<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Plugin — CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/plugin/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata — refreshed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Sat, 02 May 2026 12:16:16 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/plugin/feed.xml" rel="self" type="application/rss+xml"/><item><title>Paid Memberships Pro Plugin Vulnerability Allows Unauthorized Stripe Webhook Modification</title><link>https://feed.craftedsignal.io/briefs/2026-05-pmpro-stripe-webhook-vuln/</link><pubDate>Sat, 02 May 2026 12:16:16 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-05-pmpro-stripe-webhook-vuln/</guid><description>The Paid Memberships Pro plugin for WordPress is vulnerable to unauthorized modification of Stripe webhook configurations due to missing capability checks, allowing authenticated attackers with Subscriber-level access to disrupt payment processing.</description><content:encoded><![CDATA[<p>The Paid Memberships Pro plugin, a popular WordPress plugin for managing paid subscriptions, contains a vulnerability (CVE-2026-4100) that allows authenticated attackers with minimal privileges (Subscriber-level access) to manipulate Stripe webhook configurations. This flaw exists in versions up to and including 3.6.5 due to missing capability checks on specific AJAX handlers. 
An attacker exploiting this vulnerability can delete, create, or rebuild the site&rsquo;s Stripe webhook, leading to significant disruptions in payment processing, subscription renewal synchronization, cancellation handling, and management of failed payments. This vulnerability puts revenue streams and customer relationships at risk for any organization using the affected plugin versions.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains Subscriber-level access to the WordPress site, either through registration or compromised credentials.</li>
<li>The attacker crafts a malicious AJAX request targeting the <code>wp_ajax_pmpro_stripe_create_webhook</code> endpoint.</li>
<li>Alternatively, the attacker crafts a malicious AJAX request to the <code>wp_ajax_pmpro_stripe_delete_webhook</code> endpoint.</li>
<li>Or, the attacker crafts a malicious AJAX request to the <code>wp_ajax_pmpro_stripe_rebuild_webhook</code> endpoint.</li>
<li>Due to missing capability checks, the server processes the request without proper authorization.</li>
<li>The Stripe webhook configuration is modified, deleted, or rebuilt based on the attacker&rsquo;s request.</li>
<li>Legitimate payment processing and subscription management processes fail due to the altered webhook configuration.</li>
<li>The attacker effectively disrupts the site&rsquo;s ability to collect payments and manage subscriptions.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this vulnerability allows an attacker to completely disrupt a WordPress site&rsquo;s payment processing and subscription management functionalities. This can result in significant financial losses due to interrupted sales and subscription renewals. Furthermore, the disruption can damage customer trust and lead to churn as users experience issues with their subscriptions. The vulnerability affects all sites using Paid Memberships Pro plugin versions up to 3.6.5.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Immediately update the Paid Memberships Pro plugin to the latest version to patch CVE-2026-4100.</li>
<li>Monitor WordPress web server logs for POST requests to <code>/wp-admin/admin-ajax.php</code> with the <code>action</code> parameter set to <code>pmpro_stripe_create_webhook</code>, <code>pmpro_stripe_delete_webhook</code>, or <code>pmpro_stripe_rebuild_webhook</code> using the &ldquo;Detect Suspicious PMPro Stripe Webhook AJAX Requests&rdquo; Sigma rule.</li>
<li>Review user roles and permissions to minimize the number of users with Subscriber-level access as a temporary mitigation.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>wordpress</category><category>stripe</category><category>webhook</category><category>vulnerability</category><category>plugin</category></item><item><title>Geo Mashup WordPress Plugin Vulnerable to Time-Based SQL Injection (CVE-2026-4062)</title><link>https://feed.craftedsignal.io/briefs/2026-05-geo-mashup-sqli/</link><pubDate>Sat, 02 May 2026 12:16:16 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-05-geo-mashup-sqli/</guid><description>The Geo Mashup WordPress plugin is vulnerable to Time-Based SQL Injection due to insufficient input sanitization, allowing unauthenticated attackers to extract sensitive database information.</description><content:encoded><![CDATA[<p>The Geo Mashup plugin for WordPress, in versions up to and including 1.13.18, contains a Time-Based SQL Injection vulnerability (CVE-2026-4062). The vulnerability exists within the &lsquo;object_ids&rsquo; and &lsquo;exclude_object_ids&rsquo; parameters. Insufficient escaping of user-supplied input, specifically within the <code>IN(...)</code> and <code>NOT IN(...)</code> SQL context, coupled with inadequate preparation of the existing SQL query, allows for the injection. The <code>esc_sql()</code> function is applied but is rendered ineffective due to its inability to protect against parenthesis or SQL keyword injection within the unquoted <code>IN(...)</code> / <code>NOT IN(...)</code> context. A numeric-only sanitizer exists in <code>sanitize_query_args()</code>, but this is only applied in the AJAX code path and not in the <code>render-map.php</code> or template tag code paths. This flaw enables unauthenticated attackers to append malicious SQL queries, facilitating the extraction of sensitive information from the WordPress database through a time-based blind SQL injection technique.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An unauthenticated attacker identifies the vulnerable Geo Mashup plugin running on a WordPress site.</li>
<li>The attacker crafts a malicious HTTP request targeting an endpoint that utilizes the &lsquo;object_ids&rsquo; or &lsquo;exclude_object_ids&rsquo; parameters.</li>
<li>The attacker injects a time-based SQL injection payload into the &lsquo;object_ids&rsquo; or &lsquo;exclude_object_ids&rsquo; parameter. This payload leverages SQL functions like <code>SLEEP()</code> or <code>BENCHMARK()</code> to introduce delays based on conditional SQL logic.</li>
<li>The vulnerable code fails to properly sanitize the injected SQL code due to the ineffective <code>esc_sql()</code> function in the <code>IN</code>/<code>NOT IN</code> context.</li>
<li>The injected SQL payload is appended to the existing SQL query executed by the Geo Mashup plugin.</li>
<li>The database server executes the combined query, including the injected time-based SQL injection.</li>
<li>The attacker monitors the response time of the HTTP request. A delayed response indicates that the injected SQL logic evaluated to true.</li>
<li>By repeatedly sending requests with different SQL injection payloads, the attacker can extract sensitive information from the database one character at a time.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this vulnerability can lead to the complete compromise of the WordPress database. An attacker can extract sensitive information such as user credentials, API keys, configuration details, and other confidential data. This can result in data breaches, unauthorized access to the WordPress site, and potential further attacks on connected systems. The CVSS v3.1 base score for this vulnerability is 7.5, indicating a high severity.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade the Geo Mashup plugin to a version greater than 1.13.18 to remediate CVE-2026-4062.</li>
<li>Deploy the Sigma rule <code>Detect Geo Mashup Time-Based SQL Injection Attempts</code> to identify potential exploitation attempts targeting the vulnerable parameters.</li>
<li>Monitor web server logs for suspicious requests containing SQL injection payloads in the &lsquo;object_ids&rsquo; or &lsquo;exclude_object_ids&rsquo; parameters to detect exploitation attempts.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>sqli</category><category>wordpress</category><category>plugin</category></item><item><title>Geo Mashup WordPress Plugin Vulnerable to Time-Based SQL Injection (CVE-2026-4061)</title><link>https://feed.craftedsignal.io/briefs/2026-05-geo-mashup-sql-injection/</link><pubDate>Sat, 02 May 2026 12:16:16 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-05-geo-mashup-sql-injection/</guid><description>A time-based SQL injection vulnerability (CVE-2026-4061) exists in the Geo Mashup WordPress plugin (&lt;= 1.13.18) due to insufficient sanitization of the 'map_post_type' parameter, enabling unauthenticated attackers to extract sensitive information via time-based blind SQL injection if the Geo Search feature is enabled.</description><content:encoded><![CDATA[<p>The Geo Mashup plugin for WordPress is vulnerable to time-based SQL injection, as detailed in CVE-2026-4061. This vulnerability affects all versions of the plugin up to and including 1.13.18. The root cause lies in the <code>SearchResults</code> hook, where the <code>map_post_type</code> parameter is mishandled. Specifically, the code first calls <code>stripslashes_deep($_POST)</code>, effectively removing WordPress&rsquo;s magic quotes protection. Subsequently, the unsanitized <code>map_post_type</code> value is directly concatenated into an <code>IN(...)</code> clause without proper escaping using <code>esc_sql()</code> or <code>$wpdb-&gt;prepare()</code>. While the &lsquo;any&rsquo; branch of the code correctly applies <code>array_map('esc_sql', ...)</code>, the alternative branch lacks this crucial sanitization step. Successful exploitation requires the Geo Search feature to be enabled in the plugin&rsquo;s settings. 
This vulnerability allows unauthenticated attackers to inject malicious SQL queries, potentially leading to the extraction of sensitive database information through time-based blind techniques.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker identifies a WordPress site using a vulnerable version of the Geo Mashup plugin (&lt;= 1.13.18) with the Geo Search feature enabled.</li>
<li>The attacker crafts a malicious HTTP POST request targeting the <code>SearchResults</code> hook with a specially crafted <code>map_post_type</code> parameter containing SQL injection payload.</li>
<li>The vulnerable code within the Geo Mashup plugin processes the POST request, removing magic quotes using <code>stripslashes_deep($_POST)</code>.</li>
<li>The unsanitized <code>map_post_type</code> value is then concatenated directly into an SQL query within an <code>IN(...)</code> clause without proper escaping.</li>
<li>The injected SQL code executes within the database query, allowing the attacker to manipulate the query&rsquo;s behavior.</li>
<li>The attacker uses time-based SQL injection techniques (e.g., <code>IF(condition, SLEEP(5), 0)</code>) within the injected payload to infer information based on the response time.</li>
<li>By repeatedly sending modified requests and observing the response times, the attacker can extract sensitive data, character by character, from the database.</li>
<li>The attacker extracts sensitive information such as usernames, passwords, API keys, or other confidential data stored in the WordPress database.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this vulnerability allows unauthenticated attackers to extract sensitive information from the WordPress database. The severity of the impact depends on the sensitivity of the data stored in the database, but could include exposure of user credentials, confidential business data, or other sensitive information. Because it affects any installation with the Geo Search feature enabled, a large number of websites using the Geo Mashup plugin may be vulnerable. The CVSS v3.1 base score is 7.5, indicating a high severity vulnerability.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade the Geo Mashup plugin to the latest version (later than 1.13.18) to patch CVE-2026-4061.</li>
<li>Deploy the provided Sigma rule to detect potential exploitation attempts targeting the vulnerable <code>SearchResults</code> hook using a malicious <code>map_post_type</code> parameter.</li>
<li>Review web server logs for suspicious POST requests to <code>/wp-admin/admin-ajax.php</code> (common AJAX endpoint in WordPress) containing potentially malicious SQL injection payloads in the <code>map_post_type</code> parameter.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>sql-injection</category><category>wordpress</category><category>plugin</category></item><item><title>WordPress Widget Options Plugin Remote Code Execution Vulnerability (CVE-2026-2052)</title><link>https://feed.craftedsignal.io/briefs/2026-05-wordpress-widget-rce/</link><pubDate>Sat, 02 May 2026 08:16:27 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-05-wordpress-widget-rce/</guid><description>The Widget Options plugin for WordPress is vulnerable to Remote Code Execution (CVE-2026-2052) due to insufficient input sanitization in the Display Logic feature, allowing authenticated attackers with Contributor-level access and above to execute arbitrary code on the server.</description><content:encoded><![CDATA[<p>The Widget Options – Advanced Conditional Visibility for Gutenberg Blocks &amp; Classic Widgets plugin, versions 4.2.2 and earlier, contains a Remote Code Execution (RCE) vulnerability (CVE-2026-2052). This flaw stems from the plugin&rsquo;s Display Logic feature, which utilizes the <code>eval()</code> function to process user-supplied expressions. The plugin&rsquo;s implemented blocklist/allowlist is insufficient, making it bypassable through techniques involving <code>array_map</code> with string concatenation. Furthermore, the plugin lacks proper authorization enforcement on the <code>extended_widget_opts_block</code> attribute. This vulnerability allows authenticated attackers with Contributor-level access or higher to inject and execute arbitrary code on the underlying server. The vendor partially addressed this vulnerability in version 4.2.0.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker authenticates to the WordPress application as a Contributor or higher-level user.</li>
<li>The attacker navigates to the Widget Options settings within the WordPress admin panel.</li>
<li>The attacker crafts a malicious Display Logic expression designed to execute arbitrary PHP code. This involves bypassing the blocklist/allowlist using techniques such as <code>array_map</code> and string concatenation.</li>
<li>The attacker injects the malicious Display Logic expression into the <code>extended_widget_opts_block</code> attribute.</li>
<li>The WordPress application processes the widget options, including the malicious Display Logic expression. Due to the lack of proper sanitization and authorization, the <code>eval()</code> function executes the attacker-supplied PHP code.</li>
<li>The attacker&rsquo;s code executes with the permissions of the web server user, potentially allowing the attacker to read or write files, execute system commands, or compromise the entire server.</li>
<li>The attacker may establish persistence by writing a backdoor to a file on the server or by creating a new administrator account.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-2052 allows an attacker to execute arbitrary code on the WordPress server. This can lead to complete compromise of the website, including data theft, defacement, and the installation of malware. Since the vulnerability requires Contributor access or higher, the impact is significant if such accounts are compromised through other means (e.g., phishing, credential stuffing). The lack of proper input sanitization and authorization makes this a critical vulnerability.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade the &ldquo;Widget Options – Advanced Conditional Visibility for Gutenberg Blocks &amp; Classic Widgets&rdquo; plugin to the latest version to patch CVE-2026-2052.</li>
<li>Deploy the Sigma rule &ldquo;Detect WordPress Widget Options RCE Attempt&rdquo; to your SIEM to detect exploitation attempts.</li>
<li>Review user roles and permissions to minimize the number of users with Contributor or higher-level access.</li>
<li>Monitor web server logs for unusual activity, particularly requests to <code>/wp-admin/options.php</code> related to widget options.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>wordpress</category><category>rce</category><category>plugin</category></item><item><title>PixelYourSite Pro WordPress Plugin SSRF Vulnerability (CVE-2026-7049)</title><link>https://feed.craftedsignal.io/briefs/2026-05-pys-ssrf/</link><pubDate>Sat, 02 May 2026 06:16:04 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-05-pys-ssrf/</guid><description>The PixelYourSite Pro WordPress plugin is vulnerable to server-side request forgery (SSRF), allowing unauthenticated attackers to make arbitrary web requests from the server, potentially querying or modifying internal services.</description><content:encoded><![CDATA[<p>CVE-2026-7049 is a server-side request forgery (SSRF) vulnerability found in the PixelYourSite Pro WordPress plugin. Specifically, all versions up to and including 12.5.0.1 are affected. This vulnerability allows unauthenticated attackers to send requests to arbitrary internal or external resources, as viewed from the web server. Although the fetched response bodies are not directly returned to the attacker (making it a blind SSRF), the application parses these responses internally, creating opportunities for reconnaissance and potentially for exploiting vulnerable internal services. Successful exploitation could expose sensitive information or allow unauthorized modification of internal systems.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An unauthenticated attacker identifies the <code>scan_video</code> parameter as an SSRF entry point.</li>
<li>The attacker crafts a malicious HTTP request targeting the WordPress server with the vulnerable PixelYourSite Pro plugin. The request includes the <code>scan_video</code> parameter set to a URL pointing to an internal resource (e.g., internal IP address or hostname).</li>
<li>The WordPress server receives the malicious request.</li>
<li>The PixelYourSite Pro plugin processes the request and initiates an HTTP request to the URL specified in the <code>scan_video</code> parameter.</li>
<li>The WordPress server makes a request to the internal resource.</li>
<li>The response from the internal resource is received by the WordPress server.</li>
<li>The PixelYourSite Pro plugin parses the response body, potentially revealing information about the internal service.</li>
<li>Depending on the targeted internal service and the attacker&rsquo;s crafted request, the attacker might be able to modify information or execute commands on the internal service, even though the response is not directly returned to the attacker.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-7049 allows an unauthenticated attacker to perform reconnaissance of internal network resources. The blind nature of the SSRF limits the attacker&rsquo;s immediate visibility into the response, but internal parsing of the response allows for potential information disclosure and exploitation of vulnerable internal services. The scope of the impact depends heavily on the configuration of the internal network and the services exposed.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade the PixelYourSite Pro plugin to a version greater than 12.5.0.1 to patch CVE-2026-7049.</li>
<li>Deploy the Sigma rule <code>Detect Suspicious PixelYourSite Pro SSRF Attempts</code> to monitor for exploitation attempts targeting the <code>scan_video</code> parameter.</li>
<li>Review and restrict internal network access to sensitive services to mitigate the potential impact of SSRF vulnerabilities.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">threat</category><category>ssrf</category><category>wordpress</category><category>plugin</category></item><item><title>WP Editor Plugin CSRF Vulnerability</title><link>https://feed.craftedsignal.io/briefs/2024-01-wp-editor-csrf/</link><pubDate>Fri, 01 May 2026 12:16:16 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-wp-editor-csrf/</guid><description>The WP Editor plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in versions up to 1.2.9.2, allowing unauthenticated attackers to overwrite arbitrary plugin and theme PHP files with malicious code by tricking a site administrator into clicking a link.</description><content:encoded><![CDATA[<p>The WP Editor plugin, a WordPress plugin, contains a Cross-Site Request Forgery (CSRF) vulnerability affecting versions up to and including 1.2.9.2. This vulnerability stems from a lack of nonce verification in the &lsquo;add_plugins_page&rsquo; and &lsquo;add_themes_page&rsquo; functions. An unauthenticated attacker can exploit this vulnerability by crafting a malicious request designed to overwrite arbitrary plugin and theme PHP files with attacker-controlled code. The success of this attack hinges on the attacker&rsquo;s ability to deceive a site administrator into triggering the forged request, typically by clicking a specially crafted link. This flaw allows for potential arbitrary code execution on the targeted WordPress site.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker identifies a vulnerable WordPress site running a WP Editor plugin version &lt;= 1.2.9.2.</li>
<li>The attacker crafts a malicious HTTP request targeting the &lsquo;add_plugins_page&rsquo; or &lsquo;add_themes_page&rsquo; functions. This request includes parameters designed to overwrite a specific plugin or theme PHP file with attacker-supplied code.</li>
<li>The attacker social engineers a WordPress administrator into clicking a malicious link or visiting a compromised website containing the forged request. This could be achieved via phishing emails or other deceptive techniques.</li>
<li>If the administrator is logged into the WordPress dashboard, their browser automatically sends the forged request to the vulnerable WordPress site.</li>
<li>Due to the missing nonce verification, the WordPress site processes the request without validating its origin.</li>
<li>The target plugin or theme PHP file is overwritten with the attacker&rsquo;s malicious code.</li>
<li>The attacker&rsquo;s code is executed when the plugin or theme is loaded or accessed.</li>
<li>The attacker achieves arbitrary code execution on the WordPress server, potentially leading to complete site compromise.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this CSRF vulnerability allows an unauthenticated attacker to inject arbitrary PHP code into a WordPress website. This can lead to a full compromise of the website, including data theft, defacement, or the installation of backdoors for persistent access. Given the widespread use of WordPress and the WP Editor plugin, a large number of websites are potentially at risk. Successful attacks can result in significant reputational damage and financial losses for affected website owners.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade the WP Editor plugin to the latest available version, which includes a fix for CVE-2026-3772.</li>
<li>Implement strong CSRF protection measures on all WordPress forms and administrative functions.</li>
<li>Deploy the provided Sigma rule to detect attempts to exploit this vulnerability through suspicious requests to the <code>add_plugins_page</code> or <code>add_themes_page</code> endpoints.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>csrf</category><category>wordpress</category><category>plugin</category><category>vulnerability</category></item><item><title>OpenClaw Plugin Archive Integrity Vulnerability (CVE-2026-42428)</title><link>https://feed.craftedsignal.io/briefs/2026-04-openclaw-plugin-vuln/</link><pubDate>Wed, 29 Apr 2026 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-openclaw-plugin-vuln/</guid><description>OpenClaw versions before 2026.4.8 fail to enforce integrity verification on downloaded plugin archives, allowing attackers to install malicious plugins and compromise the local assistant environment.</description><content:encoded><![CDATA[<p>OpenClaw versions prior to 2026.4.8 are susceptible to a critical vulnerability (CVE-2026-42428) due to the lack of integrity verification for downloaded plugin archives. This flaw allows a malicious actor to install crafted or tampered plugin packages onto a user&rsquo;s system without any validation or warning. Successful exploitation grants the attacker the ability to compromise the OpenClaw assistant environment, potentially leading to arbitrary code execution, data theft, or other malicious activities. The vulnerability was reported on April 28, 2026, and poses a significant risk to users who rely on OpenClaw for their assistant needs.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker identifies a target running a vulnerable version of OpenClaw (prior to 2026.4.8).</li>
<li>The attacker crafts a malicious plugin archive containing malicious code or scripts.</li>
<li>The attacker entices the user to download the malicious plugin archive, potentially through social engineering or by hosting it on a compromised website.</li>
<li>The user installs the malicious plugin archive via OpenClaw&rsquo;s plugin installation mechanism.</li>
<li>Due to the missing integrity check, OpenClaw installs the plugin without verifying its authenticity or integrity.</li>
<li>The malicious plugin is loaded and executed within the OpenClaw environment.</li>
<li>The attacker gains control over the OpenClaw assistant environment and executes malicious code.</li>
<li>The attacker performs unauthorized actions, such as stealing data, installing malware, or compromising other systems.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-42428 allows attackers to compromise the local OpenClaw assistant environment. The lack of integrity verification means a malicious plugin can execute arbitrary code, potentially leading to data theft, system compromise, or further lateral movement within the network. The severity is high due to the potential for complete system compromise and the relative ease of exploitation, requiring only that a user install a malicious plugin.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade OpenClaw to version 2026.4.8 or later to patch CVE-2026-42428.</li>
<li>Deploy the Sigma rule &ldquo;Detect Suspicious OpenClaw Plugin Installation&rdquo; to detect the installation of unsigned or suspicious plugins.</li>
<li>Educate users about the risks of installing plugins from untrusted sources.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>vulnerability</category><category>plugin</category><category>integrity</category><category>CVE-2026-42428</category></item><item><title>WordPress HTTP Headers Plugin Remote Code Execution via File Path Manipulation (CVE-2026-4132)</title><link>https://feed.craftedsignal.io/briefs/2026-04-wordpress-http-headers-rce/</link><pubDate>Wed, 22 Apr 2026 09:16:24 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-wordpress-http-headers-rce/</guid><description>The HTTP Headers WordPress plugin is vulnerable to remote code execution (RCE) due to insufficient validation of the htpasswd file path and lack of sanitization of the username, allowing authenticated administrators to write arbitrary code to the server.</description><content:encoded><![CDATA[<p>The HTTP Headers plugin for WordPress, versions up to and including 1.19.2, is vulnerable to remote code execution (RCE) due to a file path manipulation vulnerability (CVE-2026-4132). This vulnerability stems from the plugin&rsquo;s insufficient validation of the &lsquo;hh_htpasswd_path&rsquo; option, which controls the location of the .htpasswd file. Furthermore, the &lsquo;hh_www_authenticate_user&rsquo; option, used for setting the username for HTTP Basic Authentication, lacks proper sanitization. This allows attackers with administrator privileges to specify an arbitrary file path for the htpasswd file and inject unsanitized content into it. By crafting a malicious username containing PHP code and setting the htpasswd path to a web-accessible directory, an attacker can execute arbitrary code on the server. This exploit requires administrator-level access to the WordPress dashboard.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker authenticates to the WordPress dashboard with administrator privileges.</li>
<li>The attacker navigates to the HTTP Headers plugin settings page.</li>
<li>The attacker modifies the &lsquo;hh_htpasswd_path&rsquo; option, setting it to a web-accessible directory (e.g., <code>/var/www/html/wp-content/uploads/.shell.php</code>).</li>
<li>The attacker modifies the &lsquo;hh_www_authenticate_user&rsquo; option, injecting PHP code into the username field (e.g., <code>&lt;?php system($_GET['cmd']); ?&gt;</code>).</li>
<li>The <code>apache_auth_credentials()</code> function uses <code>sprintf()</code> to combine the malicious username with a SHA hash, creating a crafted htpasswd entry.</li>
<li>The <code>update_auth_credentials()</code> function then writes the crafted content, including the injected PHP code, to the attacker-controlled file path using <code>file_put_contents()</code>.</li>
<li>The attacker accesses the newly created PHP file via a web browser (e.g., <code>http://example.com/wp-content/uploads/.shell.php?cmd=id</code>).</li>
<li>The injected PHP code executes, allowing the attacker to run arbitrary commands on the server.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this vulnerability grants the attacker remote code execution on the affected WordPress server. This can lead to complete compromise of the server, including data theft, website defacement, malware deployment, and further attacks against internal networks. Given the widespread use of WordPress and its plugins, a successful exploit could impact a large number of websites and organizations.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Immediately update the HTTP Headers plugin to a patched version (if available) to remediate CVE-2026-4132.</li>
<li>Monitor web server logs for requests to unusual file paths that match the &lsquo;hh_htpasswd_path&rsquo; setting specified in the plugin configuration to detect potential exploitation attempts.</li>
<li>Deploy the Sigma rule that detects the creation of files with PHP extensions in web-accessible directories by the web server process.</li>
<li>Restrict access to the WordPress administrator dashboard to only trusted individuals and enforce strong password policies to prevent unauthorized access to plugin settings.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>wordpress</category><category>rce</category><category>plugin</category><category>cve-2026-4132</category></item><item><title>OpenClaw Improper Trust Boundary Vulnerability (CVE-2026-41295)</title><link>https://feed.craftedsignal.io/briefs/2026-04-openclaw-trust-boundary/</link><pubDate>Tue, 21 Apr 2026 00:16:29 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-openclaw-trust-boundary/</guid><description>OpenClaw before 2026.4.2 contains an improper trust boundary vulnerability (CVE-2026-41295) allowing attackers to execute unintended code by cloning a workspace with a malicious plugin claiming a bundled channel id.</description><content:encoded><![CDATA[<p>OpenClaw before version 2026.4.2 is vulnerable to an improper trust boundary issue. This vulnerability allows an attacker to achieve in-process code execution by exploiting the way OpenClaw handles workspace channel shadows. Specifically, an attacker can clone a workspace and include a malicious plugin. This plugin claims a bundled channel ID, which results in the execution of untrusted code during the built-in channel setup and login process, even before the plugin is explicitly trusted by the user. This poses a significant risk as it bypasses normal trust mechanisms within OpenClaw.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker clones a legitimate OpenClaw workspace.</li>
<li>Attacker crafts a malicious plugin designed to exploit the trust boundary vulnerability.</li>
<li>The malicious plugin is configured to claim a bundled channel ID that OpenClaw uses for built-in channels.</li>
<li>The cloned workspace, including the malicious plugin, is distributed to a target user.</li>
<li>The target user opens the cloned workspace in a vulnerable version of OpenClaw (before 2026.4.2).</li>
<li>During the workspace loading and channel setup process, OpenClaw incorrectly trusts the malicious plugin due to the claimed channel ID.</li>
<li>The malicious plugin executes arbitrary code within the OpenClaw process.</li>
<li>The attacker gains control or compromises the user&rsquo;s OpenClaw session.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-41295 leads to arbitrary code execution within the OpenClaw application. An attacker can leverage this to potentially steal sensitive information, modify workspace data, or escalate privileges on the affected system. The vulnerability impacts all OpenClaw users running versions prior to 2026.4.2 who open a maliciously crafted workspace. The impact is severe, as it allows for immediate code execution without explicit user consent or trust of the malicious plugin.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade OpenClaw to version 2026.4.2 or later to patch CVE-2026-41295.</li>
<li>Monitor for the creation and loading of OpenClaw plugins, specifically those claiming bundled channel IDs, using a process creation rule with a focus on command-line arguments.</li>
<li>Implement application control policies to restrict the execution of unsigned or untrusted plugins within OpenClaw to mitigate the risk of malicious plugin execution.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>openclaw</category><category>code-execution</category><category>trust-boundary</category><category>plugin</category></item><item><title>Everest Forms Plugin Arbitrary File Read and Deletion Vulnerability</title><link>https://feed.craftedsignal.io/briefs/2026-08-everest-forms-rfi-rce/</link><pubDate>Mon, 20 Apr 2026 20:35:20 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-08-everest-forms-rfi-rce/</guid><description>The Everest Forms plugin for WordPress is vulnerable to arbitrary file read and deletion, allowing unauthenticated attackers to access sensitive data or cause denial of service by manipulating the 'old_files' parameter in versions up to 3.4.4.</description><content:encoded><![CDATA[<p>The Everest Forms plugin for WordPress, versions 3.4.4 and earlier, contains an arbitrary file read and deletion vulnerability (CVE-2026-5478). This flaw stems from the plugin&rsquo;s improper handling of the <code>old_files</code> parameter within form submissions. Specifically, the plugin trusts attacker-controlled data as legitimate server-side upload state and insecurely converts URLs into local filesystem paths without adequate sanitization. This lack of input validation enables unauthenticated attackers to inject path traversal sequences, leading to the disclosure of sensitive files like <code>wp-config.php</code>, which contains database credentials and authentication salts. Furthermore, the flawed path resolution is utilized in a post-email cleanup routine, resulting in arbitrary file deletion via the <code>unlink()</code> function, potentially causing a denial-of-service condition. Successful exploitation requires a form with a file-upload or image-upload field and the &ldquo;store entry information&rdquo; feature disabled.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An unauthenticated attacker crafts a malicious HTTP POST request to a WordPress page containing an Everest Forms form with a file upload field.</li>
<li>The attacker includes the <code>old_files</code> parameter in the POST data, injecting a path traversal payload (e.g., <code>../../../../wp-config.php</code>) into its value.</li>
<li>The WordPress application processes the form submission, and the Everest Forms plugin extracts the <code>old_files</code> parameter.</li>
<li>The plugin&rsquo;s flawed logic converts the attacker-supplied URL into a local file system path using regex-based string replacement without canonicalization or directory boundary enforcement.</li>
<li>The plugin attaches the resolved file (e.g., <code>/var/www/wordpress/../../../../wp-config.php</code>) to the notification email.</li>
<li>After sending the notification email, the post-email cleanup routine utilizes the same flawed path resolution to determine the file to delete.</li>
<li>The <code>unlink()</code> function is called on the resolved path, leading to the deletion of the targeted file (e.g., <code>wp-config.php</code>).</li>
<li>The attacker gains access to sensitive information (database credentials, salts) or causes a denial of service by deleting critical system files.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-5478 allows unauthenticated attackers to read arbitrary files on the WordPress server, potentially exposing sensitive information like database credentials and authentication salts stored in <code>wp-config.php</code>. This could lead to full site compromise, including data theft, defacement, or further malicious activities. Furthermore, the ability to delete arbitrary files enables attackers to cause a denial-of-service condition by removing critical system or application files. The impact is significant as it affects all versions of the Everest Forms plugin up to and including 3.4.4.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Immediately update the Everest Forms plugin to a version higher than 3.4.4 to patch CVE-2026-5478.</li>
<li>Deploy the Sigma rule &ldquo;Detect Everest Forms Arbitrary File Read Attempt&rdquo; to identify potential exploitation attempts in web server logs.</li>
<li>Enable web server logging to capture HTTP POST requests, which are crucial for detecting path traversal attempts (cs-uri-query, cs-method in webserver logs).</li>
<li>Monitor file deletion events on the WordPress server, especially those initiated by the web server user, using a file integrity monitoring (FIM) solution (file_event logs).</li>
<li>Implement input validation and sanitization for all user-supplied data, especially file paths, to prevent path traversal vulnerabilities.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>wordpress</category><category>plugin</category><category>file-read</category><category>file-deletion</category><category>cve-2026-5478</category></item><item><title>WP Customer Area Plugin Arbitrary File Read and Deletion Vulnerability</title><link>https://feed.craftedsignal.io/briefs/2026-04-wp-customer-area-file-read-delete/</link><pubDate>Fri, 17 Apr 2026 17:17:07 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-wp-customer-area-file-read-delete/</guid><description>The WP Customer Area plugin for WordPress is vulnerable to arbitrary file read and deletion due to insufficient file path validation, allowing authenticated attackers to read sensitive files or delete critical files leading to potential remote code execution.</description><content:encoded><![CDATA[<p>The WP Customer Area plugin, a popular WordPress plugin, is susceptible to an arbitrary file read and deletion vulnerability. This flaw, identified as CVE-2026-3464, resides within the &lsquo;ajax_attach_file&rsquo; function and stems from inadequate file path validation. All versions of the plugin up to and including 8.3.4 are affected. The vulnerability enables authenticated attackers with minimal privileges (e.g., Subscriber), granted access by an administrator, to read arbitrary files on the server, potentially exposing sensitive data. Attackers can also delete arbitrary files, which, in certain cases (such as deleting <code>wp-config.php</code>), can pave the way for remote code execution. This vulnerability poses a significant risk to WordPress websites utilizing the WP Customer Area plugin.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains authenticated access to a WordPress site with the WP Customer Area plugin enabled, with privileges granted by an administrator (e.g., as a Subscriber).</li>
<li>The attacker crafts a malicious HTTP request targeting the &lsquo;ajax_attach_file&rsquo; function.</li>
<li>The crafted request includes a manipulated file path, bypassing input validation.</li>
<li>The plugin, failing to properly sanitize the file path, attempts to read or delete the file specified in the malicious request.</li>
<li>If reading, the contents of the targeted file are returned to the attacker in the HTTP response.</li>
<li>If deleting, the targeted file is removed from the server.</li>
<li>If the attacker targets a sensitive file, such as <code>wp-config.php</code>, and successfully deletes it, the WordPress installation becomes unstable and potentially allows for re-installation and control by the attacker.</li>
<li>The attacker exploits the instability to achieve remote code execution, potentially installing a web shell or other malicious code.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this vulnerability (CVE-2026-3464) allows attackers to read sensitive files, potentially including database credentials, API keys, and other confidential information. Moreover, the ability to delete arbitrary files can lead to denial-of-service conditions or, more critically, remote code execution. The number of affected websites is potentially large, given the popularity of the WP Customer Area plugin. A successful attack can result in complete compromise of the WordPress website and its underlying server.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade the WP Customer Area plugin to a version greater than 8.3.4 to patch CVE-2026-3464.</li>
<li>Monitor web server logs for requests containing suspicious file paths targeting the &lsquo;ajax_attach_file&rsquo; function (see Sigma rule below).</li>
<li>Implement stricter file path validation on the web server to prevent arbitrary file access.</li>
<li>Apply the provided Sigma rules to your SIEM to detect and alert on malicious attempts to exploit this vulnerability.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>wordpress</category><category>plugin</category><category>file-read</category><category>file-deletion</category><category>rce</category></item><item><title>Plisio Accept Cryptocurrencies Plugin Missing Authorization Vulnerability (CVE-2026-6372)</title><link>https://feed.craftedsignal.io/briefs/2026-04-plisio-auth-bypass/</link><pubDate>Thu, 16 Apr 2026 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-plisio-auth-bypass/</guid><description>A missing authorization vulnerability in the Plisio Accept Cryptocurrencies with Plisio WordPress plugin (versions up to 2.0.5) allows attackers to bypass payment verification due to incorrectly configured access control security levels.</description><content:encoded><![CDATA[<p>CVE-2026-6372 is a missing authorization vulnerability affecting the Plisio Accept Cryptocurrencies with Plisio WordPress plugin, specifically versions from initial releases through 2.0.5. Discovered by Patchstack, the vulnerability stems from incorrectly configured access control security levels within the plugin. An attacker can exploit this flaw to bypass payment verification processes, potentially leading to unauthorized transactions or manipulation of payment-related functionalities. Given the increasing adoption of cryptocurrency payments, this vulnerability presents a significant risk to e-commerce sites using the affected plugin. Successful exploitation can result in financial losses and reputational damage.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker identifies a WordPress site using the vulnerable Plisio plugin (version &lt;= 2.0.5).</li>
<li>Attacker analyzes the plugin&rsquo;s code or intercepts network traffic to identify the specific endpoint or function responsible for payment verification that lacks proper authorization checks.</li>
<li>The attacker crafts a malicious HTTP request to the vulnerable endpoint, bypassing the intended authentication or authorization mechanisms.</li>
<li>The crafted request modifies payment parameters (e.g., amount, recipient) without proper validation.</li>
<li>The modified request is sent to the server, which processes it without correctly verifying the user&rsquo;s authority.</li>
<li>The server updates the payment status, marking it as &ldquo;paid&rdquo; or &ldquo;verified,&rdquo; even though the actual payment might be incomplete, altered, or entirely missing.</li>
<li>The WordPress site delivers goods or services based on the fraudulently verified payment status.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-6372 allows attackers to bypass payment verification processes in e-commerce sites using the Plisio Accept Cryptocurrencies plugin. This can lead to financial losses for the site owner due to unauthorized transactions. The vulnerability affects all installations using versions up to and including 2.0.5. Given the potential for widespread impact on any site accepting cryptocurrency via this plugin, this issue represents a high risk.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade the Plisio Accept Cryptocurrencies with Plisio plugin to a version greater than 2.0.5 to patch CVE-2026-6372.</li>
<li>Deploy the Sigma rule <code>Detect Plisio Payment Bypass Attempt</code> to monitor for exploit attempts targeting the vulnerable endpoint.</li>
<li>Examine web server logs for suspicious POST requests to payment processing endpoints associated with the Plisio plugin, filtering for unexpected parameter modifications (log source: webserver).</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>wordpress</category><category>plugin</category><category>payment-bypass</category><category>cve-2026-6372</category></item><item><title>Riaxe Product Customizer WordPress Plugin SQL Injection Vulnerability</title><link>https://feed.craftedsignal.io/briefs/2024-01-wordpress-sqli/</link><pubDate>Thu, 16 Apr 2026 06:16:17 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-wordpress-sqli/</guid><description>The Riaxe Product Customizer plugin for WordPress is vulnerable to SQL Injection via the 'options' parameter within 'product_data' of the `/wp-json/InkXEProductDesignerLite/add-item-to-cart` REST API endpoint, allowing unauthenticated attackers to extract sensitive information from the database.</description><content:encoded><![CDATA[<p>The Riaxe Product Customizer plugin, a WordPress plugin, is susceptible to SQL Injection attacks. This vulnerability resides within the <code>/wp-json/InkXEProductDesignerLite/add-item-to-cart</code> REST API endpoint, specifically through the &lsquo;options&rsquo; parameter keys nested within the &lsquo;product_data&rsquo;. All versions of the plugin up to and including 2.1.2 are affected. Due to insufficient input sanitization and inadequate preparation of SQL queries, unauthenticated attackers can inject malicious SQL code. Successful exploitation enables attackers to execute arbitrary SQL queries, potentially leading to sensitive data extraction. This poses a significant risk to WordPress sites utilizing the affected plugin, as attackers could gain access to user credentials, financial information, or other confidential data stored in the database. Defenders should prioritize patching or removing the plugin to mitigate this threat.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An unauthenticated attacker identifies a WordPress site using a vulnerable version (&lt;=2.1.2) of the Riaxe Product Customizer plugin.</li>
<li>The attacker crafts a malicious HTTP POST request targeting the <code>/wp-json/InkXEProductDesignerLite/add-item-to-cart</code> REST API endpoint.</li>
<li>The crafted request includes a &lsquo;product_data&rsquo; parameter containing a manipulated &lsquo;options&rsquo; array.</li>
<li>Within the &lsquo;options&rsquo; array, the attacker injects SQL code into one or more of the parameter keys.</li>
<li>The WordPress server processes the request without properly sanitizing the injected SQL code.</li>
<li>The application constructs a SQL query using the unsanitized input, effectively injecting the malicious code into the query.</li>
<li>The database server executes the attacker-controlled SQL query.</li>
<li>The attacker extracts sensitive information from the database, such as user credentials, by using the SQL injection vulnerability.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this SQL injection vulnerability (CVE-2026-3599) allows unauthenticated attackers to extract sensitive information from the WordPress database. This may include user credentials (usernames, email addresses, and password hashes), customer data, financial information, and other confidential data stored within the database. The impact can range from defacement of the website and data theft, to complete compromise of the WordPress site and its associated server. Due to the widespread use of WordPress and its plugins, this vulnerability poses a significant threat to a potentially large number of websites.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade the Riaxe Product Customizer plugin to a version higher than 2.1.2 to patch CVE-2026-3599.</li>
<li>Deploy the Sigma rule <code>Detect SQL Injection Attempts via Riaxe Product Customizer Plugin</code> to your SIEM to detect exploitation attempts.</li>
<li>Monitor web server logs for suspicious POST requests to the <code>/wp-json/InkXEProductDesignerLite/add-item-to-cart</code> endpoint.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>wordpress</category><category>sqli</category><category>plugin</category></item><item><title>Riaxe Product Customizer WordPress Plugin Privilege Escalation Vulnerability (CVE-2026-3596)</title><link>https://feed.craftedsignal.io/briefs/2026-04-wordpress-privesc/</link><pubDate>Thu, 16 Apr 2026 06:16:15 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-wordpress-privesc/</guid><description>The Riaxe Product Customizer plugin for WordPress is vulnerable to privilege escalation, allowing unauthenticated attackers to update arbitrary WordPress options via a publicly accessible AJAX endpoint and escalate privileges to administrator.</description><content:encoded><![CDATA[<p>The Riaxe Product Customizer plugin for WordPress, versions 2.1.2 and earlier, contains a critical privilege escalation vulnerability (CVE-2026-3596). This flaw stems from an unauthenticated AJAX action, &lsquo;wp_ajax_nopriv_install-imprint&rsquo;, which is improperly secured. The corresponding function, <code>ink_pd_add_option()</code>, allows unauthenticated users to modify arbitrary WordPress options by sending POST requests. There are no nonce checks, capability checks, or input validation performed on the &lsquo;option&rsquo; and &lsquo;opt_value&rsquo; parameters, making it trivial to manipulate sensitive site settings. Successful exploitation allows attackers to grant themselves administrative privileges. This vulnerability poses a significant risk to any WordPress site using the affected plugin.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An unauthenticated attacker identifies a WordPress site using a vulnerable version of the Riaxe Product Customizer plugin (&lt;= 2.1.2).</li>
<li>The attacker crafts a malicious HTTP POST request targeting the <code>/wp-admin/admin-ajax.php</code> endpoint.</li>
<li>The POST request includes the <code>action</code> parameter set to <code>install-imprint</code>, triggering the vulnerable AJAX action <code>wp_ajax_nopriv_install-imprint</code>.</li>
<li>The attacker sets the <code>option</code> parameter to <code>default_role</code> and the <code>opt_value</code> parameter to <code>administrator</code> within the POST request. This will change the default user role to administrator.</li>
<li>The attacker sets the <code>option</code> parameter to <code>users_can_register</code> and the <code>opt_value</code> parameter to <code>1</code> within the POST request. This enables user registration on the WordPress site.</li>
<li>The <code>ink_pd_add_option()</code> function executes, calling <code>delete_option()</code> and <code>add_option()</code> with the attacker-supplied values, effectively updating the WordPress options table.</li>
<li>The attacker registers a new user account on the WordPress site.</li>
<li>Because user registration is enabled and the default user role is set to administrator, the attacker&rsquo;s new account is granted administrator privileges, allowing full control over the WordPress site.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-3596 allows unauthenticated attackers to gain complete control over a vulnerable WordPress website. This can lead to website defacement, data theft, malware distribution, and denial of service. Given the widespread use of WordPress, this vulnerability has the potential to affect a large number of websites across various sectors. A successful attack would result in the attacker having the same access as the original website administrator.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Immediately remove the Riaxe Product Customizer plugin from WordPress installations if it is present. This will eliminate the attack vector (plugin removal).</li>
<li>Monitor web server logs (category: <code>webserver</code>, product: <code>linux</code> or <code>windows</code>) for POST requests to <code>/wp-admin/admin-ajax.php</code> with the <code>action</code> parameter set to <code>install-imprint</code> using the Sigma rule provided below.</li>
<li>Consider implementing a Web Application Firewall (WAF) rule to block requests matching the exploit pattern described in the Attack Chain.</li>
<li>Review WordPress user accounts for any unauthorized administrators.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>wordpress</category><category>privilege-escalation</category><category>cve-2026-3596</category><category>plugin</category></item><item><title>LearnPress WordPress Plugin Unauthorized Data Deletion Vulnerability (CVE-2026-4365)</title><link>https://feed.craftedsignal.io/briefs/2026-04-learnpress-data-deletion/</link><pubDate>Tue, 14 Apr 2026 02:16:57 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-learnpress-data-deletion/</guid><description>The LearnPress plugin for WordPress is vulnerable to unauthorized data deletion due to a missing capability check on the `delete_question_answer()` function, allowing unauthenticated attackers to delete quiz answer options.</description><content:encoded><![CDATA[<p>The LearnPress plugin for WordPress, in versions up to and including 4.3.2.8, is susceptible to unauthorized data deletion. The vulnerability stems from a missing capability check on the <code>delete_question_answer()</code> function. The plugin exposes a <code>wp_rest</code> nonce in public frontend HTML, and this nonce serves as the sole security check for the <code>lp-load-ajax</code> AJAX dispatcher. As the <code>delete_question_answer</code> action lacks capability or ownership validation, unauthenticated attackers can exploit this flaw to delete arbitrary quiz answer options. This is achieved by sending a crafted POST request containing a publicly available nonce. Exploitation does not require any prior authentication.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An unauthenticated attacker identifies a LearnPress installation with a vulnerable version (&lt;= 4.3.2.8).</li>
<li>The attacker accesses the public frontend of the WordPress site.</li>
<li>The attacker retrieves the <code>wp_rest</code> nonce from the <code>lpData</code> variable in the HTML source code. This nonce is used for AJAX requests.</li>
<li>The attacker crafts a POST request to the <code>wp-admin/admin-ajax.php</code> endpoint.</li>
<li>The crafted POST request includes the <code>action</code> parameter set to <code>delete_question_answer</code>.</li>
<li>The request also includes the <code>nonce</code> parameter with the value of the retrieved <code>wp_rest</code> nonce.</li>
<li>The request includes the <code>answer_id</code> parameter set to the ID of the quiz answer option to be deleted.</li>
<li>The server, lacking proper capability checks, processes the request and deletes the specified quiz answer option from the database. This results in data loss and potentially disrupts the functionality of quizzes within the LearnPress plugin.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation allows unauthenticated attackers to arbitrarily delete quiz answer options within the LearnPress plugin. This can lead to data loss, disruption of quizzes, and potentially compromise the integrity of educational content. The CVSS v3.1 base score for this vulnerability is 9.1, indicating a critical severity. The number of victims and specific sectors targeted are currently unknown, but any website using the vulnerable LearnPress plugin is at risk.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade the LearnPress plugin to a version greater than 4.3.2.8 to patch CVE-2026-4365.</li>
<li>Deploy the Sigma rule &ldquo;Detect LearnPress Unauthorized Data Deletion Attempt&rdquo; to your SIEM to identify potential exploitation attempts.</li>
<li>Monitor web server logs for POST requests to <code>wp-admin/admin-ajax.php</code> with the <code>action</code> parameter set to <code>delete_question_answer</code> and investigate suspicious activity.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>wordpress</category><category>plugin</category><category>learnpress</category><category>data-deletion</category><category>unauthorized-access</category></item><item><title>Helm Plugin Path Traversal Vulnerability</title><link>https://feed.craftedsignal.io/briefs/2026-04-helm-path-traversal/</link><pubDate>Sat, 11 Apr 2026 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-helm-path-traversal/</guid><description>A path traversal vulnerability in Helm versions 4.0.0 to 4.1.3 allows a malicious plugin to write files to arbitrary locations on the filesystem, leading to potential system compromise.</description><content:encoded><![CDATA[<p>Helm, a package manager for Kubernetes charts, is vulnerable to a path traversal issue. Specifically, Helm versions 4.0.0 through 4.1.3 are affected. A maliciously crafted Helm plugin, when installed or updated, can exploit this vulnerability (CVE-2026-35204) to write the plugin&rsquo;s contents to arbitrary locations on the user&rsquo;s filesystem. This can lead to overwriting critical system files or user data, potentially compromising the system&rsquo;s integrity. Helm v4.1.4 resolves this vulnerability by rejecting plugins with non-SemVer versions containing path traversal patterns. Defenders should ensure Helm installations are updated to the patched version or implement workarounds to validate plugin metadata.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker crafts a malicious Helm plugin. This plugin contains a <code>plugin.yaml</code> file with a <code>version</code> field that includes POSIX dot-dot path separators (e.g., <code>/../</code>).</li>
<li>The attacker distributes the malicious plugin to potential victims, possibly through public repositories or direct spear phishing.</li>
<li>A victim attempts to install or update the Helm plugin using the <code>helm plugin install</code> or <code>helm plugin update</code> command.</li>
<li>Helm parses the <code>plugin.yaml</code> file and extracts the <code>version</code> field, which contains the path traversal characters.</li>
<li>Due to the vulnerability, Helm incorrectly resolves the file path, allowing the plugin&rsquo;s contents to be written outside the intended plugin directory.</li>
<li>The malicious plugin overwrites arbitrary files on the user&rsquo;s system based on the path specified in the <code>version</code> field.</li>
<li>Depending on the files overwritten, the attacker can achieve various malicious objectives, such as gaining persistence, escalating privileges, or executing arbitrary code.</li>
<li>The attacker achieves persistence by overwriting system startup scripts or configuration files, allowing the malicious code to run automatically on system reboot.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this vulnerability allows attackers to overwrite arbitrary files on the victim&rsquo;s system. This can lead to various detrimental outcomes, including data loss, system instability, privilege escalation, and ultimately, complete system compromise. While the specific number of victims is unknown, any user running a vulnerable version of Helm (4.0.0 - 4.1.3) is at risk. The potential impact includes compromising Kubernetes deployments and sensitive data stored on affected systems.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade Helm to version 4.1.4 or later to remediate CVE-2026-35204, as this version includes a patch that prevents path traversal during plugin installation.</li>
<li>Implement a validation step before installing or updating Helm plugins, checking the <code>plugin.yaml</code> file for a <code>version:</code> field containing POSIX dot-dot path separators. This mitigates the risk described in the workaround section of the advisory.</li>
<li>Deploy the Sigma rule &ldquo;Helm Plugin Install with Path Traversal&rdquo; to detect attempts to install plugins with malicious <code>version</code> fields, using file_event logs.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>helm</category><category>path-traversal</category><category>vulnerability</category><category>plugin</category><category>kubernetes</category></item><item><title>wpForo Forum Plugin Arbitrary File Deletion Vulnerability (CVE-2026-5809)</title><link>https://feed.craftedsignal.io/briefs/2026-04-wpforo-file-deletion/</link><pubDate>Sat, 11 Apr 2026 08:16:05 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-wpforo-file-deletion/</guid><description>The wpForo Forum plugin for WordPress is vulnerable to arbitrary file deletion due to a logic flaw that allows authenticated users to delete arbitrary files writable by the PHP process by manipulating post metadata.</description><content:encoded><![CDATA[<p>The wpForo Forum plugin, a popular WordPress plugin, is susceptible to an arbitrary file deletion vulnerability (CVE-2026-5809) affecting versions up to and including 3.0.2. The vulnerability stems from insufficient validation of user-supplied data within the <code>topic_add()</code> and <code>topic_edit()</code> action handlers. Specifically, the plugin improperly handles array values in the <code>$_REQUEST</code> data, storing them as postmeta without proper filtering. An authenticated attacker (subscriber-level or higher) can exploit this by injecting a malicious file path into the <code>data[body][fileurl]</code> parameter. This injected path is subsequently used in a file deletion function without adequate sanitization, leading to potential deletion of critical system files. This vulnerability allows attackers to potentially cripple the WordPress installation or gain further access to the server.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker authenticates to the WordPress site with at least subscriber-level privileges.</li>
<li>The attacker crafts a malicious HTTP request targeting the <code>topic_add()</code> or <code>topic_edit()</code> action handler.</li>
<li>Within the request, the attacker includes the <code>data[body][fileurl]</code> parameter containing the path to the file they wish to delete (e.g., <code>/var/www/html/wp-config.php</code>).</li>
<li>The wpForo plugin stores the attacker-supplied <code>fileurl</code> value as postmeta associated with the forum topic without proper validation.</li>
<li>The attacker crafts another request, this time including the <code>wpftcf_delete[]=body</code> parameter, targeting the <code>topic_edit</code> action.</li>
<li>The <code>add_file()</code> method retrieves the poisoned <code>fileurl</code> from the stored postmeta record.</li>
<li>The plugin attempts to sanitize the path using <code>wpforo_fix_upload_dir()</code>, but this function only modifies paths within the legitimate wpForo upload directory, leaving other paths untouched.</li>
<li>The plugin calls <code>wp_delete_file()</code> on the unsanitized path, resulting in the deletion of the targeted file if the PHP process has write permissions.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this vulnerability allows an authenticated attacker to delete arbitrary files on the server, provided the PHP process has the necessary write permissions. This can lead to a denial of service by deleting core WordPress files or configuration files such as <code>wp-config.php</code>. The CVSS v3.1 base score for this vulnerability is 7.1, indicating a high severity. This could lead to complete compromise of the WordPress installation and potential further exploitation of the server.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade the wpForo Forum plugin to a version higher than 3.0.2 to patch CVE-2026-5809.</li>
<li>Deploy the Sigma rule &ldquo;Detect wpForo Arbitrary File Deletion Attempt&rdquo; to your SIEM to detect potential exploitation attempts by monitoring HTTP requests to WordPress.</li>
<li>Implement stricter file permission controls to limit the PHP process&rsquo;s write access to only necessary directories and files.</li>
<li>Monitor web server logs for suspicious POST requests containing the <code>wpftcf_delete</code> parameter, as highlighted in the Attack Chain.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>wordpress</category><category>file-deletion</category><category>plugin</category><category>CVE-2026-5809</category></item><item><title>Gravity SMTP Plugin Missing Authorization Vulnerability (CVE-2026-4162)</title><link>https://feed.craftedsignal.io/briefs/2026-04-gravity-smtp-auth-bypass/</link><pubDate>Fri, 10 Apr 2026 10:16:04 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-gravity-smtp-auth-bypass/</guid><description>The Gravity SMTP plugin for WordPress is vulnerable to Missing Authorization, allowing authenticated attackers with subscriber-level access or higher to uninstall/deactivate the plugin and delete plugin options, and is also exploitable via Cross-Site Request Forgery.</description><content:encoded><![CDATA[<p>The Gravity SMTP plugin, a WordPress extension facilitating email sending through SMTP, contains a missing authorization vulnerability (CVE-2026-4162) affecting versions 2.1.4 and earlier. This flaw allows authenticated users with minimal subscriber-level permissions to perform administrative actions such as uninstalling and deactivating the plugin, as well as deleting its associated options. The vulnerability stems from the plugin failing to properly validate user authorization before executing sensitive functions. Additionally, the vulnerability can be exploited via a Cross-Site Request Forgery (CSRF) attack. Patches have been released in Gravity SMTP version 2.1.5 to address this security concern. Exploitation of this vulnerability allows low-privileged users to disrupt email functionality and potentially compromise WordPress configurations.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker authenticates to the WordPress site with subscriber-level or higher privileges.</li>
<li>The attacker crafts a malicious HTTP request to uninstall the Gravity SMTP plugin, leveraging the missing authorization vulnerability. This request targets the WordPress plugin management endpoint.</li>
<li>Alternatively, the attacker crafts a CSRF attack that tricks a privileged user into triggering the malicious HTTP request to uninstall the plugin.</li>
<li>The WordPress server receives the crafted request without proper authorization checks.</li>
<li>The plugin&rsquo;s uninstall function is executed, removing the Gravity SMTP plugin from the WordPress installation.</li>
<li>The attacker crafts another HTTP request to delete Gravity SMTP plugin options.</li>
<li>The WordPress server processes the request, and the plugin options are deleted from the database.</li>
<li>The Gravity SMTP plugin is uninstalled and deactivated, and its settings are removed, disrupting the email functionality of the WordPress site.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-4162 allows attackers with low-level privileges on a WordPress site to disable email functionality and manipulate plugin settings. While the number of affected installations remains unknown, the impact can be significant for organizations heavily reliant on WordPress for communication or critical business processes, potentially leading to disruption of services, loss of email functionality, and unauthorized access to sensitive data or configurations. The CVSS v3.1 score of 7.1 indicates a high severity, considering the ease of exploitation and the potential for widespread disruption.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade the Gravity SMTP plugin to version 2.1.5 or later to patch CVE-2026-4162.</li>
<li>Monitor WordPress access logs for unauthorized requests targeting the plugin management endpoints to detect potential exploitation attempts. Deploy the Sigma rule <code>Detect WordPress Plugin Uninstall via Missing Auth</code> to identify suspicious activity.</li>
<li>Implement CSRF protection mechanisms within WordPress plugins to mitigate the risk of CSRF-based exploitation.</li>
<li>Review WordPress user roles and permissions to minimize the attack surface and restrict access to sensitive functionalities.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>wordpress</category><category>missing-authorization</category><category>plugin</category><category>cve-2026-4162</category></item><item><title>Smart Slider 3 Pro Compromised Update Leads to Remote Code Execution</title><link>https://feed.craftedsignal.io/briefs/2026-04-smart-slider-rce/</link><pubDate>Thu, 09 Apr 2026 23:17:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-smart-slider-rce/</guid><description>Smart Slider 3 Pro version 3.5.1.35 for WordPress and Joomla contains a multi-stage remote access toolkit injected through a compromised update system allowing unauthenticated remote code execution and system takeover.</description><content:encoded><![CDATA[<p>Smart Slider 3 Pro version 3.5.1.35, a popular WordPress and Joomla plugin, is vulnerable to remote code execution due to a compromised update system. This vulnerability, tracked as CVE-2026-34424, allows unauthenticated attackers to inject a multi-stage remote access toolkit. The attackers leverage this toolkit to execute arbitrary code and commands, effectively taking control of the affected web server. This vulnerability poses a significant threat to websites using the vulnerable plugin, potentially leading to data theft, website defacement, or use of the server for malicious purposes. Defenders should prioritize patching or removing the affected plugin version immediately.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker compromises the Smart Slider 3 Pro update server.</li>
<li>A malicious update is pushed to vulnerable Smart Slider 3 Pro installations (version 3.5.1.35).</li>
<li>The plugin downloads and installs the malicious update, injecting the multi-stage remote access toolkit.</li>
<li>The attacker triggers pre-authentication remote shell execution by sending crafted HTTP headers to the web server.</li>
<li>An authenticated backdoor is established, allowing the attacker to execute arbitrary PHP code or OS commands.</li>
<li>The attacker creates hidden administrator accounts within WordPress or Joomla to maintain persistent access.</li>
<li>Credentials and access keys are exfiltrated from the compromised system.</li>
<li>Persistence is maintained through multiple injection points, including modifications to must-use plugins and core files.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-34424 leads to complete compromise of the affected web server. Attackers can gain unauthorized access to sensitive data, including user credentials, database information, and proprietary code. Websites can be defaced, injected with malware, or used as part of a botnet. The vulnerability affects all users of Smart Slider 3 Pro version 3.5.1.35, regardless of the underlying operating system. Given the widespread use of WordPress and Joomla, a large number of websites are potentially at risk.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Immediately remove or update Smart Slider 3 Pro to a patched version newer than 3.5.1.35 to remediate CVE-2026-34424.</li>
<li>Monitor web server logs for suspicious HTTP requests with unusual headers indicative of attempted pre-authentication shell execution as described in the Attack Chain.</li>
<li>Implement the provided Sigma rules to detect suspicious process creation and file modifications related to the injected toolkit.</li>
<li>Audit user accounts for unauthorized administrator accounts, since the attacker creates hidden administrator accounts to maintain access.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>wordpress</category><category>joomla</category><category>remote-code-execution</category><category>plugin</category></item><item><title>WooCommerce Ajax Product Filter Plugin Vulnerable to SQL Injection (CVE-2026-3396)</title><link>https://feed.craftedsignal.io/briefs/2026-04-woocommerce-sqli/</link><pubDate>Wed, 08 Apr 2026 12:16:21 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-woocommerce-sqli/</guid><description>The WCAPF - WooCommerce Ajax Product Filter plugin is vulnerable to time-based SQL Injection (CVE-2026-3396) due to insufficient escaping and SQL query preparation, allowing unauthenticated attackers to extract sensitive information from the database in versions up to 4.2.3.</description><content:encoded><![CDATA[<p>The WooCommerce Ajax Product Filter (WCAPF) plugin, a WordPress extension, is susceptible to a time-based SQL Injection vulnerability (CVE-2026-3396). This flaw stems from inadequate input sanitization of the <code>post-author</code> parameter and insufficient preparation within the existing SQL query structure. Specifically, all versions of the plugin up to and including version 4.2.3 are affected. An unauthenticated attacker can exploit this vulnerability by injecting malicious SQL code into the <code>post-author</code> parameter. Successful exploitation allows the attacker to manipulate database queries and extract sensitive information without requiring authentication. This vulnerability poses a significant risk to e-commerce sites using the WCAPF plugin, as attackers could potentially access customer data, administrative credentials, or other confidential information.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An unauthenticated attacker identifies a WooCommerce website using a vulnerable version (&lt;=4.2.3) of the WCAPF plugin.</li>
<li>The attacker crafts a malicious HTTP request targeting an endpoint that utilizes the vulnerable <code>post-author</code> parameter.</li>
<li>The crafted request includes a SQL injection payload within the <code>post-author</code> parameter, designed to extract data using time-based techniques. For example, the attacker might use a <code>SLEEP()</code> function to introduce delays based on conditional database queries.</li>
<li>The web server processes the request and passes the unsanitized <code>post-author</code> parameter to the database query.</li>
<li>The injected SQL code manipulates the original query, causing the database to execute the attacker&rsquo;s malicious commands.</li>
<li>Based on the response time (due to the <code>SLEEP()</code> function), the attacker infers whether their injected SQL query was successful in retrieving specific data.</li>
<li>The attacker iteratively refines their SQL injection payload to extract sensitive information, such as user credentials or customer details.</li>
<li>The attacker exfiltrates the obtained data, potentially using it for identity theft, financial fraud, or further attacks against the compromised website.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-3396 can lead to the complete compromise of the vulnerable WooCommerce website&rsquo;s database. An attacker could potentially access sensitive customer data, including names, addresses, credit card details, and purchase history. Furthermore, administrative credentials could be stolen, allowing the attacker to gain full control over the website. This can result in significant financial losses, reputational damage, and legal liabilities for the affected e-commerce business. While the exact number of affected websites is unknown, any online store using the WCAPF plugin versions 4.2.3 or earlier is potentially at risk.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade the WCAPF plugin to a version greater than 4.2.3 to patch CVE-2026-3396 (references: CVE-2026-3396).</li>
<li>Deploy the Sigma rule <code>Detect WooCommerce SQL Injection Attempt</code> to identify potential exploitation attempts in web server logs (references: Sigma rule).</li>
<li>Implement input validation and sanitization on the <code>post-author</code> parameter to prevent SQL injection attacks (references: Attack Chain).</li>
<li>Monitor web server logs for suspicious requests containing SQL injection payloads, particularly those targeting WCAPF plugin endpoints (references: Sigma rule, Attack Chain).</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>woocommerce</category><category>sqli</category><category>cve-2026-3396</category><category>wordpress</category><category>plugin</category></item><item><title>WordPress Plugin Vulnerability: Arbitrary File Upload in Gerador de Certificados – DevApps</title><link>https://feed.craftedsignal.io/briefs/2026-04-wordpress-upload/</link><pubDate>Wed, 08 Apr 2026 07:16:22 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-wordpress-upload/</guid><description>The Gerador de Certificados – DevApps WordPress plugin is vulnerable to arbitrary file uploads due to missing file type validation, potentially leading to remote code execution.</description><content:encoded><![CDATA[<p>The Gerador de Certificados – DevApps plugin for WordPress, versions up to and including 1.3.6, contains an arbitrary file upload vulnerability (CVE-2026-4808). This flaw stems from a lack of file type validation within the <code>moveUploadedFile()</code> function. Authenticated users with administrator privileges or higher can exploit this vulnerability by uploading arbitrary files to the affected server. Successful exploitation could allow an attacker to execute arbitrary code on the server, leading to a complete system compromise. This vulnerability poses a significant threat to websites using the affected plugin, potentially impacting data confidentiality, integrity, and availability.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker authenticates to the WordPress site with administrator-level privileges.</li>
<li>The attacker navigates to the Gerador de Certificados – DevApps plugin&rsquo;s upload functionality.</li>
<li>The attacker crafts a malicious file (e.g., a PHP file) with a disguised extension or no extension.</li>
<li>The attacker uploads the malicious file through the plugin&rsquo;s interface, bypassing the missing file type validation in the <code>moveUploadedFile()</code> function.</li>
<li>The plugin saves the file to a publicly accessible directory on the server.</li>
<li>The attacker identifies the location of the uploaded file.</li>
<li>The attacker sends an HTTP request to the uploaded file&rsquo;s location.</li>
<li>The server executes the malicious code within the uploaded file, granting the attacker remote code execution capabilities.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this vulnerability allows attackers with administrator privileges to upload arbitrary files to the web server. This can lead to remote code execution, potentially allowing the attacker to gain full control of the WordPress website and the underlying server. This could lead to data theft, website defacement, or use of the server for malicious purposes such as hosting phishing sites or launching attacks against other systems. The number of affected sites is potentially very large.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade the Gerador de Certificados – DevApps plugin to the latest version, which includes a fix for CVE-2026-4808.</li>
<li>Implement web server configurations to prevent the execution of scripts in upload directories.</li>
<li>Enable web server logging and monitor for suspicious file uploads and access attempts to unusual file types.</li>
<li>Deploy the Sigma rule to detect attempts to access PHP files within the <code>wp-content/uploads</code> directory.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>wordpress</category><category>plugin</category><category>file-upload</category><category>remote-code-execution</category></item><item><title>WordPress Widgets for Social Photo Feed Plugin Stored XSS Vulnerability</title><link>https://feed.craftedsignal.io/briefs/2026-04-wordpress-xss/</link><pubDate>Sat, 04 Apr 2026 09:16:20 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-wordpress-xss/</guid><description>The Widgets for Social Photo Feed plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via the 'feed_data' parameter, allowing unauthenticated attackers to inject arbitrary web scripts in pages that will execute when a user accesses the injected page.</description><content:encoded><![CDATA[<p>The Widgets for Social Photo Feed plugin for WordPress, versions up to and including 1.7.9, contains a stored Cross-Site Scripting (XSS) vulnerability (CVE-2026-5425). This vulnerability stems from insufficient input sanitization and output escaping of the <code>feed_data</code> parameter keys. An unauthenticated attacker can exploit this flaw by injecting malicious JavaScript code into the WordPress database. When a user visits a page containing a vulnerable widget, the injected script executes within their browser, potentially leading to session hijacking, account takeover, or other malicious activities. This vulnerability was reported by Wordfence and patched in version 1.8 of the plugin.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The unauthenticated attacker identifies a WordPress site using a vulnerable version (&lt;= 1.7.9) of the Widgets for Social Photo Feed plugin.</li>
<li>The attacker crafts a malicious HTTP request targeting the plugin&rsquo;s functionality that handles the <code>feed_data</code> parameter. This request contains an XSS payload within the parameter keys.</li>
<li>The WordPress server receives the crafted HTTP request. The vulnerable plugin processes the request without proper input sanitization or output escaping.</li>
<li>The malicious XSS payload is stored in the WordPress database, associated with the plugin&rsquo;s settings or data.</li>
<li>A legitimate user visits a page on the WordPress site where the affected widget is displayed.</li>
<li>The WordPress server retrieves the plugin data, including the stored XSS payload, from the database.</li>
<li>The server renders the page with the unsanitized XSS payload embedded within the HTML output.</li>
<li>The user&rsquo;s browser receives the HTML page containing the malicious script and executes it. This could lead to redirection, information theft, or further compromise of the user&rsquo;s session.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this vulnerability allows an unauthenticated attacker to execute arbitrary JavaScript code in the context of a website user&rsquo;s browser. This can result in session hijacking, defacement of the website, redirection to malicious sites, or the theft of sensitive information. While the exact number of vulnerable installations is not available, the widespread use of WordPress plugins makes this a potentially significant threat, particularly for sites that do not promptly apply security updates.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade the Widgets for Social Photo Feed plugin to version 1.8 or later to patch CVE-2026-5425.</li>
<li>Deploy the Sigma rule <code>Detect WordPress Social Photo Feed XSS Attempt</code> to identify exploitation attempts in web server logs.</li>
<li>Implement a web application firewall (WAF) rule to filter out requests containing potentially malicious JavaScript code in the <code>feed_data</code> parameter.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>wordpress</category><category>xss</category><category>cve-2026-5425</category><category>plugin</category></item><item><title>ProfilePress WordPress Plugin Membership Payment Bypass Vulnerability</title><link>https://feed.craftedsignal.io/briefs/2026-04-profilepress-bypass/</link><pubDate>Sat, 04 Apr 2026 09:16:20 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-profilepress-bypass/</guid><description>The ProfilePress WordPress plugin before 4.16.12 is vulnerable to an unauthorized membership payment bypass, allowing authenticated attackers to obtain paid memberships without payment by manipulating subscription IDs during checkout.</description><content:encoded><![CDATA[<p>The ProfilePress plugin for WordPress, specifically the &ldquo;Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile &amp; Restrict Content&rdquo; version 4.16.11 and earlier, contains a vulnerability (CVE-2026-3445) that allows authenticated attackers to bypass membership payment requirements. This flaw stems from a missing ownership verification on the <code>change_plan_sub_id</code> parameter within the <code>process_checkout()</code> function. An attacker with subscriber-level access can exploit this by referencing another user&rsquo;s active subscription during the checkout process. This manipulation affects proration calculations, ultimately enabling the attacker to obtain paid lifetime membership plans without submitting legitimate payment. This vulnerability is triggered via the <code>ppress_process_checkout</code> AJAX action, making it critical for defenders to implement appropriate detection and mitigation strategies.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker registers a new account on the WordPress site with the vulnerable ProfilePress plugin installed, obtaining subscriber-level access.</li>
<li>The attacker identifies a valid, active subscription ID belonging to another user within the ProfilePress system.</li>
<li>The attacker initiates the purchase of a paid membership plan (e.g., a lifetime membership).</li>
<li>During the checkout process, the attacker intercepts the HTTP request sent to the <code>ppress_process_checkout</code> AJAX action.</li>
<li>The attacker modifies the <code>change_plan_sub_id</code> parameter within the request, replacing the expected value with the subscription ID of the other user.</li>
<li>The server-side <code>process_checkout()</code> function fails to properly validate the ownership of the provided <code>change_plan_sub_id</code>.</li>
<li>Due to the manipulated <code>change_plan_sub_id</code>, the proration calculations are skewed, resulting in a significantly reduced or zeroed payment amount.</li>
<li>The attacker completes the checkout process without making a legitimate payment and is granted access to the paid membership plan.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-3445 allows attackers to bypass payment requirements and gain unauthorized access to premium content and features offered through the ProfilePress plugin. This can result in significant revenue loss for website owners relying on paid memberships. The number of affected websites is potentially large, given the popularity of WordPress and the ProfilePress plugin. This vulnerability could also damage the reputation of the affected website and erode trust among legitimate paying members.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade to ProfilePress version 4.16.12 or later to patch CVE-2026-3445 (reference: vulnerability description).</li>
<li>Deploy the Sigma rule <code>Detect ProfilePress Membership Bypass Attempt</code> to your SIEM and tune for your environment to detect potential exploitation attempts by monitoring for the use of the <code>ppress_process_checkout</code> AJAX action with suspicious <code>change_plan_sub_id</code> values (reference: Sigma rule).</li>
<li>Monitor web server logs for POST requests to the <code>/wp-admin/admin-ajax.php</code> endpoint with the <code>action</code> parameter set to <code>ppress_process_checkout</code> to identify potential exploit attempts (reference: Attack Chain).</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>wordpress</category><category>plugin</category><category>vulnerability</category><category>membership</category></item><item><title>Blackhole for Bad Bots WordPress Plugin Stored XSS Vulnerability</title><link>https://feed.craftedsignal.io/briefs/2024-01-11-wordpress-blackhole-xss/</link><pubDate>Thu, 26 Mar 2026 05:16:40 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-11-wordpress-blackhole-xss/</guid><description>The Blackhole for Bad Bots WordPress plugin through version 3.8 is vulnerable to stored cross-site scripting (XSS) via the User-Agent HTTP header, allowing unauthenticated attackers to inject arbitrary web scripts that execute when an administrator views the plugin's admin page.</description><content:encoded><![CDATA[<p>The Blackhole for Bad Bots plugin for WordPress, up to and including version 3.8, contains a stored cross-site scripting (XSS) vulnerability. The vulnerability stems from insufficient input sanitization and output escaping of the User-Agent HTTP header when capturing bot data. Specifically, the plugin uses <code>sanitize_text_field()</code> which strips HTML tags but does not escape HTML entities. This data is then stored using <code>update_option()</code> and later displayed on the Bad Bots log page. The stored data is output into HTML input value attributes and HTML span content without proper escaping via <code>esc_attr()</code> or <code>esc_html()</code>. This allows an unauthenticated attacker to inject arbitrary web scripts that are executed when an administrator views the Blackhole Bad Bots admin page, potentially leading to privilege escalation or other malicious actions.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An unauthenticated attacker sends a request to the WordPress site with a malicious User-Agent header containing an XSS payload.</li>
<li>The Blackhole for Bad Bots plugin captures the User-Agent string using <code>sanitize_text_field()</code>, which inadequately sanitizes the input.</li>
<li>The plugin stores the inadequately sanitized User-Agent string in the WordPress options database using <code>update_option()</code>.</li>
<li>A WordPress administrator navigates to the Blackhole Bad Bots admin page.</li>
<li>The plugin retrieves the stored User-Agent strings from the database.</li>
<li>The plugin outputs the stored User-Agent string directly into HTML input value attributes (lines 75-83) without <code>esc_attr()</code> and into HTML span content without <code>esc_html()</code> on the admin page.</li>
<li>The administrator&rsquo;s browser executes the injected XSS payload.</li>
<li>The XSS payload can perform actions such as stealing the administrator&rsquo;s session cookie, redirecting the administrator to a malicious site, or performing actions on behalf of the administrator.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this vulnerability allows unauthenticated attackers to inject arbitrary web scripts that execute in the context of an administrator&rsquo;s browser session. This can lead to various malicious outcomes, including account takeover, data theft, and defacement of the WordPress site. Given the widespread use of WordPress and the Blackhole for Bad Bots plugin, a successful exploit could impact a significant number of websites.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade the Blackhole for Bad Bots plugin to a version greater than 3.8 to remediate CVE-2026-4329.</li>
<li>Implement a Web Application Firewall (WAF) rule to filter requests containing suspicious User-Agent headers that might exploit CVE-2026-4329.</li>
<li>Monitor web server logs for requests with unusual or potentially malicious User-Agent strings to detect potential exploitation attempts related to CVE-2026-4329.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>wordpress</category><category>xss</category><category>plugin</category><category>cve-2026-4329</category></item><item><title>WP Job Portal Plugin SQL Injection Vulnerability</title><link>https://feed.craftedsignal.io/briefs/2026-03-wp-job-portal-sqli/</link><pubDate>Tue, 24 Mar 2026 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-03-wp-job-portal-sqli/</guid><description>The WP Job Portal plugin for WordPress is vulnerable to SQL Injection via the 'radius' parameter, allowing unauthenticated attackers to extract sensitive database information in versions up to 2.4.8.</description><content:encoded><![CDATA[<p>The WP Job Portal plugin for WordPress, a widely used plugin for managing job listings, is susceptible to SQL Injection attacks. This vulnerability, identified as CVE-2026-4306, affects all versions up to and including 2.4.8. The flaw stems from the insufficient sanitization of the &lsquo;radius&rsquo; parameter, which is directly incorporated into SQL queries without proper escaping. This lack of input validation enables unauthenticated attackers to inject malicious SQL code into the application&rsquo;s database queries. Successful exploitation could lead to the unauthorized disclosure of sensitive information stored within the WordPress database. Given the popularity of WordPress and the WP Job Portal plugin, a successful attack could impact a large number of websites and expose confidential data, including user credentials, financial details, and other sensitive information.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An unauthenticated attacker crafts a malicious HTTP request targeting the WordPress website running the vulnerable WP Job Portal plugin.</li>
<li>The attacker appends a SQL injection payload to the &lsquo;radius&rsquo; parameter within the HTTP request.</li>
<li>The vulnerable plugin receives the request and incorporates the unsanitized &lsquo;radius&rsquo; parameter into an SQL query within <code>includes/ajax.php</code> or <code>modules/job/model.php</code>.</li>
<li>The injected SQL code is executed against the WordPress database due to the lack of proper input validation and escaping.</li>
<li>The attacker leverages the SQL injection to extract sensitive information from the database, such as user credentials, API keys, or other confidential data.</li>
<li>The extracted data may be exfiltrated from the server using various techniques.</li>
<li>The attacker could potentially use the compromised data to gain further access to the WordPress site or connected systems.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this SQL Injection vulnerability (CVE-2026-4306) could lead to the complete compromise of the WordPress database. Attackers could gain access to sensitive information, including user credentials, customer data, and confidential business information. The vulnerability impacts all users running WP Job Portal plugin versions 2.4.8 and earlier. The CVSS v3.1 score is 7.5, indicating a high severity risk. The impact includes unauthorized data access.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade the WP Job Portal plugin to version 2.4.9 or later to patch the SQL Injection vulnerability (CVE-2026-4306).</li>
<li>Deploy a web application firewall (WAF) with rules to detect and block SQL Injection attempts targeting the &lsquo;radius&rsquo; parameter in WordPress plugins.</li>
<li>Enable detailed logging for your web server (category &ldquo;webserver&rdquo;, product &ldquo;linux|windows&rdquo;) to monitor for suspicious activity and potential exploitation attempts.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>sql-injection</category><category>wordpress</category><category>plugin</category></item><item><title>Otter Blocks Plugin Purchase Verification Bypass Vulnerability (CVE-2026-2892)</title><link>https://feed.craftedsignal.io/briefs/2026-06-otter-blocks-bypass/</link><pubDate>Mon, 24 Jun 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-06-otter-blocks-bypass/</guid><description>CVE-2026-2892 is a purchase verification bypass vulnerability in the Otter Blocks plugin for WordPress, affecting versions up to 3.1.4, that allows unauthenticated attackers to access restricted content by forging a cookie used for purchase validation.</description><content:encoded><![CDATA[<p>The Otter Blocks plugin, a popular WordPress extension, is susceptible to a purchase verification bypass vulnerability identified as CVE-2026-2892. This flaw affects all versions up to and including 3.1.4. The vulnerability stems from the plugin&rsquo;s reliance on an unsigned cookie, &lsquo;o_stripe_data&rsquo;, to determine Stripe product ownership for unauthenticated users. The &lsquo;get_customer_data&rsquo; method uses this cookie, and the subsequent &lsquo;check_purchase&rsquo; method trusts its contents without proper server-side validation against the Stripe API. This lack of verification enables attackers to gain unauthorized access to purchase-gated content. The target product ID is often exposed in the checkout block&rsquo;s HTML source, further simplifying the exploit. Successful exploitation allows attackers to bypass payment requirements, potentially impacting content creators and businesses relying on the plugin for revenue generation.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An unauthenticated attacker identifies a WordPress site using the vulnerable Otter Blocks plugin (version &lt;= 3.1.4).</li>
<li>The attacker examines the HTML source code of a checkout block on the target site to identify the target product ID.</li>
<li>The attacker crafts a malicious &lsquo;o_stripe_data&rsquo; cookie containing the target product ID.</li>
<li>The attacker sets the forged &lsquo;o_stripe_data&rsquo; cookie in their browser.</li>
<li>The attacker navigates to the purchase-gated content on the WordPress site.</li>
<li>The &lsquo;get_customer_data&rsquo; method reads the forged &lsquo;o_stripe_data&rsquo; cookie.</li>
<li>The &lsquo;check_purchase&rsquo; method incorrectly validates the forged purchase data without server-side verification against the Stripe API.</li>
<li>The attacker gains unauthorized access to the purchase-gated content, bypassing the intended payment requirement.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-2892 allows unauthenticated attackers to bypass purchase verification mechanisms implemented by the Otter Blocks plugin. This can lead to unauthorized access to premium content, resulting in revenue loss for content creators and businesses using the plugin. The number of potentially affected websites is significant, given the popularity of WordPress and the Otter Blocks plugin. The CVSS v3.1 base score is 7.5, indicating a high severity vulnerability.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade the Otter Blocks plugin to a version greater than 3.1.4 to patch CVE-2026-2892.</li>
<li>Deploy the provided Sigma rules to detect potential exploitation attempts targeting the vulnerable plugin.</li>
<li>Monitor web server logs (category <code>webserver</code>, product <code>linux</code>) for suspicious cookie manipulation activity, specifically targeting the &lsquo;o_stripe_data&rsquo; cookie.</li>
<li>Implement server-side validation of purchase data against the Stripe API to prevent cookie forgery attacks.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>wordpress</category><category>plugin</category><category>purchase-bypass</category><category>CVE-2026-2892</category><category>defense-evasion</category></item><item><title>Breeze Cache Plugin Arbitrary File Upload Vulnerability (CVE-2026-3844)</title><link>https://feed.craftedsignal.io/briefs/2026-04-breeze-cache-rce/</link><pubDate>Thu, 29 Feb 2024 10:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-breeze-cache-rce/</guid><description>The Breeze Cache plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation, potentially leading to remote code execution.</description><content:encoded><![CDATA[<p>The Breeze Cache plugin for WordPress, in versions up to and including 2.4.4, contains an arbitrary file upload vulnerability (CVE-2026-3844). This flaw stems from the lack of file type validation within the &lsquo;fetch_gravatar_from_remote&rsquo; function. An unauthenticated attacker can exploit this vulnerability to upload arbitrary files to the affected WordPress site&rsquo;s server. Successful exploitation could lead to remote code execution on the server. It is important to note that the vulnerability can only be exploited if the &ldquo;Host Files Locally - Gravatars&rdquo; setting is enabled within the Breeze Cache plugin. This setting is disabled by default, reducing the attack surface. Defenders should prioritize identifying potentially compromised systems running vulnerable versions of Breeze Cache with the &ldquo;Host Files Locally - Gravatars&rdquo; option enabled.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An unauthenticated attacker identifies a WordPress site running a vulnerable version (&lt;= 2.4.4) of the Breeze Cache plugin.</li>
<li>The attacker confirms the &ldquo;Host Files Locally - Gravatars&rdquo; option is enabled on the target WordPress site.</li>
<li>The attacker crafts a malicious HTTP request targeting the &lsquo;fetch_gravatar_from_remote&rsquo; function. This request contains a payload designed to upload an arbitrary file to the server.</li>
<li>Due to the missing file type validation, the server accepts the malicious file upload without proper sanitization. The uploaded file can be a PHP file, a web shell, or another executable type.</li>
<li>The attacker determines the location where the file has been saved by the plugin.</li>
<li>The attacker sends an HTTP request to the uploaded file&rsquo;s location, triggering its execution on the server.</li>
<li>The malicious file executes, granting the attacker remote code execution capabilities on the web server.</li>
<li>The attacker can then perform actions such as installing malware, stealing sensitive data, or further compromising the server and network.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this vulnerability allows an unauthenticated attacker to upload arbitrary files to a vulnerable WordPress server. This can lead to complete compromise of the server, allowing for remote code execution. The attacker can then pivot to other systems, steal sensitive information, or cause significant disruption. While the &ldquo;Host Files Locally - Gravatars&rdquo; option is disabled by default, any instance where this option is enabled is at critical risk.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade the Breeze Cache plugin to the latest version to patch CVE-2026-3844.</li>
<li>Disable the &ldquo;Host Files Locally - Gravatars&rdquo; setting in the Breeze Cache plugin if it is enabled.</li>
<li>Deploy the Sigma rules provided below to your SIEM to detect potential exploitation attempts.</li>
<li>Monitor web server logs for suspicious file uploads and requests to unusual file extensions using the provided Sigma rules.</li>
<li>Implement strict file upload policies and validation mechanisms on all web applications to prevent arbitrary file uploads.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>wordpress</category><category>plugin</category><category>file-upload</category><category>rce</category></item><item><title>Royal Elementor Addons Plugin SSRF Vulnerability</title><link>https://feed.craftedsignal.io/briefs/2024-01-royal-elementor-ssrf/</link><pubDate>Mon, 08 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-royal-elementor-ssrf/</guid><description>The Royal Elementor Addons plugin for WordPress is vulnerable to Server-Side Request Forgery (SSRF) allowing authenticated attackers with Contributor-level access or higher to make arbitrary requests and retrieve sensitive information from internal services.</description><content:encoded><![CDATA[<p>The Royal Elementor Addons plugin, a popular WordPress extension, contains a Server-Side Request Forgery (SSRF) vulnerability (CVE-2026-6229) in versions up to and including 1.7.1057. This flaw stems from inadequate validation of user-provided URLs within the <code>render_csv_data()</code> function. Attackers can bypass the validation by including &lsquo;docs.google.com/spreadsheets&rsquo; in a query parameter. The vulnerability is triggered because the plugin uses these URLs in <code>fopen()</code> calls without implementing adequate safeguards to prevent access to internal or private network addresses. This vulnerability enables authenticated attackers with Contributor-level access or higher to craft malicious requests, potentially exposing sensitive internal data. Successful exploitation allows attackers to probe internal network resources, access configuration files, and potentially escalate attacks further.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker authenticates to the WordPress site with Contributor-level access or higher.</li>
<li>The attacker crafts a malicious HTTP request targeting the vulnerable <code>render_csv_data()</code> function within the Royal Elementor Addons plugin.</li>
<li>The malicious request includes a user-supplied URL containing &lsquo;docs.google.com/spreadsheets&rsquo; within a query parameter to bypass initial validation checks.</li>
<li>The plugin&rsquo;s <code>render_csv_data()</code> function receives the crafted URL without proper sanitization or validation against internal or private network addresses.</li>
<li>The <code>fopen()</code> function is called with the attacker-controlled URL, initiating an outbound request from the WordPress server.</li>
<li>If the URL points to an internal resource, the WordPress server retrieves the resource content.</li>
<li>The attacker receives the content of the internal resource in the response from the WordPress server.</li>
<li>The attacker analyzes the retrieved content for sensitive information, such as configuration files, API keys, or internal service details.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this SSRF vulnerability (CVE-2026-6229) can lead to the exposure of sensitive internal information, potentially impacting all organizations using the Royal Elementor Addons plugin for WordPress version 1.7.1057 and below. This may include internal configuration files, API keys, database credentials, or other sensitive data accessible through internal services. The severity is high due to the potential for attackers to pivot from this vulnerability and further compromise the WordPress server or the internal network.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade the Royal Elementor Addons plugin to a version higher than 1.7.1057 to patch CVE-2026-6229.</li>
<li>Deploy the Sigma rule &ldquo;Detect Royal Elementor Addons SSRF Attempt via URL Parameter&rdquo; to identify malicious requests targeting the <code>render_csv_data()</code> function in your web server logs.</li>
<li>Implement strict network segmentation and firewall rules to limit access from the WordPress server to internal resources, mitigating the impact of potential SSRF vulnerabilities.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>wordpress</category><category>ssrf</category><category>cve-2026-6229</category><category>plugin</category></item><item><title>WordPress Drag and Drop File Upload Plugin Vulnerable to Arbitrary File Upload (CVE-2026-5364)</title><link>https://feed.craftedsignal.io/briefs/2024-01-wordpress-plugin-upload/</link><pubDate>Wed, 03 Jan 2024 18:23:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-wordpress-plugin-upload/</guid><description>The Drag and Drop File Upload for Contact Form 7 plugin for WordPress is vulnerable to arbitrary file upload in versions up to 1.1.3, allowing unauthenticated attackers to upload arbitrary PHP files by manipulating the file type parameter and exploiting extension sanitization vulnerabilities.</description><content:encoded><![CDATA[<p>The Drag and Drop File Upload for Contact Form 7 plugin for WordPress, in versions up to and including 1.1.3, contains an arbitrary file upload vulnerability tracked as CVE-2026-5364. The flaw stems from insufficient sanitization of file extensions during the upload process. Specifically, the plugin extracts the file extension before sanitization and allows the file type parameter to be controlled by the attacker. Furthermore, validation occurs on the unsanitized extension, while the file is saved with a sanitized extension, stripping special characters like &lsquo;$&rsquo; during the save. While an .htaccess file and name randomization are present, these restrictions may be bypassable in certain configurations or by exploiting other vulnerabilities. This vulnerability could allow unauthenticated attackers to upload arbitrary PHP files to the web server, potentially leading to remote code execution (RCE).</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An unauthenticated attacker identifies a WordPress website using a vulnerable version (&lt;= 1.1.3) of the &ldquo;Drag and Drop File Upload for Contact Form 7&rdquo; plugin.</li>
<li>The attacker crafts a malicious HTTP POST request targeting the plugin&rsquo;s upload endpoint, typically <code>/wp-content/plugins/drag-and-drop-multiple-file-upload-contact-form-7/upload.php</code>.</li>
<li>The POST request includes a file with a manipulated extension, such as <code>evil.php$.jpg</code>, where <code>evil.php</code> is the malicious PHP payload and <code>$.jpg</code> is designed to be sanitized to <code>.jpg</code>.</li>
<li>The attacker modifies the <code>file type</code> parameter in the request to reflect the original manipulated file extension (<code>evil.php$.jpg</code>).</li>
<li>The plugin validates the extension against administrator-configured types but, due to the unsanitized extension and attacker control over the file type parameter, the malicious file passes validation.</li>
<li>The plugin sanitizes the extension, removing the <code>$</code> character, resulting in a file saved with the extension <code>.php</code>.</li>
<li>The attacker attempts to access the uploaded PHP file via a direct HTTP request to <code>/wp-content/uploads/&lt;random_name&gt;.php</code>.</li>
<li>If the <code>.htaccess</code> restrictions are bypassed (e.g., due to misconfiguration or another vulnerability), the web server executes the malicious PHP code, granting the attacker remote code execution.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-5364 allows unauthenticated attackers to upload and execute arbitrary PHP code on the target WordPress server. This can lead to complete compromise of the website, including defacement, data theft, and installation of backdoors. While the presence of <code>.htaccess</code> and name randomization mitigates the risk, these protections may be bypassed, especially when combined with other vulnerabilities or misconfigurations. Given the widespread use of WordPress and its plugins, this vulnerability poses a significant risk to a large number of websites. The CVSS v3.1 base score is 8.1, indicating a high severity vulnerability.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade the &ldquo;Drag and Drop File Upload for Contact Form 7&rdquo; plugin to the latest version (greater than 1.1.3) to patch CVE-2026-5364.</li>
<li>Implement a Web Application Firewall (WAF) rule to inspect and block requests containing suspicious file extensions in the POST parameters targeting the plugin&rsquo;s upload endpoint (<code>/wp-content/plugins/drag-and-drop-multiple-file-upload-contact-form-7/upload.php</code>).</li>
<li>Deploy the Sigma rule <code>Detect Suspicious File Upload via Drag and Drop CF7</code> to identify exploitation attempts in web server logs (cs-uri-query).</li>
<li>Review and harden <code>.htaccess</code> configurations to ensure that PHP execution is restricted in the <code>/wp-content/uploads/</code> directory.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>wordpress</category><category>file-upload</category><category>rce</category><category>plugin</category><category>CVE-2026-5364</category></item><item><title>WordPress Profile Builder Pro Plugin PHP Object Injection Vulnerability (CVE-2026-7647)</title><link>https://feed.craftedsignal.io/briefs/2024-01-wordpress-profile-builder-rce/</link><pubDate>Wed, 03 Jan 2024 14:30:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-wordpress-profile-builder-rce/</guid><description>An unauthenticated PHP Object Injection vulnerability exists in the Profile Builder Pro WordPress plugin (versions up to 3.14.5) due to the insecure use of `maybe_unserialize()` on the 'args' POST parameter in the `wppb_request_users_pins_action_callback()` AJAX handler, potentially leading to arbitrary code execution.</description><content:encoded><![CDATA[<p>The Profile Builder Pro plugin for WordPress is susceptible to a critical PHP Object Injection vulnerability (CVE-2026-7647) affecting all versions up to and including 3.14.5. This flaw stems from the plugin&rsquo;s use of the <code>maybe_unserialize()</code> function on the attacker-controlled <code>args</code> POST parameter passed to the <code>wppb_request_users_pins_action_callback()</code> AJAX handler. Critically, this handler lacks nonce verification, input validation, and type checking, making it accessible to unauthenticated users via both <code>wp_ajax_</code> and <code>wp_ajax_nopriv_</code> hooks. Successful exploitation allows remote, unauthenticated attackers to inject arbitrary PHP objects into the application&rsquo;s memory space, potentially leading to remote code execution depending on available classes and application configuration. The vulnerability was published on 2026-05-02.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An unauthenticated attacker identifies a WordPress site running a vulnerable version (&lt;= 3.14.5) of the Profile Builder Pro plugin.</li>
<li>The attacker crafts a malicious HTTP POST request targeting the WordPress AJAX endpoint (<code>/wp-admin/admin-ajax.php</code>).</li>
<li>The POST request includes the <code>action</code> parameter set to <code>wppb_request_users_pins_action_callback</code>.</li>
<li>The POST request includes the <code>args</code> parameter containing a serialized PHP object designed to trigger arbitrary code execution upon deserialization.</li>
<li>The WordPress server receives the request and invokes the <code>wppb_request_users_pins_action_callback()</code> function.</li>
<li>The vulnerable function calls <code>maybe_unserialize()</code> on the attacker-controlled <code>args</code> parameter without proper sanitization or validation.</li>
<li>The malicious PHP object is deserialized and injected into the application&rsquo;s memory space.</li>
<li>The injected object&rsquo;s methods and properties are triggered, leading to arbitrary code execution on the server.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this vulnerability allows an unauthenticated attacker to execute arbitrary PHP code on the target WordPress server. This can lead to complete system compromise, including data theft, website defacement, and the installation of backdoors for persistent access. Given the widespread use of WordPress and the Profile Builder Pro plugin, a large number of websites are potentially at risk until the plugin is updated.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade the Profile Builder Pro plugin to the latest available version to patch CVE-2026-7647.</li>
<li>Deploy the provided Sigma rule <code>Detect Profile Builder Pro PHP Object Injection Attempt</code> to detect exploitation attempts targeting the vulnerable AJAX endpoint.</li>
<li>Monitor web server logs for POST requests to <code>/wp-admin/admin-ajax.php</code> with the <code>action</code> parameter set to <code>wppb_request_users_pins_action_callback</code> and suspicious serialized data in the <code>args</code> parameter.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>php-object-injection</category><category>wordpress</category><category>plugin</category><category>rce</category></item><item><title>ExactMetrics WordPress Plugin Vulnerability Leads to Remote Code Execution</title><link>https://feed.craftedsignal.io/briefs/2024-01-02-exactmetrics-rce/</link><pubDate>Tue, 02 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-02-exactmetrics-rce/</guid><description>The ExactMetrics plugin for WordPress is vulnerable to unauthorized arbitrary plugin installation and activation via a REST API endpoint, potentially leading to remote code execution by authenticated attackers.</description><content:encoded><![CDATA[<p>A critical vulnerability, CVE-2026-5464, exists in the ExactMetrics – Google Analytics Dashboard for WordPress (Website Stats Plugin) plugin, affecting all versions up to and including 9.1.2. The vulnerability allows authenticated attackers with Editor-level access or higher, who also possess the &lsquo;exactmetrics_view_dashboard&rsquo; capability, to install and activate arbitrary WordPress plugins from attacker-controlled URLs. This is possible due to the exposure of the &lsquo;onboarding_key&rsquo; transient and the lack of proper authorization checks on the &lsquo;exactmetrics_connect_process&rsquo; AJAX endpoint. Successful exploitation can lead to Remote Code Execution (RCE) on the target WordPress site. This poses a significant risk to websites using the vulnerable plugin, as attackers can inject malicious code and gain full control of the affected system.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains authenticated access to a WordPress site as an Editor or Administrator.</li>
<li>The attacker obtains the &lsquo;onboarding_key&rsquo; by accessing the reports page, which exposes the transient value to users with the &lsquo;exactmetrics_view_dashboard&rsquo; capability.</li>
<li>The attacker uses the &lsquo;onboarding_key&rsquo; to access the &lsquo;/wp-json/exactmetrics/v1/onboarding/connect-url&rsquo; REST endpoint, receiving a one-time hash (OTH) token.</li>
<li>The attacker crafts a malicious plugin ZIP file hosted on an attacker-controlled server.</li>
<li>The attacker sends a request to the &lsquo;exactmetrics_connect_process&rsquo; AJAX endpoint, providing the OTH token and the URL of the malicious plugin ZIP file via the &lsquo;file&rsquo; parameter. This endpoint lacks capability checks and nonce verification.</li>
<li>The ExactMetrics plugin downloads the malicious plugin ZIP file from the attacker-controlled URL.</li>
<li>The ExactMetrics plugin installs and activates the malicious plugin.</li>
<li>The attacker gains Remote Code Execution on the WordPress server through the installed malicious plugin.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-5464 allows attackers to install arbitrary plugins on vulnerable WordPress sites, leading to Remote Code Execution. This grants the attacker complete control over the compromised website, enabling them to inject malicious code, deface the site, steal sensitive data, or use the site for further malicious activities. The number of affected websites depends on the widespread use of the ExactMetrics plugin. Organizations using this plugin are at risk of significant data breaches and reputational damage.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade the ExactMetrics – Google Analytics Dashboard for WordPress (Website Stats Plugin) plugin to the latest version, which patches CVE-2026-5464.</li>
<li>Monitor web server logs for suspicious requests to the &lsquo;/wp-json/exactmetrics/v1/onboarding/connect-url&rsquo; REST endpoint and the &lsquo;exactmetrics_connect_process&rsquo; AJAX endpoint. Implement the Sigma rule provided below to detect exploitation attempts.</li>
<li>Implement strong password policies and multi-factor authentication to prevent unauthorized access to WordPress accounts.</li>
<li>Restrict the &lsquo;exactmetrics_view_dashboard&rsquo; capability to only the necessary users.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>wordpress</category><category>plugin</category><category>rce</category><category>cve-2026-5464</category><category>exactmetrics</category></item></channel></rss>