{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/wordpress/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-25863"}],"_cs_exploited":false,"_cs_products":["Contact Form 7 WordPress plugin"],"_cs_severities":["medium"],"_cs_tags":["wordpress","resource-exhaustion","denial-of-service","cve-2026-25863"],"_cs_type":"advisory","_cs_vendors":["WordPress"],"content_html":"\u003cp\u003eThe Contact Form 7 WordPress plugin, specifically versions up to 2.6.7, contains an uncontrolled resource consumption vulnerability (CVE-2026-25863) within the \u003ccode\u003eWpcf7cfMailParser\u003c/code\u003e class. The \u003ccode\u003ehide_hidden_mail_fields_regex_callback()\u003c/code\u003e method is susceptible to unbounded loop execution due to reading an iteration count directly from user-supplied POST parameters via the REST API endpoint without proper validation. This allows unauthenticated attackers to send a large integer value, triggering multiple \u003ccode\u003epreg_replace()\u003c/code\u003e operations, leading to server memory exhaustion and crashing the PHP process. This vulnerability enables a denial-of-service condition, potentially impacting all websites using the vulnerable plugin.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker identifies a WordPress website using Contact Form 7 plugin version 2.6.7 or earlier.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP POST request targeting the WordPress REST API endpoint.\u003c/li\u003e\n\u003cli\u003eThe POST request includes a large integer value for the iteration count parameter, which is passed directly to the \u003ccode\u003ehide_hidden_mail_fields_regex_callback()\u003c/code\u003e method.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ehide_hidden_mail_fields_regex_callback()\u003c/code\u003e method, lacking input validation, reads the attacker-controlled integer.\u003c/li\u003e\n\u003cli\u003eThe method initiates an unbounded loop, performing \u003ccode\u003epreg_replace()\u003c/code\u003e operations based on the attacker-supplied iteration count.\u003c/li\u003e\n\u003cli\u003eEach \u003ccode\u003epreg_replace()\u003c/code\u003e operation consumes server memory.\u003c/li\u003e\n\u003cli\u003eThe excessive number of iterations rapidly exhausts available server memory.\u003c/li\u003e\n\u003cli\u003eThe PHP process crashes due to memory exhaustion, resulting in a denial-of-service condition for the website.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability leads to a denial-of-service condition. Attackers can crash the PHP process on vulnerable WordPress websites by exhausting server memory. This can result in website downtime, impacting user experience and potentially leading to data loss or corruption. While the exact number of affected websites is unknown, the widespread use of Contact Form 7 makes this vulnerability a significant threat.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the Contact Form 7 WordPress plugin to a version greater than 2.6.7 to patch CVE-2026-25863.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Contact Form 7 Uncontrolled Resource Consumption Attempt\u003c/code\u003e to your SIEM to detect malicious POST requests targeting the WordPress REST API.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for abnormally large POST request sizes to the WordPress REST API endpoint, as this may indicate an attempted exploitation of CVE-2026-25863.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T19:16:02Z","date_published":"2026-05-04T19:16:02Z","id":"/briefs/2026-05-contact-form-7-resource-exhaustion/","summary":"The Contact Form 7 WordPress plugin through version 2.6.7 is vulnerable to uncontrolled resource consumption, allowing unauthenticated attackers to exhaust server memory and crash the PHP process by supplying an arbitrarily large integer value to the REST API endpoint, leading to unbounded loop execution.","title":"Contact Form 7 WordPress Plugin Uncontrolled Resource Consumption Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-05-contact-form-7-resource-exhaustion/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-41471"}],"_cs_exploited":false,"_cs_products":["Easy PayPal Events \u0026 Tickets plugin"],"_cs_severities":["high"],"_cs_tags":["wordpress","info-disclosure","cve-2026-41471","unauthenticated","enumeration"],"_cs_type":"advisory","_cs_vendors":["WordPress"],"content_html":"\u003cp\u003eThe Easy PayPal Events \u0026amp; Tickets plugin for WordPress, versions 1.3 and earlier, contains an information disclosure vulnerability (CVE-2026-41471). This vulnerability allows unauthenticated attackers to iterate through WordPress post IDs via the \u003ccode\u003escan_qr.php\u003c/code\u003e endpoint. By sequentially accessing these IDs, attackers can retrieve customer order records stored within the WordPress database. The plugin was officially closed as of March 18, 2026, meaning websites using the plugin prior to this date are vulnerable. This allows for the potential harvesting of sensitive customer data including names, addresses, and purchase histories.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker identifies a WordPress site using the vulnerable Easy PayPal Events \u0026amp; Tickets plugin (version 1.3 or earlier).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting the \u003ccode\u003escan_qr.php\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the request to iterate through sequential WordPress post IDs.\u003c/li\u003e\n\u003cli\u003eThe server processes the request without proper authentication or authorization checks.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003escan_qr.php\u003c/code\u003e endpoint queries the WordPress database for order records associated with the provided post ID.\u003c/li\u003e\n\u003cli\u003eIf a valid order record is found, the server returns the information in the HTTP response.\u003c/li\u003e\n\u003cli\u003eThe attacker parses the HTTP response to extract customer order information.\u003c/li\u003e\n\u003cli\u003eThe attacker repeats steps 2-7, incrementing the post ID to enumerate all order records.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows unauthenticated attackers to retrieve all customer order records stored in the WordPress database. This can lead to the disclosure of sensitive customer information, including names, email addresses, purchase history, and potentially other personal details. The number of affected victims depends on the popularity and usage of the vulnerable plugin. If the database contains financial information the impact could be severe.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule detecting requests to the scan_qr.php endpoint with iterative post IDs to identify potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eIf still using the Easy PayPal Events \u0026amp; Tickets plugin, remove the plugin, as it was closed as of 2026-03-18.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious activity targeting the \u003ccode\u003escan_qr.php\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eReview the WordPress access logs for requests originating from unusual IP addresses accessing the \u003ccode\u003escan_qr.php\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T18:16:29Z","date_published":"2026-05-04T18:16:29Z","id":"/briefs/2026-05-wordpress-easy-paypal-info-disclosure/","summary":"An information disclosure vulnerability in the Easy PayPal Events \u0026 Tickets WordPress plugin (versions 1.3 and earlier) allows unauthenticated attackers to enumerate and retrieve all customer order records via the scan_qr.php endpoint.","title":"WordPress Easy PayPal Events \u0026 Tickets Plugin Information Disclosure Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-05-wordpress-easy-paypal-info-disclosure/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-32834"}],"_cs_exploited":false,"_cs_products":["Easy PayPal Events \u0026 Tickets plugin"],"_cs_severities":["high"],"_cs_tags":["wordpress","authentication bypass","vulnerability"],"_cs_type":"advisory","_cs_vendors":["WordPress"],"content_html":"\u003cp\u003eThe Easy PayPal Events \u0026amp; Tickets plugin for WordPress, version 1.3 and earlier, contains a critical hardcoded authentication bypass vulnerability (CVE-2026-32834) within its QR code scanning functionality. This flaw allows unauthenticated remote attackers to bypass hash verification by supplying the string \u0026rsquo;test\u0026rsquo; as the hash parameter when accessing the \u003ccode\u003eadd_wpeevent_button_qr\u003c/code\u003e action. This bypass enables attackers to retrieve sensitive order details associated with any post ID, including PayPal transaction IDs, customer email addresses, purchase amounts, and ticket information. The vulnerable plugin was officially closed on March 18, 2026, making it imperative to identify and mitigate any remaining installations to prevent potential data breaches.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a WordPress site using the Easy PayPal Events \u0026amp; Tickets plugin (version 1.3 or earlier).\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious HTTP GET request targeting the \u003ccode\u003e/wp-admin/admin-ajax.php\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe request includes the \u003ccode\u003eaction\u003c/code\u003e parameter set to \u003ccode\u003eadd_wpeevent_button_qr\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe request includes a \u003ccode\u003ehash\u003c/code\u003e parameter set to the hardcoded value \u003ccode\u003etest\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe request includes a \u003ccode\u003epost_id\u003c/code\u003e parameter, either guessed or obtained through other means.\u003c/li\u003e\n\u003cli\u003eThe vulnerable plugin bypasses authentication due to the hardcoded hash.\u003c/li\u003e\n\u003cli\u003eThe plugin processes the request and retrieves sensitive order details associated with the provided \u003ccode\u003epost_id\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker receives the sensitive data, including PayPal transaction IDs, customer email addresses, purchase amounts, and ticket information.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability grants unauthenticated attackers access to sensitive customer and transaction data associated with events and tickets managed through the Easy PayPal Events \u0026amp; Tickets plugin. The leaked information, including customer email addresses and PayPal transaction IDs, can be used for further malicious activities such as phishing campaigns, identity theft, and financial fraud. The number of affected WordPress sites is unknown, but any site using a vulnerable version of the plugin is at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect WordPress Easy PayPal Events \u0026amp; Tickets Authentication Bypass Attempt\u003c/code\u003e to your SIEM to detect exploitation attempts targeting the vulnerable endpoint.\u003c/li\u003e\n\u003cli\u003eInspect web server logs for requests to \u003ccode\u003e/wp-admin/admin-ajax.php\u003c/code\u003e with the \u003ccode\u003eaction\u003c/code\u003e parameter set to \u003ccode\u003eadd_wpeevent_button_qr\u003c/code\u003e and the \u003ccode\u003ehash\u003c/code\u003e parameter set to \u003ccode\u003etest\u003c/code\u003e to identify potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for suspicious data exfiltration following the identified exploitation attempts to mitigate potential damage.\u003c/li\u003e\n\u003cli\u003eIf the plugin is still installed, remove it immediately.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T18:16:27Z","date_published":"2026-05-04T18:16:27Z","id":"/briefs/2026-05-wordpress-paypal-auth-bypass/","summary":"An unauthenticated remote attacker can exploit a hardcoded authentication bypass vulnerability in the Easy PayPal Events \u0026 Tickets plugin for WordPress (versions 1.3 and earlier) by providing 'test' as the hash parameter, allowing retrieval of sensitive order details.","title":"WordPress Easy PayPal Events \u0026 Tickets Plugin Authentication Bypass Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-05-wordpress-paypal-auth-bypass/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.2,"id":"CVE-2026-5063"}],"_cs_exploited":false,"_cs_products":["NEX-Forms – Ultimate Forms Plugin for WordPress plugin \u003c= 9.1.11"],"_cs_severities":["medium"],"_cs_tags":["wordpress","xss","stored-xss","cve-2026-5063"],"_cs_type":"advisory","_cs_vendors":["WordPress"],"content_html":"\u003cp\u003eThe NEX-Forms – Ultimate Forms Plugin for WordPress, versions up to and including 9.1.11, is susceptible to a stored Cross-Site Scripting (XSS) vulnerability (CVE-2026-5063). This flaw stems from inadequate input sanitization and output escaping within the \u003ccode\u003esubmit_nex_form()\u003c/code\u003e function. Unauthenticated attackers can exploit this vulnerability by injecting malicious JavaScript code through POST parameter key names. Successful exploitation allows the attacker to execute arbitrary scripts in the context of a user\u0026rsquo;s browser when they access a page containing the injected script, potentially leading to session hijacking, defacement, or redirection to malicious sites. The vulnerability was reported to Wordfence and a patch has been released.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP POST request to a WordPress page that utilizes the vulnerable NEX-Forms plugin.\u003c/li\u003e\n\u003cli\u003eThe POST request includes specially crafted parameter key names designed to inject JavaScript code.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003esubmit_nex_form()\u003c/code\u003e function processes the POST request without properly sanitizing or escaping the malicious input.\u003c/li\u003e\n\u003cli\u003eThe injected JavaScript code is stored in the WordPress database.\u003c/li\u003e\n\u003cli\u003eA legitimate user accesses a page where the form data, including the malicious script, is displayed.\u003c/li\u003e\n\u003cli\u003eThe stored JavaScript code executes within the user\u0026rsquo;s browser in the context of the WordPress page.\u003c/li\u003e\n\u003cli\u003eThe attacker can then perform actions such as stealing cookies, redirecting the user, or modifying the page content.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this stored XSS vulnerability allows an unauthenticated attacker to inject arbitrary JavaScript code into pages using the NEX-Forms plugin. This can lead to various malicious outcomes, including user session hijacking, website defacement, or redirection to phishing sites. As the vulnerability is stored, every user who visits a page containing the malicious script will be affected until the vulnerability is patched and the malicious input is removed. The severity is rated as HIGH with a CVSS base score of 7.2.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the NEX-Forms – Ultimate Forms Plugin for WordPress to a version beyond 9.1.11 to patch CVE-2026-5063.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Suspicious NEX-Forms POST Requests\u003c/code\u003e to identify potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious POST requests containing potentially malicious JavaScript code in parameter names.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-03T06:15:57Z","date_published":"2026-05-03T06:15:57Z","id":"/briefs/2026-05-wordpress-nex-forms-xss/","summary":"The NEX-Forms WordPress plugin is vulnerable to stored XSS via POST parameter key names, allowing unauthenticated attackers to inject arbitrary web scripts.","title":"NEX-Forms WordPress Plugin Vulnerable to Stored Cross-Site Scripting (CVE-2026-5063)","url":"https://feed.craftedsignal.io/briefs/2026-05-wordpress-nex-forms-xss/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.1,"id":"CVE-2026-2554"}],"_cs_exploited":false,"_cs_products":["WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible plugin \u003c= 6.7.25"],"_cs_severities":["high"],"_cs_tags":["idor","wordpress","woocommerce","account-deletion"],"_cs_type":"advisory","_cs_vendors":["WordPress"],"content_html":"\u003cp\u003eThe WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible plugin, a popular WordPress plugin, is affected by an Insecure Direct Object Reference (IDOR) vulnerability. This flaw, present in versions up to and including 6.7.25, stems from a lack of proper validation on the \u003ccode\u003ecustomerid\u003c/code\u003e parameter within the \u003ccode\u003ewcfm_delete_wcfm_customer\u003c/code\u003e function. An attacker with Vendor-level privileges or higher can exploit this vulnerability to delete any user account on the WordPress instance, including those with administrative rights. This can lead to complete compromise of the affected website.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker authenticates to the WordPress site with Vendor-level access or higher.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting the \u003ccode\u003ewcfm_delete_wcfm_customer\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe attacker includes the \u003ccode\u003ecustomerid\u003c/code\u003e parameter in the request, setting its value to the ID of the target user account they wish to delete.\u003c/li\u003e\n\u003cli\u003eDue to the missing validation on the \u003ccode\u003ecustomerid\u003c/code\u003e parameter, the application directly uses the provided ID to locate the user account.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ewcfm_delete_wcfm_customer\u003c/code\u003e function proceeds to delete the user account identified by the attacker-supplied \u003ccode\u003ecustomerid\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe targeted user account is successfully deleted from the WordPress instance.\u003c/li\u003e\n\u003cli\u003eIf the deleted user account was an administrator, the attacker can effectively take control of the website.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this IDOR vulnerability allows an attacker to delete arbitrary user accounts, including those with administrative privileges. This can lead to a complete compromise of the affected WordPress website. An attacker could then deface the website, steal sensitive data, or use it to launch further attacks. Due to the popularity of the plugin, a large number of WooCommerce stores are potentially affected.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the latest available patch or upgrade to a version of the WCFM plugin greater than 6.7.25 to remediate CVE-2026-2554.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious requests to \u003ccode\u003ewcfm_delete_wcfm_customer\u003c/code\u003e with unusual \u003ccode\u003ecustomerid\u003c/code\u003e values, using the Sigma rule provided below.\u003c/li\u003e\n\u003cli\u003eImplement input validation on the \u003ccode\u003ecustomerid\u003c/code\u003e parameter within the \u003ccode\u003ewcfm_delete_wcfm_customer\u003c/code\u003e function to prevent arbitrary user deletion.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-02T14:16:17Z","date_published":"2026-05-02T14:16:17Z","id":"/briefs/2026-05-wordpress-wcfm-idor/","summary":"The WCFM plugin for WordPress is vulnerable to an Insecure Direct Object Reference (IDOR) that allows authenticated attackers with Vendor-level access or higher to delete arbitrary users, including administrators.","title":"WordPress WCFM Plugin Vulnerable to IDOR Leading to Account Deletion","url":"https://feed.craftedsignal.io/briefs/2026-05-wordpress-wcfm-idor/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-6320"}],"_cs_exploited":false,"_cs_products":["Salon Booking System – Free Version plugin for WordPress \u003c= 10.30.25"],"_cs_severities":["high"],"_cs_tags":["arbitrary-file-read","wordpress","plugin-vulnerability","cve"],"_cs_type":"advisory","_cs_vendors":["WordPress"],"content_html":"\u003cp\u003eThe Salon Booking System – Free Version plugin for WordPress, versions up to and including 10.30.25, contains an arbitrary file read vulnerability. This flaw stems from the plugin\u0026rsquo;s public booking flow, where it accepts attacker-controlled file-field values. These values are subsequently used as trusted paths when creating email attachments for booking confirmations. This allows an unauthenticated attacker to supply a path to any file accessible to the web server, triggering its inclusion as an attachment in the booking confirmation email, effectively enabling arbitrary file exfiltration. Exploitation requires no authentication and can be triggered remotely.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker accesses the public booking form of a WordPress site running the vulnerable Salon Booking System plugin.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious request to the booking form, injecting a file path (e.g., \u003ccode\u003e/etc/passwd\u003c/code\u003e) into a file-field parameter.\u003c/li\u003e\n\u003cli\u003eThe plugin processes the booking request and stores the attacker-supplied file path.\u003c/li\u003e\n\u003cli\u003eThe plugin generates a booking confirmation email.\u003c/li\u003e\n\u003cli\u003eThe plugin uses the stored, attacker-controlled file path to attach the specified file to the confirmation email.\u003c/li\u003e\n\u003cli\u003eThe booking confirmation email, now containing the arbitrary file as an attachment, is sent to the user who initiated the booking (which could be the attacker or an unwitting third party).\u003c/li\u003e\n\u003cli\u003eThe attacker retrieves the email (if sent to the attacker) or intercepts it (if sent to a third party) and extracts the attached file.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to the contents of the exfiltrated file.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows unauthenticated attackers to read arbitrary files from the affected WordPress server. This could lead to the disclosure of sensitive information, such as configuration files, database credentials, or other confidential data. The vulnerability affects versions of the Salon Booking System plugin up to and including 10.30.25. The number of affected WordPress installations is unknown, but could be substantial given the plugin\u0026rsquo;s popularity.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the Salon Booking System plugin to the latest version to patch CVE-2026-6320.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs (category \u003ccode\u003ewebserver\u003c/code\u003e, product \u003ccode\u003elinux\u003c/code\u003e) for suspicious requests containing absolute or relative file paths in file-field parameters, using a detection rule similar to the ones provided below.\u003c/li\u003e\n\u003cli\u003eImplement strict input validation and sanitization for all user-supplied data, especially file paths.\u003c/li\u003e\n\u003cli\u003eReview and restrict file system permissions to limit the files accessible to the web server process.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-02T12:16:16Z","date_published":"2026-05-02T12:16:16Z","id":"/briefs/2026-05-wordpress-arbitrary-file-read/","summary":"The Salon Booking System WordPress plugin is vulnerable to arbitrary file read, allowing unauthenticated attackers to exfiltrate local files by manipulating file-field values in booking confirmation emails.","title":"Salon Booking System WordPress Plugin Arbitrary File Read Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-05-wordpress-arbitrary-file-read/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.1,"id":"CVE-2026-4100"}],"_cs_exploited":false,"_cs_products":["Paid Memberships Pro plugin"],"_cs_severities":["high"],"_cs_tags":["wordpress","stripe","webhook","vulnerability","plugin"],"_cs_type":"advisory","_cs_vendors":["Stripe","WordPress"],"content_html":"\u003cp\u003eThe Paid Memberships Pro plugin, a popular WordPress plugin for managing paid subscriptions, contains a vulnerability (CVE-2026-4100) that allows authenticated attackers with minimal privileges (Subscriber-level access) to manipulate Stripe webhook configurations. This flaw exists in versions up to and including 3.6.5 due to missing capability checks on specific AJAX handlers. An attacker exploiting this vulnerability can delete, create, or rebuild the site\u0026rsquo;s Stripe webhook, leading to significant disruptions in payment processing, subscription renewal synchronization, cancellation handling, and management of failed payments. This vulnerability puts revenue streams and customer relationships at risk for any organization using the affected plugin versions.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains Subscriber-level access to the WordPress site, either through registration or compromised credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious AJAX request targeting the \u003ccode\u003ewp_ajax_pmpro_stripe_create_webhook\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker crafts a malicious AJAX request to the \u003ccode\u003ewp_ajax_pmpro_stripe_delete_webhook\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eOr, the attacker crafts a malicious AJAX request to the \u003ccode\u003ewp_ajax_pmpro_stripe_rebuild_webhook\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eDue to missing capability checks, the server processes the request without proper authorization.\u003c/li\u003e\n\u003cli\u003eThe Stripe webhook configuration is modified, deleted, or rebuilt based on the attacker\u0026rsquo;s request.\u003c/li\u003e\n\u003cli\u003eLegitimate payment processing and subscription management processes fail due to the altered webhook configuration.\u003c/li\u003e\n\u003cli\u003eThe attacker effectively disrupts the site\u0026rsquo;s ability to collect payments and manage subscriptions.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to completely disrupt a WordPress site\u0026rsquo;s payment processing and subscription management functionalities. This can result in significant financial losses due to interrupted sales and subscription renewals. Furthermore, the disruption can damage customer trust and lead to churn as users experience issues with their subscriptions. The vulnerability affects all sites using Paid Memberships Pro plugin versions up to 3.6.5.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately update the Paid Memberships Pro plugin to the latest version to patch CVE-2026-4100.\u003c/li\u003e\n\u003cli\u003eMonitor WordPress web server logs for POST requests to \u003ccode\u003e/wp-admin/admin-ajax.php\u003c/code\u003e with the \u003ccode\u003eaction\u003c/code\u003e parameter set to \u003ccode\u003epmpro_stripe_create_webhook\u003c/code\u003e, \u003ccode\u003epmpro_stripe_delete_webhook\u003c/code\u003e, or \u003ccode\u003epmpro_stripe_rebuild_webhook\u003c/code\u003e using the \u0026ldquo;Detect Suspicious PMPro Stripe Webhook AJAX Requests\u0026rdquo; Sigma rule.\u003c/li\u003e\n\u003cli\u003eReview user roles and permissions to minimize the number of users with Subscriber-level access as a temporary mitigation.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-02T12:16:16Z","date_published":"2026-05-02T12:16:16Z","id":"/briefs/2026-05-pmpro-stripe-webhook-vuln/","summary":"The Paid Memberships Pro plugin for WordPress is vulnerable to unauthorized modification of Stripe webhook configurations due to missing capability checks, allowing authenticated attackers with Subscriber-level access to disrupt payment processing.","title":"Paid Memberships Pro Plugin Vulnerability Allows Unauthorized Stripe Webhook Modification","url":"https://feed.craftedsignal.io/briefs/2026-05-pmpro-stripe-webhook-vuln/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-4062"}],"_cs_exploited":false,"_cs_products":["Geo Mashup plugin \u003c= 1.13.18"],"_cs_severities":["high"],"_cs_tags":["sqli","wordpress","plugin"],"_cs_type":"advisory","_cs_vendors":["WordPress"],"content_html":"\u003cp\u003eThe Geo Mashup plugin for WordPress, in versions up to and including 1.13.18, contains a Time-Based SQL Injection vulnerability (CVE-2026-4062). The vulnerability exists within the \u0026lsquo;object_ids\u0026rsquo; and \u0026rsquo;exclude_object_ids\u0026rsquo; parameters. Insufficient escaping of user-supplied input, specifically within the \u003ccode\u003eIN(...)\u003c/code\u003e and \u003ccode\u003eNOT IN(...)\u003c/code\u003e SQL context, coupled with inadequate preparation of the existing SQL query, allows for the injection. The \u003ccode\u003eesc_sql()\u003c/code\u003e function is applied but is rendered ineffective due to its inability to protect against parenthesis or SQL keyword injection within the unquoted \u003ccode\u003eIN(...)\u003c/code\u003e / \u003ccode\u003eNOT IN(...)\u003c/code\u003e context. A numeric-only sanitizer exists in \u003ccode\u003esanitize_query_args()\u003c/code\u003e, but this is only applied in the AJAX code path and not in the \u003ccode\u003erender-map.php\u003c/code\u003e or template tag code paths. This flaw enables unauthenticated attackers to append malicious SQL queries, facilitating the extraction of sensitive information from the WordPress database through a time-based blind SQL injection technique.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker identifies the vulnerable Geo Mashup plugin running on a WordPress site.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting an endpoint that utilizes the \u0026lsquo;object_ids\u0026rsquo; or \u0026rsquo;exclude_object_ids\u0026rsquo; parameters.\u003c/li\u003e\n\u003cli\u003eThe attacker injects a time-based SQL injection payload into the \u0026lsquo;object_ids\u0026rsquo; or \u0026rsquo;exclude_object_ids\u0026rsquo; parameter. This payload leverages SQL functions like \u003ccode\u003eSLEEP()\u003c/code\u003e or \u003ccode\u003eBENCHMARK()\u003c/code\u003e to introduce delays based on conditional SQL logic.\u003c/li\u003e\n\u003cli\u003eThe vulnerable code fails to properly sanitize the injected SQL code due to the ineffective \u003ccode\u003eesc_sql()\u003c/code\u003e function in the \u003ccode\u003eIN\u003c/code\u003e/\u003ccode\u003eNOT IN\u003c/code\u003e context.\u003c/li\u003e\n\u003cli\u003eThe injected SQL payload is appended to the existing SQL query executed by the Geo Mashup plugin.\u003c/li\u003e\n\u003cli\u003eThe database server executes the combined query, including the injected time-based SQL injection.\u003c/li\u003e\n\u003cli\u003eThe attacker monitors the response time of the HTTP request. A delayed response indicates that the injected SQL logic evaluated to true.\u003c/li\u003e\n\u003cli\u003eBy repeatedly sending requests with different SQL injection payloads, the attacker can extract sensitive information from the database one character at a time.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability can lead to the complete compromise of the WordPress database. An attacker can extract sensitive information such as user credentials, API keys, configuration details, and other confidential data. This can result in data breaches, unauthorized access to the WordPress site, and potential further attacks on connected systems. The CVSS v3.1 base score for this vulnerability is 7.5, indicating a high severity.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the Geo Mashup plugin to a version greater than 1.13.18 to remediate CVE-2026-4062.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Geo Mashup Time-Based SQL Injection Attempts\u003c/code\u003e to identify potential exploitation attempts targeting the vulnerable parameters.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious requests containing SQL injection payloads in the \u0026lsquo;object_ids\u0026rsquo; or \u0026rsquo;exclude_object_ids\u0026rsquo; parameters to detect exploitation attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-02T12:16:16Z","date_published":"2026-05-02T12:16:16Z","id":"/briefs/2026-05-geo-mashup-sqli/","summary":"The Geo Mashup WordPress plugin is vulnerable to Time-Based SQL Injection due to insufficient input sanitization, allowing unauthenticated attackers to extract sensitive database information.","title":"Geo Mashup WordPress Plugin Vulnerable to Time-Based SQL Injection (CVE-2026-4062)","url":"https://feed.craftedsignal.io/briefs/2026-05-geo-mashup-sqli/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-4061"}],"_cs_exploited":false,"_cs_products":["Geo Mashup plugin"],"_cs_severities":["high"],"_cs_tags":["sql-injection","wordpress","plugin"],"_cs_type":"advisory","_cs_vendors":["WordPress"],"content_html":"\u003cp\u003eThe Geo Mashup plugin for WordPress is vulnerable to time-based SQL injection, as detailed in CVE-2026-4061. This vulnerability affects all versions of the plugin up to and including 1.13.18. The root cause lies in the \u003ccode\u003eSearchResults\u003c/code\u003e hook, where the \u003ccode\u003emap_post_type\u003c/code\u003e parameter is mishandled. Specifically, the code first calls \u003ccode\u003estripslashes_deep($_POST)\u003c/code\u003e, effectively removing WordPress\u0026rsquo;s magic quotes protection. Subsequently, the unsanitized \u003ccode\u003emap_post_type\u003c/code\u003e value is directly concatenated into an \u003ccode\u003eIN(...)\u003c/code\u003e clause without proper escaping using \u003ccode\u003eesc_sql()\u003c/code\u003e or \u003ccode\u003e$wpdb-\u0026gt;prepare()\u003c/code\u003e. While the \u0026lsquo;any\u0026rsquo; branch of the code correctly applies \u003ccode\u003earray_map('esc_sql', ...)\u003c/code\u003e, the alternative branch lacks this crucial sanitization step. Successful exploitation requires the Geo Search feature to be enabled in the plugin\u0026rsquo;s settings. This vulnerability allows unauthenticated attackers to inject malicious SQL queries, potentially leading to the extraction of sensitive database information through time-based blind techniques.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a WordPress site using a vulnerable version of the Geo Mashup plugin (\u0026lt;= 1.13.18) with the Geo Search feature enabled.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP POST request targeting the \u003ccode\u003eSearchResults\u003c/code\u003e hook with a specially crafted \u003ccode\u003emap_post_type\u003c/code\u003e parameter containing SQL injection payload.\u003c/li\u003e\n\u003cli\u003eThe vulnerable code within the Geo Mashup plugin processes the POST request, removing magic quotes using \u003ccode\u003estripslashes_deep($_POST)\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe unsanitized \u003ccode\u003emap_post_type\u003c/code\u003e value is then concatenated directly into an SQL query within an \u003ccode\u003eIN(...)\u003c/code\u003e clause without proper escaping.\u003c/li\u003e\n\u003cli\u003eThe injected SQL code executes within the database query, allowing the attacker to manipulate the query\u0026rsquo;s behavior.\u003c/li\u003e\n\u003cli\u003eThe attacker uses time-based SQL injection techniques (e.g., \u003ccode\u003eIF(condition, SLEEP(5), 0)\u003c/code\u003e) within the injected payload to infer information based on the response time.\u003c/li\u003e\n\u003cli\u003eBy repeatedly sending modified requests and observing the response times, the attacker can extract sensitive data, character by character, from the database.\u003c/li\u003e\n\u003cli\u003eThe attacker extracts sensitive information such as usernames, passwords, API keys, or other confidential data stored in the WordPress database.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows unauthenticated attackers to extract sensitive information from the WordPress database. The severity of the impact depends on the sensitivity of the data stored in the database, but could include exposure of user credentials, confidential business data, or other sensitive information. Because it affects any installation with the Geo Search feature enabled, a large number of websites using the Geo Mashup plugin may be vulnerable. The CVSS v3.1 base score is 7.5, indicating a high severity vulnerability.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the Geo Mashup plugin to the latest version (later than 1.13.18) to patch CVE-2026-4061.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule to detect potential exploitation attempts targeting the vulnerable \u003ccode\u003eSearchResults\u003c/code\u003e hook using a malicious \u003ccode\u003emap_post_type\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eReview web server logs for suspicious POST requests to \u003ccode\u003e/wp-admin/admin-ajax.php\u003c/code\u003e (common AJAX endpoint in WordPress) containing potentially malicious SQL injection payloads in the \u003ccode\u003emap_post_type\u003c/code\u003e parameter.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-02T12:16:16Z","date_published":"2026-05-02T12:16:16Z","id":"/briefs/2026-05-geo-mashup-sql-injection/","summary":"A time-based SQL injection vulnerability (CVE-2026-4061) exists in the Geo Mashup WordPress plugin (\u003c= 1.13.18) due to insufficient sanitization of the 'map_post_type' parameter, enabling unauthenticated attackers to extract sensitive information via time-based blind SQL injection if the Geo Search feature is enabled.","title":"Geo Mashup WordPress Plugin Vulnerable to Time-Based SQL Injection (CVE-2026-4061)","url":"https://feed.craftedsignal.io/briefs/2026-05-geo-mashup-sql-injection/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-2052"}],"_cs_exploited":false,"_cs_products":["The Widget Options – Advanced Conditional Visibility for Gutenberg Blocks \u0026 Classic Widgets plugin \u003c= 4.2.2"],"_cs_severities":["critical"],"_cs_tags":["wordpress","rce","plugin"],"_cs_type":"advisory","_cs_vendors":["WordPress"],"content_html":"\u003cp\u003eThe Widget Options – Advanced Conditional Visibility for Gutenberg Blocks \u0026amp; Classic Widgets plugin, versions 4.2.2 and earlier, contains a Remote Code Execution (RCE) vulnerability (CVE-2026-2052). This flaw stems from the plugin\u0026rsquo;s Display Logic feature, which utilizes the \u003ccode\u003eeval()\u003c/code\u003e function to process user-supplied expressions. The plugin\u0026rsquo;s implemented blocklist/allowlist is insufficient, making it bypassable through techniques involving \u003ccode\u003earray_map\u003c/code\u003e with string concatenation. Furthermore, the plugin lacks proper authorization enforcement on the \u003ccode\u003eextended_widget_opts_block\u003c/code\u003e attribute. This vulnerability allows authenticated attackers with Contributor-level access or higher to inject and execute arbitrary code on the underlying server. The vendor partially addressed this vulnerability in version 4.2.0.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker authenticates to the WordPress application as a Contributor or higher-level user.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to the Widget Options settings within the WordPress admin panel.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious Display Logic expression designed to execute arbitrary PHP code. This involves bypassing the blocklist/allowlist using techniques such as \u003ccode\u003earray_map\u003c/code\u003e and string concatenation.\u003c/li\u003e\n\u003cli\u003eThe attacker injects the malicious Display Logic expression into the \u003ccode\u003eextended_widget_opts_block\u003c/code\u003e attribute.\u003c/li\u003e\n\u003cli\u003eThe WordPress application processes the widget options, including the malicious Display Logic expression. Due to the lack of proper sanitization and authorization, the \u003ccode\u003eeval()\u003c/code\u003e function executes the attacker-supplied PHP code.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s code executes with the permissions of the web server user, potentially allowing the attacker to read or write files, execute system commands, or compromise the entire server.\u003c/li\u003e\n\u003cli\u003eThe attacker may establish persistence by writing a backdoor to a file on the server or by creating a new administrator account.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-2052 allows an attacker to execute arbitrary code on the WordPress server. This can lead to complete compromise of the website, including data theft, defacement, and the installation of malware. Since the vulnerability requires Contributor access or higher, the impact is significant if such accounts are compromised through other means (e.g., phishing, credential stuffing). The lack of proper input sanitization and authorization makes this a critical vulnerability.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the \u0026ldquo;The Widget Options – Advanced Conditional Visibility for Gutenberg Blocks \u0026amp; Classic Widgets\u0026rdquo; plugin to the latest version to patch CVE-2026-2052.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect WordPress Widget Options RCE Attempt\u0026rdquo; to your SIEM to detect exploitation attempts.\u003c/li\u003e\n\u003cli\u003eReview user roles and permissions to minimize the number of users with Contributor or higher-level access.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for unusual activity, particularly requests to \u003ccode\u003e/wp-admin/options.php\u003c/code\u003e related to widget options.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-02T08:16:27Z","date_published":"2026-05-02T08:16:27Z","id":"/briefs/2026-05-wordpress-widget-rce/","summary":"The Widget Options plugin for WordPress is vulnerable to Remote Code Execution (CVE-2026-2052) due to insufficient input sanitization in the Display Logic feature, allowing authenticated attackers with Contributor-level access and above to execute arbitrary code on the server.","title":"WordPress Widget Options Plugin Remote Code Execution Vulnerability (CVE-2026-2052)","url":"https://feed.craftedsignal.io/briefs/2026-05-wordpress-widget-rce/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.2,"id":"CVE-2026-7049"}],"_cs_exploited":false,"_cs_products":["PixelYourSite Pro – Your smart PIXEL (TAG) Manager plugin for WordPress \u003c= 12.5.0.1"],"_cs_severities":["high"],"_cs_tags":["ssrf","wordpress","plugin"],"_cs_type":"threat","_cs_vendors":["WordPress"],"content_html":"\u003cp\u003eCVE-2026-7049 is a server-side request forgery (SSRF) vulnerability found in the PixelYourSite Pro WordPress plugin. Specifically, all versions up to and including 12.5.0.1 are affected. This vulnerability allows unauthenticated attackers to send requests to arbitrary internal or external resources, as viewed from the web server. Although the fetched response bodies are not directly returned to the attacker (making it a blind SSRF), the application parses these responses internally, creating opportunities for reconnaissance and potentially for exploiting vulnerable internal services. Successful exploitation could expose sensitive information or allow unauthorized modification of internal systems.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker identifies the \u003ccode\u003escan_video\u003c/code\u003e parameter as an SSRF entry point.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting the WordPress server with the vulnerable PixelYourSite Pro plugin. The request includes the \u003ccode\u003escan_video\u003c/code\u003e parameter set to a URL pointing to an internal resource (e.g., internal IP address or hostname).\u003c/li\u003e\n\u003cli\u003eThe WordPress server receives the malicious request.\u003c/li\u003e\n\u003cli\u003eThe PixelYourSite Pro plugin processes the request and initiates an HTTP request to the URL specified in the \u003ccode\u003escan_video\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eThe WordPress server makes a request to the internal resource.\u003c/li\u003e\n\u003cli\u003eThe response from the internal resource is received by the WordPress server.\u003c/li\u003e\n\u003cli\u003eThe PixelYourSite Pro plugin parses the response body, potentially revealing information about the internal service.\u003c/li\u003e\n\u003cli\u003eDepending on the targeted internal service and the attacker\u0026rsquo;s crafted request, the attacker might be able to modify information or execute commands on the internal service, even though the response is not directly returned to the attacker.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-7049 allows an unauthenticated attacker to perform reconnaissance of internal network resources. The blind nature of the SSRF limits the attacker\u0026rsquo;s immediate visibility into the response, but internal parsing of the response allows for potential information disclosure and exploitation of vulnerable internal services. The scope of the impact depends heavily on the configuration of the internal network and the services exposed.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the PixelYourSite Pro plugin to a version greater than 12.5.0.1 to patch CVE-2026-7049.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Suspicious PixelYourSite Pro SSRF Attempts\u003c/code\u003e to monitor for exploitation attempts targeting the \u003ccode\u003escan_video\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eReview and restrict internal network access to sensitive services to mitigate the potential impact of SSRF vulnerabilities.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-02T06:16:04Z","date_published":"2026-05-02T06:16:04Z","id":"/briefs/2026-05-pys-ssrf/","summary":"The PixelYourSite Pro WordPress plugin is vulnerable to server-side request forgery (SSRF), allowing unauthenticated attackers to make arbitrary web requests from the server, potentially querying or modifying internal services.","title":"PixelYourSite Pro WordPress Plugin SSRF Vulnerability (CVE-2026-7049)","url":"https://feed.craftedsignal.io/briefs/2026-05-pys-ssrf/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.2,"id":"CVE-2026-5113"}],"_cs_exploited":false,"_cs_products":["Gravity Forms plugin \u003c= 2.10.0"],"_cs_severities":["medium"],"_cs_tags":["xss","wordpress","gravityforms","cve-2026-5113","stored-xss"],"_cs_type":"advisory","_cs_vendors":["WordPress"],"content_html":"\u003cp\u003eThe Gravity Forms plugin for WordPress, a popular form builder, contains a stored cross-site scripting (XSS) vulnerability identified as CVE-2026-5113. This flaw affects versions up to and including 2.10.0. The vulnerability stems from a flawed state validation mechanism combined with insufficient output escaping within the Consent field\u0026rsquo;s hidden inputs. An unauthenticated attacker can exploit this by injecting malicious JavaScript code into form entries. This malicious code is then executed when an authenticated administrator accesses the Entries List page within the WordPress administration panel, potentially leading to account compromise or other malicious actions performed within the administrator\u0026rsquo;s session. Successful exploitation allows attackers to execute arbitrary web scripts in the context of an administrator\u0026rsquo;s browser.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker crafts a malicious payload containing XSS code within a Gravity Forms Consent field. The payload leverages HTML tags like \u003ccode\u003e\u0026lt;svg\u0026gt;\u003c/code\u003e that \u003ccode\u003ewp_kses()\u003c/code\u003e will strip.\u003c/li\u003e\n\u003cli\u003eThe attacker submits the crafted form entry to the WordPress site.\u003c/li\u003e\n\u003cli\u003eThe Gravity Forms plugin\u0026rsquo;s state validation mechanism calculates two hashes: one for the raw input and another after sanitization via \u003ccode\u003ewp_kses()\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eDue to the nature of the XSS payload, the \u003ccode\u003ewp_kses()\u003c/code\u003e function strips the \u003ccode\u003e\u0026lt;svg\u0026gt;\u003c/code\u003e tag, resulting in a matching hash for the sanitized input.\u003c/li\u003e\n\u003cli\u003eThe flawed validation logic fails to detect the malicious intent because at least one hash matches the original state, allowing the malicious raw value (containing the XSS payload) to be stored in the database.\u003c/li\u003e\n\u003cli\u003eAn authenticated administrator logs into the WordPress administration panel.\u003c/li\u003e\n\u003cli\u003eThe administrator navigates to the Entries List page for the affected Gravity Form.\u003c/li\u003e\n\u003cli\u003eThe stored malicious consent label is retrieved from the database and output without proper escaping, causing the XSS payload to execute within the administrator\u0026rsquo;s browser session.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-5113 allows unauthenticated attackers to execute arbitrary web scripts within the context of an authenticated administrator\u0026rsquo;s browser session. This can lead to a variety of malicious outcomes, including account compromise, data theft, modification of website content, or further propagation of the attack to other administrative users. The severity of the impact depends on the privileges held by the compromised administrator account.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the Gravity Forms plugin to the latest version, which includes a fix for CVE-2026-5113.\u003c/li\u003e\n\u003cli\u003eImplement a Web Application Firewall (WAF) rule to filter out requests containing potentially malicious XSS payloads targeting the Gravity Forms Consent field.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious activity related to form submissions containing encoded or obfuscated JavaScript code. Analyze HTTP request parameters for unusual characters or patterns indicative of XSS attempts.\u003c/li\u003e\n\u003cli\u003eEnable output escaping on form entries to prevent stored XSS attacks.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-02T06:16:04Z","date_published":"2026-05-02T06:16:04Z","id":"/briefs/2026-05-gravityforms-xss/","summary":"The Gravity Forms plugin for WordPress is vulnerable to stored cross-site scripting (XSS) via Consent field hidden inputs, allowing unauthenticated attackers to inject arbitrary web scripts that execute when an administrator views the entries list page.","title":"Gravity Forms Plugin Stored XSS Vulnerability (CVE-2026-5113)","url":"https://feed.craftedsignal.io/briefs/2026-05-gravityforms-xss/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-6963"}],"_cs_exploited":false,"_cs_products":["WP Mail Gateway plugin"],"_cs_severities":["high"],"_cs_tags":["wordpress","privilege-escalation","plugin-vulnerability"],"_cs_type":"advisory","_cs_vendors":["WordPress"],"content_html":"\u003cp\u003eThe WP Mail Gateway plugin, a WordPress extension, contains a vulnerability (CVE-2026-6963) that allows authenticated users with minimal privileges (Subscriber level or higher) to gain administrative access. The flaw resides in the \u003ccode\u003ewmg_save_provider_config\u003c/code\u003e AJAX action, which lacks proper authorization checks. This omission enables attackers to manipulate SMTP settings, redirect outgoing emails, and ultimately trigger password reset emails intended for administrators. The vulnerability affects all versions of the WP Mail Gateway plugin up to and including version 1.8. Successful exploitation grants attackers complete control over the WordPress site, making it a critical security concern for any organization using the vulnerable plugin.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker logs into a WordPress site with a Subscriber-level account or higher.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious AJAX request targeting the \u003ccode\u003ewmg_save_provider_config\u003c/code\u003e action.\u003c/li\u003e\n\u003cli\u003eThis request modifies the SMTP settings, redirecting outgoing emails to an attacker-controlled server.\u003c/li\u003e\n\u003cli\u003eThe attacker initiates a password reset request for an administrator account.\u003c/li\u003e\n\u003cli\u003eThe password reset email is intercepted by the attacker\u0026rsquo;s server.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the password reset link to gain access to the administrator\u0026rsquo;s account.\u003c/li\u003e\n\u003cli\u003eThe attacker logs into the WordPress dashboard with administrator privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker can now perform any administrative action, including installing malicious plugins, modifying site content, or creating new administrator accounts.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-6963 allows an attacker to completely compromise a WordPress website.  Even low-privileged users can elevate their access to administrator, giving them full control over the site.  This can lead to data breaches, website defacement, malware deployment, and other malicious activities. The vulnerability affects all installations of the WP Mail Gateway plugin up to version 1.8, potentially impacting thousands of WordPress sites.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the WP Mail Gateway plugin to a version beyond 1.8 to patch CVE-2026-6963.\u003c/li\u003e\n\u003cli\u003eMonitor WordPress logs for suspicious AJAX requests targeting the \u003ccode\u003ewmg_save_provider_config\u003c/code\u003e action using the Sigma rule provided below. Enable webserver logging to capture HTTP POST requests.\u003c/li\u003e\n\u003cli\u003eImplement the provided Sigma rule to detect modifications to WordPress options related to SMTP configuration. Enable relevant logging for registry modifications.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-02T05:16:01Z","date_published":"2026-05-02T05:16:01Z","id":"/briefs/2026-05-wp-mail-gateway-privesc/","summary":"The WP Mail Gateway plugin for WordPress is vulnerable to unauthorized access due to a missing capability check, allowing authenticated attackers to modify SMTP settings and escalate privileges.","title":"WP Mail Gateway Plugin Vulnerability Leads to Privilege Escalation","url":"https://feed.craftedsignal.io/briefs/2026-05-wp-mail-gateway-privesc/"},{"_cs_actors":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2026-7458"}],"_cs_exploited":false,"_cs_products":["User Verification by PickPlugins plugin for WordPress \u003c= 2.0.46"],"_cs_severities":["critical"],"_cs_tags":["wordpress","authentication bypass","cve-2026-7458"],"_cs_type":"threat","_cs_vendors":["PickPlugins"],"content_html":"\u003cp\u003eThe User Verification by PickPlugins plugin, a popular WordPress plugin, contains a critical authentication bypass vulnerability (CVE-2026-7458) affecting all versions up to and including 2.0.46. The flaw resides within the \u003ccode\u003euser_verification_form_wrap_process_otpLogin\u003c/code\u003e function, where a loose PHP comparison operator is used to validate OTP codes. This weakness allows unauthenticated attackers to bypass the OTP verification process and log in as any user with a verified email address, potentially gaining administrative access. Successful exploitation requires the attacker to submit the string \u0026ldquo;true\u0026rdquo; as the OTP value. This vulnerability poses a significant risk to WordPress sites using the affected plugin, potentially leading to complete site compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker identifies a WordPress site using a vulnerable version of the User Verification by PickPlugins plugin (\u0026lt;= 2.0.46).\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to the OTP login form provided by the plugin.\u003c/li\u003e\n\u003cli\u003eThe attacker enters the email address of a target user, such as an administrator.\u003c/li\u003e\n\u003cli\u003eThe attacker intercepts the OTP request and instead of a numerical code, submits the string \u0026ldquo;true\u0026rdquo; as the OTP value.\u003c/li\u003e\n\u003cli\u003eThe vulnerable \u003ccode\u003euser_verification_form_wrap_process_otpLogin\u003c/code\u003e function processes the submitted OTP. Due to the loose PHP comparison (e.g., \u003ccode\u003e==\u003c/code\u003e instead of \u003ccode\u003e===\u003c/code\u003e), the string \u0026ldquo;true\u0026rdquo; evaluates to \u003ccode\u003etrue\u003c/code\u003e, bypassing the intended OTP validation.\u003c/li\u003e\n\u003cli\u003eThe plugin incorrectly authenticates the attacker as the targeted user.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to the targeted user\u0026rsquo;s account, potentially gaining administrative privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker can now perform actions such as modifying website content, installing malicious plugins, or exfiltrating sensitive data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-7458 allows unauthenticated attackers to bypass the OTP verification mechanism and gain unauthorized access to any user account with a verified email address on a vulnerable WordPress site. This can lead to complete compromise of the affected WordPress site, enabling attackers to modify content, inject malicious code, steal sensitive data, or use the site for malicious purposes. Given the plugin\u0026rsquo;s popularity, this vulnerability could impact a large number of WordPress websites.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the User Verification by PickPlugins plugin to the latest version (greater than 2.0.46) to patch CVE-2026-7458.\u003c/li\u003e\n\u003cli\u003eMonitor WordPress access logs for unusual login attempts or the presence of \u0026ldquo;true\u0026rdquo; as OTP values to identify potential exploitation attempts. Deploy the \u003ccode\u003eDetect Successful Authentication Bypass via True OTP\u003c/code\u003e Sigma rule.\u003c/li\u003e\n\u003cli\u003eImplement stricter input validation and sanitization for OTP codes to prevent similar bypass vulnerabilities.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-02T05:16:01Z","date_published":"2026-05-02T05:16:01Z","id":"/briefs/2026-05-wordpress-auth-bypass/","summary":"The User Verification by PickPlugins plugin for WordPress is vulnerable to authentication bypass in versions up to 2.0.46 due to a loose PHP comparison, allowing unauthenticated attackers to log in as any verified user by submitting a 'true' OTP value.","title":"WordPress User Verification Plugin Authentication Bypass Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-05-wordpress-auth-bypass/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-7641"}],"_cs_exploited":false,"_cs_products":["Import and export users and customers plugin"],"_cs_severities":["high"],"_cs_tags":["privilege-escalation","wordpress","cloud"],"_cs_type":"advisory","_cs_vendors":["WordPress"],"content_html":"\u003cp\u003eThe Import and export users and customers plugin for WordPress, a plugin used to manage user data, is vulnerable to privilege escalation. This vulnerability, identified as CVE-2026-7641, affects all versions of the plugin up to and including 2.0.8. The vulnerability stems from an incomplete blocklist in the \u003ccode\u003esave_extra_user_profile_fields()\u003c/code\u003e function. This function fails to adequately filter meta keys for subsites within a WordPress Multisite network, allowing attackers to manipulate user roles. Successful exploitation allows authenticated attackers with Subscriber-level access or higher to escalate their privileges to Administrator on any subsite within the Multisite network. Exploitation requires the targeted WordPress instance to be part of a Multisite network and have specific settings enabled.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn administrator imports a CSV file containing multisite-prefixed capability column headers (e.g., \u003ccode\u003ewp_2_capabilities\u003c/code\u003e) using the affected plugin.\u003c/li\u003e\n\u003cli\u003eThe administrator enables the \u0026ldquo;Show fields in profile?\u0026rdquo; option within the plugin settings. This action stores the imported column headers (including the multisite capabilities) in the \u003ccode\u003eacui_columns\u003c/code\u003e option.\u003c/li\u003e\n\u003cli\u003eA low-privileged user (e.g., Subscriber) authenticates to the WordPress subsite.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to their user profile page (\u003ccode\u003e/wp-admin/profile.php\u003c/code\u003e). The plugin displays the previously imported multisite capability fields as editable options on the profile page.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a profile update request, setting the value of the \u003ccode\u003ewp_{subsite_id}_capabilities\u003c/code\u003e meta key to \u003ccode\u003ea:1:{s:13:\u0026quot;administrator\u0026quot;;b:1;}\u003c/code\u003e which grants administrator privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker submits the crafted profile update to \u003ccode\u003e/wp-admin/profile.php\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003esave_extra_user_profile_fields()\u003c/code\u003e function processes the update. Due to the incomplete blocklist, the function fails to prevent the modification of the \u003ccode\u003ewp_{subsite_id}_capabilities\u003c/code\u003e meta key.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eupdate_user_meta()\u003c/code\u003e function writes the attacker-controlled value directly to the user\u0026rsquo;s metadata, granting them Administrator privileges on the specified subsite.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-7641 allows an attacker to gain complete control over a WordPress subsite within a Multisite network. This can lead to unauthorized access to sensitive data, modification of website content, installation of malicious plugins or themes, and potential compromise of the entire Multisite network. Given the widespread use of WordPress and the Import and export users and customers plugin, a successful attack can have significant repercussions for affected organizations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the Import and export users and customers plugin to the latest version to patch CVE-2026-7641.\u003c/li\u003e\n\u003cli\u003eApply the Sigma rule \u003ccode\u003eWordPress Multisite Privilege Escalation via Profile Update\u003c/code\u003e to detect exploitation attempts against \u003ccode\u003e/wp-admin/profile.php\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eReview the \u003ccode\u003eacui_columns\u003c/code\u003e option in the WordPress database to identify any instances where multisite-prefixed capability column headers have been imported, and remove those fields.\u003c/li\u003e\n\u003cli\u003eMonitor WordPress user profile updates for unusual modifications to user capabilities using the \u003ccode\u003eWordPress User Role Change Detection\u003c/code\u003e rule.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-02T05:16:01Z","date_published":"2026-05-02T05:16:01Z","id":"/briefs/2026-05-wordpress-privesc/","summary":"A privilege escalation vulnerability exists in the Import and export users and customers plugin for WordPress (versions \u003c= 2.0.8) due to an incomplete blocklist allowing authenticated users to gain administrator privileges on subsites within a Multisite network.","title":"WordPress Import and Export Users Plugin Privilege Escalation Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-05-wordpress-privesc/"},{"_cs_actors":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2026-4882"}],"_cs_exploited":false,"_cs_products":["User Registration Advanced Fields plugin \u003c= 1.6.20"],"_cs_severities":["critical"],"_cs_tags":["wordpress","file-upload","rce"],"_cs_type":"advisory","_cs_vendors":["WordPress"],"content_html":"\u003cp\u003eThe User Registration Advanced Fields plugin for WordPress, specifically versions up to and including 1.6.20, contains an arbitrary file upload vulnerability (CVE-2026-4882) due to insufficient file type validation in the \u003ccode\u003eURAF_AJAX::method_upload\u003c/code\u003e function. This flaw enables unauthenticated attackers to upload any file type to the affected server, which can lead to remote code execution if the uploaded file is strategically placed and executed. The vulnerability is exploitable only if a \u0026ldquo;Profile Picture\u0026rdquo; field is active within the registration form. This poses a significant threat to websites using the plugin, as attackers can potentially gain full control of the server.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker identifies a WordPress site using the vulnerable User Registration Advanced Fields plugin (\u0026lt;= 1.6.20) with the \u0026ldquo;Profile Picture\u0026rdquo; field enabled.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request to the \u003ccode\u003eURAF_AJAX::method_upload\u003c/code\u003e function, bypassing any client-side file type checks.\u003c/li\u003e\n\u003cli\u003eThe attacker uploads a web shell (e.g., a PHP file) disguised as a legitimate file type or without any extension to evade basic detection mechanisms.\u003c/li\u003e\n\u003cli\u003eThe vulnerable plugin saves the file to the WordPress uploads directory without proper validation.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies the exact file path of the uploaded web shell on the server.\u003c/li\u003e\n\u003cli\u003eThe attacker sends another HTTP request directly to the uploaded web shell.\u003c/li\u003e\n\u003cli\u003eThe web shell executes on the server, providing the attacker with remote code execution capabilities.\u003c/li\u003e\n\u003cli\u003eThe attacker can then leverage the web shell to perform various malicious activities, such as installing malware, defacing the website, or exfiltrating sensitive data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability (CVE-2026-4882) allows unauthenticated attackers to upload arbitrary files to a vulnerable WordPress website, potentially leading to remote code execution. This can result in complete compromise of the affected website, including data theft, website defacement, and malware infections. The CVSS v3.1 base score for this vulnerability is 9.8, indicating a critical severity level. The impact includes potential damage to reputation, financial losses, and legal liabilities.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the User Registration Advanced Fields plugin to the latest version (greater than 1.6.20) to patch CVE-2026-4882.\u003c/li\u003e\n\u003cli\u003eImplement file type validation on the server-side, restricting allowed file extensions for profile picture uploads.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious file upload activity targeting the \u003ccode\u003eURAF_AJAX::method_upload\u003c/code\u003e function to detect potential exploitation attempts. Deploy the Sigma rule \u003ccode\u003eDetect Suspicious WordPress File Uploads\u003c/code\u003e to your SIEM.\u003c/li\u003e\n\u003cli\u003eImplement strict file permission policies to prevent uploaded files from being executed as scripts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-02T05:16:00Z","date_published":"2026-05-02T05:16:00Z","id":"/briefs/2026-05-wordpress-upload/","summary":"The User Registration Advanced Fields plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation, allowing unauthenticated attackers to upload arbitrary files leading to potential remote code execution.","title":"WordPress User Registration Advanced Fields Plugin Arbitrary File Upload Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-05-wordpress-upload/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-3772"}],"_cs_exploited":false,"_cs_products":["WP Editor plugin \u003c= 1.2.9.2"],"_cs_severities":["high"],"_cs_tags":["csrf","wordpress","plugin","vulnerability"],"_cs_type":"advisory","_cs_vendors":["WordPress"],"content_html":"\u003cp\u003eThe WP Editor plugin, a WordPress plugin, contains a Cross-Site Request Forgery (CSRF) vulnerability affecting versions up to and including 1.2.9.2. This vulnerability stems from a lack of nonce verification in the \u0026lsquo;add_plugins_page\u0026rsquo; and \u0026lsquo;add_themes_page\u0026rsquo; functions. An unauthenticated attacker can exploit this vulnerability by crafting a malicious request designed to overwrite arbitrary plugin and theme PHP files with attacker-controlled code. The success of this attack hinges on the attacker\u0026rsquo;s ability to deceive a site administrator into triggering the forged request, typically by clicking a specially crafted link. This flaw allows for potential arbitrary code execution on the targeted WordPress site.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable WordPress site running a WP Editor plugin version \u0026lt;= 1.2.9.2.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting the \u0026lsquo;add_plugins_page\u0026rsquo; or \u0026lsquo;add_themes_page\u0026rsquo; functions. This request includes parameters designed to overwrite a specific plugin or theme PHP file with attacker-supplied code.\u003c/li\u003e\n\u003cli\u003eThe attacker social engineers a WordPress administrator into clicking a malicious link or visiting a compromised website containing the forged request. This could be achieved via phishing emails or other deceptive techniques.\u003c/li\u003e\n\u003cli\u003eIf the administrator is logged into the WordPress dashboard, their browser automatically sends the forged request to the vulnerable WordPress site.\u003c/li\u003e\n\u003cli\u003eDue to the missing nonce verification, the WordPress site processes the request without validating its origin.\u003c/li\u003e\n\u003cli\u003eThe target plugin or theme PHP file is overwritten with the attacker\u0026rsquo;s malicious code.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s code is executed when the plugin or theme is loaded or accessed.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves arbitrary code execution on the WordPress server, potentially leading to complete site compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this CSRF vulnerability allows an unauthenticated attacker to inject arbitrary PHP code into a WordPress website. This can lead to a full compromise of the website, including data theft, defacement, or the installation of backdoors for persistent access. Given the widespread use of WordPress and the WP Editor plugin, a large number of websites are potentially at risk. Successful attacks can result in significant reputational damage and financial losses for affected website owners.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the WP Editor plugin to the latest available version, which includes a fix for CVE-2026-3772.\u003c/li\u003e\n\u003cli\u003eImplement strong CSRF protection measures on all WordPress forms and administrative functions.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule to detect attempts to exploit this vulnerability through suspicious requests to the \u003ccode\u003eadd_plugins_page\u003c/code\u003e or \u003ccode\u003eadd_themes_page\u003c/code\u003e endpoints.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-01T12:16:16Z","date_published":"2026-05-01T12:16:16Z","id":"/briefs/2024-01-wp-editor-csrf/","summary":"The WP Editor plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in versions up to 1.2.9.2, allowing unauthenticated attackers to overwrite arbitrary plugin and theme PHP files with malicious code by tricking a site administrator into clicking a link.","title":"WP Editor Plugin CSRF Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-wp-editor-csrf/"},{"_cs_actors":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2026-7567"}],"_cs_exploited":false,"_cs_products":["Temporary Login plugin"],"_cs_severities":["critical"],"_cs_tags":["authentication bypass","wordpress","plugin vulnerability","cve-2026-7567","cloud"],"_cs_type":"advisory","_cs_vendors":["WordPress"],"content_html":"\u003cp\u003eCVE-2026-7567 is an authentication bypass vulnerability that affects the Temporary Login plugin for WordPress, specifically versions up to and including 1.0.0. The vulnerability stems from a failure to properly validate the \u0026rsquo;temp-login-token\u0026rsquo; GET parameter within the \u003ccode\u003emaybe_login_temporary_user()\u003c/code\u003e function. By supplying an array as the value for this parameter, attackers can circumvent the intended \u003ccode\u003eempty()\u003c/code\u003e check. This leads to the \u003ccode\u003esanitize_key()\u003c/code\u003e function returning an empty string, which is then used in a database query to fetch users. WordPress ignores empty \u003ccode\u003emeta_value\u003c/code\u003e parameters, causing the query to return all users with the \u003ccode\u003e_temporary_login_token\u003c/code\u003e meta key. Consequently, an unauthenticated attacker can effectively authenticate as any user with an active temporary login session by sending a single, maliciously crafted GET request. This poses a severe risk to website security, as it allows unauthorized access to user accounts and potentially sensitive data.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker identifies a WordPress site using the vulnerable Temporary Login plugin (version \u0026lt;= 1.0.0).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious GET request targeting the WordPress site\u0026rsquo;s login endpoint, including the \u0026rsquo;temp-login-token\u0026rsquo; parameter as an array (e.g., \u003ccode\u003etemp-login-token[]=\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe web server receives the GET request.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003emaybe_login_temporary_user()\u003c/code\u003e function processes the request.\u003c/li\u003e\n\u003cli\u003eDue to improper input validation, the \u003ccode\u003eempty()\u003c/code\u003e check is bypassed when the \u0026rsquo;temp-login-token\u0026rsquo; parameter is an array.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003esanitize_key()\u003c/code\u003e processes the array and returns an empty string as the meta_value.\u003c/li\u003e\n\u003cli\u003eWordPress executes a database query using the empty meta_value, effectively retrieving all users with active temporary login tokens.\u003c/li\u003e\n\u003cli\u003eThe attacker is granted unauthorized access to the account of a targeted temporary user, bypassing normal authentication procedures.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-7567 allows unauthenticated attackers to bypass login restrictions and gain unauthorized access to WordPress user accounts utilizing the vulnerable Temporary Login plugin. The severity is high, as it allows complete compromise of user accounts without requiring any valid credentials. The impact includes potential data theft, account takeover, website defacement, and other malicious activities, depending on the privileges of the compromised user account.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the available patch or upgrade the Temporary Login plugin to a version greater than 1.0.0 to remediate CVE-2026-7567.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect WordPress Temporary Login Authentication Bypass Attempt\u003c/code\u003e to detect exploitation attempts by monitoring HTTP requests with array-based \u003ccode\u003etemp-login-token\u003c/code\u003e parameters in the query string.\u003c/li\u003e\n\u003cli\u003eImplement input validation on the web server to reject requests containing array-based parameters where scalar strings are expected.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-01T10:15:58Z","date_published":"2026-05-01T10:15:58Z","id":"/briefs/2024-01-wordpress-temp-login-auth-bypass/","summary":"The Temporary Login plugin for WordPress versions up to 1.0.0 is vulnerable to authentication bypass due to improper input validation, allowing unauthenticated attackers to log in as arbitrary temporary users by sending a specially crafted GET request.","title":"WordPress Temporary Login Plugin Authentication Bypass (CVE-2026-7567)","url":"https://feed.craftedsignal.io/briefs/2024-01-wordpress-temp-login-auth-bypass/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2018-25308"}],"_cs_exploited":false,"_cs_products":["BuddyPress Xprofile Custom Fields Type"],"_cs_severities":["high"],"_cs_tags":["rce","file-deletion","wordpress"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eBuddyPress Xprofile Custom Fields Type 2.6.3 is vulnerable to a remote code execution vulnerability, identified as CVE-2018-25308. This flaw enables authenticated users to execute arbitrary code on the server by deleting arbitrary files. The attack involves manipulating unescaped POST parameters, specifically \u003ccode\u003efield_hiddenfile\u003c/code\u003e and \u003ccode\u003efield_deleteimg\u003c/code\u003e, during profile editing actions. Successful exploitation allows attackers to unlink files from the server, potentially disrupting services or gaining unauthorized access. This vulnerability was published on 2026-04-29 and poses a significant threat to BuddyPress installations that have not applied the necessary patches.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker authenticates to a BuddyPress site running the vulnerable Xprofile Custom Fields Type 2.6.3 plugin.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to their profile editing page.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP POST request to the profile update endpoint.\u003c/li\u003e\n\u003cli\u003eWithin the POST request, the \u003ccode\u003efield_hiddenfile\u003c/code\u003e and \u003ccode\u003efield_deleteimg\u003c/code\u003e parameters are manipulated to point to arbitrary files on the server.\u003c/li\u003e\n\u003cli\u003eThe server-side script processes the crafted POST request without proper sanitization or validation of the file paths.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eunlink()\u003c/code\u003e function or an equivalent file deletion function is called with the attacker-controlled file paths.\u003c/li\u003e\n\u003cli\u003eThe targeted files are deleted from the server file system.\u003c/li\u003e\n\u003cli\u003eThe attacker can potentially delete critical system files or web application files, leading to remote code execution or denial of service.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2018-25308 allows authenticated attackers to delete arbitrary files on the server. This can lead to a denial-of-service condition if critical system files are removed. The vulnerability can also potentially lead to remote code execution if the attacker is able to delete and replace executable files or inject malicious code into configuration files. While the number of victims is unknown, all BuddyPress installations using the vulnerable plugin are susceptible.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply any available patches or updates for BuddyPress Xprofile Custom Fields Type to address CVE-2018-25308.\u003c/li\u003e\n\u003cli\u003eImplement input validation and sanitization on the server-side to prevent manipulation of file paths in POST parameters.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious POST requests targeting the profile update endpoint with unusual \u003ccode\u003efield_hiddenfile\u003c/code\u003e and \u003ccode\u003efield_deleteimg\u003c/code\u003e parameter values (reference the attack chain).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule provided to detect exploitation attempts based on the manipulation of specific POST parameters (reference the Sigma rule).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-29T20:16:26Z","date_published":"2026-04-29T20:16:26Z","id":"/briefs/2026-04-buddypress-rce/","summary":"CVE-2018-25308 is a remote code execution vulnerability in BuddyPress Xprofile Custom Fields Type 2.6.3 that allows authenticated users to delete arbitrary files on the server by manipulating POST parameters.","title":"BuddyPress Xprofile Custom Fields Type 2.6.3 Remote Code Execution via Arbitrary File Deletion","url":"https://feed.craftedsignal.io/briefs/2026-04-buddypress-rce/"},{"_cs_actors":[],"_cs_cves":[{"cvss":9.1,"id":"CVE-2026-4119"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["wordpress","authorization-bypass","plugin-vulnerability","cve-2026-4119"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe Create DB Tables plugin, versions 1.2.1 and earlier, suffers from an authorization bypass vulnerability (CVE-2026-4119). This flaw stems from the plugin\u0026rsquo;s failure to implement capability checks or nonce verification for its admin_post action hooks, specifically those responsible for creating (admin_post_add_table) and deleting (admin_post_delete_db_table) database tables. Because the admin_post hook only requires a user to be logged in, any authenticated user, including those with the lowest Subscriber role, can access these endpoints. This oversight allows malicious actors to create arbitrary database tables or, more critically, delete existing ones, including vital WordPress core tables. The vulnerability was published on 2026-04-22, and given the severity, defenders should immediately address this risk. The affected versions of the plugin should be updated or removed to prevent potential exploitation.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker registers an account on a vulnerable WordPress site, gaining Subscriber-level access.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a POST request to \u003ccode\u003ewp-admin/admin-post.php\u003c/code\u003e with the action parameter set to \u003ccode\u003eadd_table\u003c/code\u003e or \u003ccode\u003edelete_db_table\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker provides the \u003ccode\u003edb_table\u003c/code\u003e parameter with the name of the table to be deleted, if exploiting the \u003ccode\u003edelete_db_table\u003c/code\u003e action.\u003c/li\u003e\n\u003cli\u003eThe server processes the request without proper authorization checks, because \u003ccode\u003ecurrent_user_can()\u003c/code\u003e and \u003ccode\u003ewp_verify_nonce()\u003c/code\u003e are missing.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ecdbt_delete_db_table()\u003c/code\u003e function executes a \u003ccode\u003eDROP TABLE\u003c/code\u003e SQL query based on the user-supplied \u003ccode\u003edb_table\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eIf the attacker targets a critical WordPress core table like \u003ccode\u003ewp_users\u003c/code\u003e or \u003ccode\u003ewp_options\u003c/code\u003e, the site\u0026rsquo;s functionality will be severely impacted.\u003c/li\u003e\n\u003cli\u003eAlternatively, if exploiting the \u003ccode\u003eadd_table\u003c/code\u003e action, the \u003ccode\u003ecdbt_create_new_table()\u003c/code\u003e function executes a \u003ccode\u003eCREATE TABLE\u003c/code\u003e SQL query, creating an arbitrary database table.\u003c/li\u003e\n\u003cli\u003eSuccessful exploitation can lead to complete destruction of the WordPress installation or the introduction of malicious database tables.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows any authenticated user to delete arbitrary database tables, including critical WordPress core tables. This can lead to complete site destruction and data loss. An attacker could delete the \u003ccode\u003ewp_users\u003c/code\u003e table, effectively locking out all administrators and other users, or delete the \u003ccode\u003ewp_options\u003c/code\u003e table, causing the site to revert to its default state or become completely unusable. The CVSS v3.1 base score for this vulnerability is 9.1, highlighting the critical nature of the risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately update the Create DB Tables plugin to a version higher than 1.2.1, where this vulnerability is patched.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for POST requests to \u003ccode\u003ewp-admin/admin-post.php\u003c/code\u003e with \u003ccode\u003eaction=delete_db_table\u003c/code\u003e or \u003ccode\u003eaction=add_table\u003c/code\u003e (see rule: \u0026ldquo;Detect Unauthorized DB Table Modification\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eImplement a Web Application Firewall (WAF) rule to block requests to \u003ccode\u003ewp-admin/admin-post.php\u003c/code\u003e with the vulnerable actions unless originating from an administrator (see rule: \u0026ldquo;WAF - Block Unauthorized DB Table Modification\u0026rdquo;).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-22T09:16:49Z","date_published":"2026-04-22T09:16:49Z","id":"/briefs/2026-04-wordpress-create-db-tables-auth-bypass/","summary":"The Create DB Tables plugin for WordPress versions 1.2.1 and earlier is vulnerable to an authorization bypass, allowing authenticated users to create and delete database tables without proper checks, potentially leading to complete site destruction.","title":"WordPress Create DB Tables Plugin Authorization Bypass Vulnerability (CVE-2026-4119)","url":"https://feed.craftedsignal.io/briefs/2026-04-wordpress-create-db-tables-auth-bypass/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.2,"id":"CVE-2026-4132"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["wordpress","rce","plugin","cve-2026-4132"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe HTTP Headers plugin for WordPress, versions up to and including 1.19.2, is vulnerable to remote code execution (RCE) due to a file path manipulation vulnerability (CVE-2026-4132). This vulnerability stems from the plugin\u0026rsquo;s insufficient validation of the \u0026lsquo;hh_htpasswd_path\u0026rsquo; option, which controls the location of the .htpasswd file. Furthermore, the \u0026lsquo;hh_www_authenticate_user\u0026rsquo; option, used for setting the username for HTTP Basic Authentication, lacks proper sanitization. This allows attackers with administrator privileges to specify an arbitrary file path for the htpasswd file and inject unsanitized content into it. By crafting a malicious username containing PHP code and setting the htpasswd path to a web-accessible directory, an attacker can execute arbitrary code on the server. This exploit requires administrator-level access to the WordPress dashboard.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker authenticates to the WordPress dashboard with administrator privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to the HTTP Headers plugin settings page.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the \u0026lsquo;hh_htpasswd_path\u0026rsquo; option, setting it to a web-accessible directory (e.g., \u003ccode\u003e/var/www/html/wp-content/uploads/.shell.php\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the \u0026lsquo;hh_www_authenticate_user\u0026rsquo; option, injecting PHP code into the username field (e.g., \u003ccode\u003e\u0026lt;?php system($_GET['cmd']); ?\u0026gt;\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eapache_auth_credentials()\u003c/code\u003e function uses sprintf to combine the malicious username with a SHA hash, creating a crafted htpasswd entry.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eupdate_auth_credentials()\u003c/code\u003e function then writes the crafted content, including the injected PHP code, to the attacker-controlled file path using \u003ccode\u003efile_put_contents()\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker accesses the newly created PHP file via a web browser (e.g., \u003ccode\u003ehttp://example.com/wp-content/uploads/.shell.php?cmd=id\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe injected PHP code executes, allowing the attacker to run arbitrary commands on the server.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability grants the attacker remote code execution on the affected WordPress server. This can lead to complete compromise of the server, including data theft, website defacement, malware deployment, and further attacks against internal networks. Given the widespread use of WordPress and its plugins, a successful exploit could impact a large number of websites and organizations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately update the HTTP Headers plugin to a patched version (if available) to remediate CVE-2026-4132.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for requests to unusual file paths that match the \u0026lsquo;hh_htpasswd_path\u0026rsquo; setting specified in the plugin configuration to detect potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eImplement the Sigma rule to detect file creation events in web-accessible directories with PHP extensions that are triggered by the web server process.\u003c/li\u003e\n\u003cli\u003eRestrict access to the WordPress administrator dashboard to only trusted individuals and enforce strong password policies to prevent unauthorized access to plugin settings.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-22T09:16:24Z","date_published":"2026-04-22T09:16:24Z","id":"/briefs/2026-04-wordpress-http-headers-rce/","summary":"The HTTP Headers WordPress plugin is vulnerable to remote code execution (RCE) due to insufficient validation of the htpasswd file path and lack of sanitization of the username, allowing authenticated administrators to write arbitrary code to the server.","title":"WordPress HTTP Headers Plugin Remote Code Execution via File Path Manipulation (CVE-2026-4132)","url":"https://feed.craftedsignal.io/briefs/2026-04-wordpress-http-headers-rce/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.2,"id":"CVE-2026-39467"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["wordpress","object-injection","deserialization","cve-2026-39467"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-39467 is a critical vulnerability affecting the MetaSlider Responsive Slider plugin for WordPress. Specifically, it is a Deserialization of Untrusted Data vulnerability that can lead to Object Injection. The vulnerability exists in versions up to and including 3.106.0. An attacker can exploit this vulnerability to inject arbitrary PHP objects into the application, potentially leading to remote code execution. This is possible because the plugin deserializes data without proper validation, allowing malicious actors to manipulate serialized data and inject harmful objects. The vulnerability was reported by Patchstack. Given the widespread use of WordPress and the MetaSlider plugin, this vulnerability poses a significant risk to a large number of websites.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker sends a crafted HTTP request to a WordPress endpoint that processes MetaSlider plugin data.\u003c/li\u003e\n\u003cli\u003eThe request contains a serialized PHP object designed for malicious purposes.\u003c/li\u003e\n\u003cli\u003eThe MetaSlider plugin deserializes the untrusted data without proper sanitization or validation using \u003ccode\u003eunserialize()\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe deserialization process instantiates the malicious PHP object.\u003c/li\u003e\n\u003cli\u003eThe injected object executes its malicious payload, potentially writing files to the server.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the file write capability to plant a PHP webshell in the WordPress uploads directory.\u003c/li\u003e\n\u003cli\u003eThe attacker accesses the webshell via a direct HTTP request.\u003c/li\u003e\n\u003cli\u003eThe attacker executes arbitrary commands on the server via the webshell, gaining full control.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-39467 allows an unauthenticated attacker to inject arbitrary PHP objects, leading to remote code execution on the target WordPress server. This could result in complete compromise of the website, including data theft, defacement, or further attacks on internal networks. Given the popularity of MetaSlider, potentially thousands of websites are vulnerable.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the MetaSlider Responsive Slider plugin to the latest version to patch CVE-2026-39467.\u003c/li\u003e\n\u003cli\u003eImplement the Sigma rule \u003ccode\u003eDetect MetaSlider Object Injection Attempt\u003c/code\u003e to detect exploitation attempts in web server logs.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious POST requests containing serialized PHP objects to WordPress endpoints.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-21T10:16:29Z","date_published":"2026-04-21T10:16:29Z","id":"/briefs/2026-04-metaslider-deserialization/","summary":"A deserialization of untrusted data vulnerability in the MetaSlider Responsive Slider plugin for WordPress (versions up to 3.106.0) allows for unauthenticated object injection, potentially leading to remote code execution.","title":"MetaSlider Responsive Slider Plugin Deserialization Vulnerability (CVE-2026-39467)","url":"https://feed.craftedsignal.io/briefs/2026-04-metaslider-deserialization/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.1,"id":"CVE-2026-5478"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["wordpress","plugin","file-read","file-deletion","cve-2026-5478"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe Everest Forms plugin for WordPress, versions 3.4.4 and earlier, contains an arbitrary file read and deletion vulnerability (CVE-2026-5478). This flaw stems from the plugin\u0026rsquo;s improper handling of the \u003ccode\u003eold_files\u003c/code\u003e parameter within form submissions. Specifically, the plugin trusts attacker-controlled data as legitimate server-side upload state and insecurely converts URLs into local filesystem paths without adequate sanitization. This lack of input validation enables unauthenticated attackers to inject path traversal sequences, leading to the disclosure of sensitive files like \u003ccode\u003ewp-config.php\u003c/code\u003e, which contains database credentials and authentication salts. Furthermore, the flawed path resolution is utilized in a post-email cleanup routine, resulting in arbitrary file deletion via the \u003ccode\u003eunlink()\u003c/code\u003e function, potentially causing a denial-of-service condition. Successful exploitation requires a form with a file-upload or image-upload field and the \u0026ldquo;store entry information\u0026rdquo; feature disabled.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker crafts a malicious HTTP POST request to a WordPress page containing an Everest Forms form with a file upload field.\u003c/li\u003e\n\u003cli\u003eThe attacker includes the \u003ccode\u003eold_files\u003c/code\u003e parameter in the POST data, injecting a path traversal payload (e.g., \u003ccode\u003e../../../../wp-config.php\u003c/code\u003e) into its value.\u003c/li\u003e\n\u003cli\u003eThe WordPress application processes the form submission, and the Everest Forms plugin extracts the \u003ccode\u003eold_files\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eThe plugin\u0026rsquo;s flawed logic converts the attacker-supplied URL into a local file system path using regex-based string replacement without canonicalization or directory boundary enforcement.\u003c/li\u003e\n\u003cli\u003eThe plugin attaches the resolved file (e.g., \u003ccode\u003e/var/www/wordpress/../../../../wp-config.php\u003c/code\u003e) to the notification email.\u003c/li\u003e\n\u003cli\u003eAfter sending the notification email, the post-email cleanup routine utilizes the same flawed path resolution to determine the file to delete.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eunlink()\u003c/code\u003e function is called on the resolved path, leading to the deletion of the targeted file (e.g., \u003ccode\u003ewp-config.php\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker gains access to sensitive information (database credentials, salts) or causes a denial of service by deleting critical system files.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-5478 allows unauthenticated attackers to read arbitrary files on the WordPress server, potentially exposing sensitive information like database credentials and authentication salts stored in \u003ccode\u003ewp-config.php\u003c/code\u003e. This could lead to full site compromise, including data theft, defacement, or further malicious activities. Furthermore, the ability to delete arbitrary files enables attackers to cause a denial-of-service condition by removing critical system or application files. The impact is significant as it affects all versions of the Everest Forms plugin up to and including 3.4.4.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately update the Everest Forms plugin to a version higher than 3.4.4 to patch CVE-2026-5478.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Everest Forms Arbitrary File Read Attempt\u0026rdquo; to identify potential exploitation attempts in web server logs.\u003c/li\u003e\n\u003cli\u003eEnable web server logging to capture HTTP POST requests, which are crucial for detecting path traversal attempts (cs-uri-query, cs-method in webserver logs).\u003c/li\u003e\n\u003cli\u003eMonitor file deletion events on the WordPress server, especially those initiated by the web server user, using a file integrity monitoring (FIM) solution (file_event logs).\u003c/li\u003e\n\u003cli\u003eImplement input validation and sanitization for all user-supplied data, especially file paths, to prevent path traversal vulnerabilities.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-20T20:35:20Z","date_published":"2026-04-20T20:35:20Z","id":"/briefs/2026-08-everest-forms-rfi-rce/","summary":"The Everest Forms plugin for WordPress is vulnerable to arbitrary file read and deletion, allowing unauthenticated attackers to access sensitive data or cause denial of service by manipulating the 'old_files' parameter in versions up to 3.4.4.","title":"Everest Forms Plugin Arbitrary File Read and Deletion Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-08-everest-forms-rfi-rce/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-3464"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["wordpress","plugin","file-read","file-deletion","rce"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe WP Customer Area plugin, a popular WordPress plugin, is susceptible to an arbitrary file read and deletion vulnerability. This flaw, identified as CVE-2026-3464, resides within the \u0026lsquo;ajax_attach_file\u0026rsquo; function and stems from inadequate file path validation. All versions of the plugin up to and including 8.3.4 are affected. The vulnerability enables authenticated attackers with minimal privileges (e.g., Subscriber), granted access by an administrator, to read arbitrary files on the server, potentially exposing sensitive data. Attackers can also delete arbitrary files, which, in certain cases (such as deleting \u003ccode\u003ewp-config.php\u003c/code\u003e), can pave the way for remote code execution. This vulnerability poses a significant risk to WordPress websites utilizing the WP Customer Area plugin.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains authenticated access to a WordPress site with the WP Customer Area plugin enabled, with privileges granted by an administrator (e.g., as a Subscriber).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting the \u0026lsquo;ajax_attach_file\u0026rsquo; function.\u003c/li\u003e\n\u003cli\u003eThe crafted request includes a manipulated file path, bypassing input validation.\u003c/li\u003e\n\u003cli\u003eThe plugin, failing to properly sanitize the file path, attempts to read or delete the file specified in the malicious request.\u003c/li\u003e\n\u003cli\u003eIf reading, the contents of the targeted file are returned to the attacker in the HTTP response.\u003c/li\u003e\n\u003cli\u003eIf deleting, the targeted file is removed from the server.\u003c/li\u003e\n\u003cli\u003eIf the attacker targets a sensitive file, such as \u003ccode\u003ewp-config.php\u003c/code\u003e, and successfully deletes it, the WordPress installation becomes unstable and potentially allows for re-installation and control by the attacker.\u003c/li\u003e\n\u003cli\u003eThe attacker exploits the instability to achieve remote code execution, potentially installing a web shell or other malicious code.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability (CVE-2026-3464) allows attackers to read sensitive files, potentially including database credentials, API keys, and other confidential information. Moreover, the ability to delete arbitrary files can lead to denial-of-service conditions or, more critically, remote code execution. The number of affected websites is potentially large, given the popularity of the WP Customer Area plugin. A successful attack can result in complete compromise of the WordPress website and its underlying server.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the WP Customer Area plugin to a version greater than 8.3.4 to patch CVE-2026-3464.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for requests containing suspicious file paths targeting the \u0026lsquo;ajax_attach_file\u0026rsquo; function (see Sigma rule below).\u003c/li\u003e\n\u003cli\u003eImplement stricter file path validation on the web server to prevent arbitrary file access.\u003c/li\u003e\n\u003cli\u003eApply the provided Sigma rules to your SIEM to detect and alert on malicious attempts to exploit this vulnerability.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-17T17:17:07Z","date_published":"2026-04-17T17:17:07Z","id":"/briefs/2026-04-wp-customer-area-file-read-delete/","summary":"The WP Customer Area plugin for WordPress is vulnerable to arbitrary file read and deletion due to insufficient file path validation, allowing authenticated attackers to read sensitive files or delete critical files leading to potential remote code execution.","title":"WP Customer Area Plugin Arbitrary File Read and Deletion Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-wp-customer-area-file-read-delete/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-4659"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["wordpress","file-read","path-traversal","cve-2026-4659"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe Unlimited Elements for Elementor plugin, versions 2.0.6 and earlier, contains an arbitrary file read vulnerability (CVE-2026-4659). This vulnerability stems from inadequate sanitization of path traversal sequences within the \u003ccode\u003eURLtoRelative()\u003c/code\u003e and \u003ccode\u003eurlToPath()\u003c/code\u003e functions, particularly when combined with the ability to enable debug output. The \u003ccode\u003eURLtoRelative()\u003c/code\u003e function inadequately strips the base URL without properly sanitizing path traversal characters (\u003ccode\u003e../\u003c/code\u003e). Successful exploitation allows authenticated attackers with Author-level permissions or higher to access and read arbitrary local files on the WordPress host. This can include sensitive configuration files like \u003ccode\u003ewp-config.php\u003c/code\u003e, potentially exposing database credentials and other sensitive information.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker authenticates to the WordPress application with Author-level or higher privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies the \u003ccode\u003eRepeater JSON/CSV URL\u003c/code\u003e parameter within the Unlimited Elements widget settings.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious URL containing path traversal sequences (e.g., \u003ccode\u003ehttp://site.com/../../../../etc/passwd\u003c/code\u003e) in the \u003ccode\u003eRepeater JSON/CSV URL\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eThe crafted URL is passed to the \u003ccode\u003eURLtoRelative()\u003c/code\u003e function, which removes the base URL but fails to sanitize the path traversal sequences.\u003c/li\u003e\n\u003cli\u003eThe resulting path (e.g., \u003ccode\u003e/../../../../etc/passwd\u003c/code\u003e) is concatenated with the base path by the application.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ecleanPath()\u003c/code\u003e function normalizes directory separators, but does not remove traversal components, leaving the path vulnerable.\u003c/li\u003e\n\u003cli\u003eThe application resolves the path, leading to access of the targeted file (e.g., \u003ccode\u003e/etc/passwd\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker retrieves the contents of the arbitrary file, such as \u003ccode\u003ewp-config.php\u003c/code\u003e, potentially extracting sensitive information.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows attackers to read arbitrary files on the WordPress host. This can lead to the exposure of sensitive data, including database credentials, API keys, and other configuration settings stored in files like \u003ccode\u003ewp-config.php\u003c/code\u003e. The impact ranges from data leakage to potential full compromise of the WordPress installation and the underlying server, depending on the contents of the accessed files and the attacker\u0026rsquo;s subsequent actions. The number of potentially affected WordPress sites is substantial, given the popularity of the Elementor plugin.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the Unlimited Elements for Elementor plugin to a version greater than 2.0.6 to patch CVE-2026-4659.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for HTTP requests containing path traversal sequences (\u003ccode\u003e../\u003c/code\u003e) in the URI, focusing on requests targeting WordPress plugins; use the provided Sigma rule to facilitate this detection.\u003c/li\u003e\n\u003cli\u003eImplement stricter input validation and sanitization for URL parameters within WordPress plugins, specifically when handling file paths, to prevent path traversal vulnerabilities.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-17T07:23:36Z","date_published":"2026-04-17T07:23:36Z","id":"/briefs/2026-04-wordpress-file-read/","summary":"The Unlimited Elements for Elementor plugin for WordPress is vulnerable to arbitrary file read due to insufficient path traversal sanitization, allowing authenticated attackers to read sensitive files from the WordPress host.","title":"Unlimited Elements for Elementor WordPress Plugin Arbitrary File Read (CVE-2026-4659)","url":"https://feed.craftedsignal.io/briefs/2026-04-wordpress-file-read/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-6372"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["wordpress","plugin","payment-bypass","cve-2026-6372"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-6372 is a missing authorization vulnerability affecting the Plisio Accept Cryptocurrencies with Plisio WordPress plugin, specifically versions from initial releases through 2.0.5. Discovered by Patchstack, the vulnerability stems from incorrectly configured access control security levels within the plugin. An attacker can exploit this flaw to bypass payment verification processes, potentially leading to unauthorized transactions or manipulation of payment-related functionalities. Given the increasing adoption of cryptocurrency payments, this vulnerability presents a significant risk to e-commerce sites using the affected plugin. Successful exploitation can result in financial losses and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a WordPress site using the vulnerable Plisio plugin (version \u0026lt;= 2.0.5).\u003c/li\u003e\n\u003cli\u003eAttacker analyzes the plugin\u0026rsquo;s code or intercepts network traffic to identify the specific endpoint or function responsible for payment verification lacking proper authorization checks.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request to the vulnerable endpoint, bypassing the intended authentication or authorization mechanisms.\u003c/li\u003e\n\u003cli\u003eThe crafted request modifies payment parameters (e.g., amount, recipient) without proper validation.\u003c/li\u003e\n\u003cli\u003eThe modified request is sent to the server, which processes it without correctly verifying the user\u0026rsquo;s authority.\u003c/li\u003e\n\u003cli\u003eThe server updates the payment status, marking it as \u0026ldquo;paid\u0026rdquo; or \u0026ldquo;verified,\u0026rdquo; even though the actual payment might be incomplete, altered, or entirely missing.\u003c/li\u003e\n\u003cli\u003eThe WordPress site delivers goods or services based on the fraudulently verified payment status.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-6372 allows attackers to bypass payment verification processes in e-commerce sites using the Plisio Accept Cryptocurrencies plugin. This can lead to financial losses for the site owner due to unauthorized transactions. The vulnerability affects all installations using versions up to and including 2.0.5. Given the potential for widespread impact on any site accepting cryptocurrency via this plugin, this issue represents a high risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the Plisio Accept Cryptocurrencies with Plisio plugin to a version greater than 2.0.5 to patch CVE-2026-6372.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Plisio Payment Bypass Attempt\u003c/code\u003e to monitor for exploit attempts targeting the vulnerable endpoint.\u003c/li\u003e\n\u003cli\u003eExamine web server logs for suspicious POST requests to payment processing endpoints associated with the Plisio plugin, filtering for unexpected parameter modifications (log source: webserver).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-16T12:00:00Z","date_published":"2026-04-16T12:00:00Z","id":"/briefs/2026-04-plisio-auth-bypass/","summary":"A missing authorization vulnerability in the Plisio Accept Cryptocurrencies with Plisio WordPress plugin (versions up to 2.0.5) allows attackers to bypass payment verification due to incorrectly configured access control security levels.","title":"Plisio Accept Cryptocurrencies Plugin Missing Authorization Vulnerability (CVE-2026-6372)","url":"https://feed.craftedsignal.io/briefs/2026-04-plisio-auth-bypass/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-3614"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["wordpress","privilege-escalation","acymailing"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe AcyMailing plugin for WordPress, a popular email marketing tool, contains a critical privilege escalation vulnerability, tracked as CVE-2026-3614. Affecting versions 9.11.0 through 10.8.1, the vulnerability stems from a missing capability check on the \u003ccode\u003ewp_ajax_acymailing_router\u003c/code\u003e AJAX handler. This oversight allows authenticated attackers with minimal privileges (Subscriber level or higher) to bypass access controls intended to restrict access to administrative functions. Successful exploitation of this flaw allows attackers to perform actions reserved for administrators, including modifying configuration settings, enabling autologin features, and ultimately, compromising the entire WordPress installation. This is a critical vulnerability due to the widespread use of AcyMailing and the potential for complete site takeover.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains subscriber-level access to the WordPress site (e.g., through registration or compromised credentials).\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious AJAX request targeting the \u003ccode\u003ewp_ajax_acymailing_router\u003c/code\u003e endpoint. This request attempts to access admin-only controllers without proper authentication.\u003c/li\u003e\n\u003cli\u003eDue to the missing capability check, the server processes the request, granting the attacker access to restricted administrative functions within AcyMailing.\u003c/li\u003e\n\u003cli\u003eThe attacker enables the autologin feature within AcyMailing\u0026rsquo;s configuration, using the exposed administrative controller.\u003c/li\u003e\n\u003cli\u003eThe attacker creates a new AcyMailing subscriber.  Crucially, the attacker injects a malicious \u003ccode\u003ecms_id\u003c/code\u003e value into the subscriber\u0026rsquo;s data. This \u003ccode\u003ecms_id\u003c/code\u003e is crafted to point to the WordPress user account they wish to impersonate (e.g., an administrator account).\u003c/li\u003e\n\u003cli\u003eThe attacker retrieves the autologin URL generated for the newly created (and malicious) subscriber.\u003c/li\u003e\n\u003cli\u003eThe attacker accesses the autologin URL.\u003c/li\u003e\n\u003cli\u003eThe AcyMailing plugin, configured with the now-enabled autologin feature, authenticates the attacker as the user specified by the injected \u003ccode\u003ecms_id\u003c/code\u003e, granting them full administrative access to the WordPress site.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-3614 allows an attacker to escalate privileges from a subscriber to an administrator. This grants the attacker complete control over the WordPress website, including the ability to modify content, install malicious plugins, create new administrator accounts, and potentially compromise the underlying server. This vulnerability impacts any WordPress site running a vulnerable version of the AcyMailing plugin (9.11.0 through 10.8.1). The severity is critical due to the ease of exploitation and the potential for complete system compromise.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately update the AcyMailing plugin to the latest version (greater than 10.8.1) to patch CVE-2026-3614.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;AcyMailing Unauthorized AJAX Access Attempt\u0026rdquo; to detect attempts to exploit the vulnerability by monitoring for access to the \u003ccode\u003ewp_ajax_acymailing_router\u003c/code\u003e endpoint from non-administrator users.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious POST requests to \u003ccode\u003e/wp-admin/admin-ajax.php\u003c/code\u003e with the \u003ccode\u003eaction=acymailing_router\u003c/code\u003e parameter, as this is the entry point for exploiting CVE-2026-3614.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-16T06:16:18Z","date_published":"2026-04-16T06:16:18Z","id":"/briefs/2026-04-acymailing-privesc/","summary":"The AcyMailing plugin for WordPress is vulnerable to privilege escalation (CVE-2026-3614), allowing authenticated attackers with subscriber-level access to gain administrative privileges.","title":"AcyMailing Plugin Privilege Escalation Vulnerability (CVE-2026-3614)","url":"https://feed.craftedsignal.io/briefs/2026-04-acymailing-privesc/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-3599"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["wordpress","sqli","plugin"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe Riaxe Product Customizer plugin, a WordPress plugin, is susceptible to SQL Injection attacks. This vulnerability resides within the \u003ccode\u003e/wp-json/InkXEProductDesignerLite/add-item-to-cart\u003c/code\u003e REST API endpoint, specifically through the \u0026lsquo;options\u0026rsquo; parameter keys nested within the \u0026lsquo;product_data\u0026rsquo;. All versions of the plugin up to and including 2.1.2 are affected. Due to insufficient input sanitization and inadequate preparation of SQL queries, unauthenticated attackers can inject malicious SQL code. Successful exploitation enables attackers to execute arbitrary SQL queries, potentially leading to sensitive data extraction. This poses a significant risk to WordPress sites utilizing the affected plugin, as attackers could gain access to user credentials, financial information, or other confidential data stored in the database. Defenders should prioritize patching or removing the plugin to mitigate this threat.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker identifies a WordPress site using a vulnerable version (\u0026lt;=2.1.2) of the Riaxe Product Customizer plugin.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP POST request targeting the \u003ccode\u003e/wp-json/InkXEProductDesignerLite/add-item-to-cart\u003c/code\u003e REST API endpoint.\u003c/li\u003e\n\u003cli\u003eThe crafted request includes a \u0026lsquo;product_data\u0026rsquo; parameter containing a manipulated \u0026lsquo;options\u0026rsquo; array.\u003c/li\u003e\n\u003cli\u003eWithin the \u0026lsquo;options\u0026rsquo; array, the attacker injects SQL code into one or more of the parameter keys.\u003c/li\u003e\n\u003cli\u003eThe WordPress server processes the request without properly sanitizing the injected SQL code.\u003c/li\u003e\n\u003cli\u003eThe application constructs a SQL query using the unsanitized input, effectively injecting the malicious code into the query.\u003c/li\u003e\n\u003cli\u003eThe database server executes the attacker-controlled SQL query.\u003c/li\u003e\n\u003cli\u003eThe attacker extracts sensitive information from the database, such as user credentials, by using the SQL injection vulnerability.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this SQL injection vulnerability (CVE-2026-3599) allows unauthenticated attackers to extract sensitive information from the WordPress database. This may include user credentials (usernames, email addresses, and password hashes), customer data, financial information, and other confidential data stored within the database. The impact can range from defacement of the website and data theft, to complete compromise of the WordPress site and its associated server. Due to the widespread use of WordPress and its plugins, this vulnerability poses a significant threat to a potentially large number of websites.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the Riaxe Product Customizer plugin to a version higher than 2.1.2 to patch CVE-2026-3599.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect SQL Injection Attempts via Riaxe Product Customizer Plugin\u003c/code\u003e to your SIEM to detect exploitation attempts.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious POST requests to the \u003ccode\u003e/wp-json/InkXEProductDesignerLite/add-item-to-cart\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-16T06:16:17Z","date_published":"2026-04-16T06:16:17Z","id":"/briefs/2024-01-wordpress-sqli/","summary":"The Riaxe Product Customizer plugin for WordPress is vulnerable to SQL Injection via the 'options' parameter within 'product_data' of the `/wp-json/InkXEProductDesignerLite/add-item-to-cart` REST API endpoint, allowing unauthenticated attackers to extract sensitive information from the database.","title":"Riaxe Product Customizer WordPress Plugin SQL Injection Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-wordpress-sqli/"},{"_cs_actors":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2026-3596"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["wordpress","privilege-escalation","cve-2026-3596","plugin"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe Riaxe Product Customizer plugin for WordPress, versions 2.1.2 and earlier, contains a critical privilege escalation vulnerability (CVE-2026-3596). This flaw stems from an unauthenticated AJAX action, \u0026lsquo;wp_ajax_nopriv_install-imprint\u0026rsquo;, which is improperly secured. The corresponding function, \u003ccode\u003eink_pd_add_option()\u003c/code\u003e, allows unauthenticated users to modify arbitrary WordPress options by sending POST requests. There are no nonce checks, capability checks, or input validation performed on the \u0026lsquo;option\u0026rsquo; and \u0026lsquo;opt_value\u0026rsquo; parameters, making it trivial to manipulate sensitive site settings. Successful exploitation allows attackers to grant themselves administrative privileges. This vulnerability poses a significant risk to any WordPress site using the affected plugin.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker identifies a WordPress site using a vulnerable version of the Riaxe Product Customizer plugin (\u0026lt;= 2.1.2).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP POST request targeting the \u003ccode\u003e/wp-admin/admin-ajax.php\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe POST request includes the \u003ccode\u003eaction\u003c/code\u003e parameter set to \u003ccode\u003einstall-imprint\u003c/code\u003e, triggering the vulnerable AJAX action \u003ccode\u003ewp_ajax_nopriv_install-imprint\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker sets the \u003ccode\u003eoption\u003c/code\u003e parameter to \u003ccode\u003edefault_role\u003c/code\u003e and the \u003ccode\u003eopt_value\u003c/code\u003e parameter to \u003ccode\u003eadministrator\u003c/code\u003e within the POST request. This will change the default user role to administrator.\u003c/li\u003e\n\u003cli\u003eThe attacker sets the \u003ccode\u003eoption\u003c/code\u003e parameter to \u003ccode\u003eusers_can_register\u003c/code\u003e and the \u003ccode\u003eopt_value\u003c/code\u003e parameter to \u003ccode\u003e1\u003c/code\u003e within the POST request. This enables user registration on the WordPress site.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eink_pd_add_option()\u003c/code\u003e function executes, calling \u003ccode\u003edelete_option()\u003c/code\u003e and \u003ccode\u003eadd_option()\u003c/code\u003e with the attacker-supplied values, effectively updating the WordPress options table.\u003c/li\u003e\n\u003cli\u003eThe attacker registers a new user account on the WordPress site.\u003c/li\u003e\n\u003cli\u003eBecause user registration is enabled and the default user role is set to administrator, the attacker\u0026rsquo;s new account is granted administrator privileges, allowing full control over the WordPress site.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-3596 allows unauthenticated attackers to gain complete control over a vulnerable WordPress website. This can lead to website defacement, data theft, malware distribution, and denial of service. Given the widespread use of WordPress, this vulnerability has the potential to affect a large number of websites across various sectors. A successful attack would result in the attacker having the same access as the original website administrator.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately remove the Riaxe Product Customizer plugin from WordPress installations if it is present. This will eliminate the attack vector (plugin removal).\u003c/li\u003e\n\u003cli\u003eMonitor web server logs (category: \u003ccode\u003ewebserver\u003c/code\u003e, product: \u003ccode\u003elinux\u003c/code\u003e or \u003ccode\u003ewindows\u003c/code\u003e) for POST requests to \u003ccode\u003e/wp-admin/admin-ajax.php\u003c/code\u003e with the \u003ccode\u003eaction\u003c/code\u003e parameter set to \u003ccode\u003einstall-imprint\u003c/code\u003e using the Sigma rule provided below.\u003c/li\u003e\n\u003cli\u003eConsider implementing a Web Application Firewall (WAF) rule to block requests matching the exploit pattern described in the Attack Chain.\u003c/li\u003e\n\u003cli\u003eReview WordPress user accounts for any unauthorized administrators.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-16T06:16:15Z","date_published":"2026-04-16T06:16:15Z","id":"/briefs/2026-04-wordpress-privesc/","summary":"The Riaxe Product Customizer plugin for WordPress is vulnerable to privilege escalation, allowing unauthenticated attackers to update arbitrary WordPress options via a publicly accessible AJAX endpoint and escalate privileges to administrator.","title":"Riaxe Product Customizer WordPress Plugin Privilege Escalation Vulnerability (CVE-2026-3596)","url":"https://feed.craftedsignal.io/briefs/2026-04-wordpress-privesc/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.6,"id":"CVE-2025-63029"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["sql-injection","wordpress","wcfm-marketplace"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2025-63029 describes an SQL Injection vulnerability affecting the WC Lovers WCFM (WooCommerce Frontend Manager) Marketplace WordPress plugin. This vulnerability, present in versions up to and including 3.7.1, stems from improper neutralization of special elements within SQL commands. An attacker exploiting this flaw can inject malicious SQL code, potentially leading to unauthorized data access, modification, or deletion within the WordPress database. Given the widespread use of WordPress and the WCFM Marketplace plugin, this vulnerability poses a significant risk to e-commerce websites and their associated sensitive information. Successful exploitation could result in compromised customer data, financial losses, and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable WCFM Marketplace instance running a version \u0026lt;= 3.7.1.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request containing SQL injection payloads in a vulnerable parameter.\u003c/li\u003e\n\u003cli\u003eThe WCFM Marketplace plugin fails to properly sanitize the attacker-controlled input.\u003c/li\u003e\n\u003cli\u003eThe unsanitized input is incorporated into an SQL query executed against the WordPress database.\u003c/li\u003e\n\u003cli\u003eThe injected SQL code modifies the intended query logic.\u003c/li\u003e\n\u003cli\u003eThe database server executes the attacker\u0026rsquo;s malicious SQL query.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to sensitive data stored in the database, such as user credentials, financial information, or product details.\u003c/li\u003e\n\u003cli\u003eThe attacker may modify or delete data, escalate privileges, or potentially gain control of the WordPress site.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2025-63029 can have severe consequences. An attacker could gain complete control over the affected WordPress site\u0026rsquo;s database. This can lead to the theft of sensitive customer data (e.g., usernames, passwords, addresses, payment information), modification of product listings and pricing, or even complete site defacement or takeover. The number of potentially affected sites is substantial, considering the popularity of the WCFM Marketplace plugin.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the WC Lovers WCFM Marketplace plugin to the latest available version, which includes a patch for CVE-2025-63029.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Suspicious WCFM Marketplace SQL Injection Attempts\u0026rdquo; to your SIEM to identify potential exploitation attempts targeting this vulnerability.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious HTTP requests containing potential SQL injection payloads targeting the WCFM Marketplace plugin.\u003c/li\u003e\n\u003cli\u003eReview and harden database access controls to minimize the impact of potential SQL injection attacks.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-15T17:17:00Z","date_published":"2026-04-15T17:17:00Z","id":"/briefs/2026-04-wcfm-sql-injection/","summary":"An SQL Injection vulnerability, identified as CVE-2025-63029, exists in the WC Lovers WCFM Marketplace WordPress plugin up to version 3.7.1, potentially allowing attackers to execute arbitrary SQL queries.","title":"WC Lovers WCFM Marketplace SQL Injection Vulnerability (CVE-2025-63029)","url":"https://feed.craftedsignal.io/briefs/2026-04-wcfm-sql-injection/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.2,"id":"CVE-2026-3017"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["wordpress","php","object-injection","rce"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe Smart Post Show WordPress plugin, specifically the Post Grid, Post Carousel \u0026amp; Slider, and List Category Posts components, contains a PHP Object Injection vulnerability. This flaw affects all versions up to and including 3.0.12. The vulnerability resides in the \u003ccode\u003eimport_shortcodes()\u003c/code\u003e function, where the deserialization of untrusted input occurs. This vulnerability requires an authenticated attacker with administrative privileges or higher. Successful exploitation requires the presence of a suitable Property-Oriented Programming (POP) chain within another installed plugin or theme. Without a POP chain, the injected object has no immediate impact. However, with a POP chain, attackers can potentially delete arbitrary files, retrieve sensitive data, or execute arbitrary code on the server.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains administrative-level access to the WordPress dashboard, either through credential compromise or vulnerability exploitation.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to the Smart Post Show plugin settings page within the WordPress admin panel.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious payload containing a serialized PHP object designed to trigger a POP chain.\u003c/li\u003e\n\u003cli\u003eThe attacker injects the malicious payload into the \u003ccode\u003eimport_shortcodes()\u003c/code\u003e function, likely through a form field or file upload.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eimport_shortcodes()\u003c/code\u003e function deserializes the attacker-controlled input, creating the malicious PHP object.\u003c/li\u003e\n\u003cli\u003eIf a suitable POP chain exists within other installed plugins or themes, the deserialization triggers the chain.\u003c/li\u003e\n\u003cli\u003eThe POP chain executes a series of predefined actions based on the objects and methods involved.\u003c/li\u003e\n\u003cli\u003eThe final objective is achieved, such as deleting arbitrary files, retrieving sensitive data, or executing arbitrary code on the server.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe PHP Object Injection vulnerability in the Smart Post Show WordPress plugin allows attackers to potentially gain remote code execution on the affected server. The impact is contingent on the existence of a POP chain within other installed plugins or themes. If successful, an attacker could potentially compromise the entire web server, leading to data breaches, defacement, or complete system takeover. Given the widespread use of WordPress and this plugin, a successful exploit could affect numerous websites across various sectors.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the Smart Post Show plugin to a version greater than 3.0.12 to patch CVE-2026-3017.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect WordPress Plugin Deserialization Attempt\u0026rdquo; to monitor for suspicious deserialization activity on WordPress servers.\u003c/li\u003e\n\u003cli\u003eAudit all installed WordPress plugins and themes for potential POP chains that could be exploited in conjunction with this vulnerability.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-14T06:17:10Z","date_published":"2026-04-14T06:17:10Z","id":"/briefs/2026-04-smart-post-show-rce/","summary":"The Smart Post Show WordPress plugin versions 3.0.12 and earlier are vulnerable to PHP Object Injection via deserialization of untrusted input in the import_shortcodes() function, potentially leading to remote code execution if a suitable POP chain is present.","title":"Smart Post Show WordPress Plugin PHP Object Injection Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-smart-post-show-rce/"},{"_cs_actors":[],"_cs_cves":[{"cvss":9.1,"id":"CVE-2026-4365"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["wordpress","plugin","learnpress","data-deletion","unauthorized-access"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe LearnPress plugin for WordPress, in versions up to and including 4.3.2.8, is susceptible to unauthorized data deletion. The vulnerability stems from a missing capability check on the \u003ccode\u003edelete_question_answer()\u003c/code\u003e function. The plugin exposes a \u003ccode\u003ewp_rest\u003c/code\u003e nonce in public frontend HTML, and this nonce serves as the sole security check for the \u003ccode\u003elp-load-ajax\u003c/code\u003e AJAX dispatcher. As the \u003ccode\u003edelete_question_answer\u003c/code\u003e action lacks capability or ownership validation, unauthenticated attackers can exploit this flaw to delete arbitrary quiz answer options. This is achieved by sending a crafted POST request containing a publicly available nonce. Exploitation does not require any prior authentication.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker identifies a LearnPress installation with a vulnerable version (\u0026lt;= 4.3.2.8).\u003c/li\u003e\n\u003cli\u003eThe attacker accesses the public frontend of the WordPress site.\u003c/li\u003e\n\u003cli\u003eThe attacker retrieves the \u003ccode\u003ewp_rest\u003c/code\u003e nonce from the \u003ccode\u003elpData\u003c/code\u003e variable in the HTML source code. This nonce is used for AJAX requests.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a POST request to the \u003ccode\u003ewp-admin/admin-ajax.php\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe crafted POST request includes the \u003ccode\u003eaction\u003c/code\u003e parameter set to \u003ccode\u003edelete_question_answer\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe request also includes the \u003ccode\u003enonce\u003c/code\u003e parameter with the value of the retrieved \u003ccode\u003ewp_rest\u003c/code\u003e nonce.\u003c/li\u003e\n\u003cli\u003eThe request includes the \u003ccode\u003eanswer_id\u003c/code\u003e parameter set to the ID of the quiz answer option to be deleted.\u003c/li\u003e\n\u003cli\u003eThe server, lacking proper capability checks, processes the request and deletes the specified quiz answer option from the database. This results in data loss and potentially disrupts the functionality of quizzes within the LearnPress plugin.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows unauthenticated attackers to arbitrarily delete quiz answer options within the LearnPress plugin. This can lead to data loss, disruption of quizzes, and potentially compromise the integrity of educational content. The CVSS v3.1 base score for this vulnerability is 9.1, indicating a critical severity. The number of victims and specific sectors targeted are currently unknown, but any website using the vulnerable LearnPress plugin is at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the LearnPress plugin to a version greater than 4.3.2.8 to patch CVE-2026-4365.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect LearnPress Unauthorized Data Deletion Attempt\u0026rdquo; to your SIEM to identify potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for POST requests to \u003ccode\u003ewp-admin/admin-ajax.php\u003c/code\u003e with the \u003ccode\u003eaction\u003c/code\u003e parameter set to \u003ccode\u003edelete_question_answer\u003c/code\u003e and investigate suspicious activity.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-14T02:16:57Z","date_published":"2026-04-14T02:16:57Z","id":"/briefs/2026-04-learnpress-data-deletion/","summary":"The LearnPress plugin for WordPress is vulnerable to unauthorized data deletion due to a missing capability check on the `delete_question_answer()` function, allowing unauthenticated attackers to delete quiz answer options.","title":"LearnPress WordPress Plugin Unauthorized Data Deletion Vulnerability (CVE-2026-4365)","url":"https://feed.craftedsignal.io/briefs/2026-04-learnpress-data-deletion/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2025-5804"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["php","lfi","wordpress","cve-2025-5804"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA local file inclusion (LFI) vulnerability, identified as CVE-2025-5804, affects the Case Theme User WordPress plugin before version 1.0.4. The vulnerability stems from insufficient validation of filenames passed to PHP\u0026rsquo;s \u003ccode\u003einclude\u003c/code\u003e or \u003ccode\u003erequire\u003c/code\u003e statements. This allows an unauthenticated attacker to potentially include arbitrary local files on the server hosting the WordPress instance. Successful exploitation could lead to sensitive information disclosure, arbitrary code execution, or denial of service. The vulnerability was reported and patched by Patchstack. Users of the Case Theme User plugin are advised to upgrade to version 1.0.4 or later to mitigate this risk.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a vulnerable Case Theme User plugin running on a WordPress site.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting a PHP file within the plugin that uses an \u003ccode\u003einclude\u003c/code\u003e or \u003ccode\u003erequire\u003c/code\u003e statement.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies a GET or POST parameter associated with the vulnerable \u003ccode\u003einclude\u003c/code\u003e or \u003ccode\u003erequire\u003c/code\u003e statement, injecting a path to a local file (e.g., \u003ccode\u003e/etc/passwd\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe web server processes the request, and the PHP interpreter attempts to include the file specified in the attacker-controlled parameter.\u003c/li\u003e\n\u003cli\u003eDue to the LFI vulnerability, the server includes the attacker-specified local file.\u003c/li\u003e\n\u003cli\u003eIf the included file contains sensitive data, such as configuration files or credentials, the attacker can extract this information from the server\u0026rsquo;s response.\u003c/li\u003e\n\u003cli\u003eIn more advanced scenarios, the attacker might attempt to include PHP files containing malicious code, achieving remote code execution on the server.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2025-5804 can lead to a range of impacts, including sensitive information disclosure such as WordPress configuration files (wp-config.php), which contain database credentials. Arbitrary code execution is possible if the attacker can include a file containing malicious PHP code. This could allow the attacker to gain complete control of the WordPress site and the underlying server. The number of affected sites depends on the adoption rate of the vulnerable Case Theme User plugin, but given the widespread use of WordPress, the potential impact could be significant.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately update the Case Theme User WordPress plugin to version 1.0.4 or later to patch CVE-2025-5804.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Case Theme User LFI Attempt\u003c/code\u003e to your SIEM to identify potential exploitation attempts based on suspicious file paths in HTTP requests.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for unusual file access patterns, particularly requests containing \u0026ldquo;..\u0026rdquo;, \u0026ldquo;%2e%2e\u0026rdquo;, or other directory traversal sequences, to catch LFI attempts (see log source \u003ccode\u003ewebserver\u003c/code\u003e).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-11T12:00:00Z","date_published":"2026-04-11T12:00:00Z","id":"/briefs/2026-04-case-theme-lfi/","summary":"CVE-2025-5804 is a PHP Local File Inclusion vulnerability in the Case Theme User WordPress plugin before version 1.0.4 due to improper filename control in include/require statements, potentially allowing attackers to execute arbitrary code by including malicious local files.","title":"Case Theme User WordPress Plugin Local File Inclusion Vulnerability (CVE-2025-5804)","url":"https://feed.craftedsignal.io/briefs/2026-04-case-theme-lfi/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.1,"id":"CVE-2025-58913"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["wordpress","lfi","cve-2025-58913"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA local file inclusion (LFI) vulnerability has been identified in the CactusThemes VideoPro WordPress theme. Assigned CVE-2025-58913, this vulnerability exists due to the improper handling of filenames passed to include or require statements within the PHP code of the theme. Specifically, versions of VideoPro from its initial release up to and including version 2.3.8.1 are affected. Successful exploitation of this vulnerability could allow an attacker to read sensitive files on the server, potentially leading to further compromise. The vulnerability was reported by Patchstack. Defenders should prioritize patching or removing the vulnerable theme.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a VideoPro installation running a vulnerable version (\u0026lt;= 2.3.8.1).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting a PHP script within the VideoPro theme that uses \u003ccode\u003einclude\u003c/code\u003e or \u003ccode\u003erequire\u003c/code\u003e statements.\u003c/li\u003e\n\u003cli\u003eThe attacker injects a path traversal sequence (e.g., \u003ccode\u003e../../../../etc/passwd\u003c/code\u003e) into the filename parameter of the HTTP request.\u003c/li\u003e\n\u003cli\u003eThe vulnerable PHP script, without proper sanitization of the filename, attempts to include the attacker-specified file.\u003c/li\u003e\n\u003cli\u003eIf successful, the contents of the file (e.g., \u003ccode\u003e/etc/passwd\u003c/code\u003e) are exposed within the web server\u0026rsquo;s response.\u003c/li\u003e\n\u003cli\u003eThe attacker analyzes the exposed file contents for sensitive information such as user credentials or configuration details.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the obtained information to further compromise the server or other related systems.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2025-58913 allows an attacker to read arbitrary files on the webserver hosting the vulnerable WordPress instance. This can lead to the exposure of sensitive data such as configuration files containing database credentials, WordPress salts, or even source code. If sensitive credentials are leaked, an attacker could pivot to other systems or gain administrative access to the WordPress site. The vulnerable VideoPro theme is used by an unknown number of WordPress websites, representing a significant attack surface.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the CactusThemes VideoPro theme to a patched version (later than 2.3.8.1) or remove the theme entirely from WordPress installations to remediate CVE-2025-58913.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect VideoPro LFI Attempts via Path Traversal\u0026rdquo; to identify exploitation attempts against vulnerable VideoPro installations using path traversal sequences in URI queries.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs (category \u003ccode\u003ewebserver\u003c/code\u003e, product \u003ccode\u003elinux\u003c/code\u003e) for suspicious requests containing path traversal sequences (e.g., \u003ccode\u003e../\u003c/code\u003e, \u003ccode\u003e../../\u003c/code\u003e) in the URI query string, which may indicate LFI attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-11T12:00:00Z","date_published":"2026-04-11T12:00:00Z","id":"/briefs/2026-04-videopro-lfi/","summary":"CVE-2025-58913 is a PHP Local File Inclusion vulnerability in the CactusThemes VideoPro WordPress theme, affecting versions from n/a through 2.3.8.1 due to improper control of the filename for include/require statements, potentially allowing unauthorized file access.","title":"CactusThemes VideoPro Theme Local File Inclusion Vulnerability (CVE-2025-58913)","url":"https://feed.craftedsignal.io/briefs/2026-04-videopro-lfi/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.1,"id":"CVE-2026-5809"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["wordpress","file-deletion","plugin","CVE-2026-5809"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe wpForo Forum plugin, a popular WordPress plugin, is susceptible to an arbitrary file deletion vulnerability (CVE-2026-5809) affecting versions up to and including 3.0.2. The vulnerability stems from insufficient validation of user-supplied data within the \u003ccode\u003etopic_add()\u003c/code\u003e and \u003ccode\u003etopic_edit()\u003c/code\u003e action handlers. Specifically, the plugin improperly handles array values in the \u003ccode\u003e$_REQUEST\u003c/code\u003e data, storing them as postmeta without proper filtering. An authenticated attacker (subscriber-level or higher) can exploit this by injecting a malicious file path into the \u003ccode\u003edata[body][fileurl]\u003c/code\u003e parameter. This injected path is subsequently used in a file deletion function without adequate sanitization, leading to potential deletion of critical system files. This vulnerability allows attackers to potentially cripple the WordPress installation or gain further access to the server.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker authenticates to the WordPress site with at least subscriber-level privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting the \u003ccode\u003etopic_add()\u003c/code\u003e or \u003ccode\u003etopic_edit()\u003c/code\u003e action handler.\u003c/li\u003e\n\u003cli\u003eWithin the request, the attacker includes the \u003ccode\u003edata[body][fileurl]\u003c/code\u003e parameter containing the path to the file they wish to delete (e.g., \u003ccode\u003e/var/www/html/wp-config.php\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe wpForo plugin stores the attacker-supplied \u003ccode\u003efileurl\u003c/code\u003e value as postmeta associated with the forum topic without proper validation.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts another request, this time including the \u003ccode\u003ewpftcf_delete[]=body\u003c/code\u003e parameter, targeting the \u003ccode\u003etopic_edit\u003c/code\u003e action.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eadd_file()\u003c/code\u003e method retrieves the poisoned \u003ccode\u003efileurl\u003c/code\u003e from the stored postmeta record.\u003c/li\u003e\n\u003cli\u003eThe plugin attempts to sanitize the path using \u003ccode\u003ewpforo_fix_upload_dir()\u003c/code\u003e, but this function only modifies paths within the legitimate wpForo upload directory, leaving other paths untouched.\u003c/li\u003e\n\u003cli\u003eThe plugin calls \u003ccode\u003ewp_delete_file()\u003c/code\u003e on the unsanitized path, resulting in the deletion of the targeted file if the PHP process has write permissions.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an authenticated attacker to delete arbitrary files on the server, provided the PHP process has the necessary write permissions. This can lead to a denial of service by deleting core WordPress files or configuration files such as \u003ccode\u003ewp-config.php\u003c/code\u003e. The CVSS v3.1 base score for this vulnerability is 7.1, indicating a high severity. This could lead to complete compromise of the WordPress installation and potential further exploitation of the server.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the wpForo Forum plugin to a version higher than 3.0.2 to patch CVE-2026-5809.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect wpForo Arbitrary File Deletion Attempt\u0026rdquo; to your SIEM to detect potential exploitation attempts by monitoring HTTP requests to WordPress.\u003c/li\u003e\n\u003cli\u003eImplement stricter file permission controls to limit the PHP process\u0026rsquo;s write access to only necessary directories and files.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious POST requests containing the \u003ccode\u003ewpftcf_delete\u003c/code\u003e parameter, as highlighted in the Attack Chain.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-11T08:16:05Z","date_published":"2026-04-11T08:16:05Z","id":"/briefs/2026-04-wpforo-file-deletion/","summary":"The wpForo Forum plugin for WordPress is vulnerable to arbitrary file deletion due to a logic flaw that allows authenticated users to delete arbitrary files writable by the PHP process by manipulating post metadata.","title":"wpForo Forum Plugin Arbitrary File Deletion Vulnerability (CVE-2026-5809)","url":"https://feed.craftedsignal.io/briefs/2026-04-wpforo-file-deletion/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-5144"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["wordpress","buddypress","privilege-escalation","cve-2026-5144","cloud"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe BuddyPress Groupblog plugin, versions 1.9.3 and below, contains a critical privilege escalation vulnerability (CVE-2026-5144). This flaw allows authenticated attackers with minimal privileges (Subscriber or higher) to escalate privileges to Administrator on the main WordPress Multisite site. The vulnerability stems from a lack of authorization checks in the group blog settings handler. Specifically, the plugin improperly validates the \u003ccode\u003egroupblog-blogid\u003c/code\u003e, \u003ccode\u003edefault-member\u003c/code\u003e, and \u003ccode\u003egroupblog-silent-add\u003c/code\u003e parameters. This vulnerability allows an attacker to associate their group with the main site (blog ID 1) and automatically assign the \u0026lsquo;administrator\u0026rsquo; role to new group members. Successful exploitation grants attackers full control over the WordPress Multisite network, posing a significant risk to data confidentiality, integrity, and availability.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker creates a new group on the WordPress Multisite network with a Subscriber account.\u003c/li\u003e\n\u003cli\u003eAttacker accesses the group\u0026rsquo;s settings page.\u003c/li\u003e\n\u003cli\u003eAttacker modifies the \u003ccode\u003egroupblog-blogid\u003c/code\u003e parameter, setting it to \u0026ldquo;1\u0026rdquo; to associate the group with the main site. This is done by crafting a malicious HTTP POST request to the group settings handler.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the \u003ccode\u003edefault-member\u003c/code\u003e parameter to \u0026ldquo;administrator\u0026rdquo;. This parameter controls the default role assigned to new members.\u003c/li\u003e\n\u003cli\u003eThe attacker enables the \u003ccode\u003egroupblog-silent-add\u003c/code\u003e parameter. This setting automatically adds new group members to the associated blog (main site) with the specified default role (administrator).\u003c/li\u003e\n\u003cli\u003eAttacker creates a second user account or convinces another user to join their malicious group.\u003c/li\u003e\n\u003cli\u003eWhen the new user joins the attacker\u0026rsquo;s group, the \u003ccode\u003egroupblog-silent-add\u003c/code\u003e setting automatically adds the new user to the main site with the administrator role.\u003c/li\u003e\n\u003cli\u003eThe attacker (via the new user account) now has administrator access to the main WordPress Multisite site.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-5144 grants an attacker complete control over the targeted WordPress Multisite network. This allows them to modify content, install malicious plugins, create new administrator accounts, and potentially compromise the underlying server. The impact is especially severe for organizations relying on WordPress Multisite for critical applications, as it can lead to data breaches, service disruptions, and significant financial losses. The vulnerability affects all installations using the BuddyPress Groupblog plugin up to version 1.9.3, potentially impacting thousands of websites.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately update the BuddyPress Groupblog plugin to a version greater than 1.9.3 to patch CVE-2026-5144.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for POST requests to \u003ccode\u003e/wp-admin/options.php\u003c/code\u003e with parameters \u003ccode\u003egroupblog-blogid\u003c/code\u003e, \u003ccode\u003edefault-member\u003c/code\u003e, and \u003ccode\u003egroupblog-silent-add\u003c/code\u003e to detect potential exploitation attempts, using the provided Sigma rule.\u003c/li\u003e\n\u003cli\u003eImplement strict access control policies to limit the ability of low-privileged users to modify group settings and install plugins.\u003c/li\u003e\n\u003cli\u003eEnable logging of user role changes to detect unauthorized privilege escalation attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-11T02:19:36Z","date_published":"2026-04-11T02:19:36Z","id":"/briefs/2026-04-buddypress-privesc/","summary":"The BuddyPress Groupblog plugin for WordPress is vulnerable to privilege escalation (CVE-2026-5144), allowing a low-privileged user to gain administrator access on a WordPress Multisite network by manipulating group blog settings.","title":"BuddyPress Groupblog Plugin Privilege Escalation Vulnerability (CVE-2026-5144)","url":"https://feed.craftedsignal.io/briefs/2026-04-buddypress-privesc/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.1,"id":"CVE-2025-58920"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["xss","wordpress","reflected-xss"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA reflected XSS vulnerability, identified as CVE-2025-58920, affects the Zootemplate Cerato WordPress theme. The vulnerability resides in versions ranging from n/a through 2.2.18. It stems from the improper neutralization of input during web page generation, which can allow an attacker to inject malicious scripts into a web page viewed by other users. Successful exploitation could allow an attacker to steal cookies, redirect users to malicious websites, or deface web pages. Given the widespread use of WordPress and its themes, this vulnerability poses a risk to websites using the affected Cerato theme.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a vulnerable endpoint within the Cerato theme that does not properly sanitize user input.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious URL containing a JavaScript payload within a parameter.\u003c/li\u003e\n\u003cli\u003eThe attacker distributes the malicious URL via email, social media, or other means.\u003c/li\u003e\n\u003cli\u003eA victim clicks the malicious URL, sending a request to the vulnerable WordPress site.\u003c/li\u003e\n\u003cli\u003eThe WordPress server, using the Cerato theme, reflects the attacker\u0026rsquo;s JavaScript payload in the response without proper sanitization.\u003c/li\u003e\n\u003cli\u003eThe victim\u0026rsquo;s browser executes the malicious JavaScript code.\u003c/li\u003e\n\u003cli\u003eThe attacker gains the ability to perform actions on behalf of the victim, such as stealing cookies or redirecting the user.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this reflected XSS vulnerability can lead to several adverse effects. An attacker could steal a user\u0026rsquo;s session cookies, gaining unauthorized access to their account. Victims can be redirected to phishing sites, potentially compromising their credentials. Further, attackers might inject malicious content into the web page, defacing the site or spreading malware. The impact of this vulnerability is limited by the need for user interaction (clicking a malicious link), but the potential for widespread exploitation remains significant for sites using the vulnerable Cerato theme.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the Zootemplate Cerato WordPress theme to a version beyond 2.2.18 to remediate CVE-2025-58920.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule to detect exploitation attempts against this vulnerability (see the \u0026ldquo;Reflected XSS Attempt via GET\u0026rdquo; rule below).\u003c/li\u003e\n\u003cli\u003eImplement a web application firewall (WAF) with rules to detect and block common XSS payloads to mitigate this and similar vulnerabilities.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-10T14:16:25Z","date_published":"2026-04-10T14:16:25Z","id":"/briefs/2024-01-cerato-xss/","summary":"A reflected cross-site scripting (XSS) vulnerability exists in the Zootemplate Cerato WordPress theme (versions n/a through 2.2.18) due to improper neutralization of user-supplied input, potentially allowing attackers to execute arbitrary JavaScript in a user's browser.","title":"Zootemplate Cerato Theme Reflected XSS Vulnerability (CVE-2025-58920)","url":"https://feed.craftedsignal.io/briefs/2024-01-cerato-xss/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.1,"id":"CVE-2026-4162"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["wordpress","missing-authorization","plugin","cve-2026-4162"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe Gravity SMTP plugin, a WordPress extension facilitating email sending through SMTP, contains a missing authorization vulnerability (CVE-2026-4162) affecting versions 2.1.4 and earlier. This flaw allows authenticated users with minimal subscriber-level permissions to perform administrative actions such as uninstalling and deactivating the plugin, as well as deleting its associated options. The vulnerability stems from the plugin failing to properly validate user authorization before executing sensitive functions. Additionally, the vulnerability can be exploited via a Cross-Site Request Forgery (CSRF) attack. Patches have been released in Gravity SMTP version 2.1.5 to address this security concern. Exploitation of this vulnerability allows low-privileged users to disrupt email functionality and potentially compromise WordPress configurations.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker authenticates to the WordPress site with subscriber-level or higher privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request to uninstall the Gravity SMTP plugin, leveraging the missing authorization vulnerability. This request targets the WordPress plugin management endpoint.\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker crafts a CSRF attack that tricks a privileged user into triggering the malicious HTTP request to uninstall the plugin.\u003c/li\u003e\n\u003cli\u003eThe WordPress server receives the crafted request without proper authorization checks.\u003c/li\u003e\n\u003cli\u003eThe plugin\u0026rsquo;s uninstall function is executed, removing the Gravity SMTP plugin from the WordPress installation.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts another HTTP request to delete Gravity SMTP plugin options.\u003c/li\u003e\n\u003cli\u003eThe WordPress server processes the request, and the plugin options are deleted from the database.\u003c/li\u003e\n\u003cli\u003eThe Gravity SMTP plugin is uninstalled and deactivated, and its settings are removed, disrupting the email functionality of the WordPress site.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-4162 allows attackers with low-level privileges on a WordPress site to disable email functionality and manipulate plugin settings. While the number of affected installations remains unknown, the impact can be significant for organizations heavily reliant on WordPress for communication or critical business processes, potentially leading to disruption of services, loss of email functionality, and unauthorized access to sensitive data or configurations. The CVSS v3.1 score of 7.1 indicates a high severity, considering the ease of exploitation and the potential for widespread disruption.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the Gravity SMTP plugin to version 2.1.5 or later to patch CVE-2026-4162.\u003c/li\u003e\n\u003cli\u003eMonitor WordPress access logs for unauthorized requests targeting the plugin management endpoints to detect potential exploitation attempts. Deploy the Sigma rule \u003ccode\u003eDetect WordPress Plugin Uninstall via Missing Auth\u003c/code\u003e to identify suspicious activity.\u003c/li\u003e\n\u003cli\u003eImplement CSRF protection mechanisms within WordPress plugins to mitigate the risk of CSRF-based exploitation.\u003c/li\u003e\n\u003cli\u003eReview WordPress user roles and permissions to minimize the attack surface and restrict access to sensitive functionalities.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-10T10:16:04Z","date_published":"2026-04-10T10:16:04Z","id":"/briefs/2026-04-gravity-smtp-auth-bypass/","summary":"The Gravity SMTP plugin for WordPress is vulnerable to Missing Authorization, allowing authenticated attackers with subscriber-level access or higher to uninstall/deactivate the plugin and delete plugin options, and is also exploitable via Cross-Site Request Forgery.","title":"Gravity SMTP Plugin Missing Authorization Vulnerability (CVE-2026-4162)","url":"https://feed.craftedsignal.io/briefs/2026-04-gravity-smtp-auth-bypass/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.1,"id":"CVE-2026-4351"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["wordpress","perfmatters","file-overwrite","path-traversal"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe Perfmatters plugin for WordPress, in versions up to and including 2.5.9, is vulnerable to an arbitrary file overwrite vulnerability (CVE-2026-4351). This vulnerability stems from the \u003ccode\u003ePMCS::action_handler()\u003c/code\u003e method\u0026rsquo;s processing of bulk \u003ccode\u003eactivate\u003c/code\u003e/\u003ccode\u003edeactivate\u003c/code\u003e actions without proper authorization checks or nonce verification. The unsanitized \u003ccode\u003e$_GET['snippets'][]\u003c/code\u003e values are then passed to \u003ccode\u003eSnippet::activate()\u003c/code\u003e/\u003ccode\u003eSnippet::deactivate()\u003c/code\u003e, which subsequently call \u003ccode\u003eSnippet::update()\u003c/code\u003e and \u003ccode\u003efile_put_contents()\u003c/code\u003e with a traversed path. An authenticated attacker with subscriber-level privileges can exploit this flaw to overwrite arbitrary files on the server with a fixed PHP docblock, leading to a potential denial-of-service condition by corrupting critical files such as \u003ccode\u003e.htaccess\u003c/code\u003e or \u003ccode\u003eindex.php\u003c/code\u003e. This vulnerability allows low-privileged users to gain elevated privileges on the system.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker authenticates to the WordPress site with subscriber-level access.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious HTTP GET request targeting the WordPress installation.\u003c/li\u003e\n\u003cli\u003eThe GET request includes the \u003ccode\u003epmcs_action\u003c/code\u003e parameter set to \u003ccode\u003ebulk_activate\u003c/code\u003e or \u003ccode\u003ebulk_deactivate\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe GET request includes the \u003ccode\u003esnippets[]\u003c/code\u003e parameter containing a path traversal payload, such as \u003ccode\u003e../../../.htaccess\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ePMCS::action_handler()\u003c/code\u003e function processes the request without proper authorization or nonce validation.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eSnippet::activate()\u003c/code\u003e or \u003ccode\u003eSnippet::deactivate()\u003c/code\u003e functions are called, leading to \u003ccode\u003eSnippet::update()\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eSnippet::update()\u003c/code\u003e then calls \u003ccode\u003efile_put_contents()\u003c/code\u003e with the attacker-controlled path.\u003c/li\u003e\n\u003cli\u003eThe attacker overwrites the targeted file (e.g., \u003ccode\u003e.htaccess\u003c/code\u003e, \u003ccode\u003eindex.php\u003c/code\u003e) with a fixed PHP docblock, leading to a denial of service or further compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows an attacker to overwrite arbitrary files on the WordPress server. Overwriting critical files like \u003ccode\u003e.htaccess\u003c/code\u003e or \u003ccode\u003eindex.php\u003c/code\u003e can result in a denial-of-service condition, rendering the website unavailable. In some cases, this could be leveraged for further compromise by injecting malicious code into other PHP files or modifying server configurations. The vulnerability affects all installations using the Perfmatters plugin version 2.5.9 or earlier.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately update the Perfmatters plugin to the latest version to patch CVE-2026-4351.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Perfmatters Arbitrary File Overwrite Attempt\u003c/code\u003e to monitor for exploitation attempts targeting this vulnerability via HTTP GET requests.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious GET requests containing \u003ccode\u003epmcs_action=bulk_activate\u003c/code\u003e or \u003ccode\u003epmcs_action=bulk_deactivate\u003c/code\u003e and path traversal sequences within the \u003ccode\u003esnippets[]\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eImplement strict file permission controls to limit the impact of potential file overwrite vulnerabilities.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-10T02:37:36Z","date_published":"2026-04-10T02:37:36Z","id":"/briefs/2026-04-perfmatters-overwrite/","summary":"The Perfmatters plugin for WordPress is vulnerable to arbitrary file overwrite via path traversal, allowing authenticated attackers with subscriber-level access to overwrite arbitrary files on the server with a fixed PHP docblock content, potentially causing denial of service.","title":"Perfmatters WordPress Plugin Arbitrary File Overwrite Vulnerability (CVE-2026-4351)","url":"https://feed.craftedsignal.io/briefs/2026-04-perfmatters-overwrite/"},{"_cs_actors":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2026-34424"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["wordpress","joomla","remote-code-execution","plugin"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eSmart Slider 3 Pro version 3.5.1.35, a popular WordPress and Joomla plugin, is vulnerable to remote code execution due to a compromised update system. This vulnerability, tracked as CVE-2026-34424, allows unauthenticated attackers to inject a multi-stage remote access toolkit. The attackers leverage this toolkit to execute arbitrary code and commands, effectively taking control of the affected web server. This vulnerability poses a significant threat to websites using the vulnerable plugin, potentially leading to data theft, website defacement, or use of the server for malicious purposes. Defenders should prioritize patching or removing the affected plugin version immediately.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker compromises the Smart Slider 3 Pro update server.\u003c/li\u003e\n\u003cli\u003eA malicious update is pushed to vulnerable Smart Slider 3 Pro installations (version 3.5.1.35).\u003c/li\u003e\n\u003cli\u003eThe plugin downloads and installs the malicious update, injecting the multi-stage remote access toolkit.\u003c/li\u003e\n\u003cli\u003eThe attacker triggers pre-authentication remote shell execution by sending crafted HTTP headers to the web server.\u003c/li\u003e\n\u003cli\u003eAn authenticated backdoor is established, allowing the attacker to execute arbitrary PHP code or OS commands.\u003c/li\u003e\n\u003cli\u003eThe attacker creates hidden administrator accounts within WordPress or Joomla to maintain persistent access.\u003c/li\u003e\n\u003cli\u003eCredentials and access keys are exfiltrated from the compromised system.\u003c/li\u003e\n\u003cli\u003ePersistence is maintained through multiple injection points, including modifications to must-use plugins and core files.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-34424 leads to complete compromise of the affected web server. Attackers can gain unauthorized access to sensitive data, including user credentials, database information, and proprietary code. Websites can be defaced, injected with malware, or used as part of a botnet. The vulnerability affects all users of Smart Slider 3 Pro version 3.5.1.35, regardless of the underlying operating system. Given the widespread use of WordPress and Joomla, a large number of websites are potentially at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately remove or update Smart Slider 3 Pro to a patched version newer than 3.5.1.35 to remediate CVE-2026-34424.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious HTTP requests with unusual headers indicative of attempted pre-authentication shell execution as described in the Attack Chain.\u003c/li\u003e\n\u003cli\u003eImplement the provided Sigma rules to detect suspicious process creation and file modifications related to the injected toolkit.\u003c/li\u003e\n\u003cli\u003eAudit user accounts for unauthorized administrator accounts as the attacker creates hidden accounts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-09T23:17:00Z","date_published":"2026-04-09T23:17:00Z","id":"/briefs/2026-04-smart-slider-rce/","summary":"Smart Slider 3 Pro version 3.5.1.35 for WordPress and Joomla contains a multi-stage remote access toolkit injected through a compromised update system allowing unauthenticated remote code execution and system takeover.","title":"Smart Slider 3 Pro Compromised Update Leads to Remote Code Execution","url":"https://feed.craftedsignal.io/briefs/2026-04-smart-slider-rce/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.2,"id":"CVE-2023-54359"}],"_cs_exploited":true,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["wordpress","sql-injection","cve-2023-54359"],"_cs_type":"threat","_cs_vendors":[],"content_html":"\u003cp\u003eThe adivaha Travel plugin 2.3 for WordPress is susceptible to a time-based blind SQL injection vulnerability (CVE-2023-54359). This flaw allows unauthenticated attackers to inject malicious SQL code through the \u0026lsquo;pid\u0026rsquo; GET parameter in requests to the \u003ccode\u003e/mobile-app/v3/\u003c/code\u003e endpoint. By crafting specific \u0026lsquo;pid\u0026rsquo; values with XOR-based payloads, attackers can manipulate database queries. This vulnerability can be exploited to extract sensitive database information or to cause a denial-of-service condition on the affected WordPress site. Publicly available exploits exist, increasing the risk of widespread exploitation.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker identifies a WordPress site using the vulnerable adivaha Travel Plugin version 2.3.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP GET request targeting the \u003ccode\u003e/mobile-app/v3/\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe attacker injects SQL code into the \u003ccode\u003epid\u003c/code\u003e GET parameter, utilizing XOR-based payloads to bypass input validation or sanitization.\u003c/li\u003e\n\u003cli\u003eThe server processes the malicious SQL query against the WordPress database.\u003c/li\u003e\n\u003cli\u003eDue to the time-based blind SQL injection, the attacker infers information about the database by observing the response time of the server.\u003c/li\u003e\n\u003cli\u003eThrough repeated requests, the attacker extracts sensitive data from the database, such as user credentials, API keys, or other confidential information.\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker injects SQL code to cause a denial-of-service condition, such as by creating a very long delay.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the exfiltrated data for malicious purposes or further compromise of the WordPress site.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this SQL injection vulnerability can lead to the extraction of sensitive information from the WordPress database, potentially compromising user accounts, customer data, and other confidential information. Attackers could gain complete control over the affected website, leading to defacement, malware distribution, or further attacks on other systems. A successful denial-of-service attack could also disrupt the availability of the website, impacting business operations and user experience.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply any available patches or updates for the adivaha Travel Plugin to remediate CVE-2023-54359.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Suspicious adivaha Travel Plugin SQL Injection Attempt\u003c/code\u003e to your SIEM to identify potential exploitation attempts targeting the \u003ccode\u003e/mobile-app/v3/\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eInspect web server logs for requests to \u003ccode\u003e/mobile-app/v3/\u003c/code\u003e containing suspicious characters or SQL syntax in the \u003ccode\u003epid\u003c/code\u003e parameter to identify exploitation attempts (reference: vulnerable endpoint \u003ccode\u003e/mobile-app/v3/\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for connections to the URLs listed in the IOCs (reference: \u003ccode\u003ehttps://www.exploit-db.com/exploits/51655\u003c/code\u003e and \u003ccode\u003ehttps://www.vulncheck.com/advisories/wordpress-adivaha-travel-plugin-sql-injection-via-pid\u003c/code\u003e).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-09T21:16:05Z","date_published":"2026-04-09T21:16:05Z","id":"/briefs/2026-04-adivaha-sql-injection/","summary":"The WordPress adivaha Travel Plugin version 2.3 is vulnerable to time-based blind SQL injection via the 'pid' GET parameter, allowing unauthenticated attackers to inject SQL code through the /mobile-app/v3/ endpoint for potential data extraction or denial of service.","title":"WordPress adivaha Travel Plugin SQL Injection Vulnerability (CVE-2023-54359)","url":"https://feed.craftedsignal.io/briefs/2026-04-adivaha-sql-injection/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-3396"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["woocommerce","sqli","cve-2026-3396","wordpress","plugin"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe WooCommerce Ajax Product Filter (WCAPF) plugin, a WordPress extension, is susceptible to a time-based SQL Injection vulnerability (CVE-2026-3396). This flaw stems from inadequate input sanitization of the \u003ccode\u003epost-author\u003c/code\u003e parameter and insufficient preparation within the existing SQL query structure. Specifically, all versions of the plugin up to and including version 4.2.3 are affected. An unauthenticated attacker can exploit this vulnerability by injecting malicious SQL code into the \u003ccode\u003epost-author\u003c/code\u003e parameter. Successful exploitation allows the attacker to manipulate database queries and extract sensitive information without requiring authentication. This vulnerability poses a significant risk to e-commerce sites using the WCAPF plugin, as attackers could potentially access customer data, administrative credentials, or other confidential information.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker identifies a WooCommerce website using a vulnerable version (\u0026lt;=4.2.3) of the WCAPF plugin.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting an endpoint that utilizes the vulnerable \u003ccode\u003epost-author\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eThe crafted request includes SQL injection payload within the \u003ccode\u003epost-author\u003c/code\u003e parameter, designed to extract data using time-based techniques. For example, the attacker might use a \u003ccode\u003eSLEEP()\u003c/code\u003e function to introduce delays based on conditional database queries.\u003c/li\u003e\n\u003cli\u003eThe web server processes the request and passes the unsanitized \u003ccode\u003epost-author\u003c/code\u003e parameter to the database query.\u003c/li\u003e\n\u003cli\u003eThe injected SQL code manipulates the original query, causing the database to execute the attacker\u0026rsquo;s malicious commands.\u003c/li\u003e\n\u003cli\u003eBased on the response time (due to the \u003ccode\u003eSLEEP()\u003c/code\u003e function), the attacker infers whether their injected SQL query was successful in retrieving specific data.\u003c/li\u003e\n\u003cli\u003eThe attacker iteratively refines their SQL injection payload to extract sensitive information, such as user credentials or customer details.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates the obtained data, potentially using it for identity theft, financial fraud, or further attacks against the compromised website.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-3396 can lead to the complete compromise of the vulnerable WooCommerce website\u0026rsquo;s database. An attacker could potentially access sensitive customer data, including names, addresses, credit card details, and purchase history. Furthermore, administrative credentials could be stolen, allowing the attacker to gain full control over the website. This can result in significant financial losses, reputational damage, and legal liabilities for the affected e-commerce business. While the exact number of affected websites is unknown, any online store using the WCAPF plugin versions 4.2.3 or earlier is potentially at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the WCAPF plugin to a version greater than 4.2.3 to patch CVE-2026-3396 (references: CVE-2026-3396).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect WooCommerce SQL Injection Attempt\u003c/code\u003e to identify potential exploitation attempts in web server logs (references: Sigma rule).\u003c/li\u003e\n\u003cli\u003eImplement input validation and sanitization on the \u003ccode\u003epost-author\u003c/code\u003e parameter to prevent SQL injection attacks (references: Attack Chain).\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious requests containing SQL injection payloads, particularly those targeting WCAPF plugin endpoints (references: Sigma rule, Attack Chain).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-08T12:16:21Z","date_published":"2026-04-08T12:16:21Z","id":"/briefs/2026-04-woocommerce-sqli/","summary":"The WCAPF - WooCommerce Ajax Product Filter plugin is vulnerable to time-based SQL Injection (CVE-2026-3396) due to insufficient escaping and SQL query preparation, allowing unauthenticated attackers to extract sensitive information from the database in versions up to 4.2.3.","title":"WooCommerce Ajax Product Filter Plugin Vulnerable to SQL Injection (CVE-2026-3396)","url":"https://feed.craftedsignal.io/briefs/2026-04-woocommerce-sqli/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.2,"id":"CVE-2026-4808"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["wordpress","plugin","file-upload","remote-code-execution"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe Gerador de Certificados – DevApps plugin for WordPress, versions up to and including 1.3.6, contains an arbitrary file upload vulnerability (CVE-2026-4808). This flaw stems from a lack of file type validation within the \u003ccode\u003emoveUploadedFile()\u003c/code\u003e function. Authenticated users with administrator privileges or higher can exploit this vulnerability by uploading arbitrary files to the affected server. Successful exploitation could allow an attacker to execute arbitrary code on the server, leading to a complete system compromise. This vulnerability poses a significant threat to websites using the affected plugin, potentially impacting data confidentiality, integrity, and availability.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker authenticates to the WordPress site with administrator-level privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to the Gerador de Certificados – DevApps plugin\u0026rsquo;s upload functionality.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious file (e.g., a PHP file) with a disguised extension or no extension.\u003c/li\u003e\n\u003cli\u003eThe attacker uploads the malicious file through the plugin\u0026rsquo;s interface, bypassing the missing file type validation in the \u003ccode\u003emoveUploadedFile()\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe plugin saves the file to a publicly accessible directory on the server.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies the location of the uploaded file.\u003c/li\u003e\n\u003cli\u003eThe attacker sends an HTTP request to the uploaded file\u0026rsquo;s location.\u003c/li\u003e\n\u003cli\u003eThe server executes the malicious code within the uploaded file, granting the attacker remote code execution capabilities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows attackers with administrator privileges to upload arbitrary files to the web server. This can lead to remote code execution, potentially allowing the attacker to gain full control of the WordPress website and the underlying server. This could lead to data theft, website defacement, or use of the server for malicious purposes such as hosting phishing sites or launching attacks against other systems. The number of affected sites is potentially very large.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the Gerador de Certificados – DevApps plugin to the latest version, which includes a fix for CVE-2026-4808.\u003c/li\u003e\n\u003cli\u003eImplement web server configurations to prevent the execution of scripts in upload directories.\u003c/li\u003e\n\u003cli\u003eEnable web server logging and monitor for suspicious file uploads and access attempts to unusual file types.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule to detect attempts to access PHP files within the wp-content/uploads directory.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-08T07:16:22Z","date_published":"2026-04-08T07:16:22Z","id":"/briefs/2026-04-wordpress-upload/","summary":"The Gerador de Certificados – DevApps WordPress plugin is vulnerable to arbitrary file uploads due to missing file type validation, potentially leading to remote code execution.","title":"WordPress Plugin Vulnerability: Arbitrary File Upload in Gerador de Certificados – DevApps","url":"https://feed.craftedsignal.io/briefs/2026-04-wordpress-upload/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-3499"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["wordpress","woocommerce","csrf","cve-2026-3499"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe Product Feed PRO for WooCommerce by AdTribes – Product Feeds for WooCommerce plugin, a WordPress plugin, suffers from a Cross-Site Request Forgery (CSRF) vulnerability. Present in versions 13.4.6 through 13.5.2.1, this flaw allows unauthenticated attackers to execute administrative functions if they can successfully coerce a site administrator into performing an action, such as clicking a specially crafted link. The vulnerability stems from the plugin\u0026rsquo;s failure to implement proper nonce validation on several AJAX actions, including \u003ccode\u003eajax_migrate_to_custom_post_type\u003c/code\u003e, \u003ccode\u003eajax_adt_clear_custom_attributes_product_meta_keys\u003c/code\u003e, \u003ccode\u003eajax_update_file_url_to_lower_case\u003c/code\u003e, \u003ccode\u003eajax_use_legacy_filters_and_rules\u003c/code\u003e, and \u003ccode\u003eajax_fix_duplicate_feed\u003c/code\u003e. This vulnerability poses a significant risk to WooCommerce store owners using the affected plugin.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker crafts a malicious URL containing a request to one of the vulnerable AJAX actions (e.g., \u003ccode\u003eajax_migrate_to_custom_post_type\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker distributes the malicious URL via email, social media, or another channel, attempting to trick a WordPress administrator into clicking the link.\u003c/li\u003e\n\u003cli\u003eThe administrator, while authenticated to the WordPress admin panel, clicks the malicious link.\u003c/li\u003e\n\u003cli\u003eThe administrator\u0026rsquo;s browser sends the forged request to the WordPress server, including the administrator\u0026rsquo;s session cookies.\u003c/li\u003e\n\u003cli\u003eDue to the missing or incorrect nonce validation, the WordPress server processes the request as if it were a legitimate action performed by the administrator.\u003c/li\u003e\n\u003cli\u003eDepending on the specific AJAX action targeted, the attacker can trigger feed migration, clear custom attribute caches, rewrite feed file URLs to lowercase, toggle legacy filter and rule settings, or delete duplicate feed posts.\u003c/li\u003e\n\u003cli\u003eThe attacker repeats this process to perform other administrative actions, gaining control over the plugin\u0026rsquo;s settings and data.\u003c/li\u003e\n\u003cli\u003eThe attacker potentially manipulates product feeds to inject malicious content, redirect users, or compromise the WooCommerce store\u0026rsquo;s SEO.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this CSRF vulnerability (CVE-2026-3499) could allow an attacker to manipulate a WooCommerce store\u0026rsquo;s product feeds, potentially leading to data corruption, SEO poisoning, or the injection of malicious content. If successful, attackers could modify product information, redirect users to phishing sites, or damage the store\u0026rsquo;s reputation. The severity of the impact depends on the targeted AJAX action, but the potential for unauthorized administrative control is significant. Given the wide usage of WooCommerce and the Product Feed PRO plugin, a large number of online stores are potentially at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the Product Feed PRO for WooCommerce plugin to a patched version greater than 13.5.2.1 to remediate CVE-2026-3499.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rules to your SIEM to detect exploitation attempts targeting the vulnerable AJAX actions.\u003c/li\u003e\n\u003cli\u003eImplement web application firewall (WAF) rules to block requests to the vulnerable AJAX endpoints originating from suspicious referrers.\u003c/li\u003e\n\u003cli\u003eEducate WordPress administrators on the risks of CSRF attacks and the importance of verifying links before clicking them.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-08T02:16:04Z","date_published":"2026-04-08T02:16:04Z","id":"/briefs/2026-04-woocommerce-csrf/","summary":"The Product Feed PRO for WooCommerce WordPress plugin (versions 13.4.6-13.5.2.1) is vulnerable to Cross-Site Request Forgery (CSRF) attacks, allowing unauthenticated attackers to perform administrative actions by tricking an administrator into clicking a malicious link.","title":"Product Feed PRO for WooCommerce Plugin CSRF Vulnerability (CVE-2026-3499)","url":"https://feed.craftedsignal.io/briefs/2026-04-woocommerce-csrf/"},{"_cs_actors":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2026-3296"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["wordpress","php","object-injection","rce","cve-2026-3296"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe Everest Forms plugin for WordPress, a widely used form builder, contains a critical PHP Object Injection vulnerability (CVE-2026-3296) affecting versions up to and including 3.4.3. This vulnerability stems from the insecure deserialization of user-supplied data within the \u003ccode\u003ehtml-admin-page-entries-view.php\u003c/code\u003e file. Specifically, the plugin uses PHP\u0026rsquo;s \u003ccode\u003eunserialize()\u003c/code\u003e function on form entry metadata stored in the \u003ccode\u003ewp_evf_entrymeta\u003c/code\u003e table without specifying allowed classes, creating an exploitable condition. An unauthenticated attacker can inject malicious serialized PHP objects through any public form field. The \u003ccode\u003esanitize_text_field()\u003c/code\u003e function fails to prevent these attacks because it doesn\u0026rsquo;t strip serialization control characters. This allows attackers to execute arbitrary PHP code on the WordPress server when an administrator views form entries. This vulnerability poses a significant risk to WordPress sites using the Everest Forms plugin.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker submits a malicious serialized PHP object through a public Everest Forms form field.\u003c/li\u003e\n\u003cli\u003eThe submitted payload bypasses the \u003ccode\u003esanitize_text_field()\u003c/code\u003e function due to the function\u0026rsquo;s failure to remove serialization control characters.\u003c/li\u003e\n\u003cli\u003eThe crafted serialized object is stored in the \u003ccode\u003ewp_evf_entrymeta\u003c/code\u003e database table associated with the form entry.\u003c/li\u003e\n\u003cli\u003eAn administrator accesses the WordPress administration panel and navigates to the Everest Forms entries section.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ehtml-admin-page-entries-view.php\u003c/code\u003e file is executed to display form entries and their associated metadata.\u003c/li\u003e\n\u003cli\u003eThe plugin retrieves the stored serialized object from the \u003ccode\u003ewp_evf_entrymeta\u003c/code\u003e table.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eunserialize()\u003c/code\u003e function is called on the retrieved data \u003cem\u003ewithout\u003c/em\u003e the \u003ccode\u003eallowed_classes\u003c/code\u003e parameter, triggering PHP Object Injection.\u003c/li\u003e\n\u003cli\u003eThe injected PHP object is instantiated, leading to arbitrary PHP code execution on the server, potentially granting the attacker complete control over the WordPress site.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability (CVE-2026-3296) can lead to complete compromise of the WordPress website. An attacker can gain remote code execution, allowing them to inject malware, deface the site, steal sensitive data (including user credentials and financial information), or use the compromised server as part of a botnet. Given the widespread use of the Everest Forms plugin, a large number of WordPress sites are potentially vulnerable. The CVSS v3.1 base score of 9.8 reflects the critical severity of this vulnerability.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately update the Everest Forms plugin to the latest version (greater than 3.4.3) to patch CVE-2026-3296.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Suspicious unserialize Call in Everest Forms\u003c/code\u003e to identify potential exploitation attempts in web server logs.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious POST requests to WordPress form submission endpoints containing serialized PHP objects, as detected by the \u003ccode\u003eDetect Suspicious Form Submission with Serialized Data\u003c/code\u003e Sigma rule.\u003c/li\u003e\n\u003cli\u003eImplement a Web Application Firewall (WAF) rule to block requests containing serialized PHP objects in form submission data.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-08T02:16:04Z","date_published":"2026-04-08T02:16:04Z","id":"/briefs/2026-04-everest-forms-rce/","summary":"The Everest Forms plugin for WordPress is vulnerable to PHP Object Injection (CVE-2026-3296) in versions up to 3.4.3, allowing unauthenticated attackers to execute arbitrary code by injecting serialized PHP objects via form fields.","title":"Everest Forms WordPress Plugin PHP Object Injection Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-everest-forms-rce/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-34896"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["wordpress","csrf","vulnerability"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA cross-site request forgery (CSRF) vulnerability, identified as CVE-2026-34896, affects the Analytify Under Construction, Coming Soon \u0026amp; Maintenance Mode WordPress plugin. This vulnerability allows an attacker to trick a user into performing actions they did not intend to, such as modifying plugin settings or performing administrative tasks, provided the targeted user is authenticated to the WordPress site. The vulnerability exists in versions from n/a through 2.1.1. The vulnerability was reported to affect a publicly available plugin, increasing the scope of potentially impacted websites. Successful exploitation could lead to arbitrary code execution depending on the privileges of the targeted user and plugin functionality that can be abused.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a vulnerable WordPress site running the affected plugin.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTML page containing a CSRF exploit. This page contains a crafted HTTP request designed to trigger a specific action within the plugin (e.g., changing settings) when submitted by an authenticated user.\u003c/li\u003e\n\u003cli\u003eThe attacker distributes the malicious HTML page via email, social media, or other means to a targeted WordPress administrator or user.\u003c/li\u003e\n\u003cli\u003eThe targeted user, while logged into the vulnerable WordPress site, visits the malicious HTML page.\u003c/li\u003e\n\u003cli\u003eThe user\u0026rsquo;s browser automatically submits the crafted HTTP request to the WordPress site without the user\u0026rsquo;s knowledge or consent.\u003c/li\u003e\n\u003cli\u003eThe WordPress site, believing the request originated from the authenticated user, processes the request and executes the attacker\u0026rsquo;s desired action.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s malicious action, such as changing plugin settings, is successfully performed on the vulnerable WordPress site.\u003c/li\u003e\n\u003cli\u003eDepending on the privileges of the compromised user and vulnerable plugin settings, the attacker may be able to achieve arbitrary code execution, site defacement, or data theft.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this CSRF vulnerability (CVE-2026-34896) in the Analytify Under Construction, Coming Soon \u0026amp; Maintenance Mode WordPress plugin could lead to unauthorized modification of website settings, potentially resulting in site defacement, malware injection, or complete website takeover. The impact depends on the targeted user\u0026rsquo;s privileges and the plugin\u0026rsquo;s configurable options. While the exact number of affected websites is unknown, the plugin\u0026rsquo;s popularity suggests a potentially broad impact across various sectors using WordPress for their online presence.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the Analytify Under Construction, Coming Soon \u0026amp; Maintenance Mode WordPress plugin to a version beyond 2.1.1 to patch CVE-2026-34896.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect WordPress Plugin Setting Changes via POST\u003c/code\u003e to monitor for unauthorized changes to WordPress plugins.\u003c/li\u003e\n\u003cli\u003eEducate WordPress users on the risks of CSRF attacks and the importance of verifying the legitimacy of links and websites before clicking them.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-07T09:16:21Z","date_published":"2026-04-07T09:16:21Z","id":"/briefs/2026-04-wordpress-csrf/","summary":"A cross-site request forgery (CSRF) vulnerability exists in the Analytify Under Construction, Coming Soon \u0026 Maintenance Mode WordPress plugin (versions n/a through 2.1.1), potentially allowing attackers to execute unauthorized actions on behalf of legitimate users.","title":"CSRF Vulnerability in WordPress Under Construction Plugin (CVE-2026-34896)","url":"https://feed.craftedsignal.io/briefs/2026-04-wordpress-csrf/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-5465"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["wordpress","amelia","idor","privilege-escalation"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe Amelia WordPress plugin, specifically the \u0026ldquo;Booking for Appointments and Events Calendar\u0026rdquo;, contains an Insecure Direct Object Reference (IDOR) vulnerability (CVE-2026-5465) in versions up to and including 2.1.3. This flaw resides within the \u003ccode\u003eUpdateProviderCommandHandler\u003c/code\u003e and stems from insufficient validation when a Provider (Employee) user modifies their profile. The critical issue is the ability to manipulate the \u003ccode\u003eexternalId\u003c/code\u003e field, which directly corresponds to a WordPress user ID. By injecting an arbitrary \u003ccode\u003eexternalId\u003c/code\u003e value during a profile update, an authenticated attacker with Provider-level access or higher can bypass authorization checks. This oversight permits the attacker to execute functions such as \u003ccode\u003ewp_set_password()\u003c/code\u003e and \u003ccode\u003ewp_update_user()\u003c/code\u003e on behalf of any other user, including those with Administrator privileges. This vulnerability allows for complete account takeover, representing a significant risk for organizations utilizing the vulnerable plugin.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains authenticated access to a WordPress instance with the Amelia plugin installed, possessing at least Provider (Employee) level privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to their user profile within the Amelia plugin interface.\u003c/li\u003e\n\u003cli\u003eThe attacker intercepts the HTTP request generated when updating their profile using a tool like Burp Suite or browser developer tools.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the \u003ccode\u003eexternalId\u003c/code\u003e parameter within the intercepted HTTP request, replacing its original value with the WordPress user ID of the target account they wish to compromise (e.g., the Administrator account, typically user ID 1).\u003c/li\u003e\n\u003cli\u003eThe attacker sends the modified HTTP request to the server.\u003c/li\u003e\n\u003cli\u003eDue to the IDOR vulnerability, the \u003ccode\u003eUpdateProviderCommandHandler\u003c/code\u003e fails to validate the manipulated \u003ccode\u003eexternalId\u003c/code\u003e value.\u003c/li\u003e\n\u003cli\u003eThe Amelia plugin\u0026rsquo;s backend utilizes the attacker-controlled \u003ccode\u003eexternalId\u003c/code\u003e to call \u003ccode\u003ewp_set_password()\u003c/code\u003e and/or \u003ccode\u003ewp_update_user()\u003c/code\u003e on the target account.\u003c/li\u003e\n\u003cli\u003eThe attacker successfully changes the password or other profile details of the target account, achieving complete account takeover and escalating privileges.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-5465 allows an attacker with minimal privileges (Provider/Employee role) to compromise any other account on the WordPress instance, including Administrator accounts. This grants the attacker full control over the WordPress site, enabling them to install malicious plugins, modify content, exfiltrate sensitive data, or further compromise the underlying server. The number of potential victims is directly proportional to the number of websites utilizing the vulnerable Amelia plugin. Given the plugin\u0026rsquo;s popularity, a successful mass exploitation could impact thousands of websites across various sectors.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately update the Amelia WordPress plugin to the latest version (greater than 2.1.3) to patch CVE-2026-5465.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for POST requests to the \u003ccode\u003e/wp-admin/admin-ajax.php\u003c/code\u003e endpoint with the \u003ccode\u003eaction\u003c/code\u003e parameter set to \u003ccode\u003eam_update_provider\u003c/code\u003e and a modified \u003ccode\u003eexternalId\u003c/code\u003e parameter in the request body. Implement the Sigma rule \u003ccode\u003eDetect Amelia Plugin IDOR Attack\u003c/code\u003e to detect such activity.\u003c/li\u003e\n\u003cli\u003eImplement strong password policies and multi-factor authentication for all WordPress accounts, including those with limited privileges, to mitigate the impact of potential account compromises.\u003c/li\u003e\n\u003cli\u003eReview and audit existing WordPress user accounts and their assigned roles to identify and remove any unnecessary or excessive privileges.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-07T07:16:24Z","date_published":"2026-04-07T07:16:24Z","id":"/briefs/2026-04-amelia-idor/","summary":"The Amelia WordPress plugin is vulnerable to an insecure direct object reference, allowing authenticated attackers with Provider-level access or higher to escalate privileges and gain persistence by taking over any WordPress account, including Administrator by manipulating the `externalId` field.","title":"Amelia WordPress Plugin IDOR Vulnerability CVE-2026-5465","url":"https://feed.craftedsignal.io/briefs/2026-04-amelia-idor/"},{"_cs_actors":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2026-0740"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["wordpress","file-upload","rce","CVE-2026-0740"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe Ninja Forms - File Uploads plugin for WordPress, specifically versions up to and including 3.3.26, contains an arbitrary file upload vulnerability (CVE-2026-0740). This flaw stems from a lack of proper file type validation within the \u003ccode\u003eNF_FU_AJAX_Controllers_Uploads::handle_upload\u003c/code\u003e function. An unauthenticated attacker can exploit this vulnerability to upload arbitrary files to the affected WordPress server. Successful exploitation could enable remote code execution, allowing the attacker to compromise the web server and potentially the underlying network. The vulnerability was partially addressed in version 3.3.25 and fully resolved in version 3.3.27. This vulnerability poses a significant risk to organizations using the vulnerable plugin, potentially leading to data breaches, website defacement, or complete system compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker sends a crafted HTTP POST request to the WordPress server targeting the \u003ccode\u003ewp-admin/admin-ajax.php\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe POST request includes a malicious file disguised as a legitimate file type, exploiting the missing file type validation in the \u003ccode\u003eNF_FU_AJAX_Controllers_Uploads::handle_upload\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ehandle_upload\u003c/code\u003e function processes the request without properly validating the file type, allowing the malicious file to be uploaded to the server.\u003c/li\u003e\n\u003cli\u003eThe uploaded file is stored in the WordPress uploads directory, typically located within the \u003ccode\u003ewp-content/uploads/ninja-forms-uploads/\u003c/code\u003e directory.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts the malicious file (e.g., a PHP script) to execute arbitrary code on the server when accessed.\u003c/li\u003e\n\u003cli\u003eThe attacker accesses the uploaded malicious file via a direct HTTP request to the file\u0026rsquo;s location within the uploads directory.\u003c/li\u003e\n\u003cli\u003eThe web server executes the malicious file (e.g., a PHP script), granting the attacker the ability to execute arbitrary commands on the server.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the executed code to gain a persistent foothold on the server, install malware, or exfiltrate sensitive data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-0740 allows unauthenticated attackers to upload arbitrary files, potentially leading to remote code execution. This can result in complete compromise of the WordPress website, including data breaches, website defacement, and installation of backdoors. The impact is significant due to the widespread use of WordPress and the Ninja Forms plugin. Even a single successful attack can lead to substantial financial losses, reputational damage, and legal liabilities. Websites utilizing versions of the Ninja Forms File Uploads plugin prior to 3.3.27 are vulnerable.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the Ninja Forms File Uploads plugin to version 3.3.27 or later to fully patch CVE-2026-0740.\u003c/li\u003e\n\u003cli\u003eImplement web application firewall (WAF) rules to detect and block malicious file upload attempts targeting the \u003ccode\u003ewp-admin/admin-ajax.php\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eMonitor web server access logs for suspicious requests to the \u003ccode\u003ewp-content/uploads/ninja-forms-uploads/\u003c/code\u003e directory.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Ninja Forms Arbitrary File Upload Attempt\u0026rdquo; to identify potential exploitation attempts in web server logs.\u003c/li\u003e\n\u003cli\u003eEnforce strict file type validation on all file upload forms, even after upgrading the plugin, as a defense-in-depth measure.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-07T05:16:06Z","date_published":"2026-04-07T05:16:06Z","id":"/briefs/2026-04-ninja-forms-rce/","summary":"The Ninja Forms File Uploads plugin for WordPress is vulnerable to unauthenticated arbitrary file uploads due to missing file type validation, potentially leading to remote code execution.","title":"Ninja Forms File Upload Plugin Vulnerability Leads to RCE","url":"https://feed.craftedsignal.io/briefs/2026-04-ninja-forms-rce/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.5,"id":"CVE-2026-34885"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["sql-injection","wordpress","plugin-vulnerability"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-34885 describes an SQL Injection vulnerability affecting the Media Library Assistant WordPress plugin. This plugin, developed by David Lingren, is vulnerable in versions up to and including 3.34. The vulnerability stems from improper neutralization of special elements used in SQL commands, potentially allowing attackers to inject malicious SQL code. Exploitation could lead to unauthorized data access, modification, or deletion within the WordPress database. Given the widespread use of WordPress and its plugin ecosystem, this vulnerability presents a significant risk to websites utilizing the affected plugin. Successful exploitation could compromise sensitive information, deface websites, or even gain administrative control.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a WordPress website using Media Library Assistant version 3.34 or earlier.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request containing SQL injection payload in a plugin parameter, such as a search query or media metadata field.\u003c/li\u003e\n\u003cli\u003eThe crafted request is sent to the vulnerable endpoint within the Media Library Assistant plugin.\u003c/li\u003e\n\u003cli\u003eThe plugin fails to properly sanitize or neutralize the SQL injection payload.\u003c/li\u003e\n\u003cli\u003eThe unsanitized payload is incorporated into an SQL query executed against the WordPress database.\u003c/li\u003e\n\u003cli\u003eThe injected SQL code manipulates the query logic, allowing the attacker to bypass security checks.\u003c/li\u003e\n\u003cli\u003eThe attacker extracts sensitive data from the database, such as user credentials, posts, or other stored information.\u003c/li\u003e\n\u003cli\u003eThe attacker could potentially modify or delete data, or even gain administrative access to the WordPress site.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this SQL injection vulnerability could lead to a range of damaging outcomes. Attackers could gain unauthorized access to sensitive data stored within the WordPress database, including user credentials, customer information, and proprietary content. This data could be exfiltrated and sold on the dark web or used for further malicious activities. Website defacement, data modification, and complete site compromise are also potential consequences. The number of affected websites is potentially large, given the popularity of WordPress and its extensive plugin ecosystem.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the Media Library Assistant WordPress plugin to a version higher than 3.34 to patch CVE-2026-34885.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect SQL Injection Attempts via HTTP Request\u003c/code\u003e to identify potential exploitation attempts in web server logs.\u003c/li\u003e\n\u003cli\u003eImplement a Web Application Firewall (WAF) with rules specifically designed to detect and block SQL injection attacks against WordPress plugins.\u003c/li\u003e\n\u003cli\u003eEnable regular security audits of WordPress installations and plugins to identify and address vulnerabilities promptly.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-06T15:17:11Z","date_published":"2026-04-06T15:17:11Z","id":"/briefs/2026-04-mla-sql-injection/","summary":"The Media Library Assistant WordPress plugin through version 3.34 is vulnerable to SQL injection, allowing attackers to manipulate database queries.","title":"Media Library Assistant WordPress Plugin SQL Injection Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-mla-sql-injection/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.2,"id":"CVE-2026-5425"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["wordpress","xss","cve-2026-5425","plugin"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe Widgets for Social Photo Feed plugin for WordPress, versions up to and including 1.7.9, contains a stored Cross-Site Scripting (XSS) vulnerability (CVE-2026-5425). This vulnerability stems from insufficient input sanitization and output escaping of the \u0026lsquo;feed_data\u0026rsquo; parameter keys. An unauthenticated attacker can exploit this flaw by injecting malicious JavaScript code into the WordPress database. When a user visits a page containing a vulnerable widget, the injected script executes within their browser, potentially leading to session hijacking, account takeover, or other malicious activities. This vulnerability was reported by Wordfence and patched in version 1.8 of the plugin.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe unauthenticated attacker identifies a WordPress site using a vulnerable version (\u0026lt;= 1.7.9) of the Widgets for Social Photo Feed plugin.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting the plugin\u0026rsquo;s functionality that handles the \u003ccode\u003efeed_data\u003c/code\u003e parameter. This request contains XSS payload within the parameter keys.\u003c/li\u003e\n\u003cli\u003eThe WordPress server receives the crafted HTTP request. The vulnerable plugin processes the request without proper input sanitization or output escaping.\u003c/li\u003e\n\u003cli\u003eThe malicious XSS payload is stored in the WordPress database, associated with the plugin\u0026rsquo;s settings or data.\u003c/li\u003e\n\u003cli\u003eA legitimate user visits a page on the WordPress site where the affected widget is displayed.\u003c/li\u003e\n\u003cli\u003eThe WordPress server retrieves the plugin data, including the stored XSS payload, from the database.\u003c/li\u003e\n\u003cli\u003eThe server renders the page with the unsanitized XSS payload embedded within the HTML output.\u003c/li\u003e\n\u003cli\u003eThe user\u0026rsquo;s browser receives the HTML page containing the malicious script and executes it. This could lead to redirection, information theft, or further compromise of the user\u0026rsquo;s session.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an unauthenticated attacker to execute arbitrary JavaScript code in the context of a website user\u0026rsquo;s browser. This can result in session hijacking, defacement of the website, redirection to malicious sites, or the theft of sensitive information. While the exact number of vulnerable installations is not available, the widespread use of WordPress plugins makes this a potentially significant threat, particularly for sites that do not promptly apply security updates.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the Widgets for Social Photo Feed plugin to version 1.8 or later to patch CVE-2026-5425.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect WordPress Social Photo Feed XSS Attempt\u003c/code\u003e to identify exploitation attempts in web server logs.\u003c/li\u003e\n\u003cli\u003eImplement a web application firewall (WAF) rule to filter out requests containing potentially malicious JavaScript code in the \u003ccode\u003efeed_data\u003c/code\u003e parameter.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-04T09:16:20Z","date_published":"2026-04-04T09:16:20Z","id":"/briefs/2026-04-wordpress-xss/","summary":"The Widgets for Social Photo Feed plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via the 'feed_data' parameter, allowing unauthenticated attackers to inject arbitrary web scripts in pages that will execute when a user accesses the injected page.","title":"WordPress Widgets for Social Photo Feed Plugin Stored XSS Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-wordpress-xss/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.1,"id":"CVE-2026-3445"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["wordpress","plugin","vulnerability","membership"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe ProfilePress plugin for WordPress, specifically the \u0026ldquo;Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile \u0026amp; Restrict Content\u0026rdquo; version 4.16.11 and earlier, contains a vulnerability (CVE-2026-3445) that allows authenticated attackers to bypass membership payment requirements. This flaw stems from a missing ownership verification on the \u003ccode\u003echange_plan_sub_id\u003c/code\u003e parameter within the \u003ccode\u003eprocess_checkout()\u003c/code\u003e function. An attacker with subscriber-level access can exploit this by referencing another user\u0026rsquo;s active subscription during the checkout process. This manipulation affects proration calculations, ultimately enabling the attacker to obtain paid lifetime membership plans without submitting legitimate payment. This vulnerability is triggered via the \u003ccode\u003eppress_process_checkout\u003c/code\u003e AJAX action, making it critical for defenders to implement appropriate detection and mitigation strategies.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker registers a new account on the WordPress site with the vulnerable ProfilePress plugin installed, obtaining subscriber-level access.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a valid, active subscription ID belonging to another user within the ProfilePress system.\u003c/li\u003e\n\u003cli\u003eThe attacker initiates the purchase of a paid membership plan (e.g., a lifetime membership).\u003c/li\u003e\n\u003cli\u003eDuring the checkout process, the attacker intercepts the HTTP request sent to the \u003ccode\u003eppress_process_checkout\u003c/code\u003e AJAX action.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the \u003ccode\u003echange_plan_sub_id\u003c/code\u003e parameter within the request, replacing the expected value with the subscription ID of the other user.\u003c/li\u003e\n\u003cli\u003eThe server-side \u003ccode\u003eprocess_checkout()\u003c/code\u003e function fails to properly validate the ownership of the provided \u003ccode\u003echange_plan_sub_id\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eDue to the manipulated \u003ccode\u003echange_plan_sub_id\u003c/code\u003e, the proration calculations are skewed, resulting in a significantly reduced or zeroed payment amount.\u003c/li\u003e\n\u003cli\u003eThe attacker completes the checkout process without making a legitimate payment and is granted access to the paid membership plan.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-3445 allows attackers to bypass payment requirements and gain unauthorized access to premium content and features offered through the ProfilePress plugin. This can result in significant revenue loss for website owners relying on paid memberships. The number of affected websites is potentially large, given the popularity of WordPress and the ProfilePress plugin. This vulnerability could also damage the reputation of the affected website and erode trust among legitimate paying members.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to ProfilePress version 4.16.12 or later to patch CVE-2026-3445 (reference: vulnerability description).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect ProfilePress Membership Bypass Attempt\u003c/code\u003e to your SIEM and tune for your environment to detect potential exploitation attempts by monitoring for the use of the \u003ccode\u003eppress_process_checkout\u003c/code\u003e AJAX action with suspicious \u003ccode\u003echange_plan_sub_id\u003c/code\u003e values (reference: Sigma rule).\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for POST requests to the \u003ccode\u003e/wp-admin/admin-ajax.php\u003c/code\u003e endpoint with the \u003ccode\u003eaction\u003c/code\u003e parameter set to \u003ccode\u003eppress_process_checkout\u003c/code\u003e to identify potential exploit attempts (reference: Attack Chain).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-04T09:16:20Z","date_published":"2026-04-04T09:16:20Z","id":"/briefs/2026-04-profilepress-bypass/","summary":"The ProfilePress WordPress plugin before 4.16.12 is vulnerable to an unauthorized membership payment bypass, allowing authenticated attackers to obtain paid memberships without payment by manipulating subscription IDs during checkout.","title":"ProfilePress WordPress Plugin Membership Payment Bypass Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-profilepress-bypass/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.1,"id":"CVE-2026-4350"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["cve-2026-4350","wordpress","perfmatters","file-deletion","path-traversal"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe Perfmatters plugin, a popular WordPress performance optimization tool, contains a critical vulnerability (CVE-2026-4350) affecting versions up to and including 2.5.9.1. This flaw enables authenticated attackers with Subscriber-level access, the lowest privilege level in WordPress, to delete arbitrary files on the server. The vulnerability stems from the \u003ccode\u003ePMCS::action_handler()\u003c/code\u003e method\u0026rsquo;s failure to sanitize the \u003ccode\u003e$_GET['delete']\u003c/code\u003e parameter. This lack of validation allows for path traversal attacks using sequences like \u003ccode\u003e../\u003c/code\u003e, enabling attackers to navigate outside the intended storage directory and delete any accessible file. Successful exploitation can lead to the deletion of critical files such as \u003ccode\u003ewp-config.php\u003c/code\u003e, effectively disabling the website and potentially allowing a full site takeover.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a WordPress site using a vulnerable version (\u0026lt;=2.5.9.1) of the Perfmatters plugin.\u003c/li\u003e\n\u003cli\u003eAttacker gains Subscriber-level access to the WordPress site. This can be achieved through registration or compromised credentials.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious HTTP GET request targeting the WordPress site. The request includes the \u003ccode\u003edelete\u003c/code\u003e parameter with a path traversal payload. For example: \u003ccode\u003e?delete=../../../../wp-config.php\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe request is sent to the \u003ccode\u003ePMCS::action_handler()\u003c/code\u003e method within the Perfmatters plugin.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ePMCS::action_handler()\u003c/code\u003e method processes the unsanitized \u003ccode\u003e$_GET['delete']\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eThe plugin concatenates the malicious path with the storage directory.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eunlink()\u003c/code\u003e function executes, deleting the file specified by the attacker\u0026rsquo;s path traversal payload.\u003c/li\u003e\n\u003cli\u003eIf the attacker successfully deletes \u003ccode\u003ewp-config.php\u003c/code\u003e, the WordPress site becomes inaccessible and redirects to the installation wizard, potentially allowing for complete site takeover.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-4350 allows attackers to delete arbitrary files on a vulnerable WordPress server. A key target is \u003ccode\u003ewp-config.php\u003c/code\u003e, which contains sensitive database credentials. Deleting this file forces WordPress into the installation wizard, potentially leading to a full site takeover. The impact ranges from defacement and data loss to complete control of the website, impacting businesses, organizations, and individuals relying on WordPress for their online presence. The ease of exploitation due to the low privilege requirements makes this a high-risk vulnerability.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately update the Perfmatters plugin to the latest version to patch CVE-2026-4350.\u003c/li\u003e\n\u003cli\u003eImplement the provided Sigma rule \u003ccode\u003eDetect Perfmatters Arbitrary File Deletion Attempt\u003c/code\u003e to identify potential exploitation attempts based on \u003ccode\u003ecs-uri-query\u003c/code\u003e in web server logs.\u003c/li\u003e\n\u003cli\u003eConsider implementing rate limiting on requests to \u003ccode\u003ewp-admin/options.php\u003c/code\u003e to mitigate potential brute-force exploitation attempts targeting this vulnerability.\u003c/li\u003e\n\u003cli\u003eReview web server access logs for unusual patterns in \u003ccode\u003ecs-uri-query\u003c/code\u003e parameters containing \u003ccode\u003e../\u003c/code\u003e sequences, as these may indicate path traversal attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-03T08:16:17Z","date_published":"2026-04-03T08:16:17Z","id":"/briefs/2026-04-perfmatters-file-deletion/","summary":"The Perfmatters plugin for WordPress versions up to 2.5.9.1 is vulnerable to arbitrary file deletion via path traversal, allowing authenticated attackers with minimal privileges to delete sensitive files.","title":"Perfmatters WordPress Plugin Arbitrary File Deletion Vulnerability (CVE-2026-4350)","url":"https://feed.craftedsignal.io/briefs/2026-04-perfmatters-file-deletion/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.2,"id":"CVE-2026-0686"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["ssrf","wordpress","webmention","cve-2026-0686"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe Webmention plugin for WordPress, a plugin designed to facilitate webmention communications, contains a Server-Side Request Forgery (SSRF) vulnerability identified as CVE-2026-0686. This vulnerability affects all versions of the plugin up to and including 5.6.2. The vulnerability resides within the \u0026lsquo;MF2::parse_authorpage\u0026rsquo; function, accessible through the \u0026lsquo;Receiver::post\u0026rsquo; function. An unauthenticated attacker can exploit this flaw to force the WordPress server to make HTTP requests to arbitrary external or internal locations. This can be leveraged to gather sensitive information from internal services, bypass firewalls, or potentially modify data depending on the accessibility of internal resources. The vulnerable code was present as of April 2026 in the version 5.6.2 branch.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker crafts a malicious webmention request targeting a WordPress site running the vulnerable Webmention plugin.\u003c/li\u003e\n\u003cli\u003eThe WordPress site receives the webmention request and processes it using the \u0026lsquo;Receiver::post\u0026rsquo; function.\u003c/li\u003e\n\u003cli\u003eThe \u0026lsquo;Receiver::post\u0026rsquo; function calls the \u0026lsquo;MF2::parse_authorpage\u0026rsquo; function to parse the author page URL specified in the webmention request.\u003c/li\u003e\n\u003cli\u003eThe \u0026lsquo;MF2::parse_authorpage\u0026rsquo; function, due to lack of proper validation, makes an HTTP request to an attacker-controlled or internal URL specified within the webmention data.\u003c/li\u003e\n\u003cli\u003eThe WordPress server initiates a connection to the specified URL, potentially bypassing firewall restrictions or accessing internal services not directly exposed to the internet.\u003c/li\u003e\n\u003cli\u003eThe response from the targeted URL is processed by the plugin, potentially revealing information about the internal network or services.\u003c/li\u003e\n\u003cli\u003eDepending on the targeted internal service and the attacker\u0026rsquo;s crafted request, the attacker might be able to modify data or execute commands.\u003c/li\u003e\n\u003cli\u003eSuccessful exploitation leads to information disclosure, internal service compromise, or potential remote code execution depending on the vulnerable internal service.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-0686 allows unauthenticated attackers to perform Server-Side Request Forgery attacks against WordPress sites utilizing the Webmention plugin. This can lead to the exposure of sensitive information from internal services, such as configuration files or database credentials. Furthermore, attackers could potentially leverage this vulnerability to interact with and potentially compromise other internal systems that are not directly accessible from the internet, leading to a full compromise of the affected network. While the exact number of affected WordPress installations is unknown, the widespread use of the Webmention plugin makes this a significant risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the Webmention plugin to a version higher than 5.6.2 to patch CVE-2026-0686.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Webmention SSRF Attempt via Request to Internal IP\u0026rdquo; to identify exploitation attempts in web server logs.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for unusual outbound connections originating from the WordPress server to internal IP addresses.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit the impact of potential SSRF attacks, restricting access from the WordPress server to only necessary internal services.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-02T08:16:27Z","date_published":"2026-04-02T08:16:27Z","id":"/briefs/2026-04-wordpress-webmention-ssrf/","summary":"The Webmention plugin for WordPress is vulnerable to Server-Side Request Forgery (SSRF) in versions up to 5.6.2, allowing unauthenticated attackers to make arbitrary web requests and potentially query or modify internal services.","title":"WordPress Webmention Plugin SSRF Vulnerability (CVE-2026-0686)","url":"https://feed.craftedsignal.io/briefs/2026-04-wordpress-webmention-ssrf/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.1,"id":"CVE-2026-4347"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["wordpress","file-move","rce"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe MW WP Form plugin for WordPress is susceptible to an arbitrary file moving vulnerability identified as CVE-2026-4347. This flaw stems from a lack of proper file path validation within the \u0026lsquo;generate_user_filepath\u0026rsquo; and \u0026lsquo;move_temp_file_to_upload_dir\u0026rsquo; functions. All versions of the plugin up to and including 5.1.0 are affected. An unauthenticated attacker can exploit this vulnerability to move arbitrary files on the server, potentially overwriting or relocating critical system files. The most severe outcome is remote code execution, which can be achieved by moving files such as \u0026lsquo;wp-config.php\u0026rsquo; to a location where its contents are exposed. The vulnerability is only exploitable when a file upload field exists on a form and the “Saving inquiry data in database” option is enabled, narrowing the attack surface but increasing the risk for affected installations.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker identifies a WordPress site using a vulnerable version of the MW WP Form plugin (\u0026lt;= 5.1.0) with a file upload field enabled and the \u0026ldquo;Saving inquiry data in database\u0026rdquo; option turned on.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious request to the WordPress site, targeting the file upload functionality of the MW WP Form plugin.\u003c/li\u003e\n\u003cli\u003eThe attacker manipulates the file path within the request, exploiting the insufficient validation in the \u0026lsquo;generate_user_filepath\u0026rsquo; function to specify a target file for movement.\u003c/li\u003e\n\u003cli\u003eThe \u0026lsquo;move_temp_file_to_upload_dir\u0026rsquo; function is triggered, attempting to move the uploaded file to the attacker-controlled path.\u003c/li\u003e\n\u003cli\u003eDue to the lack of proper validation, the targeted file (e.g., wp-config.php) is successfully moved to a new location on the server.\u003c/li\u003e\n\u003cli\u003eIf wp-config.php is moved to a publicly accessible directory, the database credentials and other sensitive information become exposed.\u003c/li\u003e\n\u003cli\u003eThe attacker retrieves the exposed wp-config.php file, extracting database credentials and other sensitive information.\u003c/li\u003e\n\u003cli\u003eUsing the obtained database credentials, the attacker gains unauthorized access to the WordPress database, potentially leading to remote code execution or complete site compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-4347 allows unauthenticated attackers to move arbitrary files within the WordPress server\u0026rsquo;s file system. This can lead to the exposure of sensitive configuration files like \u0026lsquo;wp-config.php\u0026rsquo;, leading to full database and site compromise. While the number of affected installations is currently unknown, a successful attack can have devastating consequences, including data theft, website defacement, and remote code execution. The impact is limited to sites using the vulnerable MW WP Form plugin with specific configuration settings enabled.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the MW WP Form plugin to the latest version (greater than 5.1.0) to patch CVE-2026-4347.\u003c/li\u003e\n\u003cli\u003eAs a preventative measure, implement file integrity monitoring on critical files like \u0026lsquo;wp-config.php\u0026rsquo; to detect unauthorized modifications or movement. Use file_event logs to trigger alerts.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect MW WP Form Arbitrary File Move Attempt\u0026rdquo; to identify potential exploitation attempts in web server logs.\u003c/li\u003e\n\u003cli\u003eReview WordPress access logs for suspicious file upload requests, focusing on requests to the MW WP Form plugin\u0026rsquo;s upload handler.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-02T06:16:23Z","date_published":"2026-04-02T06:16:23Z","id":"/briefs/2026-04-mw-wp-form-file-move/","summary":"The MW WP Form plugin for WordPress is vulnerable to arbitrary file moving due to insufficient file path validation, allowing unauthenticated attackers to move arbitrary files on the server, potentially leading to remote code execution.","title":"MW WP Form WordPress Plugin Arbitrary File Move Vulnerability (CVE-2026-4347)","url":"https://feed.craftedsignal.io/briefs/2026-04-mw-wp-form-file-move/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.2,"id":"CVE-2026-4267"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["wordpress","xss","reflected-xss","cve-2026-4267"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe Query Monitor plugin for WordPress, a developer tool panel, is susceptible to a reflected Cross-Site Scripting (XSS) vulnerability. Identified as CVE-2026-4267, this flaw exists in all versions up to and including 3.20.3. The vulnerability arises from the plugin\u0026rsquo;s failure to adequately sanitize input and escape output related to the \u003ccode\u003e$_SERVER['REQUEST_URI']\u003c/code\u003e parameter. An unauthenticated attacker can exploit this by injecting malicious web scripts into pages, posing a threat to users who…\u003c/p\u003e\n","date_modified":"2026-03-31T12:16:31Z","date_published":"2026-03-31T12:16:31Z","id":"/briefs/2024-01-query-monitor-xss/","summary":"The Query Monitor WordPress plugin is vulnerable to reflected cross-site scripting (XSS) due to insufficient input sanitization and output escaping of the '$_SERVER['REQUEST_URI']' parameter, allowing unauthenticated attackers to inject arbitrary web scripts.","title":"Query Monitor WordPress Plugin Vulnerable to Reflected XSS (CVE-2026-4267)","url":"https://feed.craftedsignal.io/briefs/2024-01-query-monitor-xss/"},{"_cs_actors":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2026-4257"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["ssti","wordpress","rce","twig"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe Contact Form by Supsystic plugin, a popular WordPress plugin, is susceptible to a critical Server-Side Template Injection (SSTI) vulnerability, identified as CVE-2026-4257. This vulnerability affects all versions up to and including 1.7.36. The root cause lies in the plugin\u0026rsquo;s use of the Twig template engine (\u003ccode\u003eTwig_Loader_String\u003c/code\u003e) without proper sandboxing. This, combined with the \u003ccode\u003ecfsPreFill\u003c/code\u003e functionality, allows unauthenticated attackers to inject arbitrary Twig expressions into form…\u003c/p\u003e\n","date_modified":"2026-03-30T22:16:20Z","date_published":"2026-03-30T22:16:20Z","id":"/briefs/2026-03-ssti-wordpress/","summary":"The Contact Form by Supsystic WordPress plugin is vulnerable to Server-Side Template Injection (SSTI) via the `cfsPreFill` parameter, leading to unauthenticated Remote Code Execution (RCE).","title":"Contact Form by Supsystic WordPress Plugin SSTI Vulnerability (CVE-2026-4257)","url":"https://feed.craftedsignal.io/briefs/2026-03-ssti-wordpress/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["ssrf","wordpress","oxygen-theme","cve-2025-12886"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe Oxygen Theme WordPress plugin, versions 6.0.8 and earlier, contains a Server-Side Request Forgery (SSRF) vulnerability (CVE-2025-12886). This flaw allows unauthenticated attackers to send crafted requests to the WordPress server, potentially forcing it to make outbound connections to internal or external resources. The vulnerability is located within the \u003ccode\u003elaborator_calc_route\u003c/code\u003e AJAX action. By exploiting this, attackers can potentially access sensitive internal resources, bypass firewall…\u003c/p\u003e\n","date_modified":"2026-03-28T04:16:49Z","date_published":"2026-03-28T04:16:49Z","id":"/briefs/2026-03-oxygen-theme-ssrf/","summary":"The Oxygen Theme for WordPress is vulnerable to Server-Side Request Forgery (SSRF) in versions up to 6.0.8, allowing unauthenticated attackers to make arbitrary web requests via the laborator_calc_route AJAX action.","title":"Oxygen Theme WordPress Plugin Vulnerable to Server-Side Request Forgery (CVE-2025-12886)","url":"https://feed.craftedsignal.io/briefs/2026-03-oxygen-theme-ssrf/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["wordpress","xss","cve-2026-2231"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-2231 describes a stored cross-site scripting (XSS) vulnerability within the Fluent Booking WordPress plugin. This vulnerability affects all versions up to and including 2.0.01. The root cause is insufficient input sanitization and output escaping of multiple parameters handled by the plugin. An unauthenticated attacker can exploit this vulnerability to inject malicious JavaScript code into the WordPress site. The injected script executes in the context of the victim\u0026rsquo;s browser when they access the page containing the injected code, potentially leading to session hijacking, defacement, or other malicious activities. Successful exploitation grants the attacker the same privileges as the victim user.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker identifies a vulnerable parameter within the Fluent Booking plugin, specifically related to booking data.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious payload containing JavaScript code.\u003c/li\u003e\n\u003cli\u003eThe attacker submits a request to the WordPress site with the crafted payload embedded within the vulnerable parameter (e.g., booking name, location, or other fields).\u003c/li\u003e\n\u003cli\u003eThe WordPress server stores the malicious payload in the database due to insufficient sanitization.\u003c/li\u003e\n\u003cli\u003eA legitimate user (e.g., an administrator or another user viewing bookings) accesses a page displaying the stored booking data.\u003c/li\u003e\n\u003cli\u003eThe malicious JavaScript code embedded in the booking data is rendered in the user\u0026rsquo;s browser.\u003c/li\u003e\n\u003cli\u003eThe injected script executes in the context of the user\u0026rsquo;s session.\u003c/li\u003e\n\u003cli\u003eThe attacker can potentially steal cookies, redirect the user to a malicious website, or perform other actions with the user\u0026rsquo;s privileges.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this stored XSS vulnerability allows an unauthenticated attacker to execute arbitrary JavaScript code in the context of a logged-in user\u0026rsquo;s browser. This can lead to account compromise, including administrator accounts, potentially leading to full control of the WordPress website. Website defacement, data theft, and redirection to phishing sites are also potential impacts. Given the widespread use of WordPress and the Fluent Booking plugin, a successful widespread exploit could affect a large number of websites.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the Fluent Booking plugin to a version greater than 2.0.01 to patch CVE-2026-2231.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Suspicious URI Parameters in WordPress\u003c/code\u003e to detect potential XSS attempts against WordPress sites.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious URI parameters and user input, as detected by the \u003ccode\u003eDetect WordPress XSS via URI Parameters\u003c/code\u003e Sigma rule.\u003c/li\u003e\n\u003cli\u003eImplement a web application firewall (WAF) with rules to filter out common XSS payloads.\u003c/li\u003e\n\u003cli\u003eRegularly audit and sanitize user input within WordPress plugins and themes to prevent stored XSS vulnerabilities.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-26T14:16:09Z","date_published":"2026-03-26T14:16:09Z","id":"/briefs/2026-03-fluentbooking-xss/","summary":"The Fluent Booking plugin for WordPress is vulnerable to stored cross-site scripting (XSS) allowing unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses the injected page, affecting versions up to and including 2.0.01.","title":"Fluent Booking WordPress Plugin Stored XSS Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-03-fluentbooking-xss/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["wordpress","xss","plugin","cve-2026-4329"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe Blackhole for Bad Bots plugin for WordPress, up to and including version 3.8, contains a stored cross-site scripting (XSS) vulnerability. The vulnerability stems from insufficient input sanitization and output escaping of the User-Agent HTTP header when capturing bot data. Specifically, the plugin uses \u003ccode\u003esanitize_text_field()\u003c/code\u003e which strips HTML tags but does not escape HTML entities. This data is then stored using \u003ccode\u003eupdate_option()\u003c/code\u003e and later displayed on the Bad Bots log page. The stored data is output into HTML input value attributes and HTML span content without proper escaping via \u003ccode\u003eesc_attr()\u003c/code\u003e or \u003ccode\u003eesc_html()\u003c/code\u003e. This allows an unauthenticated attacker to inject arbitrary web scripts that are executed when an administrator views the Blackhole Bad Bots admin page, potentially leading to privilege escalation or other malicious actions.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker sends a request to the WordPress site with a malicious User-Agent header containing XSS payload.\u003c/li\u003e\n\u003cli\u003eThe Blackhole for Bad Bots plugin captures the User-Agent string using \u003ccode\u003esanitize_text_field()\u003c/code\u003e, which inadequately sanitizes the input.\u003c/li\u003e\n\u003cli\u003eThe plugin stores the inadequately sanitized User-Agent string in the WordPress options database using \u003ccode\u003eupdate_option()\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eA WordPress administrator navigates to the Blackhole Bad Bots admin page.\u003c/li\u003e\n\u003cli\u003eThe plugin retrieves the stored User-Agent strings from the database.\u003c/li\u003e\n\u003cli\u003eThe plugin outputs the stored User-Agent string directly into HTML input value attributes (lines 75-83) without \u003ccode\u003eesc_attr()\u003c/code\u003e and into HTML span content without \u003ccode\u003eesc_html()\u003c/code\u003e on the admin page.\u003c/li\u003e\n\u003cli\u003eThe administrator\u0026rsquo;s browser executes the injected XSS payload.\u003c/li\u003e\n\u003cli\u003eThe XSS payload can perform actions such as stealing the administrator\u0026rsquo;s session cookie, redirecting the administrator to a malicious site, or performing actions on behalf of the administrator.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows unauthenticated attackers to inject arbitrary web scripts that execute in the context of an administrator\u0026rsquo;s browser session. This can lead to various malicious outcomes, including account takeover, data theft, and defacement of the WordPress site. Given the widespread use of WordPress and the Blackhole for Bad Bots plugin, a successful exploit could impact a significant number of websites.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the Blackhole for Bad Bots plugin to a version greater than 3.8 to remediate CVE-2026-4329.\u003c/li\u003e\n\u003cli\u003eImplement a Web Application Firewall (WAF) rule to filter requests containing suspicious User-Agent headers that might exploit CVE-2026-4329.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for requests with unusual or potentially malicious User-Agent strings to detect potential exploitation attempts related to CVE-2026-4329.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-26T05:16:40Z","date_published":"2026-03-26T05:16:40Z","id":"/briefs/2024-01-11-wordpress-blackhole-xss/","summary":"The Blackhole for Bad Bots WordPress plugin through version 3.8 is vulnerable to stored cross-site scripting (XSS) via the User-Agent HTTP header, allowing unauthenticated attackers to inject arbitrary web scripts that execute when an administrator views the plugin's admin page.","title":"Blackhole for Bad Bots WordPress Plugin Stored XSS Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-11-wordpress-blackhole-xss/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["wordpress","privilege-escalation","cve-2026-4484"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe Masteriyo LMS plugin, a learning management system for WordPress, contains a privilege escalation vulnerability (CVE-2026-4484) affecting versions up to and including 2.1.6. This flaw allows authenticated users, even those with low-level \u0026ldquo;Student\u0026rdquo; access, to elevate their privileges to that of an administrator. The vulnerability stems from a lack of proper authorization checks within the \u003ccode\u003eInstructorsController::prepare_object_for_database\u003c/code\u003e function, enabling malicious users to modify user roles. Successful exploitation grants attackers full control over the WordPress site, leading to potential data breaches, defacement, or complete takeover. This vulnerability poses a significant threat to educational institutions and other organizations using the Masteriyo LMS plugin.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker authenticates to the WordPress site as a student or with any role above student.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious HTTP request targeting the REST API endpoint associated with the \u003ccode\u003eInstructorsController\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker includes a modified user role parameter within the request, specifically attempting to change their role to \u0026ldquo;administrator.\u0026rdquo;\u003c/li\u003e\n\u003cli\u003eThe request is sent to the \u003ccode\u003e/wp-json/masteriyo/v1/instructors\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eInstructorsController::prepare_object_for_database\u003c/code\u003e function processes the request without proper authorization checks.\u003c/li\u003e\n\u003cli\u003eThe function updates the attacker\u0026rsquo;s user role in the WordPress database to \u0026ldquo;administrator\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003eThe attacker logs out and back in to the WordPress site.\u003c/li\u003e\n\u003cli\u003eThe attacker now has full administrator privileges and can perform any action within the WordPress site.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows any authenticated user to gain complete control over the affected WordPress site. This can lead to significant data breaches, where sensitive student or course data is compromised. The attacker can deface the website, install malicious plugins, or even completely take over the server. Given the widespread use of WordPress and the Masteriyo LMS plugin in educational settings, a successful attack could impact thousands of students and instructors.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately update the Masteriyo LMS plugin to the latest available version, which patches CVE-2026-4484.\u003c/li\u003e\n\u003cli\u003eMonitor WordPress web server logs for suspicious POST requests to \u003ccode\u003e/wp-json/masteriyo/v1/instructors\u003c/code\u003e attempting to modify user roles.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule provided below to detect potential exploitation attempts targeting the vulnerable \u003ccode\u003eInstructorsController::prepare_object_for_database\u003c/code\u003e function.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-26T02:16:07Z","date_published":"2026-03-26T02:16:07Z","id":"/briefs/2026-03-masteriyo-privesc/","summary":"The Masteriyo LMS plugin for WordPress is vulnerable to privilege escalation, allowing authenticated users with student-level access or higher to gain administrator privileges by manipulating the 'InstructorsController::prepare_object_for_database' function.","title":"Masteriyo LMS WordPress Plugin Privilege Escalation Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-03-masteriyo-privesc/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["cve","wordpress","file-deletion","remote-code-execution"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe WP Job Portal plugin for WordPress versions up to and including 2.4.9 is susceptible to an arbitrary file deletion vulnerability (CVE-2026-4758). The vulnerability stems from insufficient file path validation within the \u003ccode\u003eWPJOBPORTALcustomfields::removeFileCustom\u003c/code\u003e function. Authenticated attackers with Subscriber-level access or higher can exploit this flaw to delete arbitrary files on the server. Successful exploitation allows attackers to delete critical files such as \u003ccode\u003ewp-config.php\u003c/code\u003e…\u003c/p\u003e\n","date_modified":"2026-03-26T00:16:41Z","date_published":"2026-03-26T00:16:41Z","id":"/briefs/2026-03-wp-job-portal-file-deletion/","summary":"The WP Job Portal plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation, allowing authenticated attackers with subscriber-level access or higher to delete arbitrary files, potentially leading to remote code execution.","title":"WP Job Portal Plugin Arbitrary File Deletion Vulnerability (CVE-2026-4758)","url":"https://feed.craftedsignal.io/briefs/2026-03-wp-job-portal-file-deletion/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["sql-injection","wordpress","plugin"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe WP Job Portal plugin for WordPress, a widely used plugin for managing job listings, is susceptible to SQL Injection attacks. This vulnerability, identified as CVE-2026-4306, affects all versions up to and including 2.4.8. The flaw stems from the insufficient sanitization of the \u0026lsquo;radius\u0026rsquo; parameter, which is directly incorporated into SQL queries without proper escaping. This lack of input validation enables unauthenticated attackers to inject malicious SQL code into the application\u0026rsquo;s database queries. Successful exploitation could lead to the unauthorized disclosure of sensitive information stored within the WordPress database. Given the popularity of WordPress and the WP Job Portal plugin, a successful attack could impact a large number of websites and expose confidential data, including user credentials, financial details, and other sensitive information.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker crafts a malicious HTTP request targeting the WordPress website running the vulnerable WP Job Portal plugin.\u003c/li\u003e\n\u003cli\u003eThe attacker appends a SQL injection payload to the \u0026lsquo;radius\u0026rsquo; parameter within the HTTP request.\u003c/li\u003e\n\u003cli\u003eThe vulnerable plugin receives the request and incorporates the unsanitized \u0026lsquo;radius\u0026rsquo; parameter into an SQL query within \u003ccode\u003eincludes/ajax.php\u003c/code\u003e or \u003ccode\u003emodules/job/model.php\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe injected SQL code is executed against the WordPress database due to the lack of proper input validation and escaping.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the SQL injection to extract sensitive information from the database, such as user credentials, API keys, or other confidential data.\u003c/li\u003e\n\u003cli\u003eThe extracted data may be exfiltrated from the server using various techniques.\u003c/li\u003e\n\u003cli\u003eThe attacker could potentially use the compromised data to gain further access to the WordPress site or connected systems.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this SQL Injection vulnerability (CVE-2026-4306) could lead to the complete compromise of the WordPress database. Attackers could gain access to sensitive information, including user credentials, customer data, and confidential business information. The vulnerability impacts all users running WP Job Portal plugin versions 2.4.8 and earlier. The CVSS v3.1 score is 7.5, indicating a high severity risk. The impact includes unauthorized data access.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the WP Job Portal plugin to version 2.4.9 or later to patch the SQL Injection vulnerability (CVE-2026-4306).\u003c/li\u003e\n\u003cli\u003eDeploy a web application firewall (WAF) with rules to detect and block SQL Injection attempts targeting the \u0026lsquo;radius\u0026rsquo; parameter in WordPress plugins.\u003c/li\u003e\n\u003cli\u003eEnable detailed logging for your web server (category \u0026ldquo;webserver\u0026rdquo;, product \u0026ldquo;linux|windows\u0026rdquo;) to monitor for suspicious activity and potential exploitation attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-24T12:00:00Z","date_published":"2026-03-24T12:00:00Z","id":"/briefs/2026-03-wp-job-portal-sqli/","summary":"The WP Job Portal plugin for WordPress is vulnerable to SQL Injection via the 'radius' parameter, allowing unauthenticated attackers to extract sensitive database information in versions up to 2.4.8.","title":"WP Job Portal Plugin SQL Injection Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-03-wp-job-portal-sqli/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["wordpress","woocommerce","reviewx","rce","vulnerability"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe ReviewX – WooCommerce Product Reviews plugin for WordPress, a tool designed to enhance product reviews, contains a critical vulnerability. Identified as CVE-2025-10679, this flaw stems from insufficient input validation within the \u003ccode\u003ebulkTenReviews\u003c/code\u003e function. Exploitation allows unauthenticated attackers to invoke arbitrary PHP class methods that either require no input or can utilize default values. This vulnerability affects ReviewX plugin versions up to and including 2.2.12. Successful exploitation can lead to sensitive information disclosure or, under certain server configurations and available methods, remote code execution. This poses a significant risk to e-commerce sites utilizing the vulnerable plugin, potentially impacting customer data and overall site integrity.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker sends a crafted HTTP request to the WordPress server targeting the vulnerable \u003ccode\u003ebulkTenReviews\u003c/code\u003e function in the ReviewX plugin.\u003c/li\u003e\n\u003cli\u003eThe crafted request includes malicious input designed to bypass the insufficient input validation within the \u003ccode\u003ebulkTenReviews\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ebulkTenReviews\u003c/code\u003e function processes the attacker-controlled data without proper sanitization.\u003c/li\u003e\n\u003cli\u003eThe unsanitized input is passed to a variable function call mechanism, allowing the attacker to specify an arbitrary PHP class method.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages this vulnerability to call a PHP class method that requires no inputs or has default values.\u003c/li\u003e\n\u003cli\u003eDepending on the available methods and server configuration, the attacker may be able to trigger sensitive information disclosure.\u003c/li\u003e\n\u003cli\u003eIn more critical scenarios, the attacker might be able to call methods that allow writing to the file system or executing arbitrary commands, leading to remote code execution.\u003c/li\u003e\n\u003cli\u003eThe attacker gains control of the WordPress server, enabling them to install malware, steal data, or deface the website.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2025-10679 can lead to a range of damaging consequences. Sensitive information, such as customer data and administrative credentials, may be exposed. In the worst-case scenario, attackers can achieve remote code execution, granting them complete control over the affected WordPress server. This can result in website defacement, data theft, malware installation, and denial-of-service attacks. Given the wide usage of WooCommerce and ReviewX, a successful widespread attack could impact numerous e-commerce businesses.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately update the ReviewX plugin to the latest version (greater than 2.2.12) to patch CVE-2025-10679.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect ReviewX Arbitrary Method Calls\u003c/code\u003e to detect exploitation attempts targeting the \u003ccode\u003ebulkTenReviews\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious POST requests to WordPress plugins with unusual parameters, as highlighted in the Sigma rule \u003ccode\u003eDetect ReviewX Arbitrary Method Calls\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eReview PHP configurations to harden against potential RCE attempts stemming from arbitrary method calls.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-24T12:00:00Z","date_published":"2026-03-24T12:00:00Z","id":"/briefs/2026-03-reviewx-rce/","summary":"The ReviewX WordPress plugin is vulnerable to arbitrary method calls, allowing unauthenticated attackers to potentially achieve remote code execution.","title":"ReviewX WordPress Plugin Arbitrary Method Call Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-03-reviewx-rce/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["wordpress","authentication-bypass","plugin-vulnerability","cve-2026-4021"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe Contest Gallery plugin for WordPress, versions up to and including 28.1.5, is vulnerable to a critical authentication bypass (CVE-2026-4021). This vulnerability stems from how the \u003ccode\u003eusers-registry-check-after-email-or-pin-confirmation.php\u003c/code\u003e script handles email confirmations, combined with an unauthenticated key-based login endpoint in \u003ccode\u003eajax-functions-frontend.php\u003c/code\u003e.  If the \u003ccode\u003eRegMailOptional=1\u003c/code\u003e setting is enabled (non-default), an attacker can register a new user account with a specially…\u003c/p\u003e\n","date_modified":"2026-03-24T00:16:31Z","date_published":"2026-03-24T00:16:31Z","id":"/briefs/2026-03-contest-gallery-auth-bypass/","summary":"CVE-2026-4021 describes an authentication bypass vulnerability in the Contest Gallery plugin for WordPress, allowing unauthenticated attackers to gain admin access by manipulating the user activation key and using an AJAX login endpoint.","title":"Contest Gallery WordPress Plugin Authentication Bypass Vulnerability (CVE-2026-4021)","url":"https://feed.craftedsignal.io/briefs/2026-03-contest-gallery-auth-bypass/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["wordpress","sqli","cve-2026-2580","web-application"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe WP Maps – Store Locator, Google Maps, OpenStreetMap, Mapbox, Listing, Directory \u0026amp; Filters plugin for WordPress, a widely used plugin for integrating map functionality into WordPress sites, contains a critical time-based SQL Injection vulnerability. Assigned CVE-2026-2580, this flaw affects all versions up to and including 4.9.1. The vulnerability lies within the \u0026lsquo;orderby\u0026rsquo; parameter, where insufficient input sanitization allows unauthenticated attackers to inject malicious SQL queries. By…\u003c/p\u003e\n","date_modified":"2026-03-23T00:16:51Z","date_published":"2026-03-23T00:16:51Z","id":"/briefs/2024-01-wp-maps-sqli/","summary":"The WP Maps WordPress plugin before version 4.9.2 is vulnerable to time-based SQL Injection via the 'orderby' parameter, allowing unauthenticated attackers to extract sensitive information from the database.","title":"WP Maps WordPress Plugin Time-Based SQL Injection Vulnerability (CVE-2026-2580)","url":"https://feed.craftedsignal.io/briefs/2024-01-wp-maps-sqli/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-2892"}],"_cs_exploited":false,"_cs_products":["Otter Blocks plugin"],"_cs_severities":["high"],"_cs_tags":["wordpress","plugin","purchase-bypass","CVE-2026-2892","defense-evasion"],"_cs_type":"advisory","_cs_vendors":["Stripe","WordPress"],"content_html":"\u003cp\u003eThe Otter Blocks plugin, a popular WordPress extension, is susceptible to a purchase verification bypass vulnerability identified as CVE-2026-2892. This flaw affects all versions up to and including 3.1.4. The vulnerability stems from the plugin\u0026rsquo;s reliance on an unsigned cookie, \u0026lsquo;o_stripe_data\u0026rsquo;, to determine Stripe product ownership for unauthenticated users. The \u0026lsquo;get_customer_data\u0026rsquo; method uses this cookie, and the subsequent \u0026lsquo;check_purchase\u0026rsquo; method trusts its contents without proper server-side validation against the Stripe API. This lack of verification enables attackers to gain unauthorized access to purchase-gated content. The target product ID is often exposed in the checkout block\u0026rsquo;s HTML source, further simplifying the exploit. Successful exploitation allows attackers to bypass payment requirements, potentially impacting content creators and businesses relying on the plugin for revenue generation.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker identifies a WordPress site using the vulnerable Otter Blocks plugin (version \u0026lt;= 3.1.4).\u003c/li\u003e\n\u003cli\u003eThe attacker examines the HTML source code of a checkout block on the target site to identify the target product ID.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious \u0026lsquo;o_stripe_data\u0026rsquo; cookie containing the target product ID.\u003c/li\u003e\n\u003cli\u003eThe attacker sets the forged \u0026lsquo;o_stripe_data\u0026rsquo; cookie in their browser.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to the purchase-gated content on the WordPress site.\u003c/li\u003e\n\u003cli\u003eThe \u0026lsquo;get_customer_data\u0026rsquo; method reads the forged \u0026lsquo;o_stripe_data\u0026rsquo; cookie.\u003c/li\u003e\n\u003cli\u003eThe \u0026lsquo;check_purchase\u0026rsquo; method incorrectly validates the forged purchase data without server-side verification against the Stripe API.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to the purchase-gated content, bypassing the intended payment requirement.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-2892 allows unauthenticated attackers to bypass purchase verification mechanisms implemented by the Otter Blocks plugin. This can lead to unauthorized access to premium content, resulting in revenue loss for content creators and businesses using the plugin. The number of potentially affected websites is significant, given the popularity of WordPress and the Otter Blocks plugin. The CVSS v3.1 base score is 7.5, indicating a high severity vulnerability.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the Otter Blocks plugin to a version greater than 3.1.4 to patch CVE-2026-2892.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rules to detect potential exploitation attempts targeting the vulnerable plugin.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs (category \u003ccode\u003ewebserver\u003c/code\u003e, product \u003ccode\u003elinux\u003c/code\u003e) for suspicious cookie manipulation activity, specifically targeting the \u0026lsquo;o_stripe_data\u0026rsquo; cookie.\u003c/li\u003e\n\u003cli\u003eImplement server-side validation of purchase data against the Stripe API to prevent cookie forgery attacks.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-06-24T12:00:00Z","date_published":"2024-06-24T12:00:00Z","id":"/briefs/2026-06-otter-blocks-bypass/","summary":"CVE-2026-2892 is a purchase verification bypass vulnerability in the Otter Blocks plugin for WordPress, affecting versions up to 3.1.4, that allows unauthenticated attackers to access restricted content by forging a cookie used for purchase validation.","title":"Otter Blocks Plugin Purchase Verification Bypass Vulnerability (CVE-2026-2892)","url":"https://feed.craftedsignal.io/briefs/2026-06-otter-blocks-bypass/"},{"_cs_actors":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2026-3844"}],"_cs_exploited":false,"_cs_products":["Breeze Cache plugin"],"_cs_severities":["critical"],"_cs_tags":["wordpress","plugin","file-upload","rce"],"_cs_type":"advisory","_cs_vendors":["Cloudways"],"content_html":"\u003cp\u003eThe Breeze Cache plugin for WordPress, in versions up to and including 2.4.4, contains an arbitrary file upload vulnerability (CVE-2026-3844). This flaw stems from the lack of file type validation within the \u0026lsquo;fetch_gravatar_from_remote\u0026rsquo; function. An unauthenticated attacker can exploit this vulnerability to upload arbitrary files to the affected WordPress site\u0026rsquo;s server. Successful exploitation could lead to remote code execution on the server. It is important to note that the vulnerability can only be exploited if the \u0026ldquo;Host Files Locally - Gravatars\u0026rdquo; setting is enabled within the Breeze Cache plugin. This setting is disabled by default, reducing the attack surface. Defenders should prioritize identifying potentially compromised systems running vulnerable versions of Breeze Cache with the \u0026ldquo;Host Files Locally - Gravatars\u0026rdquo; option enabled.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker identifies a WordPress site running a vulnerable version (\u0026lt;= 2.4.4) of the Breeze Cache plugin.\u003c/li\u003e\n\u003cli\u003eThe attacker confirms the \u0026ldquo;Host Files Locally - Gravatars\u0026rdquo; option is enabled on the target WordPress site.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting the \u0026lsquo;fetch_gravatar_from_remote\u0026rsquo; function. This request contains a payload designed to upload an arbitrary file to the server.\u003c/li\u003e\n\u003cli\u003eDue to the missing file type validation, the server accepts the malicious file upload without proper sanitization. The uploaded file can be a PHP file, a web shell, or another executable type.\u003c/li\u003e\n\u003cli\u003eThe attacker determines the location where the file has been saved by the plugin.\u003c/li\u003e\n\u003cli\u003eThe attacker sends an HTTP request to the uploaded file\u0026rsquo;s location, triggering its execution on the server.\u003c/li\u003e\n\u003cli\u003eThe malicious file executes, granting the attacker remote code execution capabilities on the web server.\u003c/li\u003e\n\u003cli\u003eThe attacker can then perform actions such as installing malware, stealing sensitive data, or further compromising the server and network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an unauthenticated attacker to upload arbitrary files to a vulnerable WordPress server. This can lead to complete compromise of the server, allowing for remote code execution. The attacker can then pivot to other systems, steal sensitive information, or cause significant disruption. While the \u0026ldquo;Host Files Locally - Gravatars\u0026rdquo; option is disabled by default, any instance where this option is enabled is at critical risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the Breeze Cache plugin to the latest version to patch CVE-2026-3844.\u003c/li\u003e\n\u003cli\u003eDisable the \u0026ldquo;Host Files Locally - Gravatars\u0026rdquo; setting in the Breeze Cache plugin if it is enabled.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules provided below to your SIEM to detect potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious file uploads and requests to unusual file extensions using the provided Sigma rules.\u003c/li\u003e\n\u003cli\u003eImplement strict file upload policies and validation mechanisms on all web applications to prevent arbitrary file uploads.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-02-29T10:00:00Z","date_published":"2024-02-29T10:00:00Z","id":"/briefs/2026-04-breeze-cache-rce/","summary":"The Breeze Cache plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation, potentially leading to remote code execution.","title":"Breeze Cache Plugin Arbitrary File Upload Vulnerability (CVE-2026-3844)","url":"https://feed.craftedsignal.io/briefs/2026-04-breeze-cache-rce/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.2,"id":"CVE-2026-6229"}],"_cs_exploited":false,"_cs_products":["Royal Elementor Addons \u003c= 1.7.1057"],"_cs_severities":["high"],"_cs_tags":["wordpress","ssrf","cve-2026-6229","plugin"],"_cs_type":"advisory","_cs_vendors":["WordPress"],"content_html":"\u003cp\u003eThe Royal Elementor Addons plugin, a popular WordPress extension, contains a Server-Side Request Forgery (SSRF) vulnerability (CVE-2026-6229) in versions up to and including 1.7.1057. This flaw stems from inadequate validation of user-provided URLs within the \u003ccode\u003erender_csv_data()\u003c/code\u003e function. Attackers can bypass the validation by including \u0026lsquo;docs.google.com/spreadsheets\u0026rsquo; in a query parameter. The vulnerability is triggered because the plugin uses these URLs in \u003ccode\u003efopen()\u003c/code\u003e calls without implementing adequate safeguards to prevent access to internal or private network addresses. This vulnerability enables authenticated attackers with Contributor-level access or higher to craft malicious requests, potentially exposing sensitive internal data. Successful exploitation allows attackers to probe internal network resources, access configuration files, and potentially escalate attacks further.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker authenticates to the WordPress site with Contributor-level access or higher.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting the vulnerable \u003ccode\u003erender_csv_data()\u003c/code\u003e function within the Royal Elementor Addons plugin.\u003c/li\u003e\n\u003cli\u003eThe malicious request includes a user-supplied URL containing \u0026lsquo;docs.google.com/spreadsheets\u0026rsquo; within a query parameter to bypass initial validation checks.\u003c/li\u003e\n\u003cli\u003eThe plugin\u0026rsquo;s \u003ccode\u003erender_csv_data()\u003c/code\u003e function receives the crafted URL without proper sanitization or validation against internal or private network addresses.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003efopen()\u003c/code\u003e function is called with the attacker-controlled URL, initiating an outbound request from the WordPress server.\u003c/li\u003e\n\u003cli\u003eIf the URL points to an internal resource, the WordPress server retrieves the resource content.\u003c/li\u003e\n\u003cli\u003eThe attacker receives the content of the internal resource in the response from the WordPress server.\u003c/li\u003e\n\u003cli\u003eThe attacker analyzes the retrieved content for sensitive information, such as configuration files, API keys, or internal service details.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this SSRF vulnerability (CVE-2026-6229) can lead to the exposure of sensitive internal information, potentially impacting all organizations using the Royal Elementor Addons plugin for WordPress version 1.7.1057 and below. This may include internal configuration files, API keys, database credentials, or other sensitive data accessible through internal services. The severity is high due to the potential for attackers to pivot from this vulnerability and further compromise the WordPress server or the internal network.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the Royal Elementor Addons plugin to a version higher than 1.7.1057 to patch CVE-2026-6229.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Royal Elementor Addons SSRF Attempt via URL Parameter\u0026rdquo; to identify malicious requests targeting the \u003ccode\u003erender_csv_data()\u003c/code\u003e function in your web server logs.\u003c/li\u003e\n\u003cli\u003eImplement strict network segmentation and firewall rules to limit access from the WordPress server to internal resources, mitigating the impact of potential SSRF vulnerabilities.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-08T12:00:00Z","date_published":"2024-01-08T12:00:00Z","id":"/briefs/2024-01-royal-elementor-ssrf/","summary":"The Royal Elementor Addons plugin for WordPress is vulnerable to Server-Side Request Forgery (SSRF) allowing authenticated attackers with Contributor-level access or higher to make arbitrary requests and retrieve sensitive information from internal services.","title":"Royal Elementor Addons Plugin SSRF Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-royal-elementor-ssrf/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.1,"id":"CVE-2026-5364"}],"_cs_exploited":false,"_cs_products":["Drag and Drop File Upload for Contact Form 7 plugin"],"_cs_severities":["high"],"_cs_tags":["wordpress","file-upload","rce","plugin","CVE-2026-5364"],"_cs_type":"advisory","_cs_vendors":["WordPress"],"content_html":"\u003cp\u003eThe Drag and Drop File Upload for Contact Form 7 plugin for WordPress, in versions up to and including 1.1.3, contains an arbitrary file upload vulnerability tracked as CVE-2026-5364. The flaw stems from insufficient sanitization of file extensions during the upload process. Specifically, the plugin extracts the file extension before sanitization and allows the file type parameter to be controlled by the attacker. Furthermore, validation occurs on the unsanitized extension, while the file is saved with a sanitized extension, stripping special characters like \u0026lsquo;$\u0026rsquo; during the save. While an .htaccess file and name randomization are present, these restrictions may be bypassable in certain configurations or by exploiting other vulnerabilities. This vulnerability could allow unauthenticated attackers to upload arbitrary PHP files to the web server, potentially leading to remote code execution (RCE).\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker identifies a WordPress website using a vulnerable version (\u0026lt;= 1.1.3) of the \u0026ldquo;Drag and Drop File Upload for Contact Form 7\u0026rdquo; plugin.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP POST request targeting the plugin\u0026rsquo;s upload endpoint, typically \u003ccode\u003e/wp-content/plugins/drag-and-drop-multiple-file-upload-contact-form-7/upload.php\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe POST request includes a file with a manipulated extension, such as \u003ccode\u003eevil.php$.jpg\u003c/code\u003e, where \u003ccode\u003eevil.php\u003c/code\u003e is the malicious PHP payload and \u003ccode\u003e$.jpg\u003c/code\u003e is designed to be sanitized to \u003ccode\u003e.jpg\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the \u003ccode\u003efile type\u003c/code\u003e parameter in the request to reflect the original manipulated file extension (\u003ccode\u003eevil.php$.jpg\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe plugin validates the extension against administrator-configured types but, due to the unsanitized extension and attacker control over the file type parameter, the malicious file passes validation.\u003c/li\u003e\n\u003cli\u003eThe plugin sanitizes the extension, removing the \u003ccode\u003e$\u003c/code\u003e character, resulting in a file saved with the extension \u003ccode\u003e.php\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to access the uploaded PHP file via a direct HTTP request to \u003ccode\u003e/wp-content/uploads/\u0026lt;random_name\u0026gt;.php\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eIf the \u003ccode\u003e.htaccess\u003c/code\u003e restrictions are bypassed (e.g., due to misconfiguration or another vulnerability), the web server executes the malicious PHP code, granting the attacker remote code execution.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-5364 allows unauthenticated attackers to upload and execute arbitrary PHP code on the target WordPress server. This can lead to complete compromise of the website, including defacement, data theft, and installation of backdoors. While the presence of \u003ccode\u003e.htaccess\u003c/code\u003e and name randomization mitigates the risk, these protections may be bypassed, especially when combined with other vulnerabilities or misconfigurations. Given the widespread use of WordPress and its plugins, this vulnerability poses a significant risk to a large number of websites. The CVSS v3.1 base score is 8.1, indicating a high severity vulnerability.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the \u0026ldquo;Drag and Drop File Upload for Contact Form 7\u0026rdquo; plugin to the latest version (greater than 1.1.3) to patch CVE-2026-5364.\u003c/li\u003e\n\u003cli\u003eImplement a Web Application Firewall (WAF) rule to inspect and block requests containing suspicious file extensions in the POST parameters targeting the plugin\u0026rsquo;s upload endpoint (\u003ccode\u003e/wp-content/plugins/drag-and-drop-multiple-file-upload-contact-form-7/upload.php\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Suspicious File Upload via Drag and Drop CF7\u003c/code\u003e to identify exploitation attempts in web server logs (cs-uri-query).\u003c/li\u003e\n\u003cli\u003eReview and harden \u003ccode\u003e.htaccess\u003c/code\u003e configurations to ensure that PHP execution is restricted in the \u003ccode\u003e/wp-content/uploads/\u003c/code\u003e directory.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T18:23:00Z","date_published":"2024-01-03T18:23:00Z","id":"/briefs/2024-01-wordpress-plugin-upload/","summary":"The Drag and Drop File Upload for Contact Form 7 plugin for WordPress is vulnerable to arbitrary file upload in versions up to 1.1.3, allowing unauthenticated attackers to upload arbitrary PHP files by manipulating the file type parameter and exploiting extension sanitization vulnerabilities.","title":"WordPress Drag and Drop File Upload Plugin Vulnerable to Arbitrary File Upload (CVE-2026-5364)","url":"https://feed.craftedsignal.io/briefs/2024-01-wordpress-plugin-upload/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.1,"id":"CVE-2026-7647"}],"_cs_exploited":false,"_cs_products":["Profile Builder Pro plugin"],"_cs_severities":["critical"],"_cs_tags":["php-object-injection","wordpress","plugin","rce"],"_cs_type":"advisory","_cs_vendors":["WordPress"],"content_html":"\u003cp\u003eThe Profile Builder Pro plugin for WordPress is susceptible to a critical PHP Object Injection vulnerability (CVE-2026-7647) affecting all versions up to and including 3.14.5. This flaw stems from the plugin\u0026rsquo;s use of the \u003ccode\u003emaybe_unserialize()\u003c/code\u003e function on the attacker-controlled \u003ccode\u003eargs\u003c/code\u003e POST parameter passed to the \u003ccode\u003ewppb_request_users_pins_action_callback()\u003c/code\u003e AJAX handler. Critically, this handler lacks nonce verification, input validation, and type checking, making it accessible to unauthenticated users via both \u003ccode\u003ewp_ajax_\u003c/code\u003e and \u003ccode\u003ewp_ajax_nopriv_\u003c/code\u003e hooks. Successful exploitation allows remote, unauthenticated attackers to inject arbitrary PHP objects into the application\u0026rsquo;s memory space, potentially leading to remote code execution depending on available classes and application configuration. The vulnerability was published on 2026-05-02.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker identifies a WordPress site running a vulnerable version (\u0026lt;= 3.14.5) of the Profile Builder Pro plugin.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP POST request targeting the WordPress AJAX endpoint (\u003ccode\u003e/wp-admin/admin-ajax.php\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe POST request includes the \u003ccode\u003eaction\u003c/code\u003e parameter set to \u003ccode\u003ewppb_request_users_pins_action_callback\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe POST request includes the \u003ccode\u003eargs\u003c/code\u003e parameter containing a serialized PHP object designed to trigger arbitrary code execution upon deserialization.\u003c/li\u003e\n\u003cli\u003eThe WordPress server receives the request and invokes the \u003ccode\u003ewppb_request_users_pins_action_callback()\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe vulnerable function calls \u003ccode\u003emaybe_unserialize()\u003c/code\u003e on the attacker-controlled \u003ccode\u003eargs\u003c/code\u003e parameter without proper sanitization or validation.\u003c/li\u003e\n\u003cli\u003eThe malicious PHP object is deserialized and injected into the application\u0026rsquo;s memory space.\u003c/li\u003e\n\u003cli\u003eThe injected object\u0026rsquo;s methods and properties are triggered, leading to arbitrary code execution on the server.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an unauthenticated attacker to execute arbitrary PHP code on the target WordPress server. This can lead to complete system compromise, including data theft, website defacement, and the installation of backdoors for persistent access. Given the widespread use of WordPress and the Profile Builder Pro plugin, a large number of websites are potentially at risk until the plugin is updated.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the Profile Builder Pro plugin to the latest available version to patch CVE-2026-7647.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule \u003ccode\u003eDetect Profile Builder Pro PHP Object Injection Attempt\u003c/code\u003e to detect exploitation attempts targeting the vulnerable AJAX endpoint.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for POST requests to \u003ccode\u003e/wp-admin/admin-ajax.php\u003c/code\u003e with the \u003ccode\u003eaction\u003c/code\u003e parameter set to \u003ccode\u003ewppb_request_users_pins_action_callback\u003c/code\u003e and suspicious serialized data in the \u003ccode\u003eargs\u003c/code\u003e parameter.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T14:30:00Z","date_published":"2024-01-03T14:30:00Z","id":"/briefs/2024-01-wordpress-profile-builder-rce/","summary":"An unauthenticated PHP Object Injection vulnerability exists in the Profile Builder Pro WordPress plugin (versions up to 3.14.5) due to the insecure use of `maybe_unserialize()` on the 'args' POST parameter in the `wppb_request_users_pins_action_callback()` AJAX handler, potentially leading to arbitrary code execution.","title":"WordPress Profile Builder Pro Plugin PHP Object Injection Vulnerability (CVE-2026-7647)","url":"https://feed.craftedsignal.io/briefs/2024-01-wordpress-profile-builder-rce/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-7106"}],"_cs_exploited":false,"_cs_products":["Custom Role Manager plugin"],"_cs_severities":["high"],"_cs_tags":["privilege-escalation","wordpress","cve"],"_cs_type":"advisory","_cs_vendors":["Highland Software"],"content_html":"\u003cp\u003eThe Highland Software Custom Role Manager plugin, versions up to and including 1.0.0, is vulnerable to privilege escalation. The vulnerability, identified as CVE-2026-7106, stems from a lack of sufficient authorization checks within the \u003ccode\u003ehscrm_save_user_roles()\u003c/code\u003e function. This function is accessible to any authenticated user via the \u003ccode\u003epersonal_options_update\u003c/code\u003e action. This allows an attacker with minimal privileges (subscriber level or higher) to potentially elevate their own privileges or those of other users by manipulating user roles through the profile update form. Successful exploitation grants attackers the ability to perform actions reserved for higher-level administrators, potentially leading to complete site compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker obtains valid credentials for a WordPress user account with at least subscriber-level privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates to the WordPress site using their credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker accesses their user profile page, typically located at \u003ccode\u003e/wp-admin/profile.php\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting the \u003ccode\u003epersonal_options_update\u003c/code\u003e action, modifying the \u003ccode\u003ewp_capabilities\u003c/code\u003e user meta field. The request is designed to bypass the insufficient authorization checks in the \u003ccode\u003ehscrm_save_user_roles()\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe crafted request is submitted through the profile update form. This likely involves intercepting and modifying the POST request sent when the user clicks the \u0026ldquo;Update Profile\u0026rdquo; button.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ehscrm_save_user_roles()\u003c/code\u003e function is triggered, and due to the missing authorization checks, the attacker\u0026rsquo;s modified user roles are saved to the database.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s account now possesses elevated privileges, such as administrator or editor roles, depending on the attacker\u0026rsquo;s goal and the payload in the malicious request.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-7106 allows attackers with minimal privileges to gain administrative control over the WordPress site. This can lead to a variety of malicious activities, including defacement, malware injection, data theft, and denial of service. Given the widespread use of WordPress, this vulnerability poses a significant risk to websites using the affected plugin. A successful attack can result in complete compromise of the affected website.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the Highland Software Custom Role Manager plugin to a patched version that addresses CVE-2026-7106.\u003c/li\u003e\n\u003cli\u003eMonitor WordPress access logs for suspicious POST requests to \u003ccode\u003e/wp-admin/profile.php\u003c/code\u003e targeting the \u003ccode\u003epersonal_options_update\u003c/code\u003e action to detect exploitation attempts.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Suspicious WordPress Role Updates\u003c/code\u003e to identify attempts to modify user roles from subscriber-level accounts.\u003c/li\u003e\n\u003cli\u003eReview user roles and permissions regularly to identify and remediate any unauthorized privilege escalations.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-wordpress-privesc/","summary":"Highland Software's Custom Role Manager plugin for WordPress, versions 1.0.0 and earlier, contains a privilege escalation vulnerability (CVE-2026-7106) that allows authenticated users with subscriber-level access to modify user roles due to insufficient authorization checks in the hscrm_save_user_roles() function.","title":"WordPress Custom Role Manager Plugin Privilege Escalation via CVE-2026-7106","url":"https://feed.craftedsignal.io/briefs/2024-01-wordpress-privesc/"},{"_cs_actors":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2026-41940"}],"_cs_exploited":false,"_cs_products":["cPanel \u0026 WHM","WP2 (WordPress Squared)"],"_cs_severities":["critical"],"_cs_tags":["cpanel","whm","wp2","wordpress","authentication-bypass","cve-2026-41940","initial-access"],"_cs_type":"advisory","_cs_vendors":["WebPros"],"content_html":"\u003cp\u003eWebPros cPanel \u0026amp; WHM (WebHost Manager) and WP2 (WordPress Squared) are affected by an authentication bypass vulnerability, identified as CVE-2026-41940. This flaw exists within the login flow, potentially granting unauthenticated remote attackers unauthorized access to the control panel. Successful exploitation allows attackers to bypass normal authentication mechanisms and directly access sensitive administrative functions within cPanel \u0026amp; WHM and WP2. Defenders should apply vendor-provided mitigations or discontinue use of the product if mitigations are not available. The vulnerability was disclosed in April 2026, and mitigations should be applied by May 3, 2026.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable cPanel \u0026amp; WHM or WP2 instance.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request exploiting the authentication bypass vulnerability in the login flow.\u003c/li\u003e\n\u003cli\u003eThe request is sent to the target server, bypassing authentication checks.\u003c/li\u003e\n\u003cli\u003eThe server incorrectly processes the request, granting the attacker an authenticated session.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the authenticated session to access administrative interfaces and settings.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies server configurations, potentially creating new administrative accounts.\u003c/li\u003e\n\u003cli\u003eThe attacker installs malicious plugins or software through the control panel.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves full control over the web server and hosted websites.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-41940 can lead to complete compromise of the affected cPanel \u0026amp; WHM or WP2 server. This can result in data breaches, website defacement, malware distribution, and denial-of-service attacks. The impact is significant due to the widespread use of cPanel \u0026amp; WHM in web hosting environments. Compromised servers could be leveraged for further attacks against other systems and networks.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply mitigations provided by WebPros as detailed in their security update advisory to address CVE-2026-41940.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect cPanel/WHM Authentication Bypass Attempt\u0026rdquo; to identify potential exploitation attempts in web server logs.\u003c/li\u003e\n\u003cli\u003eIf mitigations cannot be immediately applied, follow BOD 22-01 guidance for cloud services, potentially isolating the affected system until patched.\u003c/li\u003e\n\u003cli\u003eConsider discontinuing use of the affected product if patches or mitigations are unavailable, as advised in the original CISA KEV entry.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-cpanel-auth-bypass/","summary":"CVE-2026-41940 is an authentication bypass vulnerability in WebPros cPanel \u0026 WHM and WP2 (WordPress Squared) that allows unauthenticated remote attackers to gain unauthorized access to the control panel.","title":"WebPros cPanel \u0026 WHM and WP2 Authentication Bypass Vulnerability (CVE-2026-41940)","url":"https://feed.craftedsignal.io/briefs/2024-01-cpanel-auth-bypass/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.2,"id":"CVE-2026-5110"}],"_cs_exploited":false,"_cs_products":["Gravity Forms plugin \u003c= 2.10.0"],"_cs_severities":["medium"],"_cs_tags":["xss","wordpress","gravityforms"],"_cs_type":"advisory","_cs_vendors":["WordPress"],"content_html":"\u003cp\u003eThe Gravity Forms plugin, a widely used WordPress plugin, is susceptible to an unauthenticated stored cross-site scripting (XSS) vulnerability. This flaw, identified as CVE-2026-5110, affects versions up to and including 2.10.0. The vulnerability stems from inadequate input validation and output escaping specifically within the SingleProduct field when it is nested inside a Repeater field. This bypasses normal state validation, allowing attackers to inject malicious HTML and JavaScript into the product name field. The injected payload is then stored unsanitized in the database. This vulnerability allows unauthenticated attackers to inject arbitrary web scripts that execute whenever an administrator accesses an entry containing the malicious payload through the WordPress admin interface.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker crafts a malicious request to a WordPress endpoint utilizing the Gravity Forms plugin.\u003c/li\u003e\n\u003cli\u003eThe attacker injects arbitrary HTML and JavaScript into the \u0026lsquo;product name\u0026rsquo; field (input .1) of a SingleProduct field nested within a Repeater field.\u003c/li\u003e\n\u003cli\u003eDue to insufficient validation within the \u003ccode\u003evalidate_subfield()\u003c/code\u003e method, the malicious input bypasses the state validation mechanism \u003ccode\u003e(failed_state_validation())\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003esanitize_entry_value()\u003c/code\u003e method returns the raw, unsanitized value because HTML is not expected for the affected field type.\u003c/li\u003e\n\u003cli\u003eThe malicious input is stored in the WordPress database without proper sanitization or escaping.\u003c/li\u003e\n\u003cli\u003eAn administrator accesses the Gravity Forms entries page in the WordPress admin interface (wp-admin/admin.php?page=gf_entries).\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eget_value_entry_detail()\u003c/code\u003e method retrieves the malicious product name from the database and outputs it without proper escaping.\u003c/li\u003e\n\u003cli\u003eThe stored XSS payload executes in the administrator\u0026rsquo;s browser, potentially allowing the attacker to perform actions with the administrator\u0026rsquo;s privileges.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an unauthenticated attacker to execute arbitrary JavaScript code in the context of an administrator\u0026rsquo;s browser session. This can lead to account compromise, data theft, or further malicious activities within the WordPress administration panel. The vulnerability affects all users of the Gravity Forms plugin on WordPress installations with versions up to and including 2.10.0.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the Gravity Forms plugin to the latest version (greater than 2.10.0) to patch CVE-2026-5110.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule \u003ccode\u003eDetect Gravity Forms XSS Attempt\u003c/code\u003e to identify potential exploitation attempts by monitoring for specific patterns in HTTP requests.\u003c/li\u003e\n\u003cli\u003eEnable web server logging to capture detailed information about HTTP requests and responses, enabling the Sigma rule\u0026rsquo;s effectiveness.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-gravity-forms-xss/","summary":"The Gravity Forms plugin for WordPress is vulnerable to unauthenticated stored cross-site scripting (XSS) in versions up to 2.10.0, allowing attackers to inject arbitrary JavaScript code into the product name field within repeater fields, which executes when an administrator views the affected entry.","title":"Gravity Forms Plugin Unauthenticated Stored XSS Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-gravity-forms-xss/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-7649"}],"_cs_exploited":false,"_cs_products":["ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile \u0026 User signup plugin \u003c= 4.0.60"],"_cs_severities":["high"],"_cs_tags":["sql-injection","wordpress","armember","cve-2026-7649"],"_cs_type":"advisory","_cs_vendors":["WordPress"],"content_html":"\u003cp\u003eThe ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile \u0026amp; User signup plugin for WordPress is susceptible to time-based blind SQL injection. This vulnerability, identified as CVE-2026-7649, affects all versions up to and including 4.0.60. The root cause lies in the inadequate escaping of the user-supplied \u0026lsquo;orderby\u0026rsquo; parameter and the lack of sufficient preparation in the existing SQL query. An unauthenticated attacker can exploit this weakness by injecting malicious SQL queries, potentially leading to the extraction of sensitive information directly from the WordPress database. This presents a significant risk, as it could expose user credentials, personal data, and other confidential information stored within the database, impacting the confidentiality and integrity of the WordPress installation.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker identifies a WordPress site using the vulnerable ARMember plugin (version \u0026lt;= 4.0.60).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting a page that uses the vulnerable \u0026lsquo;orderby\u0026rsquo; parameter.\u003c/li\u003e\n\u003cli\u003eThe attacker injects SQL code into the \u0026lsquo;orderby\u0026rsquo; parameter of the HTTP GET or POST request. This code is designed to exploit the time-based blind SQL injection vulnerability.\u003c/li\u003e\n\u003cli\u003eThe ARMember plugin processes the request without properly sanitizing the \u0026lsquo;orderby\u0026rsquo; parameter, allowing the injected SQL code to be executed within the database query.\u003c/li\u003e\n\u003cli\u003eThe injected SQL code uses time-delay functions (e.g., \u003ccode\u003eSLEEP()\u003c/code\u003e) to determine the truthiness of conditions. Based on the response time, the attacker infers whether the injected SQL code is evaluating to true or false.\u003c/li\u003e\n\u003cli\u003eThe attacker iteratively refines the injected SQL code to extract sensitive data, such as table names, column names, and data values, character by character, through observing the time delays.\u003c/li\u003e\n\u003cli\u003eThe attacker dumps sensitive information from the database.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the extracted credentials to gain administrative access to the WordPress site.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows unauthenticated attackers to extract sensitive information from the WordPress database. This includes user credentials (usernames, email addresses, and password hashes), personal data, and potentially other confidential information stored within the database. The impact could range from unauthorized access to user accounts to complete compromise of the WordPress site and its underlying data. The number of affected sites depends on the prevalence of the ARMember plugin, but given its popularity, the potential impact is widespread.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the latest security patches provided by the ARMember plugin developers immediately to remediate CVE-2026-7649 on all WordPress installations using the plugin.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect ARMember SQL Injection Attempt via Orderby Parameter\u0026rdquo; to your SIEM to detect exploitation attempts against this vulnerability.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious requests containing SQL syntax in the \u0026lsquo;orderby\u0026rsquo; parameter to identify potential exploitation attempts (log source: webserver).\u003c/li\u003e\n\u003cli\u003eImplement and enforce strict input validation and sanitization for all user-supplied parameters, especially those used in database queries, to prevent SQL injection vulnerabilities.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-armember-sqli/","summary":"A time-based blind SQL Injection vulnerability exists in the ARMember WordPress plugin (\u003c= 4.0.60) due to insufficient input sanitization of the 'orderby' parameter, allowing unauthenticated attackers to extract sensitive database information.","title":"ARMember WordPress Plugin Vulnerable to Time-Based Blind SQL Injection (CVE-2026-7649)","url":"https://feed.craftedsignal.io/briefs/2024-01-armember-sqli/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.2,"id":"CVE-2026-5112"}],"_cs_exploited":false,"_cs_products":["Gravity Forms plugin"],"_cs_severities":["medium"],"_cs_tags":["xss","wordpress","gravityforms"],"_cs_type":"advisory","_cs_vendors":["WordPress"],"content_html":"\u003cp\u003eThe Gravity Forms plugin for WordPress, a widely used form management tool, contains a vulnerability that can be exploited by unauthenticated attackers. Specifically, versions up to and including 2.10.0 are susceptible to Stored Cross-Site Scripting (XSS) due to insufficient input validation and output escaping of Calculation Product field names within Repeater fields. This flaw resides in how the plugin processes and renders form submissions containing malicious HTML within the product name field. The vulnerability allows an attacker to inject arbitrary web scripts that execute in the context of an authenticated administrator\u0026rsquo;s session when they access the entry detail page within the WordPress admin panel. Successful exploitation enables attackers to perform actions with the privileges of the compromised administrator.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker crafts a malicious form submission.\u003c/li\u003e\n\u003cli\u003eThe malicious payload is placed in the Calculation Product field\u0026rsquo;s product name (.1) within a Repeater field.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003evalidate()\u003c/code\u003e method in the \u003ccode\u003eGF_Field_Calculation\u003c/code\u003e class inadequately validates the product name field, failing to sanitize malicious HTML.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003esanitize_entry_value()\u003c/code\u003e method returns the raw, unsanitized value for the product name field, as HTML sanitization is not expected for this field.\u003c/li\u003e\n\u003cli\u003eThe malicious form submission is saved as an entry in WordPress.\u003c/li\u003e\n\u003cli\u003eAn authenticated administrator with the \u003ccode\u003egravityforms_view_entries\u003c/code\u003e capability accesses the entry detail page in \u003ccode\u003ewp-admin\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eget_value_entry_detail()\u003c/code\u003e method concatenates the unsanitized product name directly into the output string.\u003c/li\u003e\n\u003cli\u003eThe repeater\u0026rsquo;s \u003ccode\u003eget_value_entry_detail()\u003c/code\u003e method renders the unsanitized output, leading to the execution of the injected XSS payload within the administrator\u0026rsquo;s browser.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows an unauthenticated attacker to execute arbitrary JavaScript code within the context of an authenticated WordPress administrator\u0026rsquo;s session. This can lead to account takeover, data theft, or further malicious actions performed on the WordPress site. While the number of potentially affected sites is large due to the plugin\u0026rsquo;s popularity, the impact is limited to administrators who access the specific entry containing the malicious payload.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the Gravity Forms plugin to a version greater than 2.10.0 to patch CVE-2026-5112.\u003c/li\u003e\n\u003cli\u003eImplement the Sigma rule \u003ccode\u003eDetect Gravity Forms XSS via Product Name\u003c/code\u003e to detect attempts to inject malicious scripts into product names.\u003c/li\u003e\n\u003cli\u003eReview and audit existing Gravity Forms entries for suspicious content in Calculation Product fields to identify potential exploitation attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T10:00:00Z","date_published":"2024-01-03T10:00:00Z","id":"/briefs/2024-01-gravityforms-xss/","summary":"The Gravity Forms plugin for WordPress is vulnerable to Unauthenticated Stored Cross-Site Scripting (XSS) in versions up to and including 2.10.0, allowing unauthenticated attackers to inject arbitrary web scripts via form submissions that execute when an administrator views the entry detail page.","title":"Gravity Forms Plugin Unauthenticated Stored XSS Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-gravityforms-xss/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.2,"id":"CVE-2026-5464"}],"_cs_exploited":false,"_cs_products":["ExactMetrics – Google Analytics Dashboard for WordPress (Website Stats Plugin)"],"_cs_severities":["critical"],"_cs_tags":["wordpress","plugin","rce","cve-2026-5464","exactmetrics"],"_cs_type":"advisory","_cs_vendors":["WordPress"],"content_html":"\u003cp\u003eA critical vulnerability, CVE-2026-5464, exists in the ExactMetrics – Google Analytics Dashboard for WordPress (Website Stats Plugin) plugin, affecting all versions up to and including 9.1.2. The vulnerability allows authenticated attackers with Editor-level access or higher, who also possess the \u0026rsquo;exactmetrics_view_dashboard\u0026rsquo; capability, to install and activate arbitrary WordPress plugins from attacker-controlled URLs. This is possible due to the exposure of the \u0026lsquo;onboarding_key\u0026rsquo; transient and the lack of proper authorization checks on the \u0026rsquo;exactmetrics_connect_process\u0026rsquo; AJAX endpoint. Successful exploitation can lead to Remote Code Execution (RCE) on the target WordPress site. This poses a significant risk to websites using the vulnerable plugin, as attackers can inject malicious code and gain full control of the affected system.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains authenticated access to a WordPress site as an Editor or Administrator.\u003c/li\u003e\n\u003cli\u003eThe attacker obtains the \u0026lsquo;onboarding_key\u0026rsquo; by accessing the reports page, which exposes the transient value to users with the \u0026rsquo;exactmetrics_view_dashboard\u0026rsquo; capability.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the \u0026lsquo;onboarding_key\u0026rsquo; to access the \u0026lsquo;/wp-json/exactmetrics/v1/onboarding/connect-url\u0026rsquo; REST endpoint, receiving a one-time hash (OTH) token.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious plugin ZIP file hosted on an attacker-controlled server.\u003c/li\u003e\n\u003cli\u003eThe attacker sends a request to the \u0026rsquo;exactmetrics_connect_process\u0026rsquo; AJAX endpoint, providing the OTH token and the URL of the malicious plugin ZIP file via the \u0026lsquo;file\u0026rsquo; parameter. This endpoint lacks capability checks and nonce verification.\u003c/li\u003e\n\u003cli\u003eThe ExactMetrics plugin downloads the malicious plugin ZIP file from the attacker-controlled URL.\u003c/li\u003e\n\u003cli\u003eThe ExactMetrics plugin installs and activates the malicious plugin.\u003c/li\u003e\n\u003cli\u003eThe attacker gains Remote Code Execution on the WordPress server through the installed malicious plugin.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-5464 allows attackers to install arbitrary plugins on vulnerable WordPress sites, leading to Remote Code Execution. This grants the attacker complete control over the compromised website, enabling them to inject malicious code, deface the site, steal sensitive data, or use the site for further malicious activities. The number of affected websites depends on the widespread use of the ExactMetrics plugin. Organizations using this plugin are at risk of significant data breaches and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the ExactMetrics – Google Analytics Dashboard for WordPress (Website Stats Plugin) plugin to the latest version, which patches CVE-2026-5464.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious requests to the \u0026lsquo;/wp-json/exactmetrics/v1/onboarding/connect-url\u0026rsquo; REST endpoint and the \u0026rsquo;exactmetrics_connect_process\u0026rsquo; AJAX endpoint. Implement the Sigma rule provided below to detect exploitation attempts.\u003c/li\u003e\n\u003cli\u003eImplement strong password policies and multi-factor authentication to prevent unauthorized access to WordPress accounts.\u003c/li\u003e\n\u003cli\u003eRestrict the \u0026rsquo;exactmetrics_view_dashboard\u0026rsquo; capability to only the necessary users.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-02-exactmetrics-rce/","summary":"The ExactMetrics plugin for WordPress is vulnerable to unauthorized arbitrary plugin installation and activation via a REST API endpoint, potentially leading to remote code execution by authenticated attackers.","title":"ExactMetrics WordPress Plugin Vulnerability Leads to Remote Code Execution","url":"https://feed.craftedsignal.io/briefs/2024-01-02-exactmetrics-rce/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.2,"id":"CVE-2026-5324"}],"_cs_exploited":false,"_cs_products":["Brizy – Page Builder plugin \u003c= 2.8.11"],"_cs_severities":["medium"],"_cs_tags":["wordpress","xss","unauthenticated"],"_cs_type":"advisory","_cs_vendors":["WordPress"],"content_html":"\u003cp\u003eThe Brizy – Page Builder plugin for WordPress, a popular tool for designing website pages, contains a critical vulnerability that allows unauthenticated users to inject malicious JavaScript code. Specifically, versions up to and including 2.8.11 are affected. This vulnerability arises from a combination of factors, including the lack of nonce verification for form submissions from non-logged-in users, inadequate handling of FileUpload fields when no file is actually uploaded, and the unintended reversal of security encoding through \u003ccode\u003ehtml_entity_decode()\u003c/code\u003e before outputting data. This allows attackers to inject arbitrary web scripts that execute in the context of a logged-in administrator viewing the form\u0026rsquo;s \u0026ldquo;Leads\u0026rdquo; page, potentially leading to account takeover, data theft, or further compromise of the WordPress site.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker crafts a malicious payload containing JavaScript code.\u003c/li\u003e\n\u003cli\u003eThe attacker submits this payload through a Brizy form on the WordPress site, exploiting the missing nonce verification in the \u003ccode\u003esubmit_form()\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ehandleFileTypeFields()\u003c/code\u003e function fails to properly sanitize or overwrite the attacker-supplied values when no file is attached to the form submission.\u003c/li\u003e\n\u003cli\u003eThe injected payload, now stored in the WordPress database, bypasses initial \u003ccode\u003ehtmlentities()\u003c/code\u003e encoding due to later \u003ccode\u003ehtml_entity_decode()\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eAn administrator logs into the WordPress dashboard and navigates to the \u0026ldquo;Leads\u0026rdquo; page to view form submissions.\u003c/li\u003e\n\u003cli\u003eThe form-data.php template retrieves the stored malicious payload from the database.\u003c/li\u003e\n\u003cli\u003eThe payload is outputted directly within the \u003ccode\u003ehref\u003c/code\u003e attribute of an HTML element without proper escaping using \u003ccode\u003eesc_url()\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe injected JavaScript code executes within the administrator\u0026rsquo;s browser, potentially performing actions such as stealing cookies or redirecting the administrator to a malicious site.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an unauthenticated attacker to execute arbitrary JavaScript code in the context of a logged-in administrator\u0026rsquo;s browser. This could lead to a full compromise of the WordPress site, including the ability to create new administrative accounts, modify existing content, inject malware into the site\u0026rsquo;s pages, or steal sensitive data. The impact is significant, as it requires no user interaction beyond an administrator viewing the form submissions within the Brizy plugin.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the Brizy – Page Builder plugin to the latest version to patch CVE-2026-5324.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Brizy WordPress Plugin XSS Attempt via HTTP Request\u0026rdquo; to identify potential exploitation attempts in web server logs.\u003c/li\u003e\n\u003cli\u003eReview the \u003ccode\u003eform-data.php\u003c/code\u003e template and implement proper output escaping using \u003ccode\u003eesc_url()\u003c/code\u003e for all user-supplied data to prevent XSS, as mentioned in the vulnerability description.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-brizy-xss/","summary":"The Brizy – Page Builder plugin for WordPress is vulnerable to Unauthenticated Stored Cross-Site Scripting (XSS) in versions up to and including 2.8.11, allowing unauthenticated attackers to inject arbitrary web scripts that execute when an administrator views the form Leads page due to missing nonce verification and improper handling of file upload fields.","title":"Brizy WordPress Plugin Unauthenticated Stored XSS Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-brizy-xss/"}],"language":"en","title":"CraftedSignal Threat Feed — Wordpress","version":"https://jsonfeed.org/version/1.1"}