wordpress</category><category>authorization-bypass</category><category>plugin-vulnerability</category><category>cve-2026-4119</category></item><item><title>Media Library Assistant WordPress Plugin SQL Injection Vulnerability</title><link>https://feed.craftedsignal.io/briefs/2026-04-mla-sql-injection/</link><pubDate>Mon, 06 Apr 2026 15:17:11 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-mla-sql-injection/</guid><description>The Media Library Assistant WordPress plugin through version 3.34 is vulnerable to SQL injection, allowing attackers to manipulate database queries.</description><content:encoded><![CDATA[<p>CVE-2026-34885 describes an SQL Injection vulnerability affecting the Media Library Assistant WordPress plugin. This plugin, developed by David Lingren, is vulnerable in versions up to and including 3.34. The vulnerability stems from improper neutralization of special elements used in SQL commands, potentially allowing attackers to inject malicious SQL code. Exploitation could lead to unauthorized data access, modification, or deletion within the WordPress database. Given the widespread use of WordPress and its plugin ecosystem, this vulnerability presents a significant risk to websites utilizing the affected plugin. Successful exploitation could compromise sensitive information, deface websites, or even gain administrative control.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker identifies a WordPress website using Media Library Assistant version 3.34 or earlier.</li>
<li>The attacker crafts a malicious HTTP request containing SQL injection payload in a plugin parameter, such as a search query or media metadata field.</li>
<li>The crafted request is sent to the vulnerable endpoint within the Media Library Assistant plugin.</li>
<li>The plugin fails to properly sanitize or neutralize the SQL injection payload.</li>
<li>The unsanitized payload is incorporated into an SQL query executed against the WordPress database.</li>
<li>The injected SQL code manipulates the query logic, allowing the attacker to bypass security checks.</li>
<li>The attacker extracts sensitive data from the database, such as user credentials, posts, or other stored information.</li>
<li>The attacker could potentially modify or delete data, or even gain administrative access to the WordPress site.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this SQL injection vulnerability could lead to a range of damaging outcomes. Attackers could gain unauthorized access to sensitive data stored within the WordPress database, including user credentials, customer information, and proprietary content. This data could be exfiltrated and sold on the dark web or used for further malicious activities. Website defacement, data modification, and complete site compromise are also potential consequences. The number of affected websites is potentially large, given the popularity of WordPress and its extensive plugin ecosystem.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade the Media Library Assistant WordPress plugin to a version higher than 3.34 to patch CVE-2026-34885.</li>
<li>Deploy the Sigma rule <code>Detect SQL Injection Attempts via HTTP Request</code> to identify potential exploitation attempts in web server logs.</li>
<li>Implement a Web Application Firewall (WAF) with rules specifically designed to detect and block SQL injection attacks against WordPress plugins.</li>
<li>Enable regular security audits of WordPress installations and plugins to identify and address vulnerabilities promptly.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>sql-injection</category><category>wordpress</category><category>plugin-vulnerability</category></item><item><title>Contest Gallery WordPress Plugin Authentication Bypass Vulnerability (CVE-2026-4021)</title><link>https://feed.craftedsignal.io/briefs/2026-03-contest-gallery-auth-bypass/</link><pubDate>Tue, 24 Mar 2026 00:16:31 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-03-contest-gallery-auth-bypass/</guid><description>CVE-2026-4021 describes an authentication bypass vulnerability in the Contest Gallery plugin for WordPress, allowing unauthenticated attackers to gain admin access by manipulating the user activation key and using an AJAX login endpoint.</description><content:encoded><![CDATA[<p>The Contest Gallery plugin for WordPress, versions up to and including 28.1.5, is vulnerable to a critical authentication bypass (CVE-2026-4021). This vulnerability stems from how the <code>users-registry-check-after-email-or-pin-confirmation.php</code> script handles email confirmations, combined with an unauthenticated key-based login endpoint in <code>ajax-functions-frontend.php</code>. If the <code>RegMailOptional=1</code> setting is enabled (non-default), an attacker can register a new user account with a specially…</p>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>wordpress</category><category>authentication-bypass</category><category>plugin-vulnerability</category><category>cve-2026-4021</category></item></channel></rss>