{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/plugin/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":7.1,"id":"CVE-2026-4100"}],"_cs_exploited":false,"_cs_products":["Paid Memberships Pro plugin"],"_cs_severities":["high"],"_cs_tags":["wordpress","stripe","webhook","vulnerability","plugin"],"_cs_type":"advisory","_cs_vendors":["Stripe","WordPress"],"content_html":"\u003cp\u003eThe Paid Memberships Pro plugin, a popular WordPress plugin for managing paid subscriptions, contains a vulnerability (CVE-2026-4100) that allows authenticated attackers with minimal privileges (Subscriber-level access) to manipulate Stripe webhook configurations. This flaw exists in versions up to and including 3.6.5 due to missing capability checks on specific AJAX handlers. An attacker exploiting this vulnerability can delete, create, or rebuild the site\u0026rsquo;s Stripe webhook, leading to significant disruptions in payment processing, subscription renewal synchronization, cancellation handling, and management of failed payments. This vulnerability puts revenue streams and customer relationships at risk for any organization using the affected plugin versions.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains Subscriber-level access to the WordPress site, either through registration or compromised credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious AJAX request targeting the \u003ccode\u003ewp_ajax_pmpro_stripe_create_webhook\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker crafts a malicious AJAX request to the \u003ccode\u003ewp_ajax_pmpro_stripe_delete_webhook\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eOr, the attacker crafts a malicious AJAX request to the \u003ccode\u003ewp_ajax_pmpro_stripe_rebuild_webhook\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eDue to missing capability checks, the server processes the request without proper authorization.\u003c/li\u003e\n\u003cli\u003eThe Stripe webhook configuration is modified, deleted, or rebuilt based on the attacker\u0026rsquo;s request.\u003c/li\u003e\n\u003cli\u003eLegitimate payment processing and subscription management processes fail due to the altered webhook configuration.\u003c/li\u003e\n\u003cli\u003eThe attacker effectively disrupts the site\u0026rsquo;s ability to collect payments and manage subscriptions.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to completely disrupt a WordPress site\u0026rsquo;s payment processing and subscription management functionalities. This can result in significant financial losses due to interrupted sales and subscription renewals. Furthermore, the disruption can damage customer trust and lead to churn as users experience issues with their subscriptions. The vulnerability affects all sites using Paid Memberships Pro plugin versions up to 3.6.5.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately update the Paid Memberships Pro plugin to the latest version to patch CVE-2026-4100.\u003c/li\u003e\n\u003cli\u003eMonitor WordPress web server logs for POST requests to \u003ccode\u003e/wp-admin/admin-ajax.php\u003c/code\u003e with the \u003ccode\u003eaction\u003c/code\u003e parameter set to \u003ccode\u003epmpro_stripe_create_webhook\u003c/code\u003e, \u003ccode\u003epmpro_stripe_delete_webhook\u003c/code\u003e, or \u003ccode\u003epmpro_stripe_rebuild_webhook\u003c/code\u003e using the \u0026ldquo;Detect Suspicious PMPro Stripe Webhook AJAX Requests\u0026rdquo; Sigma rule.\u003c/li\u003e\n\u003cli\u003eReview user roles and permissions to minimize the number of users with Subscriber-level access as a temporary mitigation.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-02T12:16:16Z","date_published":"2026-05-02T12:16:16Z","id":"/briefs/2026-05-pmpro-stripe-webhook-vuln/","summary":"The Paid Memberships Pro plugin for WordPress is vulnerable to unauthorized modification of Stripe webhook configurations due to missing capability checks, allowing authenticated attackers with Subscriber-level access to disrupt payment processing.","title":"Paid Memberships Pro Plugin Vulnerability Allows Unauthorized Stripe Webhook Modification","url":"https://feed.craftedsignal.io/briefs/2026-05-pmpro-stripe-webhook-vuln/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-4062"}],"_cs_exploited":false,"_cs_products":["Geo Mashup plugin \u003c= 1.13.18"],"_cs_severities":["high"],"_cs_tags":["sqli","wordpress","plugin"],"_cs_type":"advisory","_cs_vendors":["WordPress"],"content_html":"\u003cp\u003eThe Geo Mashup plugin for WordPress, in versions up to and including 1.13.18, contains a Time-Based SQL Injection vulnerability (CVE-2026-4062). The vulnerability exists within the \u0026lsquo;object_ids\u0026rsquo; and \u0026rsquo;exclude_object_ids\u0026rsquo; parameters. Insufficient escaping of user-supplied input, specifically within the \u003ccode\u003eIN(...)\u003c/code\u003e and \u003ccode\u003eNOT IN(...)\u003c/code\u003e SQL context, coupled with inadequate preparation of the existing SQL query, allows for the injection. The \u003ccode\u003eesc_sql()\u003c/code\u003e function is applied but is rendered ineffective due to its inability to protect against parenthesis or SQL keyword injection within the unquoted \u003ccode\u003eIN(...)\u003c/code\u003e / \u003ccode\u003eNOT IN(...)\u003c/code\u003e context. A numeric-only sanitizer exists in \u003ccode\u003esanitize_query_args()\u003c/code\u003e, but this is only applied in the AJAX code path and not in the \u003ccode\u003erender-map.php\u003c/code\u003e or template tag code paths. This flaw enables unauthenticated attackers to append malicious SQL queries, facilitating the extraction of sensitive information from the WordPress database through a time-based blind SQL injection technique.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker identifies the vulnerable Geo Mashup plugin running on a WordPress site.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting an endpoint that utilizes the \u0026lsquo;object_ids\u0026rsquo; or \u0026rsquo;exclude_object_ids\u0026rsquo; parameters.\u003c/li\u003e\n\u003cli\u003eThe attacker injects a time-based SQL injection payload into the \u0026lsquo;object_ids\u0026rsquo; or \u0026rsquo;exclude_object_ids\u0026rsquo; parameter. This payload leverages SQL functions like \u003ccode\u003eSLEEP()\u003c/code\u003e or \u003ccode\u003eBENCHMARK()\u003c/code\u003e to introduce delays based on conditional SQL logic.\u003c/li\u003e\n\u003cli\u003eThe vulnerable code fails to properly sanitize the injected SQL code due to the ineffective \u003ccode\u003eesc_sql()\u003c/code\u003e function in the \u003ccode\u003eIN\u003c/code\u003e/\u003ccode\u003eNOT IN\u003c/code\u003e context.\u003c/li\u003e\n\u003cli\u003eThe injected SQL payload is appended to the existing SQL query executed by the Geo Mashup plugin.\u003c/li\u003e\n\u003cli\u003eThe database server executes the combined query, including the injected time-based SQL injection.\u003c/li\u003e\n\u003cli\u003eThe attacker monitors the response time of the HTTP request. A delayed response indicates that the injected SQL logic evaluated to true.\u003c/li\u003e\n\u003cli\u003eBy repeatedly sending requests with different SQL injection payloads, the attacker can extract sensitive information from the database one character at a time.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability can lead to the complete compromise of the WordPress database. An attacker can extract sensitive information such as user credentials, API keys, configuration details, and other confidential data. This can result in data breaches, unauthorized access to the WordPress site, and potential further attacks on connected systems. The CVSS v3.1 base score for this vulnerability is 7.5, indicating a high severity.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the Geo Mashup plugin to a version greater than 1.13.18 to remediate CVE-2026-4062.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Geo Mashup Time-Based SQL Injection Attempts\u003c/code\u003e to identify potential exploitation attempts targeting the vulnerable parameters.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious requests containing SQL injection payloads in the \u0026lsquo;object_ids\u0026rsquo; or \u0026rsquo;exclude_object_ids\u0026rsquo; parameters to detect exploitation attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-02T12:16:16Z","date_published":"2026-05-02T12:16:16Z","id":"/briefs/2026-05-geo-mashup-sqli/","summary":"The Geo Mashup WordPress plugin is vulnerable to Time-Based SQL Injection due to insufficient input sanitization, allowing unauthenticated attackers to extract sensitive database information.","title":"Geo Mashup WordPress Plugin Vulnerable to Time-Based SQL Injection (CVE-2026-4062)","url":"https://feed.craftedsignal.io/briefs/2026-05-geo-mashup-sqli/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-4061"}],"_cs_exploited":false,"_cs_products":["Geo Mashup plugin"],"_cs_severities":["high"],"_cs_tags":["sql-injection","wordpress","plugin"],"_cs_type":"advisory","_cs_vendors":["WordPress"],"content_html":"\u003cp\u003eThe Geo Mashup plugin for WordPress is vulnerable to time-based SQL injection, as detailed in CVE-2026-4061. This vulnerability affects all versions of the plugin up to and including 1.13.18. The root cause lies in the \u003ccode\u003eSearchResults\u003c/code\u003e hook, where the \u003ccode\u003emap_post_type\u003c/code\u003e parameter is mishandled. Specifically, the code first calls \u003ccode\u003estripslashes_deep($_POST)\u003c/code\u003e, effectively removing WordPress\u0026rsquo;s magic quotes protection. Subsequently, the unsanitized \u003ccode\u003emap_post_type\u003c/code\u003e value is directly concatenated into an \u003ccode\u003eIN(...)\u003c/code\u003e clause without proper escaping using \u003ccode\u003eesc_sql()\u003c/code\u003e or \u003ccode\u003e$wpdb-\u0026gt;prepare()\u003c/code\u003e. While the \u0026lsquo;any\u0026rsquo; branch of the code correctly applies \u003ccode\u003earray_map('esc_sql', ...)\u003c/code\u003e, the alternative branch lacks this crucial sanitization step. Successful exploitation requires the Geo Search feature to be enabled in the plugin\u0026rsquo;s settings. This vulnerability allows unauthenticated attackers to inject malicious SQL queries, potentially leading to the extraction of sensitive database information through time-based blind techniques.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a WordPress site using a vulnerable version of the Geo Mashup plugin (\u0026lt;= 1.13.18) with the Geo Search feature enabled.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP POST request targeting the \u003ccode\u003eSearchResults\u003c/code\u003e hook with a specially crafted \u003ccode\u003emap_post_type\u003c/code\u003e parameter containing SQL injection payload.\u003c/li\u003e\n\u003cli\u003eThe vulnerable code within the Geo Mashup plugin processes the POST request, removing magic quotes using \u003ccode\u003estripslashes_deep($_POST)\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe unsanitized \u003ccode\u003emap_post_type\u003c/code\u003e value is then concatenated directly into an SQL query within an \u003ccode\u003eIN(...)\u003c/code\u003e clause without proper escaping.\u003c/li\u003e\n\u003cli\u003eThe injected SQL code executes within the database query, allowing the attacker to manipulate the query\u0026rsquo;s behavior.\u003c/li\u003e\n\u003cli\u003eThe attacker uses time-based SQL injection techniques (e.g., \u003ccode\u003eIF(condition, SLEEP(5), 0)\u003c/code\u003e) within the injected payload to infer information based on the response time.\u003c/li\u003e\n\u003cli\u003eBy repeatedly sending modified requests and observing the response times, the attacker can extract sensitive data, character by character, from the database.\u003c/li\u003e\n\u003cli\u003eThe attacker extracts sensitive information such as usernames, passwords, API keys, or other confidential data stored in the WordPress database.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows unauthenticated attackers to extract sensitive information from the WordPress database. The severity of the impact depends on the sensitivity of the data stored in the database, but could include exposure of user credentials, confidential business data, or other sensitive information. Because it affects any installation with the Geo Search feature enabled, a large number of websites using the Geo Mashup plugin may be vulnerable. The CVSS v3.1 base score is 7.5, indicating a high severity vulnerability.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the Geo Mashup plugin to the latest version (later than 1.13.18) to patch CVE-2026-4061.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule to detect potential exploitation attempts targeting the vulnerable \u003ccode\u003eSearchResults\u003c/code\u003e hook using a malicious \u003ccode\u003emap_post_type\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eReview web server logs for suspicious POST requests to \u003ccode\u003e/wp-admin/admin-ajax.php\u003c/code\u003e (common AJAX endpoint in WordPress) containing potentially malicious SQL injection payloads in the \u003ccode\u003emap_post_type\u003c/code\u003e parameter.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-02T12:16:16Z","date_published":"2026-05-02T12:16:16Z","id":"/briefs/2026-05-geo-mashup-sql-injection/","summary":"A time-based SQL injection vulnerability (CVE-2026-4061) exists in the Geo Mashup WordPress plugin (\u003c= 1.13.18) due to insufficient sanitization of the 'map_post_type' parameter, enabling unauthenticated attackers to extract sensitive information via time-based blind SQL injection if the Geo Search feature is enabled.","title":"Geo Mashup WordPress Plugin Vulnerable to Time-Based SQL Injection (CVE-2026-4061)","url":"https://feed.craftedsignal.io/briefs/2026-05-geo-mashup-sql-injection/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-2052"}],"_cs_exploited":false,"_cs_products":["The Widget Options – Advanced Conditional Visibility for Gutenberg Blocks \u0026 Classic Widgets plugin \u003c= 4.2.2"],"_cs_severities":["critical"],"_cs_tags":["wordpress","rce","plugin"],"_cs_type":"advisory","_cs_vendors":["WordPress"],"content_html":"\u003cp\u003eThe Widget Options – Advanced Conditional Visibility for Gutenberg Blocks \u0026amp; Classic Widgets plugin, versions 4.2.2 and earlier, contains a Remote Code Execution (RCE) vulnerability (CVE-2026-2052). This flaw stems from the plugin\u0026rsquo;s Display Logic feature, which utilizes the \u003ccode\u003eeval()\u003c/code\u003e function to process user-supplied expressions. The plugin\u0026rsquo;s implemented blocklist/allowlist is insufficient, making it bypassable through techniques involving \u003ccode\u003earray_map\u003c/code\u003e with string concatenation. Furthermore, the plugin lacks proper authorization enforcement on the \u003ccode\u003eextended_widget_opts_block\u003c/code\u003e attribute. This vulnerability allows authenticated attackers with Contributor-level access or higher to inject and execute arbitrary code on the underlying server. The vendor partially addressed this vulnerability in version 4.2.0.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker authenticates to the WordPress application as a Contributor or higher-level user.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to the Widget Options settings within the WordPress admin panel.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious Display Logic expression designed to execute arbitrary PHP code. This involves bypassing the blocklist/allowlist using techniques such as \u003ccode\u003earray_map\u003c/code\u003e and string concatenation.\u003c/li\u003e\n\u003cli\u003eThe attacker injects the malicious Display Logic expression into the \u003ccode\u003eextended_widget_opts_block\u003c/code\u003e attribute.\u003c/li\u003e\n\u003cli\u003eThe WordPress application processes the widget options, including the malicious Display Logic expression. Due to the lack of proper sanitization and authorization, the \u003ccode\u003eeval()\u003c/code\u003e function executes the attacker-supplied PHP code.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s code executes with the permissions of the web server user, potentially allowing the attacker to read or write files, execute system commands, or compromise the entire server.\u003c/li\u003e\n\u003cli\u003eThe attacker may establish persistence by writing a backdoor to a file on the server or by creating a new administrator account.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-2052 allows an attacker to execute arbitrary code on the WordPress server. This can lead to complete compromise of the website, including data theft, defacement, and the installation of malware. Since the vulnerability requires Contributor access or higher, the impact is significant if such accounts are compromised through other means (e.g., phishing, credential stuffing). The lack of proper input sanitization and authorization makes this a critical vulnerability.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the \u0026ldquo;The Widget Options – Advanced Conditional Visibility for Gutenberg Blocks \u0026amp; Classic Widgets\u0026rdquo; plugin to the latest version to patch CVE-2026-2052.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect WordPress Widget Options RCE Attempt\u0026rdquo; to your SIEM to detect exploitation attempts.\u003c/li\u003e\n\u003cli\u003eReview user roles and permissions to minimize the number of users with Contributor or higher-level access.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for unusual activity, particularly requests to \u003ccode\u003e/wp-admin/options.php\u003c/code\u003e related to widget options.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-02T08:16:27Z","date_published":"2026-05-02T08:16:27Z","id":"/briefs/2026-05-wordpress-widget-rce/","summary":"The Widget Options plugin for WordPress is vulnerable to Remote Code Execution (CVE-2026-2052) due to insufficient input sanitization in the Display Logic feature, allowing authenticated attackers with Contributor-level access and above to execute arbitrary code on the server.","title":"WordPress Widget Options Plugin Remote Code Execution Vulnerability (CVE-2026-2052)","url":"https://feed.craftedsignal.io/briefs/2026-05-wordpress-widget-rce/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.2,"id":"CVE-2026-7049"}],"_cs_exploited":false,"_cs_products":["PixelYourSite Pro – Your smart PIXEL (TAG) Manager plugin for WordPress \u003c= 12.5.0.1"],"_cs_severities":["high"],"_cs_tags":["ssrf","wordpress","plugin"],"_cs_type":"threat","_cs_vendors":["WordPress"],"content_html":"\u003cp\u003eCVE-2026-7049 is a server-side request forgery (SSRF) vulnerability found in the PixelYourSite Pro WordPress plugin. Specifically, all versions up to and including 12.5.0.1 are affected. This vulnerability allows unauthenticated attackers to send requests to arbitrary internal or external resources, as viewed from the web server. Although the fetched response bodies are not directly returned to the attacker (making it a blind SSRF), the application parses these responses internally, creating opportunities for reconnaissance and potentially for exploiting vulnerable internal services. Successful exploitation could expose sensitive information or allow unauthorized modification of internal systems.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker identifies the \u003ccode\u003escan_video\u003c/code\u003e parameter as an SSRF entry point.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting the WordPress server with the vulnerable PixelYourSite Pro plugin. The request includes the \u003ccode\u003escan_video\u003c/code\u003e parameter set to a URL pointing to an internal resource (e.g., internal IP address or hostname).\u003c/li\u003e\n\u003cli\u003eThe WordPress server receives the malicious request.\u003c/li\u003e\n\u003cli\u003eThe PixelYourSite Pro plugin processes the request and initiates an HTTP request to the URL specified in the \u003ccode\u003escan_video\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eThe WordPress server makes a request to the internal resource.\u003c/li\u003e\n\u003cli\u003eThe response from the internal resource is received by the WordPress server.\u003c/li\u003e\n\u003cli\u003eThe PixelYourSite Pro plugin parses the response body, potentially revealing information about the internal service.\u003c/li\u003e\n\u003cli\u003eDepending on the targeted internal service and the attacker\u0026rsquo;s crafted request, the attacker might be able to modify information or execute commands on the internal service, even though the response is not directly returned to the attacker.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-7049 allows an unauthenticated attacker to perform reconnaissance of internal network resources. The blind nature of the SSRF limits the attacker\u0026rsquo;s immediate visibility into the response, but internal parsing of the response allows for potential information disclosure and exploitation of vulnerable internal services. The scope of the impact depends heavily on the configuration of the internal network and the services exposed.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the PixelYourSite Pro plugin to a version greater than 12.5.0.1 to patch CVE-2026-7049.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Suspicious PixelYourSite Pro SSRF Attempts\u003c/code\u003e to monitor for exploitation attempts targeting the \u003ccode\u003escan_video\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eReview and restrict internal network access to sensitive services to mitigate the potential impact of SSRF vulnerabilities.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-02T06:16:04Z","date_published":"2026-05-02T06:16:04Z","id":"/briefs/2026-05-pys-ssrf/","summary":"The PixelYourSite Pro WordPress plugin is vulnerable to server-side request forgery (SSRF), allowing unauthenticated attackers to make arbitrary web requests from the server, potentially querying or modifying internal services.","title":"PixelYourSite Pro WordPress Plugin SSRF Vulnerability (CVE-2026-7049)","url":"https://feed.craftedsignal.io/briefs/2026-05-pys-ssrf/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-3772"}],"_cs_exploited":false,"_cs_products":["WP Editor plugin \u003c= 1.2.9.2"],"_cs_severities":["high"],"_cs_tags":["csrf","wordpress","plugin","vulnerability"],"_cs_type":"advisory","_cs_vendors":["WordPress"],"content_html":"\u003cp\u003eThe WP Editor plugin, a WordPress plugin, contains a Cross-Site Request Forgery (CSRF) vulnerability affecting versions up to and including 1.2.9.2. This vulnerability stems from a lack of nonce verification in the \u0026lsquo;add_plugins_page\u0026rsquo; and \u0026lsquo;add_themes_page\u0026rsquo; functions. An unauthenticated attacker can exploit this vulnerability by crafting a malicious request designed to overwrite arbitrary plugin and theme PHP files with attacker-controlled code. The success of this attack hinges on the attacker\u0026rsquo;s ability to deceive a site administrator into triggering the forged request, typically by clicking a specially crafted link. This flaw allows for potential arbitrary code execution on the targeted WordPress site.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable WordPress site running a WP Editor plugin version \u0026lt;= 1.2.9.2.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting the \u0026lsquo;add_plugins_page\u0026rsquo; or \u0026lsquo;add_themes_page\u0026rsquo; functions. This request includes parameters designed to overwrite a specific plugin or theme PHP file with attacker-supplied code.\u003c/li\u003e\n\u003cli\u003eThe attacker social engineers a WordPress administrator into clicking a malicious link or visiting a compromised website containing the forged request. This could be achieved via phishing emails or other deceptive techniques.\u003c/li\u003e\n\u003cli\u003eIf the administrator is logged into the WordPress dashboard, their browser automatically sends the forged request to the vulnerable WordPress site.\u003c/li\u003e\n\u003cli\u003eDue to the missing nonce verification, the WordPress site processes the request without validating its origin.\u003c/li\u003e\n\u003cli\u003eThe target plugin or theme PHP file is overwritten with the attacker\u0026rsquo;s malicious code.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s code is executed when the plugin or theme is loaded or accessed.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves arbitrary code execution on the WordPress server, potentially leading to complete site compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this CSRF vulnerability allows an unauthenticated attacker to inject arbitrary PHP code into a WordPress website. This can lead to a full compromise of the website, including data theft, defacement, or the installation of backdoors for persistent access. Given the widespread use of WordPress and the WP Editor plugin, a large number of websites are potentially at risk. Successful attacks can result in significant reputational damage and financial losses for affected website owners.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the WP Editor plugin to the latest available version, which includes a fix for CVE-2026-3772.\u003c/li\u003e\n\u003cli\u003eImplement strong CSRF protection measures on all WordPress forms and administrative functions.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule to detect attempts to exploit this vulnerability through suspicious requests to the \u003ccode\u003eadd_plugins_page\u003c/code\u003e or \u003ccode\u003eadd_themes_page\u003c/code\u003e endpoints.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-01T12:16:16Z","date_published":"2026-05-01T12:16:16Z","id":"/briefs/2024-01-wp-editor-csrf/","summary":"The WP Editor plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in versions up to 1.2.9.2, allowing unauthenticated attackers to overwrite arbitrary plugin and theme PHP files with malicious code by tricking a site administrator into clicking a link.","title":"WP Editor Plugin CSRF Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-wp-editor-csrf/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.1,"id":"CVE-2026-42428"}],"_cs_exploited":false,"_cs_products":["OpenClaw"],"_cs_severities":["high"],"_cs_tags":["vulnerability","plugin","integrity","CVE-2026-42428"],"_cs_type":"advisory","_cs_vendors":["OpenClaw"],"content_html":"\u003cp\u003eOpenClaw versions prior to 2026.4.8 are susceptible to a critical vulnerability (CVE-2026-42428) due to the lack of integrity verification for downloaded plugin archives. This flaw allows a malicious actor to install crafted or tampered plugin packages onto a user\u0026rsquo;s system without any validation or warning. Successful exploitation grants the attacker the ability to compromise the OpenClaw assistant environment, potentially leading to arbitrary code execution, data theft, or other malicious activities. The vulnerability was reported on April 28, 2026, and poses a significant risk to users who rely on OpenClaw for their assistant needs.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a target running a vulnerable version of OpenClaw (prior to 2026.4.8).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious plugin archive containing malicious code or scripts.\u003c/li\u003e\n\u003cli\u003eThe attacker entices the user to download the malicious plugin archive, potentially through social engineering or by hosting it on a compromised website.\u003c/li\u003e\n\u003cli\u003eThe user installs the malicious plugin archive via OpenClaw\u0026rsquo;s plugin installation mechanism.\u003c/li\u003e\n\u003cli\u003eDue to the missing integrity check, OpenClaw installs the plugin without verifying its authenticity or integrity.\u003c/li\u003e\n\u003cli\u003eThe malicious plugin is loaded and executed within the OpenClaw environment.\u003c/li\u003e\n\u003cli\u003eThe attacker gains control over the OpenClaw assistant environment and executes malicious code.\u003c/li\u003e\n\u003cli\u003eThe attacker performs unauthorized actions, such as stealing data, installing malware, or compromising other systems.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-42428 allows attackers to compromise the local OpenClaw assistant environment. The lack of integrity verification means a malicious plugin can execute arbitrary code, potentially leading to data theft, system compromise, or further lateral movement within the network. The severity is high due to the potential for complete system compromise and the relative ease of exploitation, requiring only that a user install a malicious plugin.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade OpenClaw to version 2026.4.8 or later to patch CVE-2026-42428.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Suspicious OpenClaw Plugin Installation\u0026rdquo; to detect the installation of unsigned or suspicious plugins.\u003c/li\u003e\n\u003cli\u003eEducate users about the risks of installing plugins from untrusted sources.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-29T12:00:00Z","date_published":"2026-04-29T12:00:00Z","id":"/briefs/2026-04-openclaw-plugin-vuln/","summary":"OpenClaw versions before 2026.4.8 fail to enforce integrity verification on downloaded plugin archives, allowing attackers to install malicious plugins and compromise the local assistant environment.","title":"OpenClaw Plugin Archive Integrity Vulnerability (CVE-2026-42428)","url":"https://feed.craftedsignal.io/briefs/2026-04-openclaw-plugin-vuln/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.2,"id":"CVE-2026-4132"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["wordpress","rce","plugin","cve-2026-4132"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe HTTP Headers plugin for WordPress, versions up to and including 1.19.2, is vulnerable to remote code execution (RCE) due to a file path manipulation vulnerability (CVE-2026-4132). This vulnerability stems from the plugin\u0026rsquo;s insufficient validation of the \u0026lsquo;hh_htpasswd_path\u0026rsquo; option, which controls the location of the .htpasswd file. Furthermore, the \u0026lsquo;hh_www_authenticate_user\u0026rsquo; option, used for setting the username for HTTP Basic Authentication, lacks proper sanitization. This allows attackers with administrator privileges to specify an arbitrary file path for the htpasswd file and inject unsanitized content into it. By crafting a malicious username containing PHP code and setting the htpasswd path to a web-accessible directory, an attacker can execute arbitrary code on the server. This exploit requires administrator-level access to the WordPress dashboard.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker authenticates to the WordPress dashboard with administrator privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to the HTTP Headers plugin settings page.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the \u0026lsquo;hh_htpasswd_path\u0026rsquo; option, setting it to a web-accessible directory (e.g., \u003ccode\u003e/var/www/html/wp-content/uploads/.shell.php\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the \u0026lsquo;hh_www_authenticate_user\u0026rsquo; option, injecting PHP code into the username field (e.g., \u003ccode\u003e\u0026lt;?php system($_GET['cmd']); ?\u0026gt;\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eapache_auth_credentials()\u003c/code\u003e function uses sprintf to combine the malicious username with a SHA hash, creating a crafted htpasswd entry.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eupdate_auth_credentials()\u003c/code\u003e function then writes the crafted content, including the injected PHP code, to the attacker-controlled file path using \u003ccode\u003efile_put_contents()\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker accesses the newly created PHP file via a web browser (e.g., \u003ccode\u003ehttp://example.com/wp-content/uploads/.shell.php?cmd=id\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe injected PHP code executes, allowing the attacker to run arbitrary commands on the server.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability grants the attacker remote code execution on the affected WordPress server. This can lead to complete compromise of the server, including data theft, website defacement, malware deployment, and further attacks against internal networks. Given the widespread use of WordPress and its plugins, a successful exploit could impact a large number of websites and organizations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately update the HTTP Headers plugin to a patched version (if available) to remediate CVE-2026-4132.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for requests to unusual file paths that match the \u0026lsquo;hh_htpasswd_path\u0026rsquo; setting specified in the plugin configuration to detect potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eImplement the Sigma rule to detect file creation events in web-accessible directories with PHP extensions that are triggered by the web server process.\u003c/li\u003e\n\u003cli\u003eRestrict access to the WordPress administrator dashboard to only trusted individuals and enforce strong password policies to prevent unauthorized access to plugin settings.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-22T09:16:24Z","date_published":"2026-04-22T09:16:24Z","id":"/briefs/2026-04-wordpress-http-headers-rce/","summary":"The HTTP Headers WordPress plugin is vulnerable to remote code execution (RCE) due to insufficient validation of the htpasswd file path and lack of sanitization of the username, allowing authenticated administrators to write arbitrary code to the server.","title":"WordPress HTTP Headers Plugin Remote Code Execution via File Path Manipulation (CVE-2026-4132)","url":"https://feed.craftedsignal.io/briefs/2026-04-wordpress-http-headers-rce/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.8,"id":"CVE-2026-41295"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["openclaw","code-execution","trust-boundary","plugin"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eOpenClaw before version 2026.4.2 is vulnerable to an improper trust boundary issue. This vulnerability allows an attacker to achieve in-process code execution by exploiting the way OpenClaw handles workspace channel shadows. Specifically, an attacker can clone a workspace and include a malicious plugin. This plugin claims a bundled channel ID, which results in the execution of untrusted code during the built-in channel setup and login process, even before the plugin is explicitly trusted by the user. This poses a significant risk as it bypasses normal trust mechanisms within OpenClaw.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker clones a legitimate OpenClaw workspace.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious plugin designed to exploit the trust boundary vulnerability.\u003c/li\u003e\n\u003cli\u003eThe malicious plugin is configured to claim a bundled channel ID that OpenClaw uses for built-in channels.\u003c/li\u003e\n\u003cli\u003eThe cloned workspace, including the malicious plugin, is distributed to a target user.\u003c/li\u003e\n\u003cli\u003eThe target user opens the cloned workspace in a vulnerable version of OpenClaw (before 2026.4.2).\u003c/li\u003e\n\u003cli\u003eDuring the workspace loading and channel setup process, OpenClaw incorrectly trusts the malicious plugin due to the claimed channel ID.\u003c/li\u003e\n\u003cli\u003eThe malicious plugin executes arbitrary code within the OpenClaw process.\u003c/li\u003e\n\u003cli\u003eThe attacker gains control or compromises the user\u0026rsquo;s OpenClaw session.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-41295 leads to arbitrary code execution within the OpenClaw application. An attacker can leverage this to potentially steal sensitive information, modify workspace data, or escalate privileges on the affected system. The vulnerability impacts all OpenClaw users running versions prior to 2026.4.2 who open a maliciously crafted workspace. The impact is severe, as it allows for immediate code execution without explicit user consent or trust of the malicious plugin.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade OpenClaw to version 2026.4.2 or later to patch CVE-2026-41295.\u003c/li\u003e\n\u003cli\u003eMonitor for the creation and loading of OpenClaw plugins, specifically those claiming bundled channel IDs, using a process creation rule with a focus on command-line arguments.\u003c/li\u003e\n\u003cli\u003eImplement application control policies to restrict the execution of unsigned or untrusted plugins within OpenClaw to mitigate the risk of malicious plugin execution.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-21T00:16:29Z","date_published":"2026-04-21T00:16:29Z","id":"/briefs/2026-04-openclaw-trust-boundary/","summary":"OpenClaw before 2026.4.2 contains an improper trust boundary vulnerability (CVE-2026-41295) allowing attackers to execute unintended code by cloning a workspace with a malicious plugin claiming a bundled channel id.","title":"OpenClaw Improper Trust Boundary Vulnerability (CVE-2026-41295)","url":"https://feed.craftedsignal.io/briefs/2026-04-openclaw-trust-boundary/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.1,"id":"CVE-2026-5478"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["wordpress","plugin","file-read","file-deletion","cve-2026-5478"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe Everest Forms plugin for WordPress, versions 3.4.4 and earlier, contains an arbitrary file read and deletion vulnerability (CVE-2026-5478). This flaw stems from the plugin\u0026rsquo;s improper handling of the \u003ccode\u003eold_files\u003c/code\u003e parameter within form submissions. Specifically, the plugin trusts attacker-controlled data as legitimate server-side upload state and insecurely converts URLs into local filesystem paths without adequate sanitization. This lack of input validation enables unauthenticated attackers to inject path traversal sequences, leading to the disclosure of sensitive files like \u003ccode\u003ewp-config.php\u003c/code\u003e, which contains database credentials and authentication salts. Furthermore, the flawed path resolution is utilized in a post-email cleanup routine, resulting in arbitrary file deletion via the \u003ccode\u003eunlink()\u003c/code\u003e function, potentially causing a denial-of-service condition. Successful exploitation requires a form with a file-upload or image-upload field and the \u0026ldquo;store entry information\u0026rdquo; feature disabled.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker crafts a malicious HTTP POST request to a WordPress page containing an Everest Forms form with a file upload field.\u003c/li\u003e\n\u003cli\u003eThe attacker includes the \u003ccode\u003eold_files\u003c/code\u003e parameter in the POST data, injecting a path traversal payload (e.g., \u003ccode\u003e../../../../wp-config.php\u003c/code\u003e) into its value.\u003c/li\u003e\n\u003cli\u003eThe WordPress application processes the form submission, and the Everest Forms plugin extracts the \u003ccode\u003eold_files\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eThe plugin\u0026rsquo;s flawed logic converts the attacker-supplied URL into a local file system path using regex-based string replacement without canonicalization or directory boundary enforcement.\u003c/li\u003e\n\u003cli\u003eThe plugin attaches the resolved file (e.g., \u003ccode\u003e/var/www/wordpress/../../../../wp-config.php\u003c/code\u003e) to the notification email.\u003c/li\u003e\n\u003cli\u003eAfter sending the notification email, the post-email cleanup routine utilizes the same flawed path resolution to determine the file to delete.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eunlink()\u003c/code\u003e function is called on the resolved path, leading to the deletion of the targeted file (e.g., \u003ccode\u003ewp-config.php\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker gains access to sensitive information (database credentials, salts) or causes a denial of service by deleting critical system files.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-5478 allows unauthenticated attackers to read arbitrary files on the WordPress server, potentially exposing sensitive information like database credentials and authentication salts stored in \u003ccode\u003ewp-config.php\u003c/code\u003e. This could lead to full site compromise, including data theft, defacement, or further malicious activities. Furthermore, the ability to delete arbitrary files enables attackers to cause a denial-of-service condition by removing critical system or application files. The impact is significant as it affects all versions of the Everest Forms plugin up to and including 3.4.4.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately update the Everest Forms plugin to a version higher than 3.4.4 to patch CVE-2026-5478.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Everest Forms Arbitrary File Read Attempt\u0026rdquo; to identify potential exploitation attempts in web server logs.\u003c/li\u003e\n\u003cli\u003eEnable web server logging to capture HTTP POST requests, which are crucial for detecting path traversal attempts (cs-uri-query, cs-method in webserver logs).\u003c/li\u003e\n\u003cli\u003eMonitor file deletion events on the WordPress server, especially those initiated by the web server user, using a file integrity monitoring (FIM) solution (file_event logs).\u003c/li\u003e\n\u003cli\u003eImplement input validation and sanitization for all user-supplied data, especially file paths, to prevent path traversal vulnerabilities.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-20T20:35:20Z","date_published":"2026-04-20T20:35:20Z","id":"/briefs/2026-08-everest-forms-rfi-rce/","summary":"The Everest Forms plugin for WordPress is vulnerable to arbitrary file read and deletion, allowing unauthenticated attackers to access sensitive data or cause denial of service by manipulating the 'old_files' parameter in versions up to 3.4.4.","title":"Everest Forms Plugin Arbitrary File Read and Deletion Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-08-everest-forms-rfi-rce/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-3464"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["wordpress","plugin","file-read","file-deletion","rce"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe WP Customer Area plugin, a popular WordPress plugin, is susceptible to an arbitrary file read and deletion vulnerability. This flaw, identified as CVE-2026-3464, resides within the \u0026lsquo;ajax_attach_file\u0026rsquo; function and stems from inadequate file path validation. All versions of the plugin up to and including 8.3.4 are affected. The vulnerability enables authenticated attackers with minimal privileges (e.g., Subscriber), granted access by an administrator, to read arbitrary files on the server, potentially exposing sensitive data. Attackers can also delete arbitrary files, which, in certain cases (such as deleting \u003ccode\u003ewp-config.php\u003c/code\u003e), can pave the way for remote code execution. This vulnerability poses a significant risk to WordPress websites utilizing the WP Customer Area plugin.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains authenticated access to a WordPress site with the WP Customer Area plugin enabled, with privileges granted by an administrator (e.g., as a Subscriber).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting the \u0026lsquo;ajax_attach_file\u0026rsquo; function.\u003c/li\u003e\n\u003cli\u003eThe crafted request includes a manipulated file path, bypassing input validation.\u003c/li\u003e\n\u003cli\u003eThe plugin, failing to properly sanitize the file path, attempts to read or delete the file specified in the malicious request.\u003c/li\u003e\n\u003cli\u003eIf reading, the contents of the targeted file are returned to the attacker in the HTTP response.\u003c/li\u003e\n\u003cli\u003eIf deleting, the targeted file is removed from the server.\u003c/li\u003e\n\u003cli\u003eIf the attacker targets a sensitive file, such as \u003ccode\u003ewp-config.php\u003c/code\u003e, and successfully deletes it, the WordPress installation becomes unstable and potentially allows for re-installation and control by the attacker.\u003c/li\u003e\n\u003cli\u003eThe attacker exploits the instability to achieve remote code execution, potentially installing a web shell or other malicious code.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability (CVE-2026-3464) allows attackers to read sensitive files, potentially including database credentials, API keys, and other confidential information. Moreover, the ability to delete arbitrary files can lead to denial-of-service conditions or, more critically, remote code execution. The number of affected websites is potentially large, given the popularity of the WP Customer Area plugin. A successful attack can result in complete compromise of the WordPress website and its underlying server.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the WP Customer Area plugin to a version greater than 8.3.4 to patch CVE-2026-3464.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for requests containing suspicious file paths targeting the \u0026lsquo;ajax_attach_file\u0026rsquo; function (see Sigma rule below).\u003c/li\u003e\n\u003cli\u003eImplement stricter file path validation on the web server to prevent arbitrary file access.\u003c/li\u003e\n\u003cli\u003eApply the provided Sigma rules to your SIEM to detect and alert on malicious attempts to exploit this vulnerability.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-17T17:17:07Z","date_published":"2026-04-17T17:17:07Z","id":"/briefs/2026-04-wp-customer-area-file-read-delete/","summary":"The WP Customer Area plugin for WordPress is vulnerable to arbitrary file read and deletion due to insufficient file path validation, allowing authenticated attackers to read sensitive files or delete critical files leading to potential remote code execution.","title":"WP Customer Area Plugin Arbitrary File Read and Deletion Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-wp-customer-area-file-read-delete/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-6372"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["wordpress","plugin","payment-bypass","cve-2026-6372"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-6372 is a missing authorization vulnerability affecting the Plisio Accept Cryptocurrencies with Plisio WordPress plugin, specifically versions from initial releases through 2.0.5. Discovered by Patchstack, the vulnerability stems from incorrectly configured access control security levels within the plugin. An attacker can exploit this flaw to bypass payment verification processes, potentially leading to unauthorized transactions or manipulation of payment-related functionalities. Given the increasing adoption of cryptocurrency payments, this vulnerability presents a significant risk to e-commerce sites using the affected plugin. Successful exploitation can result in financial losses and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a WordPress site using the vulnerable Plisio plugin (version \u0026lt;= 2.0.5).\u003c/li\u003e\n\u003cli\u003eAttacker analyzes the plugin\u0026rsquo;s code or intercepts network traffic to identify the specific endpoint or function responsible for payment verification lacking proper authorization checks.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request to the vulnerable endpoint, bypassing the intended authentication or authorization mechanisms.\u003c/li\u003e\n\u003cli\u003eThe crafted request modifies payment parameters (e.g., amount, recipient) without proper validation.\u003c/li\u003e\n\u003cli\u003eThe modified request is sent to the server, which processes it without correctly verifying the user\u0026rsquo;s authority.\u003c/li\u003e\n\u003cli\u003eThe server updates the payment status, marking it as \u0026ldquo;paid\u0026rdquo; or \u0026ldquo;verified,\u0026rdquo; even though the actual payment might be incomplete, altered, or entirely missing.\u003c/li\u003e\n\u003cli\u003eThe WordPress site delivers goods or services based on the fraudulently verified payment status.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-6372 allows attackers to bypass payment verification processes in e-commerce sites using the Plisio Accept Cryptocurrencies plugin. This can lead to financial losses for the site owner due to unauthorized transactions. The vulnerability affects all installations using versions up to and including 2.0.5. Given the potential for widespread impact on any site accepting cryptocurrency via this plugin, this issue represents a high risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the Plisio Accept Cryptocurrencies with Plisio plugin to a version greater than 2.0.5 to patch CVE-2026-6372.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Plisio Payment Bypass Attempt\u003c/code\u003e to monitor for exploit attempts targeting the vulnerable endpoint.\u003c/li\u003e\n\u003cli\u003eExamine web server logs for suspicious POST requests to payment processing endpoints associated with the Plisio plugin, filtering for unexpected parameter modifications (log source: webserver).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-16T12:00:00Z","date_published":"2026-04-16T12:00:00Z","id":"/briefs/2026-04-plisio-auth-bypass/","summary":"A missing authorization vulnerability in the Plisio Accept Cryptocurrencies with Plisio WordPress plugin (versions up to 2.0.5) allows attackers to bypass payment verification due to incorrectly configured access control security levels.","title":"Plisio Accept Cryptocurrencies Plugin Missing Authorization Vulnerability (CVE-2026-6372)","url":"https://feed.craftedsignal.io/briefs/2026-04-plisio-auth-bypass/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-3599"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["wordpress","sqli","plugin"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe Riaxe Product Customizer plugin, a WordPress plugin, is susceptible to SQL Injection attacks. This vulnerability resides within the \u003ccode\u003e/wp-json/InkXEProductDesignerLite/add-item-to-cart\u003c/code\u003e REST API endpoint, specifically through the \u0026lsquo;options\u0026rsquo; parameter keys nested within the \u0026lsquo;product_data\u0026rsquo;. All versions of the plugin up to and including 2.1.2 are affected. Due to insufficient input sanitization and inadequate preparation of SQL queries, unauthenticated attackers can inject malicious SQL code. Successful exploitation enables attackers to execute arbitrary SQL queries, potentially leading to sensitive data extraction. This poses a significant risk to WordPress sites utilizing the affected plugin, as attackers could gain access to user credentials, financial information, or other confidential data stored in the database. Defenders should prioritize patching or removing the plugin to mitigate this threat.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker identifies a WordPress site using a vulnerable version (\u0026lt;=2.1.2) of the Riaxe Product Customizer plugin.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP POST request targeting the \u003ccode\u003e/wp-json/InkXEProductDesignerLite/add-item-to-cart\u003c/code\u003e REST API endpoint.\u003c/li\u003e\n\u003cli\u003eThe crafted request includes a \u0026lsquo;product_data\u0026rsquo; parameter containing a manipulated \u0026lsquo;options\u0026rsquo; array.\u003c/li\u003e\n\u003cli\u003eWithin the \u0026lsquo;options\u0026rsquo; array, the attacker injects SQL code into one or more of the parameter keys.\u003c/li\u003e\n\u003cli\u003eThe WordPress server processes the request without properly sanitizing the injected SQL code.\u003c/li\u003e\n\u003cli\u003eThe application constructs a SQL query using the unsanitized input, effectively injecting the malicious code into the query.\u003c/li\u003e\n\u003cli\u003eThe database server executes the attacker-controlled SQL query.\u003c/li\u003e\n\u003cli\u003eThe attacker extracts sensitive information from the database, such as user credentials, by using the SQL injection vulnerability.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this SQL injection vulnerability (CVE-2026-3599) allows unauthenticated attackers to extract sensitive information from the WordPress database. This may include user credentials (usernames, email addresses, and password hashes), customer data, financial information, and other confidential data stored within the database. The impact can range from defacement of the website and data theft, to complete compromise of the WordPress site and its associated server. Due to the widespread use of WordPress and its plugins, this vulnerability poses a significant threat to a potentially large number of websites.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the Riaxe Product Customizer plugin to a version higher than 2.1.2 to patch CVE-2026-3599.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect SQL Injection Attempts via Riaxe Product Customizer Plugin\u003c/code\u003e to your SIEM to detect exploitation attempts.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious POST requests to the \u003ccode\u003e/wp-json/InkXEProductDesignerLite/add-item-to-cart\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-16T06:16:17Z","date_published":"2026-04-16T06:16:17Z","id":"/briefs/2024-01-wordpress-sqli/","summary":"The Riaxe Product Customizer plugin for WordPress is vulnerable to SQL Injection via the 'options' parameter within 'product_data' of the `/wp-json/InkXEProductDesignerLite/add-item-to-cart` REST API endpoint, allowing unauthenticated attackers to extract sensitive information from the database.","title":"Riaxe Product Customizer WordPress Plugin SQL Injection Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-wordpress-sqli/"},{"_cs_actors":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2026-3596"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["wordpress","privilege-escalation","cve-2026-3596","plugin"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe Riaxe Product Customizer plugin for WordPress, versions 2.1.2 and earlier, contains a critical privilege escalation vulnerability (CVE-2026-3596). This flaw stems from an unauthenticated AJAX action, \u0026lsquo;wp_ajax_nopriv_install-imprint\u0026rsquo;, which is improperly secured. The corresponding function, \u003ccode\u003eink_pd_add_option()\u003c/code\u003e, allows unauthenticated users to modify arbitrary WordPress options by sending POST requests. There are no nonce checks, capability checks, or input validation performed on the \u0026lsquo;option\u0026rsquo; and \u0026lsquo;opt_value\u0026rsquo; parameters, making it trivial to manipulate sensitive site settings. Successful exploitation allows attackers to grant themselves administrative privileges. This vulnerability poses a significant risk to any WordPress site using the affected plugin.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker identifies a WordPress site using a vulnerable version of the Riaxe Product Customizer plugin (\u0026lt;= 2.1.2).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP POST request targeting the \u003ccode\u003e/wp-admin/admin-ajax.php\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe POST request includes the \u003ccode\u003eaction\u003c/code\u003e parameter set to \u003ccode\u003einstall-imprint\u003c/code\u003e, triggering the vulnerable AJAX action \u003ccode\u003ewp_ajax_nopriv_install-imprint\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker sets the \u003ccode\u003eoption\u003c/code\u003e parameter to \u003ccode\u003edefault_role\u003c/code\u003e and the \u003ccode\u003eopt_value\u003c/code\u003e parameter to \u003ccode\u003eadministrator\u003c/code\u003e within the POST request. This will change the default user role to administrator.\u003c/li\u003e\n\u003cli\u003eThe attacker sets the \u003ccode\u003eoption\u003c/code\u003e parameter to \u003ccode\u003eusers_can_register\u003c/code\u003e and the \u003ccode\u003eopt_value\u003c/code\u003e parameter to \u003ccode\u003e1\u003c/code\u003e within the POST request. This enables user registration on the WordPress site.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eink_pd_add_option()\u003c/code\u003e function executes, calling \u003ccode\u003edelete_option()\u003c/code\u003e and \u003ccode\u003eadd_option()\u003c/code\u003e with the attacker-supplied values, effectively updating the WordPress options table.\u003c/li\u003e\n\u003cli\u003eThe attacker registers a new user account on the WordPress site.\u003c/li\u003e\n\u003cli\u003eBecause user registration is enabled and the default user role is set to administrator, the attacker\u0026rsquo;s new account is granted administrator privileges, allowing full control over the WordPress site.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-3596 allows unauthenticated attackers to gain complete control over a vulnerable WordPress website. This can lead to website defacement, data theft, malware distribution, and denial of service. Given the widespread use of WordPress, this vulnerability has the potential to affect a large number of websites across various sectors. A successful attack would result in the attacker having the same access as the original website administrator.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately remove the Riaxe Product Customizer plugin from WordPress installations if it is present. This will eliminate the attack vector (plugin removal).\u003c/li\u003e\n\u003cli\u003eMonitor web server logs (category: \u003ccode\u003ewebserver\u003c/code\u003e, product: \u003ccode\u003elinux\u003c/code\u003e or \u003ccode\u003ewindows\u003c/code\u003e) for POST requests to \u003ccode\u003e/wp-admin/admin-ajax.php\u003c/code\u003e with the \u003ccode\u003eaction\u003c/code\u003e parameter set to \u003ccode\u003einstall-imprint\u003c/code\u003e using the Sigma rule provided below.\u003c/li\u003e\n\u003cli\u003eConsider implementing a Web Application Firewall (WAF) rule to block requests matching the exploit pattern described in the Attack Chain.\u003c/li\u003e\n\u003cli\u003eReview WordPress user accounts for any unauthorized administrators.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-16T06:16:15Z","date_published":"2026-04-16T06:16:15Z","id":"/briefs/2026-04-wordpress-privesc/","summary":"The Riaxe Product Customizer plugin for WordPress is vulnerable to privilege escalation, allowing unauthenticated attackers to update arbitrary WordPress options via a publicly accessible AJAX endpoint and escalate privileges to administrator.","title":"Riaxe Product Customizer WordPress Plugin Privilege Escalation Vulnerability (CVE-2026-3596)","url":"https://feed.craftedsignal.io/briefs/2026-04-wordpress-privesc/"},{"_cs_actors":[],"_cs_cves":[{"cvss":9.1,"id":"CVE-2026-4365"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["wordpress","plugin","learnpress","data-deletion","unauthorized-access"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe LearnPress plugin for WordPress, in versions up to and including 4.3.2.8, is susceptible to unauthorized data deletion. The vulnerability stems from a missing capability check on the \u003ccode\u003edelete_question_answer()\u003c/code\u003e function. The plugin exposes a \u003ccode\u003ewp_rest\u003c/code\u003e nonce in public frontend HTML, and this nonce serves as the sole security check for the \u003ccode\u003elp-load-ajax\u003c/code\u003e AJAX dispatcher. As the \u003ccode\u003edelete_question_answer\u003c/code\u003e action lacks capability or ownership validation, unauthenticated attackers can exploit this flaw to delete arbitrary quiz answer options. This is achieved by sending a crafted POST request containing a publicly available nonce. Exploitation does not require any prior authentication.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker identifies a LearnPress installation with a vulnerable version (\u0026lt;= 4.3.2.8).\u003c/li\u003e\n\u003cli\u003eThe attacker accesses the public frontend of the WordPress site.\u003c/li\u003e\n\u003cli\u003eThe attacker retrieves the \u003ccode\u003ewp_rest\u003c/code\u003e nonce from the \u003ccode\u003elpData\u003c/code\u003e variable in the HTML source code. This nonce is used for AJAX requests.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a POST request to the \u003ccode\u003ewp-admin/admin-ajax.php\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe crafted POST request includes the \u003ccode\u003eaction\u003c/code\u003e parameter set to \u003ccode\u003edelete_question_answer\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe request also includes the \u003ccode\u003enonce\u003c/code\u003e parameter with the value of the retrieved \u003ccode\u003ewp_rest\u003c/code\u003e nonce.\u003c/li\u003e\n\u003cli\u003eThe request includes the \u003ccode\u003eanswer_id\u003c/code\u003e parameter set to the ID of the quiz answer option to be deleted.\u003c/li\u003e\n\u003cli\u003eThe server, lacking proper capability checks, processes the request and deletes the specified quiz answer option from the database. This results in data loss and potentially disrupts the functionality of quizzes within the LearnPress plugin.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows unauthenticated attackers to arbitrarily delete quiz answer options within the LearnPress plugin. This can lead to data loss, disruption of quizzes, and potentially compromise the integrity of educational content. The CVSS v3.1 base score for this vulnerability is 9.1, indicating a critical severity. The number of victims and specific sectors targeted are currently unknown, but any website using the vulnerable LearnPress plugin is at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the LearnPress plugin to a version greater than 4.3.2.8 to patch CVE-2026-4365.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect LearnPress Unauthorized Data Deletion Attempt\u0026rdquo; to your SIEM to identify potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for POST requests to \u003ccode\u003ewp-admin/admin-ajax.php\u003c/code\u003e with the \u003ccode\u003eaction\u003c/code\u003e parameter set to \u003ccode\u003edelete_question_answer\u003c/code\u003e and investigate suspicious activity.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-14T02:16:57Z","date_published":"2026-04-14T02:16:57Z","id":"/briefs/2026-04-learnpress-data-deletion/","summary":"The LearnPress plugin for WordPress is vulnerable to unauthorized data deletion due to a missing capability check on the `delete_question_answer()` function, allowing unauthenticated attackers to delete quiz answer options.","title":"LearnPress WordPress Plugin Unauthorized Data Deletion Vulnerability (CVE-2026-4365)","url":"https://feed.craftedsignal.io/briefs/2026-04-learnpress-data-deletion/"},{"_cs_actors":[],"_cs_cves":[{"id":"CVE-2026-35204"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["helm","path-traversal","vulnerability","plugin","kubernetes"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eHelm, a package manager for Kubernetes charts, is vulnerable to a path traversal issue. Specifically, Helm versions 4.0.0 through 4.1.3 are affected. A maliciously crafted Helm plugin, when installed or updated, can exploit this vulnerability (CVE-2026-35204) to write the plugin\u0026rsquo;s contents to arbitrary locations on the user\u0026rsquo;s filesystem. This can lead to overwriting critical system files or user data, potentially compromising the system\u0026rsquo;s integrity. Helm v4.1.4 resolves this vulnerability by rejecting plugins with non-SemVer versions containing path traversal patterns. Defenders should ensure Helm installations are updated to the patched version or implement workarounds to validate plugin metadata.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious Helm plugin. This plugin contains a \u003ccode\u003eplugin.yaml\u003c/code\u003e file with a \u003ccode\u003eversion\u003c/code\u003e field that includes POSIX dot-dot path separators (e.g., \u003ccode\u003e/../\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker distributes the malicious plugin to potential victims, possibly through public repositories or direct spear phishing.\u003c/li\u003e\n\u003cli\u003eA victim attempts to install or update the Helm plugin using the \u003ccode\u003ehelm plugin install\u003c/code\u003e or \u003ccode\u003ehelm plugin update\u003c/code\u003e command.\u003c/li\u003e\n\u003cli\u003eHelm parses the \u003ccode\u003eplugin.yaml\u003c/code\u003e file and extracts the \u003ccode\u003eversion\u003c/code\u003e field, which contains the path traversal characters.\u003c/li\u003e\n\u003cli\u003eDue to the vulnerability, Helm incorrectly resolves the file path, allowing the plugin\u0026rsquo;s contents to be written outside the intended plugin directory.\u003c/li\u003e\n\u003cli\u003eThe malicious plugin overwrites arbitrary files on the user\u0026rsquo;s system based on the path specified in the \u003ccode\u003eversion\u003c/code\u003e field.\u003c/li\u003e\n\u003cli\u003eDepending on the files overwritten, the attacker can achieve various malicious objectives, such as gaining persistence, escalating privileges, or executing arbitrary code.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves persistence by overwriting system startup scripts or configuration files, allowing the malicious code to run automatically on system reboot.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows attackers to overwrite arbitrary files on the victim\u0026rsquo;s system. This can lead to various detrimental outcomes, including data loss, system instability, privilege escalation, and ultimately, complete system compromise. While the specific number of victims is unknown, any user running a vulnerable version of Helm (4.0.0 - 4.1.3) is at risk. The potential impact includes compromising Kubernetes deployments and sensitive data stored on affected systems.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Helm to version 4.1.4 or later to remediate CVE-2026-35204, as this version includes a patch that prevents path traversal during plugin installation.\u003c/li\u003e\n\u003cli\u003eImplement a validation step before installing or updating Helm plugins, checking the \u003ccode\u003eplugin.yaml\u003c/code\u003e file for a \u003ccode\u003eversion:\u003c/code\u003e field containing POSIX dot-dot path separators. This mitigates the risk described in the workaround section of the advisory.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Helm Plugin Install with Path Traversal\u0026rdquo; to detect attempts to install plugins with malicious \u003ccode\u003eversion\u003c/code\u003e fields, using file_event logs.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-11T12:00:00Z","date_published":"2026-04-11T12:00:00Z","id":"/briefs/2026-04-helm-path-traversal/","summary":"A path traversal vulnerability in Helm versions 4.0.0 to 4.1.3 allows a malicious plugin to write files to arbitrary locations on the filesystem, leading to potential system compromise.","title":"Helm Plugin Path Traversal Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-helm-path-traversal/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.1,"id":"CVE-2026-5809"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["wordpress","file-deletion","plugin","CVE-2026-5809"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe wpForo Forum plugin, a popular WordPress plugin, is susceptible to an arbitrary file deletion vulnerability (CVE-2026-5809) affecting versions up to and including 3.0.2. The vulnerability stems from insufficient validation of user-supplied data within the \u003ccode\u003etopic_add()\u003c/code\u003e and \u003ccode\u003etopic_edit()\u003c/code\u003e action handlers. Specifically, the plugin improperly handles array values in the \u003ccode\u003e$_REQUEST\u003c/code\u003e data, storing them as postmeta without proper filtering. An authenticated attacker (subscriber-level or higher) can exploit this by injecting a malicious file path into the \u003ccode\u003edata[body][fileurl]\u003c/code\u003e parameter. This injected path is subsequently used in a file deletion function without adequate sanitization, leading to potential deletion of critical system files. This vulnerability allows attackers to potentially cripple the WordPress installation or gain further access to the server.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker authenticates to the WordPress site with at least subscriber-level privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting the \u003ccode\u003etopic_add()\u003c/code\u003e or \u003ccode\u003etopic_edit()\u003c/code\u003e action handler.\u003c/li\u003e\n\u003cli\u003eWithin the request, the attacker includes the \u003ccode\u003edata[body][fileurl]\u003c/code\u003e parameter containing the path to the file they wish to delete (e.g., \u003ccode\u003e/var/www/html/wp-config.php\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe wpForo plugin stores the attacker-supplied \u003ccode\u003efileurl\u003c/code\u003e value as postmeta associated with the forum topic without proper validation.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts another request, this time including the \u003ccode\u003ewpftcf_delete[]=body\u003c/code\u003e parameter, targeting the \u003ccode\u003etopic_edit\u003c/code\u003e action.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eadd_file()\u003c/code\u003e method retrieves the poisoned \u003ccode\u003efileurl\u003c/code\u003e from the stored postmeta record.\u003c/li\u003e\n\u003cli\u003eThe plugin attempts to sanitize the path using \u003ccode\u003ewpforo_fix_upload_dir()\u003c/code\u003e, but this function only modifies paths within the legitimate wpForo upload directory, leaving other paths untouched.\u003c/li\u003e\n\u003cli\u003eThe plugin calls \u003ccode\u003ewp_delete_file()\u003c/code\u003e on the unsanitized path, resulting in the deletion of the targeted file if the PHP process has write permissions.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an authenticated attacker to delete arbitrary files on the server, provided the PHP process has the necessary write permissions. This can lead to a denial of service by deleting core WordPress files or configuration files such as \u003ccode\u003ewp-config.php\u003c/code\u003e. The CVSS v3.1 base score for this vulnerability is 7.1, indicating a high severity. This could lead to complete compromise of the WordPress installation and potential further exploitation of the server.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the wpForo Forum plugin to a version higher than 3.0.2 to patch CVE-2026-5809.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect wpForo Arbitrary File Deletion Attempt\u0026rdquo; to your SIEM to detect potential exploitation attempts by monitoring HTTP requests to WordPress.\u003c/li\u003e\n\u003cli\u003eImplement stricter file permission controls to limit the PHP process\u0026rsquo;s write access to only necessary directories and files.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious POST requests containing the \u003ccode\u003ewpftcf_delete\u003c/code\u003e parameter, as highlighted in the Attack Chain.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-11T08:16:05Z","date_published":"2026-04-11T08:16:05Z","id":"/briefs/2026-04-wpforo-file-deletion/","summary":"The wpForo Forum plugin for WordPress is vulnerable to arbitrary file deletion due to a logic flaw that allows authenticated users to delete arbitrary files writable by the PHP process by manipulating post metadata.","title":"wpForo Forum Plugin Arbitrary File Deletion Vulnerability (CVE-2026-5809)","url":"https://feed.craftedsignal.io/briefs/2026-04-wpforo-file-deletion/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.1,"id":"CVE-2026-4162"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["wordpress","missing-authorization","plugin","cve-2026-4162"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe Gravity SMTP plugin, a WordPress extension facilitating email sending through SMTP, contains a missing authorization vulnerability (CVE-2026-4162) affecting versions 2.1.4 and earlier. This flaw allows authenticated users with minimal subscriber-level permissions to perform administrative actions such as uninstalling and deactivating the plugin, as well as deleting its associated options. The vulnerability stems from the plugin failing to properly validate user authorization before executing sensitive functions. Additionally, the vulnerability can be exploited via a Cross-Site Request Forgery (CSRF) attack. Patches have been released in Gravity SMTP version 2.1.5 to address this security concern. Exploitation of this vulnerability allows low-privileged users to disrupt email functionality and potentially compromise WordPress configurations.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker authenticates to the WordPress site with subscriber-level or higher privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request to uninstall the Gravity SMTP plugin, leveraging the missing authorization vulnerability. This request targets the WordPress plugin management endpoint.\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker crafts a CSRF attack that tricks a privileged user into triggering the malicious HTTP request to uninstall the plugin.\u003c/li\u003e\n\u003cli\u003eThe WordPress server receives the crafted request without proper authorization checks.\u003c/li\u003e\n\u003cli\u003eThe plugin\u0026rsquo;s uninstall function is executed, removing the Gravity SMTP plugin from the WordPress installation.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts another HTTP request to delete Gravity SMTP plugin options.\u003c/li\u003e\n\u003cli\u003eThe WordPress server processes the request, and the plugin options are deleted from the database.\u003c/li\u003e\n\u003cli\u003eThe Gravity SMTP plugin is uninstalled and deactivated, and its settings are removed, disrupting the email functionality of the WordPress site.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-4162 allows attackers with low-level privileges on a WordPress site to disable email functionality and manipulate plugin settings. While the number of affected installations remains unknown, the impact can be significant for organizations heavily reliant on WordPress for communication or critical business processes, potentially leading to disruption of services, loss of email functionality, and unauthorized access to sensitive data or configurations. The CVSS v3.1 score of 7.1 indicates a high severity, considering the ease of exploitation and the potential for widespread disruption.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the Gravity SMTP plugin to version 2.1.5 or later to patch CVE-2026-4162.\u003c/li\u003e\n\u003cli\u003eMonitor WordPress access logs for unauthorized requests targeting the plugin management endpoints to detect potential exploitation attempts. Deploy the Sigma rule \u003ccode\u003eDetect WordPress Plugin Uninstall via Missing Auth\u003c/code\u003e to identify suspicious activity.\u003c/li\u003e\n\u003cli\u003eImplement CSRF protection mechanisms within WordPress plugins to mitigate the risk of CSRF-based exploitation.\u003c/li\u003e\n\u003cli\u003eReview WordPress user roles and permissions to minimize the attack surface and restrict access to sensitive functionalities.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-10T10:16:04Z","date_published":"2026-04-10T10:16:04Z","id":"/briefs/2026-04-gravity-smtp-auth-bypass/","summary":"The Gravity SMTP plugin for WordPress is vulnerable to Missing Authorization, allowing authenticated attackers with subscriber-level access or higher to uninstall/deactivate the plugin and delete plugin options, and is also exploitable via Cross-Site Request Forgery.","title":"Gravity SMTP Plugin Missing Authorization Vulnerability (CVE-2026-4162)","url":"https://feed.craftedsignal.io/briefs/2026-04-gravity-smtp-auth-bypass/"},{"_cs_actors":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2026-34424"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["wordpress","joomla","remote-code-execution","plugin"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eSmart Slider 3 Pro version 3.5.1.35, a popular WordPress and Joomla plugin, is vulnerable to remote code execution due to a compromised update system. This vulnerability, tracked as CVE-2026-34424, allows unauthenticated attackers to inject a multi-stage remote access toolkit. The attackers leverage this toolkit to execute arbitrary code and commands, effectively taking control of the affected web server. This vulnerability poses a significant threat to websites using the vulnerable plugin, potentially leading to data theft, website defacement, or use of the server for malicious purposes. Defenders should prioritize patching or removing the affected plugin version immediately.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker compromises the Smart Slider 3 Pro update server.\u003c/li\u003e\n\u003cli\u003eA malicious update is pushed to vulnerable Smart Slider 3 Pro installations (version 3.5.1.35).\u003c/li\u003e\n\u003cli\u003eThe plugin downloads and installs the malicious update, injecting the multi-stage remote access toolkit.\u003c/li\u003e\n\u003cli\u003eThe attacker triggers pre-authentication remote shell execution by sending crafted HTTP headers to the web server.\u003c/li\u003e\n\u003cli\u003eAn authenticated backdoor is established, allowing the attacker to execute arbitrary PHP code or OS commands.\u003c/li\u003e\n\u003cli\u003eThe attacker creates hidden administrator accounts within WordPress or Joomla to maintain persistent access.\u003c/li\u003e\n\u003cli\u003eCredentials and access keys are exfiltrated from the compromised system.\u003c/li\u003e\n\u003cli\u003ePersistence is maintained through multiple injection points, including modifications to must-use plugins and core files.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-34424 leads to complete compromise of the affected web server. Attackers can gain unauthorized access to sensitive data, including user credentials, database information, and proprietary code. Websites can be defaced, injected with malware, or used as part of a botnet. The vulnerability affects all users of Smart Slider 3 Pro version 3.5.1.35, regardless of the underlying operating system. Given the widespread use of WordPress and Joomla, a large number of websites are potentially at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately remove or update Smart Slider 3 Pro to a patched version newer than 3.5.1.35 to remediate CVE-2026-34424.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious HTTP requests with unusual headers indicative of attempted pre-authentication shell execution as described in the Attack Chain.\u003c/li\u003e\n\u003cli\u003eImplement the provided Sigma rules to detect suspicious process creation and file modifications related to the injected toolkit.\u003c/li\u003e\n\u003cli\u003eAudit user accounts for unauthorized administrator accounts as the attacker creates hidden accounts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-09T23:17:00Z","date_published":"2026-04-09T23:17:00Z","id":"/briefs/2026-04-smart-slider-rce/","summary":"Smart Slider 3 Pro version 3.5.1.35 for WordPress and Joomla contains a multi-stage remote access toolkit injected through a compromised update system allowing unauthenticated remote code execution and system takeover.","title":"Smart Slider 3 Pro Compromised Update Leads to Remote Code Execution","url":"https://feed.craftedsignal.io/briefs/2026-04-smart-slider-rce/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-3396"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["woocommerce","sqli","cve-2026-3396","wordpress","plugin"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe WooCommerce Ajax Product Filter (WCAPF) plugin, a WordPress extension, is susceptible to a time-based SQL Injection vulnerability (CVE-2026-3396). This flaw stems from inadequate input sanitization of the \u003ccode\u003epost-author\u003c/code\u003e parameter and insufficient preparation within the existing SQL query structure. Specifically, all versions of the plugin up to and including version 4.2.3 are affected. An unauthenticated attacker can exploit this vulnerability by injecting malicious SQL code into the \u003ccode\u003epost-author\u003c/code\u003e parameter. Successful exploitation allows the attacker to manipulate database queries and extract sensitive information without requiring authentication. This vulnerability poses a significant risk to e-commerce sites using the WCAPF plugin, as attackers could potentially access customer data, administrative credentials, or other confidential information.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker identifies a WooCommerce website using a vulnerable version (\u0026lt;=4.2.3) of the WCAPF plugin.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting an endpoint that utilizes the vulnerable \u003ccode\u003epost-author\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eThe crafted request includes SQL injection payload within the \u003ccode\u003epost-author\u003c/code\u003e parameter, designed to extract data using time-based techniques. For example, the attacker might use a \u003ccode\u003eSLEEP()\u003c/code\u003e function to introduce delays based on conditional database queries.\u003c/li\u003e\n\u003cli\u003eThe web server processes the request and passes the unsanitized \u003ccode\u003epost-author\u003c/code\u003e parameter to the database query.\u003c/li\u003e\n\u003cli\u003eThe injected SQL code manipulates the original query, causing the database to execute the attacker\u0026rsquo;s malicious commands.\u003c/li\u003e\n\u003cli\u003eBased on the response time (due to the \u003ccode\u003eSLEEP()\u003c/code\u003e function), the attacker infers whether their injected SQL query was successful in retrieving specific data.\u003c/li\u003e\n\u003cli\u003eThe attacker iteratively refines their SQL injection payload to extract sensitive information, such as user credentials or customer details.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates the obtained data, potentially using it for identity theft, financial fraud, or further attacks against the compromised website.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-3396 can lead to the complete compromise of the vulnerable WooCommerce website\u0026rsquo;s database. An attacker could potentially access sensitive customer data, including names, addresses, credit card details, and purchase history. Furthermore, administrative credentials could be stolen, allowing the attacker to gain full control over the website. This can result in significant financial losses, reputational damage, and legal liabilities for the affected e-commerce business. While the exact number of affected websites is unknown, any online store using the WCAPF plugin versions 4.2.3 or earlier is potentially at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the WCAPF plugin to a version greater than 4.2.3 to patch CVE-2026-3396 (references: CVE-2026-3396).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect WooCommerce SQL Injection Attempt\u003c/code\u003e to identify potential exploitation attempts in web server logs (references: Sigma rule).\u003c/li\u003e\n\u003cli\u003eImplement input validation and sanitization on the \u003ccode\u003epost-author\u003c/code\u003e parameter to prevent SQL injection attacks (references: Attack Chain).\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious requests containing SQL injection payloads, particularly those targeting WCAPF plugin endpoints (references: Sigma rule, Attack Chain).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-08T12:16:21Z","date_published":"2026-04-08T12:16:21Z","id":"/briefs/2026-04-woocommerce-sqli/","summary":"The WCAPF - WooCommerce Ajax Product Filter plugin is vulnerable to time-based SQL Injection (CVE-2026-3396) due to insufficient escaping and SQL query preparation, allowing unauthenticated attackers to extract sensitive information from the database in versions up to 4.2.3.","title":"WooCommerce Ajax Product Filter Plugin Vulnerable to SQL Injection (CVE-2026-3396)","url":"https://feed.craftedsignal.io/briefs/2026-04-woocommerce-sqli/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.2,"id":"CVE-2026-4808"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["wordpress","plugin","file-upload","remote-code-execution"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe Gerador de Certificados – DevApps plugin for WordPress, versions up to and including 1.3.6, contains an arbitrary file upload vulnerability (CVE-2026-4808). This flaw stems from a lack of file type validation within the \u003ccode\u003emoveUploadedFile()\u003c/code\u003e function. Authenticated users with administrator privileges or higher can exploit this vulnerability by uploading arbitrary files to the affected server. Successful exploitation could allow an attacker to execute arbitrary code on the server, leading to a complete system compromise. This vulnerability poses a significant threat to websites using the affected plugin, potentially impacting data confidentiality, integrity, and availability.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker authenticates to the WordPress site with administrator-level privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to the Gerador de Certificados – DevApps plugin\u0026rsquo;s upload functionality.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious file (e.g., a PHP file) with a disguised extension or no extension.\u003c/li\u003e\n\u003cli\u003eThe attacker uploads the malicious file through the plugin\u0026rsquo;s interface, bypassing the missing file type validation in the \u003ccode\u003emoveUploadedFile()\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe plugin saves the file to a publicly accessible directory on the server.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies the location of the uploaded file.\u003c/li\u003e\n\u003cli\u003eThe attacker sends an HTTP request to the uploaded file\u0026rsquo;s location.\u003c/li\u003e\n\u003cli\u003eThe server executes the malicious code within the uploaded file, granting the attacker remote code execution capabilities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows attackers with administrator privileges to upload arbitrary files to the web server. This can lead to remote code execution, potentially allowing the attacker to gain full control of the WordPress website and the underlying server. This could lead to data theft, website defacement, or use of the server for malicious purposes such as hosting phishing sites or launching attacks against other systems. The number of affected sites is potentially very large.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the Gerador de Certificados – DevApps plugin to the latest version, which includes a fix for CVE-2026-4808.\u003c/li\u003e\n\u003cli\u003eImplement web server configurations to prevent the execution of scripts in upload directories.\u003c/li\u003e\n\u003cli\u003eEnable web server logging and monitor for suspicious file uploads and access attempts to unusual file types.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule to detect attempts to access PHP files within the wp-content/uploads directory.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-08T07:16:22Z","date_published":"2026-04-08T07:16:22Z","id":"/briefs/2026-04-wordpress-upload/","summary":"The Gerador de Certificados – DevApps WordPress plugin is vulnerable to arbitrary file uploads due to missing file type validation, potentially leading to remote code execution.","title":"WordPress Plugin Vulnerability: Arbitrary File Upload in Gerador de Certificados – DevApps","url":"https://feed.craftedsignal.io/briefs/2026-04-wordpress-upload/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.2,"id":"CVE-2026-5425"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["wordpress","xss","cve-2026-5425","plugin"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe Widgets for Social Photo Feed plugin for WordPress, versions up to and including 1.7.9, contains a stored Cross-Site Scripting (XSS) vulnerability (CVE-2026-5425). This vulnerability stems from insufficient input sanitization and output escaping of the \u0026lsquo;feed_data\u0026rsquo; parameter keys. An unauthenticated attacker can exploit this flaw by injecting malicious JavaScript code into the WordPress database. When a user visits a page containing a vulnerable widget, the injected script executes within their browser, potentially leading to session hijacking, account takeover, or other malicious activities. This vulnerability was reported by Wordfence and patched in version 1.8 of the plugin.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe unauthenticated attacker identifies a WordPress site using a vulnerable version (\u0026lt;= 1.7.9) of the Widgets for Social Photo Feed plugin.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting the plugin\u0026rsquo;s functionality that handles the \u003ccode\u003efeed_data\u003c/code\u003e parameter. This request contains XSS payload within the parameter keys.\u003c/li\u003e\n\u003cli\u003eThe WordPress server receives the crafted HTTP request. The vulnerable plugin processes the request without proper input sanitization or output escaping.\u003c/li\u003e\n\u003cli\u003eThe malicious XSS payload is stored in the WordPress database, associated with the plugin\u0026rsquo;s settings or data.\u003c/li\u003e\n\u003cli\u003eA legitimate user visits a page on the WordPress site where the affected widget is displayed.\u003c/li\u003e\n\u003cli\u003eThe WordPress server retrieves the plugin data, including the stored XSS payload, from the database.\u003c/li\u003e\n\u003cli\u003eThe server renders the page with the unsanitized XSS payload embedded within the HTML output.\u003c/li\u003e\n\u003cli\u003eThe user\u0026rsquo;s browser receives the HTML page containing the malicious script and executes it. This could lead to redirection, information theft, or further compromise of the user\u0026rsquo;s session.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an unauthenticated attacker to execute arbitrary JavaScript code in the context of a website user\u0026rsquo;s browser. This can result in session hijacking, defacement of the website, redirection to malicious sites, or the theft of sensitive information. While the exact number of vulnerable installations is not available, the widespread use of WordPress plugins makes this a potentially significant threat, particularly for sites that do not promptly apply security updates.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the Widgets for Social Photo Feed plugin to version 1.8 or later to patch CVE-2026-5425.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect WordPress Social Photo Feed XSS Attempt\u003c/code\u003e to identify exploitation attempts in web server logs.\u003c/li\u003e\n\u003cli\u003eImplement a web application firewall (WAF) rule to filter out requests containing potentially malicious JavaScript code in the \u003ccode\u003efeed_data\u003c/code\u003e parameter.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-04T09:16:20Z","date_published":"2026-04-04T09:16:20Z","id":"/briefs/2026-04-wordpress-xss/","summary":"The Widgets for Social Photo Feed plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via the 'feed_data' parameter, allowing unauthenticated attackers to inject arbitrary web scripts in pages that will execute when a user accesses the injected page.","title":"WordPress Widgets for Social Photo Feed Plugin Stored XSS Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-wordpress-xss/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.1,"id":"CVE-2026-3445"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["wordpress","plugin","vulnerability","membership"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe ProfilePress plugin for WordPress, specifically the \u0026ldquo;Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile \u0026amp; Restrict Content\u0026rdquo; version 4.16.11 and earlier, contains a vulnerability (CVE-2026-3445) that allows authenticated attackers to bypass membership payment requirements. This flaw stems from a missing ownership verification on the \u003ccode\u003echange_plan_sub_id\u003c/code\u003e parameter within the \u003ccode\u003eprocess_checkout()\u003c/code\u003e function. An attacker with subscriber-level access can exploit this by referencing another user\u0026rsquo;s active subscription during the checkout process. This manipulation affects proration calculations, ultimately enabling the attacker to obtain paid lifetime membership plans without submitting legitimate payment. This vulnerability is triggered via the \u003ccode\u003eppress_process_checkout\u003c/code\u003e AJAX action, making it critical for defenders to implement appropriate detection and mitigation strategies.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker registers a new account on the WordPress site with the vulnerable ProfilePress plugin installed, obtaining subscriber-level access.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a valid, active subscription ID belonging to another user within the ProfilePress system.\u003c/li\u003e\n\u003cli\u003eThe attacker initiates the purchase of a paid membership plan (e.g., a lifetime membership).\u003c/li\u003e\n\u003cli\u003eDuring the checkout process, the attacker intercepts the HTTP request sent to the \u003ccode\u003eppress_process_checkout\u003c/code\u003e AJAX action.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the \u003ccode\u003echange_plan_sub_id\u003c/code\u003e parameter within the request, replacing the expected value with the subscription ID of the other user.\u003c/li\u003e\n\u003cli\u003eThe server-side \u003ccode\u003eprocess_checkout()\u003c/code\u003e function fails to properly validate the ownership of the provided \u003ccode\u003echange_plan_sub_id\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eDue to the manipulated \u003ccode\u003echange_plan_sub_id\u003c/code\u003e, the proration calculations are skewed, resulting in a significantly reduced or zeroed payment amount.\u003c/li\u003e\n\u003cli\u003eThe attacker completes the checkout process without making a legitimate payment and is granted access to the paid membership plan.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-3445 allows attackers to bypass payment requirements and gain unauthorized access to premium content and features offered through the ProfilePress plugin. This can result in significant revenue loss for website owners relying on paid memberships. The number of affected websites is potentially large, given the popularity of WordPress and the ProfilePress plugin. This vulnerability could also damage the reputation of the affected website and erode trust among legitimate paying members.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to ProfilePress version 4.16.12 or later to patch CVE-2026-3445 (reference: vulnerability description).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect ProfilePress Membership Bypass Attempt\u003c/code\u003e to your SIEM and tune for your environment to detect potential exploitation attempts by monitoring for the use of the \u003ccode\u003eppress_process_checkout\u003c/code\u003e AJAX action with suspicious \u003ccode\u003echange_plan_sub_id\u003c/code\u003e values (reference: Sigma rule).\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for POST requests to the \u003ccode\u003e/wp-admin/admin-ajax.php\u003c/code\u003e endpoint with the \u003ccode\u003eaction\u003c/code\u003e parameter set to \u003ccode\u003eppress_process_checkout\u003c/code\u003e to identify potential exploit attempts (reference: Attack Chain).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-04T09:16:20Z","date_published":"2026-04-04T09:16:20Z","id":"/briefs/2026-04-profilepress-bypass/","summary":"The ProfilePress WordPress plugin before 4.16.12 is vulnerable to an unauthorized membership payment bypass, allowing authenticated attackers to obtain paid memberships without payment by manipulating subscription IDs during checkout.","title":"ProfilePress WordPress Plugin Membership Payment Bypass Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-profilepress-bypass/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["wordpress","xss","plugin","cve-2026-4329"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe Blackhole for Bad Bots plugin for WordPress, up to and including version 3.8, contains a stored cross-site scripting (XSS) vulnerability. The vulnerability stems from insufficient input sanitization and output escaping of the User-Agent HTTP header when capturing bot data. Specifically, the plugin uses \u003ccode\u003esanitize_text_field()\u003c/code\u003e which strips HTML tags but does not escape HTML entities. This data is then stored using \u003ccode\u003eupdate_option()\u003c/code\u003e and later displayed on the Bad Bots log page. The stored data is output into HTML input value attributes and HTML span content without proper escaping via \u003ccode\u003eesc_attr()\u003c/code\u003e or \u003ccode\u003eesc_html()\u003c/code\u003e. This allows an unauthenticated attacker to inject arbitrary web scripts that are executed when an administrator views the Blackhole Bad Bots admin page, potentially leading to privilege escalation or other malicious actions.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker sends a request to the WordPress site with a malicious User-Agent header containing XSS payload.\u003c/li\u003e\n\u003cli\u003eThe Blackhole for Bad Bots plugin captures the User-Agent string using \u003ccode\u003esanitize_text_field()\u003c/code\u003e, which inadequately sanitizes the input.\u003c/li\u003e\n\u003cli\u003eThe plugin stores the inadequately sanitized User-Agent string in the WordPress options database using \u003ccode\u003eupdate_option()\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eA WordPress administrator navigates to the Blackhole Bad Bots admin page.\u003c/li\u003e\n\u003cli\u003eThe plugin retrieves the stored User-Agent strings from the database.\u003c/li\u003e\n\u003cli\u003eThe plugin outputs the stored User-Agent string directly into HTML input value attributes (lines 75-83) without \u003ccode\u003eesc_attr()\u003c/code\u003e and into HTML span content without \u003ccode\u003eesc_html()\u003c/code\u003e on the admin page.\u003c/li\u003e\n\u003cli\u003eThe administrator\u0026rsquo;s browser executes the injected XSS payload.\u003c/li\u003e\n\u003cli\u003eThe XSS payload can perform actions such as stealing the administrator\u0026rsquo;s session cookie, redirecting the administrator to a malicious site, or performing actions on behalf of the administrator.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows unauthenticated attackers to inject arbitrary web scripts that execute in the context of an administrator\u0026rsquo;s browser session. This can lead to various malicious outcomes, including account takeover, data theft, and defacement of the WordPress site. Given the widespread use of WordPress and the Blackhole for Bad Bots plugin, a successful exploit could impact a significant number of websites.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the Blackhole for Bad Bots plugin to a version greater than 3.8 to remediate CVE-2026-4329.\u003c/li\u003e\n\u003cli\u003eImplement a Web Application Firewall (WAF) rule to filter requests containing suspicious User-Agent headers that might exploit CVE-2026-4329.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for requests with unusual or potentially malicious User-Agent strings to detect potential exploitation attempts related to CVE-2026-4329.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-26T05:16:40Z","date_published":"2026-03-26T05:16:40Z","id":"/briefs/2024-01-11-wordpress-blackhole-xss/","summary":"The Blackhole for Bad Bots WordPress plugin through version 3.8 is vulnerable to stored cross-site scripting (XSS) via the User-Agent HTTP header, allowing unauthenticated attackers to inject arbitrary web scripts that execute when an administrator views the plugin's admin page.","title":"Blackhole for Bad Bots WordPress Plugin Stored XSS Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-11-wordpress-blackhole-xss/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["sql-injection","wordpress","plugin"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe WP Job Portal plugin for WordPress, a widely used plugin for managing job listings, is susceptible to SQL Injection attacks. This vulnerability, identified as CVE-2026-4306, affects all versions up to and including 2.4.8. The flaw stems from the insufficient sanitization of the \u0026lsquo;radius\u0026rsquo; parameter, which is directly incorporated into SQL queries without proper escaping. This lack of input validation enables unauthenticated attackers to inject malicious SQL code into the application\u0026rsquo;s database queries. Successful exploitation could lead to the unauthorized disclosure of sensitive information stored within the WordPress database. Given the popularity of WordPress and the WP Job Portal plugin, a successful attack could impact a large number of websites and expose confidential data, including user credentials, financial details, and other sensitive information.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker crafts a malicious HTTP request targeting the WordPress website running the vulnerable WP Job Portal plugin.\u003c/li\u003e\n\u003cli\u003eThe attacker appends a SQL injection payload to the \u0026lsquo;radius\u0026rsquo; parameter within the HTTP request.\u003c/li\u003e\n\u003cli\u003eThe vulnerable plugin receives the request and incorporates the unsanitized \u0026lsquo;radius\u0026rsquo; parameter into an SQL query within \u003ccode\u003eincludes/ajax.php\u003c/code\u003e or \u003ccode\u003emodules/job/model.php\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe injected SQL code is executed against the WordPress database due to the lack of proper input validation and escaping.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the SQL injection to extract sensitive information from the database, such as user credentials, API keys, or other confidential data.\u003c/li\u003e\n\u003cli\u003eThe extracted data may be exfiltrated from the server using various techniques.\u003c/li\u003e\n\u003cli\u003eThe attacker could potentially use the compromised data to gain further access to the WordPress site or connected systems.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this SQL Injection vulnerability (CVE-2026-4306) could lead to the complete compromise of the WordPress database. Attackers could gain access to sensitive information, including user credentials, customer data, and confidential business information. The vulnerability impacts all users running WP Job Portal plugin versions 2.4.8 and earlier. The CVSS v3.1 score is 7.5, indicating a high severity risk. The impact includes unauthorized data access.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the WP Job Portal plugin to version 2.4.9 or later to patch the SQL Injection vulnerability (CVE-2026-4306).\u003c/li\u003e\n\u003cli\u003eDeploy a web application firewall (WAF) with rules to detect and block SQL Injection attempts targeting the \u0026lsquo;radius\u0026rsquo; parameter in WordPress plugins.\u003c/li\u003e\n\u003cli\u003eEnable detailed logging for your web server (category \u0026ldquo;webserver\u0026rdquo;, product \u0026ldquo;linux|windows\u0026rdquo;) to monitor for suspicious activity and potential exploitation attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-24T12:00:00Z","date_published":"2026-03-24T12:00:00Z","id":"/briefs/2026-03-wp-job-portal-sqli/","summary":"The WP Job Portal plugin for WordPress is vulnerable to SQL Injection via the 'radius' parameter, allowing unauthenticated attackers to extract sensitive database information in versions up to 2.4.8.","title":"WP Job Portal Plugin SQL Injection Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-03-wp-job-portal-sqli/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-2892"}],"_cs_exploited":false,"_cs_products":["Otter Blocks plugin"],"_cs_severities":["high"],"_cs_tags":["wordpress","plugin","purchase-bypass","CVE-2026-2892","defense-evasion"],"_cs_type":"advisory","_cs_vendors":["Stripe","WordPress"],"content_html":"\u003cp\u003eThe Otter Blocks plugin, a popular WordPress extension, is susceptible to a purchase verification bypass vulnerability identified as CVE-2026-2892. This flaw affects all versions up to and including 3.1.4. The vulnerability stems from the plugin\u0026rsquo;s reliance on an unsigned cookie, \u0026lsquo;o_stripe_data\u0026rsquo;, to determine Stripe product ownership for unauthenticated users. The \u0026lsquo;get_customer_data\u0026rsquo; method uses this cookie, and the subsequent \u0026lsquo;check_purchase\u0026rsquo; method trusts its contents without proper server-side validation against the Stripe API. This lack of verification enables attackers to gain unauthorized access to purchase-gated content. The target product ID is often exposed in the checkout block\u0026rsquo;s HTML source, further simplifying the exploit. Successful exploitation allows attackers to bypass payment requirements, potentially impacting content creators and businesses relying on the plugin for revenue generation.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker identifies a WordPress site using the vulnerable Otter Blocks plugin (version \u0026lt;= 3.1.4).\u003c/li\u003e\n\u003cli\u003eThe attacker examines the HTML source code of a checkout block on the target site to identify the target product ID.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious \u0026lsquo;o_stripe_data\u0026rsquo; cookie containing the target product ID.\u003c/li\u003e\n\u003cli\u003eThe attacker sets the forged \u0026lsquo;o_stripe_data\u0026rsquo; cookie in their browser.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to the purchase-gated content on the WordPress site.\u003c/li\u003e\n\u003cli\u003eThe \u0026lsquo;get_customer_data\u0026rsquo; method reads the forged \u0026lsquo;o_stripe_data\u0026rsquo; cookie.\u003c/li\u003e\n\u003cli\u003eThe \u0026lsquo;check_purchase\u0026rsquo; method incorrectly validates the forged purchase data without server-side verification against the Stripe API.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to the purchase-gated content, bypassing the intended payment requirement.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-2892 allows unauthenticated attackers to bypass purchase verification mechanisms implemented by the Otter Blocks plugin. This can lead to unauthorized access to premium content, resulting in revenue loss for content creators and businesses using the plugin. The number of potentially affected websites is significant, given the popularity of WordPress and the Otter Blocks plugin. The CVSS v3.1 base score is 7.5, indicating a high severity vulnerability.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the Otter Blocks plugin to a version greater than 3.1.4 to patch CVE-2026-2892.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rules to detect potential exploitation attempts targeting the vulnerable plugin.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs (category \u003ccode\u003ewebserver\u003c/code\u003e, product \u003ccode\u003elinux\u003c/code\u003e) for suspicious cookie manipulation activity, specifically targeting the \u0026lsquo;o_stripe_data\u0026rsquo; cookie.\u003c/li\u003e\n\u003cli\u003eImplement server-side validation of purchase data against the Stripe API to prevent cookie forgery attacks.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-06-24T12:00:00Z","date_published":"2024-06-24T12:00:00Z","id":"/briefs/2026-06-otter-blocks-bypass/","summary":"CVE-2026-2892 is a purchase verification bypass vulnerability in the Otter Blocks plugin for WordPress, affecting versions up to 3.1.4, that allows unauthenticated attackers to access restricted content by forging a cookie used for purchase validation.","title":"Otter Blocks Plugin Purchase Verification Bypass Vulnerability (CVE-2026-2892)","url":"https://feed.craftedsignal.io/briefs/2026-06-otter-blocks-bypass/"},{"_cs_actors":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2026-3844"}],"_cs_exploited":false,"_cs_products":["Breeze Cache plugin"],"_cs_severities":["critical"],"_cs_tags":["wordpress","plugin","file-upload","rce"],"_cs_type":"advisory","_cs_vendors":["Cloudways"],"content_html":"\u003cp\u003eThe Breeze Cache plugin for WordPress, in versions up to and including 2.4.4, contains an arbitrary file upload vulnerability (CVE-2026-3844). This flaw stems from the lack of file type validation within the \u0026lsquo;fetch_gravatar_from_remote\u0026rsquo; function. An unauthenticated attacker can exploit this vulnerability to upload arbitrary files to the affected WordPress site\u0026rsquo;s server. Successful exploitation could lead to remote code execution on the server. It is important to note that the vulnerability can only be exploited if the \u0026ldquo;Host Files Locally - Gravatars\u0026rdquo; setting is enabled within the Breeze Cache plugin. This setting is disabled by default, reducing the attack surface. Defenders should prioritize identifying potentially compromised systems running vulnerable versions of Breeze Cache with the \u0026ldquo;Host Files Locally - Gravatars\u0026rdquo; option enabled.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker identifies a WordPress site running a vulnerable version (\u0026lt;= 2.4.4) of the Breeze Cache plugin.\u003c/li\u003e\n\u003cli\u003eThe attacker confirms the \u0026ldquo;Host Files Locally - Gravatars\u0026rdquo; option is enabled on the target WordPress site.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting the \u0026lsquo;fetch_gravatar_from_remote\u0026rsquo; function. This request contains a payload designed to upload an arbitrary file to the server.\u003c/li\u003e\n\u003cli\u003eDue to the missing file type validation, the server accepts the malicious file upload without proper sanitization. The uploaded file can be a PHP file, a web shell, or another executable type.\u003c/li\u003e\n\u003cli\u003eThe attacker determines the location where the file has been saved by the plugin.\u003c/li\u003e\n\u003cli\u003eThe attacker sends an HTTP request to the uploaded file\u0026rsquo;s location, triggering its execution on the server.\u003c/li\u003e\n\u003cli\u003eThe malicious file executes, granting the attacker remote code execution capabilities on the web server.\u003c/li\u003e\n\u003cli\u003eThe attacker can then perform actions such as installing malware, stealing sensitive data, or further compromising the server and network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an unauthenticated attacker to upload arbitrary files to a vulnerable WordPress server. This can lead to complete compromise of the server, allowing for remote code execution. The attacker can then pivot to other systems, steal sensitive information, or cause significant disruption. While the \u0026ldquo;Host Files Locally - Gravatars\u0026rdquo; option is disabled by default, any instance where this option is enabled is at critical risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the Breeze Cache plugin to the latest version to patch CVE-2026-3844.\u003c/li\u003e\n\u003cli\u003eDisable the \u0026ldquo;Host Files Locally - Gravatars\u0026rdquo; setting in the Breeze Cache plugin if it is enabled.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules provided below to your SIEM to detect potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious file uploads and requests to unusual file extensions using the provided Sigma rules.\u003c/li\u003e\n\u003cli\u003eImplement strict file upload policies and validation mechanisms on all web applications to prevent arbitrary file uploads.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-02-29T10:00:00Z","date_published":"2024-02-29T10:00:00Z","id":"/briefs/2026-04-breeze-cache-rce/","summary":"The Breeze Cache plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation, potentially leading to remote code execution.","title":"Breeze Cache Plugin Arbitrary File Upload Vulnerability (CVE-2026-3844)","url":"https://feed.craftedsignal.io/briefs/2026-04-breeze-cache-rce/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.2,"id":"CVE-2026-6229"}],"_cs_exploited":false,"_cs_products":["Royal Elementor Addons \u003c= 1.7.1057"],"_cs_severities":["high"],"_cs_tags":["wordpress","ssrf","cve-2026-6229","plugin"],"_cs_type":"advisory","_cs_vendors":["WordPress"],"content_html":"\u003cp\u003eThe Royal Elementor Addons plugin, a popular WordPress extension, contains a Server-Side Request Forgery (SSRF) vulnerability (CVE-2026-6229) in versions up to and including 1.7.1057. This flaw stems from inadequate validation of user-provided URLs within the \u003ccode\u003erender_csv_data()\u003c/code\u003e function. Attackers can bypass the validation by including \u0026lsquo;docs.google.com/spreadsheets\u0026rsquo; in a query parameter. The vulnerability is triggered because the plugin uses these URLs in \u003ccode\u003efopen()\u003c/code\u003e calls without implementing adequate safeguards to prevent access to internal or private network addresses. This vulnerability enables authenticated attackers with Contributor-level access or higher to craft malicious requests, potentially exposing sensitive internal data. Successful exploitation allows attackers to probe internal network resources, access configuration files, and potentially escalate attacks further.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker authenticates to the WordPress site with Contributor-level access or higher.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting the vulnerable \u003ccode\u003erender_csv_data()\u003c/code\u003e function within the Royal Elementor Addons plugin.\u003c/li\u003e\n\u003cli\u003eThe malicious request includes a user-supplied URL containing \u0026lsquo;docs.google.com/spreadsheets\u0026rsquo; within a query parameter to bypass initial validation checks.\u003c/li\u003e\n\u003cli\u003eThe plugin\u0026rsquo;s \u003ccode\u003erender_csv_data()\u003c/code\u003e function receives the crafted URL without proper sanitization or validation against internal or private network addresses.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003efopen()\u003c/code\u003e function is called with the attacker-controlled URL, initiating an outbound request from the WordPress server.\u003c/li\u003e\n\u003cli\u003eIf the URL points to an internal resource, the WordPress server retrieves the resource content.\u003c/li\u003e\n\u003cli\u003eThe attacker receives the content of the internal resource in the response from the WordPress server.\u003c/li\u003e\n\u003cli\u003eThe attacker analyzes the retrieved content for sensitive information, such as configuration files, API keys, or internal service details.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this SSRF vulnerability (CVE-2026-6229) can lead to the exposure of sensitive internal information, potentially impacting all organizations using the Royal Elementor Addons plugin for WordPress version 1.7.1057 and below. This may include internal configuration files, API keys, database credentials, or other sensitive data accessible through internal services. The severity is high due to the potential for attackers to pivot from this vulnerability and further compromise the WordPress server or the internal network.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the Royal Elementor Addons plugin to a version higher than 1.7.1057 to patch CVE-2026-6229.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Royal Elementor Addons SSRF Attempt via URL Parameter\u0026rdquo; to identify malicious requests targeting the \u003ccode\u003erender_csv_data()\u003c/code\u003e function in your web server logs.\u003c/li\u003e\n\u003cli\u003eImplement strict network segmentation and firewall rules to limit access from the WordPress server to internal resources, mitigating the impact of potential SSRF vulnerabilities.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-08T12:00:00Z","date_published":"2024-01-08T12:00:00Z","id":"/briefs/2024-01-royal-elementor-ssrf/","summary":"The Royal Elementor Addons plugin for WordPress is vulnerable to Server-Side Request Forgery (SSRF) allowing authenticated attackers with Contributor-level access or higher to make arbitrary requests and retrieve sensitive information from internal services.","title":"Royal Elementor Addons Plugin SSRF Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-royal-elementor-ssrf/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.1,"id":"CVE-2026-5364"}],"_cs_exploited":false,"_cs_products":["Drag and Drop File Upload for Contact Form 7 plugin"],"_cs_severities":["high"],"_cs_tags":["wordpress","file-upload","rce","plugin","CVE-2026-5364"],"_cs_type":"advisory","_cs_vendors":["WordPress"],"content_html":"\u003cp\u003eThe Drag and Drop File Upload for Contact Form 7 plugin for WordPress, in versions up to and including 1.1.3, contains an arbitrary file upload vulnerability tracked as CVE-2026-5364. The flaw stems from insufficient sanitization of file extensions during the upload process. Specifically, the plugin extracts the file extension before sanitization and allows the file type parameter to be controlled by the attacker. Furthermore, validation occurs on the unsanitized extension, while the file is saved with a sanitized extension, stripping special characters like \u0026lsquo;$\u0026rsquo; during the save. While an .htaccess file and name randomization are present, these restrictions may be bypassable in certain configurations or by exploiting other vulnerabilities. This vulnerability could allow unauthenticated attackers to upload arbitrary PHP files to the web server, potentially leading to remote code execution (RCE).\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker identifies a WordPress website using a vulnerable version (\u0026lt;= 1.1.3) of the \u0026ldquo;Drag and Drop File Upload for Contact Form 7\u0026rdquo; plugin.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP POST request targeting the plugin\u0026rsquo;s upload endpoint, typically \u003ccode\u003e/wp-content/plugins/drag-and-drop-multiple-file-upload-contact-form-7/upload.php\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe POST request includes a file with a manipulated extension, such as \u003ccode\u003eevil.php$.jpg\u003c/code\u003e, where \u003ccode\u003eevil.php\u003c/code\u003e is the malicious PHP payload and \u003ccode\u003e$.jpg\u003c/code\u003e is designed to be sanitized to \u003ccode\u003e.jpg\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the \u003ccode\u003efile type\u003c/code\u003e parameter in the request to reflect the original manipulated file extension (\u003ccode\u003eevil.php$.jpg\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe plugin validates the extension against administrator-configured types but, due to the unsanitized extension and attacker control over the file type parameter, the malicious file passes validation.\u003c/li\u003e\n\u003cli\u003eThe plugin sanitizes the extension, removing the \u003ccode\u003e$\u003c/code\u003e character, resulting in a file saved with the extension \u003ccode\u003e.php\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to access the uploaded PHP file via a direct HTTP request to \u003ccode\u003e/wp-content/uploads/\u0026lt;random_name\u0026gt;.php\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eIf the \u003ccode\u003e.htaccess\u003c/code\u003e restrictions are bypassed (e.g., due to misconfiguration or another vulnerability), the web server executes the malicious PHP code, granting the attacker remote code execution.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-5364 allows unauthenticated attackers to upload and execute arbitrary PHP code on the target WordPress server. This can lead to complete compromise of the website, including defacement, data theft, and installation of backdoors. While the presence of \u003ccode\u003e.htaccess\u003c/code\u003e and name randomization mitigates the risk, these protections may be bypassed, especially when combined with other vulnerabilities or misconfigurations. Given the widespread use of WordPress and its plugins, this vulnerability poses a significant risk to a large number of websites. The CVSS v3.1 base score is 8.1, indicating a high severity vulnerability.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the \u0026ldquo;Drag and Drop File Upload for Contact Form 7\u0026rdquo; plugin to the latest version (greater than 1.1.3) to patch CVE-2026-5364.\u003c/li\u003e\n\u003cli\u003eImplement a Web Application Firewall (WAF) rule to inspect and block requests containing suspicious file extensions in the POST parameters targeting the plugin\u0026rsquo;s upload endpoint (\u003ccode\u003e/wp-content/plugins/drag-and-drop-multiple-file-upload-contact-form-7/upload.php\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Suspicious File Upload via Drag and Drop CF7\u003c/code\u003e to identify exploitation attempts in web server logs (cs-uri-query).\u003c/li\u003e\n\u003cli\u003eReview and harden \u003ccode\u003e.htaccess\u003c/code\u003e configurations to ensure that PHP execution is restricted in the \u003ccode\u003e/wp-content/uploads/\u003c/code\u003e directory.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T18:23:00Z","date_published":"2024-01-03T18:23:00Z","id":"/briefs/2024-01-wordpress-plugin-upload/","summary":"The Drag and Drop File Upload for Contact Form 7 plugin for WordPress is vulnerable to arbitrary file upload in versions up to 1.1.3, allowing unauthenticated attackers to upload arbitrary PHP files by manipulating the file type parameter and exploiting extension sanitization vulnerabilities.","title":"WordPress Drag and Drop File Upload Plugin Vulnerable to Arbitrary File Upload (CVE-2026-5364)","url":"https://feed.craftedsignal.io/briefs/2024-01-wordpress-plugin-upload/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.1,"id":"CVE-2026-7647"}],"_cs_exploited":false,"_cs_products":["Profile Builder Pro plugin"],"_cs_severities":["critical"],"_cs_tags":["php-object-injection","wordpress","plugin","rce"],"_cs_type":"advisory","_cs_vendors":["WordPress"],"content_html":"\u003cp\u003eThe Profile Builder Pro plugin for WordPress is susceptible to a critical PHP Object Injection vulnerability (CVE-2026-7647) affecting all versions up to and including 3.14.5. This flaw stems from the plugin\u0026rsquo;s use of the \u003ccode\u003emaybe_unserialize()\u003c/code\u003e function on the attacker-controlled \u003ccode\u003eargs\u003c/code\u003e POST parameter passed to the \u003ccode\u003ewppb_request_users_pins_action_callback()\u003c/code\u003e AJAX handler. Critically, this handler lacks nonce verification, input validation, and type checking, making it accessible to unauthenticated users via both \u003ccode\u003ewp_ajax_\u003c/code\u003e and \u003ccode\u003ewp_ajax_nopriv_\u003c/code\u003e hooks. Successful exploitation allows remote, unauthenticated attackers to inject arbitrary PHP objects into the application\u0026rsquo;s memory space, potentially leading to remote code execution depending on available classes and application configuration. The vulnerability was published on 2026-05-02.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker identifies a WordPress site running a vulnerable version (\u0026lt;= 3.14.5) of the Profile Builder Pro plugin.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP POST request targeting the WordPress AJAX endpoint (\u003ccode\u003e/wp-admin/admin-ajax.php\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe POST request includes the \u003ccode\u003eaction\u003c/code\u003e parameter set to \u003ccode\u003ewppb_request_users_pins_action_callback\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe POST request includes the \u003ccode\u003eargs\u003c/code\u003e parameter containing a serialized PHP object designed to trigger arbitrary code execution upon deserialization.\u003c/li\u003e\n\u003cli\u003eThe WordPress server receives the request and invokes the \u003ccode\u003ewppb_request_users_pins_action_callback()\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe vulnerable function calls \u003ccode\u003emaybe_unserialize()\u003c/code\u003e on the attacker-controlled \u003ccode\u003eargs\u003c/code\u003e parameter without proper sanitization or validation.\u003c/li\u003e\n\u003cli\u003eThe malicious PHP object is deserialized and injected into the application\u0026rsquo;s memory space.\u003c/li\u003e\n\u003cli\u003eThe injected object\u0026rsquo;s methods and properties are triggered, leading to arbitrary code execution on the server.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an unauthenticated attacker to execute arbitrary PHP code on the target WordPress server. This can lead to complete system compromise, including data theft, website defacement, and the installation of backdoors for persistent access. Given the widespread use of WordPress and the Profile Builder Pro plugin, a large number of websites are potentially at risk until the plugin is updated.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the Profile Builder Pro plugin to the latest available version to patch CVE-2026-7647.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule \u003ccode\u003eDetect Profile Builder Pro PHP Object Injection Attempt\u003c/code\u003e to detect exploitation attempts targeting the vulnerable AJAX endpoint.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for POST requests to \u003ccode\u003e/wp-admin/admin-ajax.php\u003c/code\u003e with the \u003ccode\u003eaction\u003c/code\u003e parameter set to \u003ccode\u003ewppb_request_users_pins_action_callback\u003c/code\u003e and suspicious serialized data in the \u003ccode\u003eargs\u003c/code\u003e parameter.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T14:30:00Z","date_published":"2024-01-03T14:30:00Z","id":"/briefs/2024-01-wordpress-profile-builder-rce/","summary":"An unauthenticated PHP Object Injection vulnerability exists in the Profile Builder Pro WordPress plugin (versions up to 3.14.5) due to the insecure use of `maybe_unserialize()` on the 'args' POST parameter in the `wppb_request_users_pins_action_callback()` AJAX handler, potentially leading to arbitrary code execution.","title":"WordPress Profile Builder Pro Plugin PHP Object Injection Vulnerability (CVE-2026-7647)","url":"https://feed.craftedsignal.io/briefs/2024-01-wordpress-profile-builder-rce/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.2,"id":"CVE-2026-5464"}],"_cs_exploited":false,"_cs_products":["ExactMetrics – Google Analytics Dashboard for WordPress (Website Stats Plugin)"],"_cs_severities":["critical"],"_cs_tags":["wordpress","plugin","rce","cve-2026-5464","exactmetrics"],"_cs_type":"advisory","_cs_vendors":["WordPress"],"content_html":"\u003cp\u003eA critical vulnerability, CVE-2026-5464, exists in the ExactMetrics – Google Analytics Dashboard for WordPress (Website Stats Plugin) plugin, affecting all versions up to and including 9.1.2. The vulnerability allows authenticated attackers with Editor-level access or higher, who also possess the \u0026rsquo;exactmetrics_view_dashboard\u0026rsquo; capability, to install and activate arbitrary WordPress plugins from attacker-controlled URLs. This is possible due to the exposure of the \u0026lsquo;onboarding_key\u0026rsquo; transient and the lack of proper authorization checks on the \u0026rsquo;exactmetrics_connect_process\u0026rsquo; AJAX endpoint. Successful exploitation can lead to Remote Code Execution (RCE) on the target WordPress site. This poses a significant risk to websites using the vulnerable plugin, as attackers can inject malicious code and gain full control of the affected system.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains authenticated access to a WordPress site as an Editor or Administrator.\u003c/li\u003e\n\u003cli\u003eThe attacker obtains the \u0026lsquo;onboarding_key\u0026rsquo; by accessing the reports page, which exposes the transient value to users with the \u0026rsquo;exactmetrics_view_dashboard\u0026rsquo; capability.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the \u0026lsquo;onboarding_key\u0026rsquo; to access the \u0026lsquo;/wp-json/exactmetrics/v1/onboarding/connect-url\u0026rsquo; REST endpoint, receiving a one-time hash (OTH) token.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious plugin ZIP file hosted on an attacker-controlled server.\u003c/li\u003e\n\u003cli\u003eThe attacker sends a request to the \u0026rsquo;exactmetrics_connect_process\u0026rsquo; AJAX endpoint, providing the OTH token and the URL of the malicious plugin ZIP file via the \u0026lsquo;file\u0026rsquo; parameter. This endpoint lacks capability checks and nonce verification.\u003c/li\u003e\n\u003cli\u003eThe ExactMetrics plugin downloads the malicious plugin ZIP file from the attacker-controlled URL.\u003c/li\u003e\n\u003cli\u003eThe ExactMetrics plugin installs and activates the malicious plugin.\u003c/li\u003e\n\u003cli\u003eThe attacker gains Remote Code Execution on the WordPress server through the installed malicious plugin.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-5464 allows attackers to install arbitrary plugins on vulnerable WordPress sites, leading to Remote Code Execution. This grants the attacker complete control over the compromised website, enabling them to inject malicious code, deface the site, steal sensitive data, or use the site for further malicious activities. The number of affected websites depends on the widespread use of the ExactMetrics plugin. Organizations using this plugin are at risk of significant data breaches and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the ExactMetrics – Google Analytics Dashboard for WordPress (Website Stats Plugin) plugin to the latest version, which patches CVE-2026-5464.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious requests to the \u0026lsquo;/wp-json/exactmetrics/v1/onboarding/connect-url\u0026rsquo; REST endpoint and the \u0026rsquo;exactmetrics_connect_process\u0026rsquo; AJAX endpoint. Implement the Sigma rule provided below to detect exploitation attempts.\u003c/li\u003e\n\u003cli\u003eImplement strong password policies and multi-factor authentication to prevent unauthorized access to WordPress accounts.\u003c/li\u003e\n\u003cli\u003eRestrict the \u0026rsquo;exactmetrics_view_dashboard\u0026rsquo; capability to only the necessary users.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-02-exactmetrics-rce/","summary":"The ExactMetrics plugin for WordPress is vulnerable to unauthorized arbitrary plugin installation and activation via a REST API endpoint, potentially leading to remote code execution by authenticated attackers.","title":"ExactMetrics WordPress Plugin Vulnerability Leads to Remote Code Execution","url":"https://feed.craftedsignal.io/briefs/2024-01-02-exactmetrics-rce/"}],"language":"en","title":"CraftedSignal Threat Feed — Plugin","version":"https://jsonfeed.org/version/1.1"}