Wordpress — CraftedSignal Threat Feed

Contact Form 7 WordPress Plugin Uncontrolled Resource Consumption Vulnerability

hello@craftedsignal.io — Mon, 04 May 2026 19:16:02 +0000

The Contact Form 7 WordPress plugin, specifically versions up to 2.6.7, contains an uncontrolled resource consumption vulnerability (CVE-2026-25863) within the Wpcf7cfMailParser class. The hide_hidden_mail_fields_regex_callback() method is susceptible to unbounded loop execution due to reading an iteration count directly from user-supplied POST parameters via the REST API endpoint without proper validation. This allows unauthenticated attackers to send a large integer value, triggering multiple preg_replace() operations, leading to server memory exhaustion and crashing the PHP process. This vulnerability enables a denial-of-service condition, potentially impacting all websites using the vulnerable plugin.

Attack Chain

An unauthenticated attacker identifies a WordPress website using Contact Form 7 plugin version 2.6.7 or earlier.
The attacker crafts a malicious HTTP POST request targeting the WordPress REST API endpoint.
The POST request includes a large integer value for the iteration count parameter, which is passed directly to the hide_hidden_mail_fields_regex_callback() method.
The hide_hidden_mail_fields_regex_callback() method, lacking input validation, reads the attacker-controlled integer.
The method initiates an unbounded loop, performing preg_replace() operations based on the attacker-supplied iteration count.
Each preg_replace() operation consumes server memory.
The excessive number of iterations rapidly exhausts available server memory.
The PHP process crashes due to memory exhaustion, resulting in a denial-of-service condition for the website.

Impact

Successful exploitation of this vulnerability leads to a denial-of-service condition. Attackers can crash the PHP process on vulnerable WordPress websites by exhausting server memory. This can result in website downtime, impacting user experience and potentially leading to data loss or corruption. While the exact number of affected websites is unknown, the widespread use of Contact Form 7 makes this vulnerability a significant threat.

Recommendation

Upgrade the Contact Form 7 WordPress plugin to a version greater than 2.6.7 to patch CVE-2026-25863.
Deploy the Sigma rule Detect Contact Form 7 Uncontrolled Resource Consumption Attempt to your SIEM to detect malicious POST requests targeting the WordPress REST API.
Monitor web server logs for abnormally large POST request sizes to the WordPress REST API endpoint, as this may indicate an attempted exploitation of CVE-2026-25863.

WordPress Easy PayPal Events & Tickets Plugin Information Disclosure Vulnerability

hello@craftedsignal.io — Mon, 04 May 2026 18:16:29 +0000

The Easy PayPal Events & Tickets plugin for WordPress, versions 1.3 and earlier, contains an information disclosure vulnerability (CVE-2026-41471). This vulnerability allows unauthenticated attackers to iterate through WordPress post IDs via the scan_qr.php endpoint. By sequentially accessing these IDs, attackers can retrieve customer order records stored within the WordPress database. The plugin was officially closed as of March 18, 2026, meaning websites using the plugin prior to this date are vulnerable. This allows for the potential harvesting of sensitive customer data including names, addresses, and purchase histories.

Attack Chain

An unauthenticated attacker identifies a WordPress site using the vulnerable Easy PayPal Events & Tickets plugin (version 1.3 or earlier).
The attacker crafts a malicious HTTP request targeting the scan_qr.php endpoint.
The attacker modifies the request to iterate through sequential WordPress post IDs.
The server processes the request without proper authentication or authorization checks.
The scan_qr.php endpoint queries the WordPress database for order records associated with the provided post ID.
If a valid order record is found, the server returns the information in the HTTP response.
The attacker parses the HTTP response to extract customer order information.
The attacker repeats steps 2-7, incrementing the post ID to enumerate all order records.

Impact

Successful exploitation of this vulnerability allows unauthenticated attackers to retrieve all customer order records stored in the WordPress database. This can lead to the disclosure of sensitive customer information, including names, email addresses, purchase history, and potentially other personal details. The number of affected victims depends on the popularity and usage of the vulnerable plugin. If the database contains financial information the impact could be severe.

Recommendation

Deploy the Sigma rule detecting requests to the scan_qr.php endpoint with iterative post IDs to identify potential exploitation attempts.
If still using the Easy PayPal Events & Tickets plugin, remove the plugin, as it was closed as of 2026-03-18.
Monitor web server logs for suspicious activity targeting the scan_qr.php endpoint.
Review the WordPress access logs for requests originating from unusual IP addresses accessing the scan_qr.php endpoint.

WordPress Easy PayPal Events & Tickets Plugin Authentication Bypass Vulnerability

hello@craftedsignal.io — Mon, 04 May 2026 18:16:27 +0000

The Easy PayPal Events & Tickets plugin for WordPress, version 1.3 and earlier, contains a critical hardcoded authentication bypass vulnerability (CVE-2026-32834) within its QR code scanning functionality. This flaw allows unauthenticated remote attackers to bypass hash verification by supplying the string ’test’ as the hash parameter when accessing the add_wpeevent_button_qr action. This bypass enables attackers to retrieve sensitive order details associated with any post ID, including PayPal transaction IDs, customer email addresses, purchase amounts, and ticket information. The vulnerable plugin was officially closed on March 18, 2026, making it imperative to identify and mitigate any remaining installations to prevent potential data breaches.

Attack Chain

Attacker identifies a WordPress site using the Easy PayPal Events & Tickets plugin (version 1.3 or earlier).
Attacker crafts a malicious HTTP GET request targeting the /wp-admin/admin-ajax.php endpoint.
The request includes the action parameter set to add_wpeevent_button_qr.
The request includes a hash parameter set to the hardcoded value test.
The request includes a post_id parameter, either guessed or obtained through other means.
The vulnerable plugin bypasses authentication due to the hardcoded hash.
The plugin processes the request and retrieves sensitive order details associated with the provided post_id.
The attacker receives the sensitive data, including PayPal transaction IDs, customer email addresses, purchase amounts, and ticket information.

Impact

Successful exploitation of this vulnerability grants unauthenticated attackers access to sensitive customer and transaction data associated with events and tickets managed through the Easy PayPal Events & Tickets plugin. The leaked information, including customer email addresses and PayPal transaction IDs, can be used for further malicious activities such as phishing campaigns, identity theft, and financial fraud. The number of affected WordPress sites is unknown, but any site using a vulnerable version of the plugin is at risk.

Recommendation

Deploy the Sigma rule Detect WordPress Easy PayPal Events & Tickets Authentication Bypass Attempt to your SIEM to detect exploitation attempts targeting the vulnerable endpoint.
Inspect web server logs for requests to /wp-admin/admin-ajax.php with the action parameter set to add_wpeevent_button_qr and the hash parameter set to test to identify potential exploitation attempts.
Monitor network traffic for suspicious data exfiltration following the identified exploitation attempts to mitigate potential damage.
If the plugin is still installed, remove it immediately.

NEX-Forms WordPress Plugin Vulnerable to Stored Cross-Site Scripting (CVE-2026-5063)

hello@craftedsignal.io — Sun, 03 May 2026 06:15:57 +0000

The NEX-Forms – Ultimate Forms Plugin for WordPress, versions up to and including 9.1.11, is susceptible to a stored Cross-Site Scripting (XSS) vulnerability (CVE-2026-5063). This flaw stems from inadequate input sanitization and output escaping within the submit_nex_form() function. Unauthenticated attackers can exploit this vulnerability by injecting malicious JavaScript code through POST parameter key names. Successful exploitation allows the attacker to execute arbitrary scripts in the context of a user’s browser when they access a page containing the injected script, potentially leading to session hijacking, defacement, or redirection to malicious sites. The vulnerability was reported to Wordfence and a patch has been released.

Attack Chain

The attacker crafts a malicious HTTP POST request to a WordPress page that utilizes the vulnerable NEX-Forms plugin.
The POST request includes specially crafted parameter key names designed to inject JavaScript code.
The submit_nex_form() function processes the POST request without properly sanitizing or escaping the malicious input.
The injected JavaScript code is stored in the WordPress database.
A legitimate user accesses a page where the form data, including the malicious script, is displayed.
The stored JavaScript code executes within the user’s browser in the context of the WordPress page.
The attacker can then perform actions such as stealing cookies, redirecting the user, or modifying the page content.

Impact

Successful exploitation of this stored XSS vulnerability allows an unauthenticated attacker to inject arbitrary JavaScript code into pages using the NEX-Forms plugin. This can lead to various malicious outcomes, including user session hijacking, website defacement, or redirection to phishing sites. As the vulnerability is stored, every user who visits a page containing the malicious script will be affected until the vulnerability is patched and the malicious input is removed. The severity is rated as HIGH with a CVSS base score of 7.2.

Recommendation

Upgrade the NEX-Forms – Ultimate Forms Plugin for WordPress to a version beyond 9.1.11 to patch CVE-2026-5063.
Deploy the Sigma rule Detect Suspicious NEX-Forms POST Requests to identify potential exploitation attempts.
Monitor web server logs for suspicious POST requests containing potentially malicious JavaScript code in parameter names.

WordPress WCFM Plugin Vulnerable to IDOR Leading to Account Deletion

hello@craftedsignal.io — Sat, 02 May 2026 14:16:17 +0000

The WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible plugin, a popular WordPress plugin, is affected by an Insecure Direct Object Reference (IDOR) vulnerability. This flaw, present in versions up to and including 6.7.25, stems from a lack of proper validation on the customerid parameter within the wcfm_delete_wcfm_customer function. An attacker with Vendor-level privileges or higher can exploit this vulnerability to delete any user account on the WordPress instance, including those with administrative rights. This can lead to complete compromise of the affected website.

Attack Chain

An attacker authenticates to the WordPress site with Vendor-level access or higher.
The attacker crafts a malicious HTTP request targeting the wcfm_delete_wcfm_customer function.
The attacker includes the customerid parameter in the request, setting its value to the ID of the target user account they wish to delete.
Due to the missing validation on the customerid parameter, the application directly uses the provided ID to locate the user account.
The wcfm_delete_wcfm_customer function proceeds to delete the user account identified by the attacker-supplied customerid.
The targeted user account is successfully deleted from the WordPress instance.
If the deleted user account was an administrator, the attacker can effectively take control of the website.

Impact

Successful exploitation of this IDOR vulnerability allows an attacker to delete arbitrary user accounts, including those with administrative privileges. This can lead to a complete compromise of the affected WordPress website. An attacker could then deface the website, steal sensitive data, or use it to launch further attacks. Due to the popularity of the plugin, a large number of WooCommerce stores are potentially affected.

Recommendation

Apply the latest available patch or upgrade to a version of the WCFM plugin greater than 6.7.25 to remediate CVE-2026-2554.
Monitor web server logs for suspicious requests to wcfm_delete_wcfm_customer with unusual customerid values, using the Sigma rule provided below.
Implement input validation on the customerid parameter within the wcfm_delete_wcfm_customer function to prevent arbitrary user deletion.

Salon Booking System WordPress Plugin Arbitrary File Read Vulnerability

hello@craftedsignal.io — Sat, 02 May 2026 12:16:16 +0000

The Salon Booking System – Free Version plugin for WordPress, versions up to and including 10.30.25, contains an arbitrary file read vulnerability. This flaw stems from the plugin’s public booking flow, where it accepts attacker-controlled file-field values. These values are subsequently used as trusted paths when creating email attachments for booking confirmations. This allows an unauthenticated attacker to supply a path to any file accessible to the web server, triggering its inclusion as an attachment in the booking confirmation email, effectively enabling arbitrary file exfiltration. Exploitation requires no authentication and can be triggered remotely.

Attack Chain

An unauthenticated attacker accesses the public booking form of a WordPress site running the vulnerable Salon Booking System plugin.
The attacker crafts a malicious request to the booking form, injecting a file path (e.g., /etc/passwd) into a file-field parameter.
The plugin processes the booking request and stores the attacker-supplied file path.
The plugin generates a booking confirmation email.
The plugin uses the stored, attacker-controlled file path to attach the specified file to the confirmation email.
The booking confirmation email, now containing the arbitrary file as an attachment, is sent to the user who initiated the booking (which could be the attacker or an unwitting third party).
The attacker retrieves the email (if sent to the attacker) or intercepts it (if sent to a third party) and extracts the attached file.
The attacker gains unauthorized access to the contents of the exfiltrated file.

Impact

Successful exploitation of this vulnerability allows unauthenticated attackers to read arbitrary files from the affected WordPress server. This could lead to the disclosure of sensitive information, such as configuration files, database credentials, or other confidential data. The vulnerability affects versions of the Salon Booking System plugin up to and including 10.30.25. The number of affected WordPress installations is unknown, but could be substantial given the plugin’s popularity.

Recommendation

Upgrade the Salon Booking System plugin to the latest version to patch CVE-2026-6320.
Monitor web server logs (category webserver, product linux) for suspicious requests containing absolute or relative file paths in file-field parameters, using a detection rule similar to the ones provided below.
Implement strict input validation and sanitization for all user-supplied data, especially file paths.
Review and restrict file system permissions to limit the files accessible to the web server process.

Paid Memberships Pro Plugin Vulnerability Allows Unauthorized Stripe Webhook Modification

hello@craftedsignal.io — Sat, 02 May 2026 12:16:16 +0000

The Paid Memberships Pro plugin, a popular WordPress plugin for managing paid subscriptions, contains a vulnerability (CVE-2026-4100) that allows authenticated attackers with minimal privileges (Subscriber-level access) to manipulate Stripe webhook configurations. This flaw exists in versions up to and including 3.6.5 due to missing capability checks on specific AJAX handlers. An attacker exploiting this vulnerability can delete, create, or rebuild the site’s Stripe webhook, leading to significant disruptions in payment processing, subscription renewal synchronization, cancellation handling, and management of failed payments. This vulnerability puts revenue streams and customer relationships at risk for any organization using the affected plugin versions.

Attack Chain

An attacker gains Subscriber-level access to the WordPress site, either through registration or compromised credentials.
The attacker crafts a malicious AJAX request targeting the wp_ajax_pmpro_stripe_create_webhook endpoint.
Alternatively, the attacker crafts a malicious AJAX request to the wp_ajax_pmpro_stripe_delete_webhook endpoint.
Or, the attacker crafts a malicious AJAX request to the wp_ajax_pmpro_stripe_rebuild_webhook endpoint.
Due to missing capability checks, the server processes the request without proper authorization.
The Stripe webhook configuration is modified, deleted, or rebuilt based on the attacker’s request.
Legitimate payment processing and subscription management processes fail due to the altered webhook configuration.
The attacker effectively disrupts the site’s ability to collect payments and manage subscriptions.

Impact

Successful exploitation of this vulnerability allows an attacker to completely disrupt a WordPress site’s payment processing and subscription management functionalities. This can result in significant financial losses due to interrupted sales and subscription renewals. Furthermore, the disruption can damage customer trust and lead to churn as users experience issues with their subscriptions. The vulnerability affects all sites using Paid Memberships Pro plugin versions up to 3.6.5.

Recommendation

Immediately update the Paid Memberships Pro plugin to the latest version to patch CVE-2026-4100.
Monitor WordPress web server logs for POST requests to /wp-admin/admin-ajax.php with the action parameter set to pmpro_stripe_create_webhook, pmpro_stripe_delete_webhook, or pmpro_stripe_rebuild_webhook using the “Detect Suspicious PMPro Stripe Webhook AJAX Requests” Sigma rule.
Review user roles and permissions to minimize the number of users with Subscriber-level access as a temporary mitigation.

Geo Mashup WordPress Plugin Vulnerable to Time-Based SQL Injection (CVE-2026-4062)

hello@craftedsignal.io — Sat, 02 May 2026 12:16:16 +0000

The Geo Mashup plugin for WordPress, in versions up to and including 1.13.18, contains a Time-Based SQL Injection vulnerability (CVE-2026-4062). The vulnerability exists within the ‘object_ids’ and ’exclude_object_ids’ parameters. Insufficient escaping of user-supplied input, specifically within the IN(...) and NOT IN(...) SQL context, coupled with inadequate preparation of the existing SQL query, allows for the injection. The esc_sql() function is applied but is rendered ineffective due to its inability to protect against parenthesis or SQL keyword injection within the unquoted IN(...) / NOT IN(...) context. A numeric-only sanitizer exists in sanitize_query_args(), but this is only applied in the AJAX code path and not in the render-map.php or template tag code paths. This flaw enables unauthenticated attackers to append malicious SQL queries, facilitating the extraction of sensitive information from the WordPress database through a time-based blind SQL injection technique.

Attack Chain

An unauthenticated attacker identifies the vulnerable Geo Mashup plugin running on a WordPress site.
The attacker crafts a malicious HTTP request targeting an endpoint that utilizes the ‘object_ids’ or ’exclude_object_ids’ parameters.
The attacker injects a time-based SQL injection payload into the ‘object_ids’ or ’exclude_object_ids’ parameter. This payload leverages SQL functions like SLEEP() or BENCHMARK() to introduce delays based on conditional SQL logic.
The vulnerable code fails to properly sanitize the injected SQL code due to the ineffective esc_sql() function in the IN/NOT IN context.
The injected SQL payload is appended to the existing SQL query executed by the Geo Mashup plugin.
The database server executes the combined query, including the injected time-based SQL injection.
The attacker monitors the response time of the HTTP request. A delayed response indicates that the injected SQL logic evaluated to true.
By repeatedly sending requests with different SQL injection payloads, the attacker can extract sensitive information from the database one character at a time.

Impact

Successful exploitation of this vulnerability can lead to the complete compromise of the WordPress database. An attacker can extract sensitive information such as user credentials, API keys, configuration details, and other confidential data. This can result in data breaches, unauthorized access to the WordPress site, and potential further attacks on connected systems. The CVSS v3.1 base score for this vulnerability is 7.5, indicating a high severity.

Recommendation

Upgrade the Geo Mashup plugin to a version greater than 1.13.18 to remediate CVE-2026-4062.
Deploy the Sigma rule Detect Geo Mashup Time-Based SQL Injection Attempts to identify potential exploitation attempts targeting the vulnerable parameters.
Monitor web server logs for suspicious requests containing SQL injection payloads in the ‘object_ids’ or ’exclude_object_ids’ parameters to detect exploitation attempts.

Geo Mashup WordPress Plugin Vulnerable to Time-Based SQL Injection (CVE-2026-4061)

hello@craftedsignal.io — Sat, 02 May 2026 12:16:16 +0000

The Geo Mashup plugin for WordPress is vulnerable to time-based SQL injection, as detailed in CVE-2026-4061. This vulnerability affects all versions of the plugin up to and including 1.13.18. The root cause lies in the SearchResults hook, where the map_post_type parameter is mishandled. Specifically, the code first calls stripslashes_deep($_POST), effectively removing WordPress’s magic quotes protection. Subsequently, the unsanitized map_post_type value is directly concatenated into an IN(...) clause without proper escaping using esc_sql() or $wpdb->prepare(). While the ‘any’ branch of the code correctly applies array_map('esc_sql', ...), the alternative branch lacks this crucial sanitization step. Successful exploitation requires the Geo Search feature to be enabled in the plugin’s settings. This vulnerability allows unauthenticated attackers to inject malicious SQL queries, potentially leading to the extraction of sensitive database information through time-based blind techniques.

Attack Chain

The attacker identifies a WordPress site using a vulnerable version of the Geo Mashup plugin (<= 1.13.18) with the Geo Search feature enabled.
The attacker crafts a malicious HTTP POST request targeting the SearchResults hook with a specially crafted map_post_type parameter containing SQL injection payload.
The vulnerable code within the Geo Mashup plugin processes the POST request, removing magic quotes using stripslashes_deep($_POST).
The unsanitized map_post_type value is then concatenated directly into an SQL query within an IN(...) clause without proper escaping.
The injected SQL code executes within the database query, allowing the attacker to manipulate the query’s behavior.
The attacker uses time-based SQL injection techniques (e.g., IF(condition, SLEEP(5), 0)) within the injected payload to infer information based on the response time.
By repeatedly sending modified requests and observing the response times, the attacker can extract sensitive data, character by character, from the database.
The attacker extracts sensitive information such as usernames, passwords, API keys, or other confidential data stored in the WordPress database.

Impact

Successful exploitation of this vulnerability allows unauthenticated attackers to extract sensitive information from the WordPress database. The severity of the impact depends on the sensitivity of the data stored in the database, but could include exposure of user credentials, confidential business data, or other sensitive information. Because it affects any installation with the Geo Search feature enabled, a large number of websites using the Geo Mashup plugin may be vulnerable. The CVSS v3.1 base score is 7.5, indicating a high severity vulnerability.

Recommendation

Upgrade the Geo Mashup plugin to the latest version (later than 1.13.18) to patch CVE-2026-4061.
Deploy the provided Sigma rule to detect potential exploitation attempts targeting the vulnerable SearchResults hook using a malicious map_post_type parameter.
Review web server logs for suspicious POST requests to /wp-admin/admin-ajax.php (common AJAX endpoint in WordPress) containing potentially malicious SQL injection payloads in the map_post_type parameter.

WordPress Widget Options Plugin Remote Code Execution Vulnerability (CVE-2026-2052)

hello@craftedsignal.io — Sat, 02 May 2026 08:16:27 +0000

The Widget Options – Advanced Conditional Visibility for Gutenberg Blocks & Classic Widgets plugin, versions 4.2.2 and earlier, contains a Remote Code Execution (RCE) vulnerability (CVE-2026-2052). This flaw stems from the plugin’s Display Logic feature, which utilizes the eval() function to process user-supplied expressions. The plugin’s implemented blocklist/allowlist is insufficient, making it bypassable through techniques involving array_map with string concatenation. Furthermore, the plugin lacks proper authorization enforcement on the extended_widget_opts_block attribute. This vulnerability allows authenticated attackers with Contributor-level access or higher to inject and execute arbitrary code on the underlying server. The vendor partially addressed this vulnerability in version 4.2.0.

Attack Chain

An attacker authenticates to the WordPress application as a Contributor or higher-level user.
The attacker navigates to the Widget Options settings within the WordPress admin panel.
The attacker crafts a malicious Display Logic expression designed to execute arbitrary PHP code. This involves bypassing the blocklist/allowlist using techniques such as array_map and string concatenation.
The attacker injects the malicious Display Logic expression into the extended_widget_opts_block attribute.
The WordPress application processes the widget options, including the malicious Display Logic expression. Due to the lack of proper sanitization and authorization, the eval() function executes the attacker-supplied PHP code.
The attacker’s code executes with the permissions of the web server user, potentially allowing the attacker to read or write files, execute system commands, or compromise the entire server.
The attacker may establish persistence by writing a backdoor to a file on the server or by creating a new administrator account.

Impact

Successful exploitation of CVE-2026-2052 allows an attacker to execute arbitrary code on the WordPress server. This can lead to complete compromise of the website, including data theft, defacement, and the installation of malware. Since the vulnerability requires Contributor access or higher, the impact is significant if such accounts are compromised through other means (e.g., phishing, credential stuffing). The lack of proper input sanitization and authorization makes this a critical vulnerability.

Recommendation

Upgrade the “The Widget Options – Advanced Conditional Visibility for Gutenberg Blocks & Classic Widgets” plugin to the latest version to patch CVE-2026-2052.
Deploy the Sigma rule “Detect WordPress Widget Options RCE Attempt” to your SIEM to detect exploitation attempts.
Review user roles and permissions to minimize the number of users with Contributor or higher-level access.
Monitor web server logs for unusual activity, particularly requests to /wp-admin/options.php related to widget options.

PixelYourSite Pro WordPress Plugin SSRF Vulnerability (CVE-2026-7049)

hello@craftedsignal.io — Sat, 02 May 2026 06:16:04 +0000

CVE-2026-7049 is a server-side request forgery (SSRF) vulnerability found in the PixelYourSite Pro WordPress plugin. Specifically, all versions up to and including 12.5.0.1 are affected. This vulnerability allows unauthenticated attackers to send requests to arbitrary internal or external resources, as viewed from the web server. Although the fetched response bodies are not directly returned to the attacker (making it a blind SSRF), the application parses these responses internally, creating opportunities for reconnaissance and potentially for exploiting vulnerable internal services. Successful exploitation could expose sensitive information or allow unauthorized modification of internal systems.

Attack Chain

An unauthenticated attacker identifies the scan_video parameter as an SSRF entry point.
The attacker crafts a malicious HTTP request targeting the WordPress server with the vulnerable PixelYourSite Pro plugin. The request includes the scan_video parameter set to a URL pointing to an internal resource (e.g., internal IP address or hostname).
The WordPress server receives the malicious request.
The PixelYourSite Pro plugin processes the request and initiates an HTTP request to the URL specified in the scan_video parameter.
The WordPress server makes a request to the internal resource.
The response from the internal resource is received by the WordPress server.
The PixelYourSite Pro plugin parses the response body, potentially revealing information about the internal service.
Depending on the targeted internal service and the attacker’s crafted request, the attacker might be able to modify information or execute commands on the internal service, even though the response is not directly returned to the attacker.

Impact

Successful exploitation of CVE-2026-7049 allows an unauthenticated attacker to perform reconnaissance of internal network resources. The blind nature of the SSRF limits the attacker’s immediate visibility into the response, but internal parsing of the response allows for potential information disclosure and exploitation of vulnerable internal services. The scope of the impact depends heavily on the configuration of the internal network and the services exposed.

Recommendation

Upgrade the PixelYourSite Pro plugin to a version greater than 12.5.0.1 to patch CVE-2026-7049.
Deploy the Sigma rule Detect Suspicious PixelYourSite Pro SSRF Attempts to monitor for exploitation attempts targeting the scan_video parameter.
Review and restrict internal network access to sensitive services to mitigate the potential impact of SSRF vulnerabilities.

Gravity Forms Plugin Stored XSS Vulnerability (CVE-2026-5113)

hello@craftedsignal.io — Sat, 02 May 2026 06:16:04 +0000

The Gravity Forms plugin for WordPress, a popular form builder, contains a stored cross-site scripting (XSS) vulnerability identified as CVE-2026-5113. This flaw affects versions up to and including 2.10.0. The vulnerability stems from a flawed state validation mechanism combined with insufficient output escaping within the Consent field’s hidden inputs. An unauthenticated attacker can exploit this by injecting malicious JavaScript code into form entries. This malicious code is then executed when an authenticated administrator accesses the Entries List page within the WordPress administration panel, potentially leading to account compromise or other malicious actions performed within the administrator’s session. Successful exploitation allows attackers to execute arbitrary web scripts in the context of an administrator’s browser.

Attack Chain

An unauthenticated attacker crafts a malicious payload containing XSS code within a Gravity Forms Consent field. The payload leverages HTML tags like that wp_kses() will strip.
The attacker submits the crafted form entry to the WordPress site.
The Gravity Forms plugin’s state validation mechanism calculates two hashes: one for the raw input and another after sanitization via wp_kses().
Due to the nature of the XSS payload, the wp_kses() function strips the tag, resulting in a matching hash for the sanitized input.
The flawed validation logic fails to detect the malicious intent because at least one hash matches the original state, allowing the malicious raw value (containing the XSS payload) to be stored in the database.
An authenticated administrator logs into the WordPress administration panel.
The administrator navigates to the Entries List page for the affected Gravity Form.
The stored malicious consent label is retrieved from the database and output without proper escaping, causing the XSS payload to execute within the administrator’s browser session.

Impact

Successful exploitation of CVE-2026-5113 allows unauthenticated attackers to execute arbitrary web scripts within the context of an authenticated administrator’s browser session. This can lead to a variety of malicious outcomes, including account compromise, data theft, modification of website content, or further propagation of the attack to other administrative users. The severity of the impact depends on the privileges held by the compromised administrator account.

Recommendation

Upgrade the Gravity Forms plugin to the latest version, which includes a fix for CVE-2026-5113.
Implement a Web Application Firewall (WAF) rule to filter out requests containing potentially malicious XSS payloads targeting the Gravity Forms Consent field.
Monitor web server logs for suspicious activity related to form submissions containing encoded or obfuscated JavaScript code. Analyze HTTP request parameters for unusual characters or patterns indicative of XSS attempts.
Enable output escaping on form entries to prevent stored XSS attacks.

WP Mail Gateway Plugin Vulnerability Leads to Privilege Escalation

hello@craftedsignal.io — Sat, 02 May 2026 05:16:01 +0000

The WP Mail Gateway plugin, a WordPress extension, contains a vulnerability (CVE-2026-6963) that allows authenticated users with minimal privileges (Subscriber level or higher) to gain administrative access. The flaw resides in the wmg_save_provider_config AJAX action, which lacks proper authorization checks. This omission enables attackers to manipulate SMTP settings, redirect outgoing emails, and ultimately trigger password reset emails intended for administrators. The vulnerability affects all versions of the WP Mail Gateway plugin up to and including version 1.8. Successful exploitation grants attackers complete control over the WordPress site, making it a critical security concern for any organization using the vulnerable plugin.

Attack Chain

An attacker logs into a WordPress site with a Subscriber-level account or higher.
The attacker crafts a malicious AJAX request targeting the wmg_save_provider_config action.
This request modifies the SMTP settings, redirecting outgoing emails to an attacker-controlled server.
The attacker initiates a password reset request for an administrator account.
The password reset email is intercepted by the attacker’s server.
The attacker uses the password reset link to gain access to the administrator’s account.
The attacker logs into the WordPress dashboard with administrator privileges.
The attacker can now perform any administrative action, including installing malicious plugins, modifying site content, or creating new administrator accounts.

Impact

Successful exploitation of CVE-2026-6963 allows an attacker to completely compromise a WordPress website. Even low-privileged users can elevate their access to administrator, giving them full control over the site. This can lead to data breaches, website defacement, malware deployment, and other malicious activities. The vulnerability affects all installations of the WP Mail Gateway plugin up to version 1.8, potentially impacting thousands of WordPress sites.

Recommendation

Upgrade the WP Mail Gateway plugin to a version beyond 1.8 to patch CVE-2026-6963.
Monitor WordPress logs for suspicious AJAX requests targeting the wmg_save_provider_config action using the Sigma rule provided below. Enable webserver logging to capture HTTP POST requests.
Implement the provided Sigma rule to detect modifications to WordPress options related to SMTP configuration. Enable relevant logging for registry modifications.

WordPress User Verification Plugin Authentication Bypass Vulnerability

hello@craftedsignal.io — Sat, 02 May 2026 05:16:01 +0000

The User Verification by PickPlugins plugin, a popular WordPress plugin, contains a critical authentication bypass vulnerability (CVE-2026-7458) affecting all versions up to and including 2.0.46. The flaw resides within the user_verification_form_wrap_process_otpLogin function, where a loose PHP comparison operator is used to validate OTP codes. This weakness allows unauthenticated attackers to bypass the OTP verification process and log in as any user with a verified email address, potentially gaining administrative access. Successful exploitation requires the attacker to submit the string “true” as the OTP value. This vulnerability poses a significant risk to WordPress sites using the affected plugin, potentially leading to complete site compromise.

Attack Chain

An unauthenticated attacker identifies a WordPress site using a vulnerable version of the User Verification by PickPlugins plugin (<= 2.0.46).
The attacker navigates to the OTP login form provided by the plugin.
The attacker enters the email address of a target user, such as an administrator.
The attacker intercepts the OTP request and instead of a numerical code, submits the string “true” as the OTP value.
The vulnerable user_verification_form_wrap_process_otpLogin function processes the submitted OTP. Due to the loose PHP comparison (e.g., == instead of ===), the string “true” evaluates to true, bypassing the intended OTP validation.
The plugin incorrectly authenticates the attacker as the targeted user.
The attacker gains unauthorized access to the targeted user’s account, potentially gaining administrative privileges.
The attacker can now perform actions such as modifying website content, installing malicious plugins, or exfiltrating sensitive data.

Impact

Successful exploitation of CVE-2026-7458 allows unauthenticated attackers to bypass the OTP verification mechanism and gain unauthorized access to any user account with a verified email address on a vulnerable WordPress site. This can lead to complete compromise of the affected WordPress site, enabling attackers to modify content, inject malicious code, steal sensitive data, or use the site for malicious purposes. Given the plugin’s popularity, this vulnerability could impact a large number of WordPress websites.

Recommendation

Upgrade the User Verification by PickPlugins plugin to the latest version (greater than 2.0.46) to patch CVE-2026-7458.
Monitor WordPress access logs for unusual login attempts or the presence of “true” as OTP values to identify potential exploitation attempts. Deploy the Detect Successful Authentication Bypass via True OTP Sigma rule.
Implement stricter input validation and sanitization for OTP codes to prevent similar bypass vulnerabilities.

WordPress Import and Export Users Plugin Privilege Escalation Vulnerability

hello@craftedsignal.io — Sat, 02 May 2026 05:16:01 +0000

The Import and export users and customers plugin for WordPress, a plugin used to manage user data, is vulnerable to privilege escalation. This vulnerability, identified as CVE-2026-7641, affects all versions of the plugin up to and including 2.0.8. The vulnerability stems from an incomplete blocklist in the save_extra_user_profile_fields() function. This function fails to adequately filter meta keys for subsites within a WordPress Multisite network, allowing attackers to manipulate user roles. Successful exploitation allows authenticated attackers with Subscriber-level access or higher to escalate their privileges to Administrator on any subsite within the Multisite network. Exploitation requires the targeted WordPress instance to be part of a Multisite network and have specific settings enabled.

Attack Chain

An administrator imports a CSV file containing multisite-prefixed capability column headers (e.g., wp_2_capabilities) using the affected plugin.
The administrator enables the “Show fields in profile?” option within the plugin settings. This action stores the imported column headers (including the multisite capabilities) in the acui_columns option.
A low-privileged user (e.g., Subscriber) authenticates to the WordPress subsite.
The attacker navigates to their user profile page (/wp-admin/profile.php). The plugin displays the previously imported multisite capability fields as editable options on the profile page.
The attacker crafts a profile update request, setting the value of the wp_{subsite_id}_capabilities meta key to a:1:{s:13:"administrator";b:1;} which grants administrator privileges.
The attacker submits the crafted profile update to /wp-admin/profile.php.
The save_extra_user_profile_fields() function processes the update. Due to the incomplete blocklist, the function fails to prevent the modification of the wp_{subsite_id}_capabilities meta key.
The update_user_meta() function writes the attacker-controlled value directly to the user’s metadata, granting them Administrator privileges on the specified subsite.

Impact

Successful exploitation of CVE-2026-7641 allows an attacker to gain complete control over a WordPress subsite within a Multisite network. This can lead to unauthorized access to sensitive data, modification of website content, installation of malicious plugins or themes, and potential compromise of the entire Multisite network. Given the widespread use of WordPress and the Import and export users and customers plugin, a successful attack can have significant repercussions for affected organizations.

Recommendation

Upgrade the Import and export users and customers plugin to the latest version to patch CVE-2026-7641.
Apply the Sigma rule WordPress Multisite Privilege Escalation via Profile Update to detect exploitation attempts against /wp-admin/profile.php.
Review the acui_columns option in the WordPress database to identify any instances where multisite-prefixed capability column headers have been imported, and remove those fields.
Monitor WordPress user profile updates for unusual modifications to user capabilities using the WordPress User Role Change Detection rule.

WordPress User Registration Advanced Fields Plugin Arbitrary File Upload Vulnerability

hello@craftedsignal.io — Sat, 02 May 2026 05:16:00 +0000

The User Registration Advanced Fields plugin for WordPress, specifically versions up to and including 1.6.20, contains an arbitrary file upload vulnerability (CVE-2026-4882) due to insufficient file type validation in the URAF_AJAX::method_upload function. This flaw enables unauthenticated attackers to upload any file type to the affected server, which can lead to remote code execution if the uploaded file is strategically placed and executed. The vulnerability is exploitable only if a “Profile Picture” field is active within the registration form. This poses a significant threat to websites using the plugin, as attackers can potentially gain full control of the server.

Attack Chain

An unauthenticated attacker identifies a WordPress site using the vulnerable User Registration Advanced Fields plugin (<= 1.6.20) with the “Profile Picture” field enabled.
The attacker crafts a malicious HTTP request to the URAF_AJAX::method_upload function, bypassing any client-side file type checks.
The attacker uploads a web shell (e.g., a PHP file) disguised as a legitimate file type or without any extension to evade basic detection mechanisms.
The vulnerable plugin saves the file to the WordPress uploads directory without proper validation.
The attacker identifies the exact file path of the uploaded web shell on the server.
The attacker sends another HTTP request directly to the uploaded web shell.
The web shell executes on the server, providing the attacker with remote code execution capabilities.
The attacker can then leverage the web shell to perform various malicious activities, such as installing malware, defacing the website, or exfiltrating sensitive data.

Impact

Successful exploitation of this vulnerability (CVE-2026-4882) allows unauthenticated attackers to upload arbitrary files to a vulnerable WordPress website, potentially leading to remote code execution. This can result in complete compromise of the affected website, including data theft, website defacement, and malware infections. The CVSS v3.1 base score for this vulnerability is 9.8, indicating a critical severity level. The impact includes potential damage to reputation, financial losses, and legal liabilities.

Recommendation

Upgrade the User Registration Advanced Fields plugin to the latest version (greater than 1.6.20) to patch CVE-2026-4882.
Implement file type validation on the server-side, restricting allowed file extensions for profile picture uploads.
Monitor web server logs for suspicious file upload activity targeting the URAF_AJAX::method_upload function to detect potential exploitation attempts. Deploy the Sigma rule Detect Suspicious WordPress File Uploads to your SIEM.
Implement strict file permission policies to prevent uploaded files from being executed as scripts.

WP Editor Plugin CSRF Vulnerability

hello@craftedsignal.io — Fri, 01 May 2026 12:16:16 +0000

The WP Editor plugin, a WordPress plugin, contains a Cross-Site Request Forgery (CSRF) vulnerability affecting versions up to and including 1.2.9.2. This vulnerability stems from a lack of nonce verification in the ‘add_plugins_page’ and ‘add_themes_page’ functions. An unauthenticated attacker can exploit this vulnerability by crafting a malicious request designed to overwrite arbitrary plugin and theme PHP files with attacker-controlled code. The success of this attack hinges on the attacker’s ability to deceive a site administrator into triggering the forged request, typically by clicking a specially crafted link. This flaw allows for potential arbitrary code execution on the targeted WordPress site.

Attack Chain

The attacker identifies a vulnerable WordPress site running a WP Editor plugin version <= 1.2.9.2.
The attacker crafts a malicious HTTP request targeting the ‘add_plugins_page’ or ‘add_themes_page’ functions. This request includes parameters designed to overwrite a specific plugin or theme PHP file with attacker-supplied code.
The attacker social engineers a WordPress administrator into clicking a malicious link or visiting a compromised website containing the forged request. This could be achieved via phishing emails or other deceptive techniques.
If the administrator is logged into the WordPress dashboard, their browser automatically sends the forged request to the vulnerable WordPress site.
Due to the missing nonce verification, the WordPress site processes the request without validating its origin.
The target plugin or theme PHP file is overwritten with the attacker’s malicious code.
The attacker’s code is executed when the plugin or theme is loaded or accessed.
The attacker achieves arbitrary code execution on the WordPress server, potentially leading to complete site compromise.

Impact

Successful exploitation of this CSRF vulnerability allows an unauthenticated attacker to inject arbitrary PHP code into a WordPress website. This can lead to a full compromise of the website, including data theft, defacement, or the installation of backdoors for persistent access. Given the widespread use of WordPress and the WP Editor plugin, a large number of websites are potentially at risk. Successful attacks can result in significant reputational damage and financial losses for affected website owners.

Recommendation

Upgrade the WP Editor plugin to the latest available version, which includes a fix for CVE-2026-3772.
Implement strong CSRF protection measures on all WordPress forms and administrative functions.
Deploy the provided Sigma rule to detect attempts to exploit this vulnerability through suspicious requests to the add_plugins_page or add_themes_page endpoints.

WordPress Temporary Login Plugin Authentication Bypass (CVE-2026-7567)

hello@craftedsignal.io — Fri, 01 May 2026 10:15:58 +0000

CVE-2026-7567 is an authentication bypass vulnerability that affects the Temporary Login plugin for WordPress, specifically versions up to and including 1.0.0. The vulnerability stems from a failure to properly validate the ’temp-login-token’ GET parameter within the maybe_login_temporary_user() function. By supplying an array as the value for this parameter, attackers can circumvent the intended empty() check. This leads to the sanitize_key() function returning an empty string, which is then used in a database query to fetch users. WordPress ignores empty meta_value parameters, causing the query to return all users with the _temporary_login_token meta key. Consequently, an unauthenticated attacker can effectively authenticate as any user with an active temporary login session by sending a single, maliciously crafted GET request. This poses a severe risk to website security, as it allows unauthorized access to user accounts and potentially sensitive data.

Attack Chain

An unauthenticated attacker identifies a WordPress site using the vulnerable Temporary Login plugin (version <= 1.0.0).
The attacker crafts a malicious GET request targeting the WordPress site’s login endpoint, including the ’temp-login-token’ parameter as an array (e.g., temp-login-token[]=).
The web server receives the GET request.
The maybe_login_temporary_user() function processes the request.
Due to improper input validation, the empty() check is bypassed when the ’temp-login-token’ parameter is an array.
sanitize_key() processes the array and returns an empty string as the meta_value.
WordPress executes a database query using the empty meta_value, effectively retrieving all users with active temporary login tokens.
The attacker is granted unauthorized access to the account of a targeted temporary user, bypassing normal authentication procedures.

Impact

Successful exploitation of CVE-2026-7567 allows unauthenticated attackers to bypass login restrictions and gain unauthorized access to WordPress user accounts utilizing the vulnerable Temporary Login plugin. The severity is high, as it allows complete compromise of user accounts without requiring any valid credentials. The impact includes potential data theft, account takeover, website defacement, and other malicious activities, depending on the privileges of the compromised user account.

Recommendation

Apply the available patch or upgrade the Temporary Login plugin to a version greater than 1.0.0 to remediate CVE-2026-7567.
Deploy the Sigma rule Detect WordPress Temporary Login Authentication Bypass Attempt to detect exploitation attempts by monitoring HTTP requests with array-based temp-login-token parameters in the query string.
Implement input validation on the web server to reject requests containing array-based parameters where scalar strings are expected.

BuddyPress Xprofile Custom Fields Type 2.6.3 Remote Code Execution via Arbitrary File Deletion

hello@craftedsignal.io — Wed, 29 Apr 2026 20:16:26 +0000

BuddyPress Xprofile Custom Fields Type 2.6.3 is vulnerable to a remote code execution vulnerability, identified as CVE-2018-25308. This flaw enables authenticated users to execute arbitrary code on the server by deleting arbitrary files. The attack involves manipulating unescaped POST parameters, specifically field_hiddenfile and field_deleteimg, during profile editing actions. Successful exploitation allows attackers to unlink files from the server, potentially disrupting services or gaining unauthorized access. This vulnerability was published on 2026-04-29 and poses a significant threat to BuddyPress installations that have not applied the necessary patches.

Attack Chain

An attacker authenticates to a BuddyPress site running the vulnerable Xprofile Custom Fields Type 2.6.3 plugin.
The attacker navigates to their profile editing page.
The attacker crafts a malicious HTTP POST request to the profile update endpoint.
Within the POST request, the field_hiddenfile and field_deleteimg parameters are manipulated to point to arbitrary files on the server.
The server-side script processes the crafted POST request without proper sanitization or validation of the file paths.
The unlink() function or an equivalent file deletion function is called with the attacker-controlled file paths.
The targeted files are deleted from the server file system.
The attacker can potentially delete critical system files or web application files, leading to remote code execution or denial of service.

Impact

Successful exploitation of CVE-2018-25308 allows authenticated attackers to delete arbitrary files on the server. This can lead to a denial-of-service condition if critical system files are removed. The vulnerability can also potentially lead to remote code execution if the attacker is able to delete and replace executable files or inject malicious code into configuration files. While the number of victims is unknown, all BuddyPress installations using the vulnerable plugin are susceptible.

Recommendation

Apply any available patches or updates for BuddyPress Xprofile Custom Fields Type to address CVE-2018-25308.
Implement input validation and sanitization on the server-side to prevent manipulation of file paths in POST parameters.
Monitor web server logs for suspicious POST requests targeting the profile update endpoint with unusual field_hiddenfile and field_deleteimg parameter values (reference the attack chain).
Deploy the Sigma rule provided to detect exploitation attempts based on the manipulation of specific POST parameters (reference the Sigma rule).

WordPress Create DB Tables Plugin Authorization Bypass Vulnerability (CVE-2026-4119)

hello@craftedsignal.io — Wed, 22 Apr 2026 09:16:49 +0000

The Create DB Tables plugin, versions 1.2.1 and earlier, suffers from an authorization bypass vulnerability (CVE-2026-4119). This flaw stems from the plugin’s failure to implement capability checks or nonce verification for its admin_post action hooks, specifically those responsible for creating (admin_post_add_table) and deleting (admin_post_delete_db_table) database tables. Because the admin_post hook only requires a user to be logged in, any authenticated user, including those with the lowest Subscriber role, can access these endpoints. This oversight allows malicious actors to create arbitrary database tables or, more critically, delete existing ones, including vital WordPress core tables. The vulnerability was published on 2026-04-22, and given the severity, defenders should immediately address this risk. The affected versions of the plugin should be updated or removed to prevent potential exploitation.

Attack Chain

An attacker registers an account on a vulnerable WordPress site, gaining Subscriber-level access.
The attacker crafts a POST request to wp-admin/admin-post.php with the action parameter set to add_table or delete_db_table.
The attacker provides the db_table parameter with the name of the table to be deleted, if exploiting the delete_db_table action.
The server processes the request without proper authorization checks, because current_user_can() and wp_verify_nonce() are missing.
The cdbt_delete_db_table() function executes a DROP TABLE SQL query based on the user-supplied db_table parameter.
If the attacker targets a critical WordPress core table like wp_users or wp_options, the site’s functionality will be severely impacted.
Alternatively, if exploiting the add_table action, the cdbt_create_new_table() function executes a CREATE TABLE SQL query, creating an arbitrary database table.
Successful exploitation can lead to complete destruction of the WordPress installation or the introduction of malicious database tables.

Impact

Successful exploitation of this vulnerability allows any authenticated user to delete arbitrary database tables, including critical WordPress core tables. This can lead to complete site destruction and data loss. An attacker could delete the wp_users table, effectively locking out all administrators and other users, or delete the wp_options table, causing the site to revert to its default state or become completely unusable. The CVSS v3.1 base score for this vulnerability is 9.1, highlighting the critical nature of the risk.

Recommendation

Immediately update the Create DB Tables plugin to a version higher than 1.2.1, where this vulnerability is patched.
Monitor web server logs for POST requests to wp-admin/admin-post.php with action=delete_db_table or action=add_table (see rule: “Detect Unauthorized DB Table Modification”).
Implement a Web Application Firewall (WAF) rule to block requests to wp-admin/admin-post.php with the vulnerable actions unless originating from an administrator (see rule: “WAF - Block Unauthorized DB Table Modification”).

WordPress HTTP Headers Plugin Remote Code Execution via File Path Manipulation (CVE-2026-4132)

hello@craftedsignal.io — Wed, 22 Apr 2026 09:16:24 +0000

The HTTP Headers plugin for WordPress, versions up to and including 1.19.2, is vulnerable to remote code execution (RCE) due to a file path manipulation vulnerability (CVE-2026-4132). This vulnerability stems from the plugin’s insufficient validation of the ‘hh_htpasswd_path’ option, which controls the location of the .htpasswd file. Furthermore, the ‘hh_www_authenticate_user’ option, used for setting the username for HTTP Basic Authentication, lacks proper sanitization. This allows attackers with administrator privileges to specify an arbitrary file path for the htpasswd file and inject unsanitized content into it. By crafting a malicious username containing PHP code and setting the htpasswd path to a web-accessible directory, an attacker can execute arbitrary code on the server. This exploit requires administrator-level access to the WordPress dashboard.

Attack Chain

The attacker authenticates to the WordPress dashboard with administrator privileges.
The attacker navigates to the HTTP Headers plugin settings page.
The attacker modifies the ‘hh_htpasswd_path’ option, setting it to a web-accessible directory (e.g., /var/www/html/wp-content/uploads/.shell.php).
The attacker modifies the ‘hh_www_authenticate_user’ option, injecting PHP code into the username field (e.g., ).
The apache_auth_credentials() function uses sprintf to combine the malicious username with a SHA hash, creating a crafted htpasswd entry.
The update_auth_credentials() function then writes the crafted content, including the injected PHP code, to the attacker-controlled file path using file_put_contents().
The attacker accesses the newly created PHP file via a web browser (e.g., http://example.com/wp-content/uploads/.shell.php?cmd=id).
The injected PHP code executes, allowing the attacker to run arbitrary commands on the server.

Impact

Successful exploitation of this vulnerability grants the attacker remote code execution on the affected WordPress server. This can lead to complete compromise of the server, including data theft, website defacement, malware deployment, and further attacks against internal networks. Given the widespread use of WordPress and its plugins, a successful exploit could impact a large number of websites and organizations.

Recommendation

Immediately update the HTTP Headers plugin to a patched version (if available) to remediate CVE-2026-4132.
Monitor web server logs for requests to unusual file paths that match the ‘hh_htpasswd_path’ setting specified in the plugin configuration to detect potential exploitation attempts.
Implement the Sigma rule to detect file creation events in web-accessible directories with PHP extensions that are triggered by the web server process.
Restrict access to the WordPress administrator dashboard to only trusted individuals and enforce strong password policies to prevent unauthorized access to plugin settings.

MetaSlider Responsive Slider Plugin Deserialization Vulnerability (CVE-2026-39467)

hello@craftedsignal.io — Tue, 21 Apr 2026 10:16:29 +0000

CVE-2026-39467 is a critical vulnerability affecting the MetaSlider Responsive Slider plugin for WordPress. Specifically, it is a Deserialization of Untrusted Data vulnerability that can lead to Object Injection. The vulnerability exists in versions up to and including 3.106.0. An attacker can exploit this vulnerability to inject arbitrary PHP objects into the application, potentially leading to remote code execution. This is possible because the plugin deserializes data without proper validation, allowing malicious actors to manipulate serialized data and inject harmful objects. The vulnerability was reported by Patchstack. Given the widespread use of WordPress and the MetaSlider plugin, this vulnerability poses a significant risk to a large number of websites.

Attack Chain

Attacker sends a crafted HTTP request to a WordPress endpoint that processes MetaSlider plugin data.
The request contains a serialized PHP object designed for malicious purposes.
The MetaSlider plugin deserializes the untrusted data without proper sanitization or validation using unserialize().
The deserialization process instantiates the malicious PHP object.
The injected object executes its malicious payload, potentially writing files to the server.
The attacker leverages the file write capability to plant a PHP webshell in the WordPress uploads directory.
The attacker accesses the webshell via a direct HTTP request.
The attacker executes arbitrary commands on the server via the webshell, gaining full control.

Impact

Successful exploitation of CVE-2026-39467 allows an unauthenticated attacker to inject arbitrary PHP objects, leading to remote code execution on the target WordPress server. This could result in complete compromise of the website, including data theft, defacement, or further attacks on internal networks. Given the popularity of MetaSlider, potentially thousands of websites are vulnerable.

Recommendation

Upgrade the MetaSlider Responsive Slider plugin to the latest version to patch CVE-2026-39467.
Implement the Sigma rule Detect MetaSlider Object Injection Attempt to detect exploitation attempts in web server logs.
Monitor web server logs for suspicious POST requests containing serialized PHP objects to WordPress endpoints.

Everest Forms Plugin Arbitrary File Read and Deletion Vulnerability

hello@craftedsignal.io — Mon, 20 Apr 2026 20:35:20 +0000

The Everest Forms plugin for WordPress, versions 3.4.4 and earlier, contains an arbitrary file read and deletion vulnerability (CVE-2026-5478). This flaw stems from the plugin’s improper handling of the old_files parameter within form submissions. Specifically, the plugin trusts attacker-controlled data as legitimate server-side upload state and insecurely converts URLs into local filesystem paths without adequate sanitization. This lack of input validation enables unauthenticated attackers to inject path traversal sequences, leading to the disclosure of sensitive files like wp-config.php, which contains database credentials and authentication salts. Furthermore, the flawed path resolution is utilized in a post-email cleanup routine, resulting in arbitrary file deletion via the unlink() function, potentially causing a denial-of-service condition. Successful exploitation requires a form with a file-upload or image-upload field and the “store entry information” feature disabled.

Attack Chain

An unauthenticated attacker crafts a malicious HTTP POST request to a WordPress page containing an Everest Forms form with a file upload field.
The attacker includes the old_files parameter in the POST data, injecting a path traversal payload (e.g., ../../../../wp-config.php) into its value.
The WordPress application processes the form submission, and the Everest Forms plugin extracts the old_files parameter.
The plugin’s flawed logic converts the attacker-supplied URL into a local file system path using regex-based string replacement without canonicalization or directory boundary enforcement.
The plugin attaches the resolved file (e.g., /var/www/wordpress/../../../../wp-config.php) to the notification email.
After sending the notification email, the post-email cleanup routine utilizes the same flawed path resolution to determine the file to delete.
The unlink() function is called on the resolved path, leading to the deletion of the targeted file (e.g., wp-config.php).
The attacker gains access to sensitive information (database credentials, salts) or causes a denial of service by deleting critical system files.

Impact

Successful exploitation of CVE-2026-5478 allows unauthenticated attackers to read arbitrary files on the WordPress server, potentially exposing sensitive information like database credentials and authentication salts stored in wp-config.php. This could lead to full site compromise, including data theft, defacement, or further malicious activities. Furthermore, the ability to delete arbitrary files enables attackers to cause a denial-of-service condition by removing critical system or application files. The impact is significant as it affects all versions of the Everest Forms plugin up to and including 3.4.4.

Recommendation

Immediately update the Everest Forms plugin to a version higher than 3.4.4 to patch CVE-2026-5478.
Deploy the Sigma rule “Detect Everest Forms Arbitrary File Read Attempt” to identify potential exploitation attempts in web server logs.
Enable web server logging to capture HTTP POST requests, which are crucial for detecting path traversal attempts (cs-uri-query, cs-method in webserver logs).
Monitor file deletion events on the WordPress server, especially those initiated by the web server user, using a file integrity monitoring (FIM) solution (file_event logs).
Implement input validation and sanitization for all user-supplied data, especially file paths, to prevent path traversal vulnerabilities.

WP Customer Area Plugin Arbitrary File Read and Deletion Vulnerability

hello@craftedsignal.io — Fri, 17 Apr 2026 17:17:07 +0000

The WP Customer Area plugin, a popular WordPress plugin, is susceptible to an arbitrary file read and deletion vulnerability. This flaw, identified as CVE-2026-3464, resides within the ‘ajax_attach_file’ function and stems from inadequate file path validation. All versions of the plugin up to and including 8.3.4 are affected. The vulnerability enables authenticated attackers with minimal privileges (e.g., Subscriber), granted access by an administrator, to read arbitrary files on the server, potentially exposing sensitive data. Attackers can also delete arbitrary files, which, in certain cases (such as deleting wp-config.php), can pave the way for remote code execution. This vulnerability poses a significant risk to WordPress websites utilizing the WP Customer Area plugin.

Attack Chain

An attacker gains authenticated access to a WordPress site with the WP Customer Area plugin enabled, with privileges granted by an administrator (e.g., as a Subscriber).
The attacker crafts a malicious HTTP request targeting the ‘ajax_attach_file’ function.
The crafted request includes a manipulated file path, bypassing input validation.
The plugin, failing to properly sanitize the file path, attempts to read or delete the file specified in the malicious request.
If reading, the contents of the targeted file are returned to the attacker in the HTTP response.
If deleting, the targeted file is removed from the server.
If the attacker targets a sensitive file, such as wp-config.php, and successfully deletes it, the WordPress installation becomes unstable and potentially allows for re-installation and control by the attacker.
The attacker exploits the instability to achieve remote code execution, potentially installing a web shell or other malicious code.

Impact

Successful exploitation of this vulnerability (CVE-2026-3464) allows attackers to read sensitive files, potentially including database credentials, API keys, and other confidential information. Moreover, the ability to delete arbitrary files can lead to denial-of-service conditions or, more critically, remote code execution. The number of affected websites is potentially large, given the popularity of the WP Customer Area plugin. A successful attack can result in complete compromise of the WordPress website and its underlying server.

Recommendation

Upgrade the WP Customer Area plugin to a version greater than 8.3.4 to patch CVE-2026-3464.
Monitor web server logs for requests containing suspicious file paths targeting the ‘ajax_attach_file’ function (see Sigma rule below).
Implement stricter file path validation on the web server to prevent arbitrary file access.
Apply the provided Sigma rules to your SIEM to detect and alert on malicious attempts to exploit this vulnerability.

Unlimited Elements for Elementor WordPress Plugin Arbitrary File Read (CVE-2026-4659)

hello@craftedsignal.io — Fri, 17 Apr 2026 07:23:36 +0000

The Unlimited Elements for Elementor plugin, versions 2.0.6 and earlier, contains an arbitrary file read vulnerability (CVE-2026-4659). This vulnerability stems from inadequate sanitization of path traversal sequences within the URLtoRelative() and urlToPath() functions, particularly when combined with the ability to enable debug output. The URLtoRelative() function inadequately strips the base URL without properly sanitizing path traversal characters (../). Successful exploitation allows authenticated attackers with Author-level permissions or higher to access and read arbitrary local files on the WordPress host. This can include sensitive configuration files like wp-config.php, potentially exposing database credentials and other sensitive information.

Attack Chain

An attacker authenticates to the WordPress application with Author-level or higher privileges.
The attacker identifies the Repeater JSON/CSV URL parameter within the Unlimited Elements widget settings.
The attacker crafts a malicious URL containing path traversal sequences (e.g., http://site.com/../../../../etc/passwd) in the Repeater JSON/CSV URL parameter.
The crafted URL is passed to the URLtoRelative() function, which removes the base URL but fails to sanitize the path traversal sequences.
The resulting path (e.g., /../../../../etc/passwd) is concatenated with the base path by the application.
The cleanPath() function normalizes directory separators, but does not remove traversal components, leaving the path vulnerable.
The application resolves the path, leading to access of the targeted file (e.g., /etc/passwd).
The attacker retrieves the contents of the arbitrary file, such as wp-config.php, potentially extracting sensitive information.

Impact

Successful exploitation of this vulnerability allows attackers to read arbitrary files on the WordPress host. This can lead to the exposure of sensitive data, including database credentials, API keys, and other configuration settings stored in files like wp-config.php. The impact ranges from data leakage to potential full compromise of the WordPress installation and the underlying server, depending on the contents of the accessed files and the attacker’s subsequent actions. The number of potentially affected WordPress sites is substantial, given the popularity of the Elementor plugin.

Recommendation

Upgrade the Unlimited Elements for Elementor plugin to a version greater than 2.0.6 to patch CVE-2026-4659.
Monitor web server logs for HTTP requests containing path traversal sequences (../) in the URI, focusing on requests targeting WordPress plugins; use the provided Sigma rule to facilitate this detection.
Implement stricter input validation and sanitization for URL parameters within WordPress plugins, specifically when handling file paths, to prevent path traversal vulnerabilities.

Plisio Accept Cryptocurrencies Plugin Missing Authorization Vulnerability (CVE-2026-6372)

hello@craftedsignal.io — Thu, 16 Apr 2026 12:00:00 +0000

CVE-2026-6372 is a missing authorization vulnerability affecting the Plisio Accept Cryptocurrencies with Plisio WordPress plugin, specifically versions from initial releases through 2.0.5. Discovered by Patchstack, the vulnerability stems from incorrectly configured access control security levels within the plugin. An attacker can exploit this flaw to bypass payment verification processes, potentially leading to unauthorized transactions or manipulation of payment-related functionalities. Given the increasing adoption of cryptocurrency payments, this vulnerability presents a significant risk to e-commerce sites using the affected plugin. Successful exploitation can result in financial losses and reputational damage.

Attack Chain

Attacker identifies a WordPress site using the vulnerable Plisio plugin (version <= 2.0.5).
Attacker analyzes the plugin’s code or intercepts network traffic to identify the specific endpoint or function responsible for payment verification lacking proper authorization checks.
The attacker crafts a malicious HTTP request to the vulnerable endpoint, bypassing the intended authentication or authorization mechanisms.
The crafted request modifies payment parameters (e.g., amount, recipient) without proper validation.
The modified request is sent to the server, which processes it without correctly verifying the user’s authority.
The server updates the payment status, marking it as “paid” or “verified,” even though the actual payment might be incomplete, altered, or entirely missing.
The WordPress site delivers goods or services based on the fraudulently verified payment status.

Impact

Successful exploitation of CVE-2026-6372 allows attackers to bypass payment verification processes in e-commerce sites using the Plisio Accept Cryptocurrencies plugin. This can lead to financial losses for the site owner due to unauthorized transactions. The vulnerability affects all installations using versions up to and including 2.0.5. Given the potential for widespread impact on any site accepting cryptocurrency via this plugin, this issue represents a high risk.

Recommendation

Upgrade the Plisio Accept Cryptocurrencies with Plisio plugin to a version greater than 2.0.5 to patch CVE-2026-6372.
Deploy the Sigma rule Detect Plisio Payment Bypass Attempt to monitor for exploit attempts targeting the vulnerable endpoint.
Examine web server logs for suspicious POST requests to payment processing endpoints associated with the Plisio plugin, filtering for unexpected parameter modifications (log source: webserver).

AcyMailing Plugin Privilege Escalation Vulnerability (CVE-2026-3614)

hello@craftedsignal.io — Thu, 16 Apr 2026 06:16:18 +0000

The AcyMailing plugin for WordPress, a popular email marketing tool, contains a critical privilege escalation vulnerability, tracked as CVE-2026-3614. Affecting versions 9.11.0 through 10.8.1, the vulnerability stems from a missing capability check on the wp_ajax_acymailing_router AJAX handler. This oversight allows authenticated attackers with minimal privileges (Subscriber level or higher) to bypass access controls intended to restrict access to administrative functions. Successful exploitation of this flaw allows attackers to perform actions reserved for administrators, including modifying configuration settings, enabling autologin features, and ultimately, compromising the entire WordPress installation. This is a critical vulnerability due to the widespread use of AcyMailing and the potential for complete site takeover.

Attack Chain

Attacker gains subscriber-level access to the WordPress site (e.g., through registration or compromised credentials).
Attacker crafts a malicious AJAX request targeting the wp_ajax_acymailing_router endpoint. This request attempts to access admin-only controllers without proper authentication.
Due to the missing capability check, the server processes the request, granting the attacker access to restricted administrative functions within AcyMailing.
The attacker enables the autologin feature within AcyMailing’s configuration, using the exposed administrative controller.
The attacker creates a new AcyMailing subscriber. Crucially, the attacker injects a malicious cms_id value into the subscriber’s data. This cms_id is crafted to point to the WordPress user account they wish to impersonate (e.g., an administrator account).
The attacker retrieves the autologin URL generated for the newly created (and malicious) subscriber.
The attacker accesses the autologin URL.
The AcyMailing plugin, configured with the now-enabled autologin feature, authenticates the attacker as the user specified by the injected cms_id, granting them full administrative access to the WordPress site.

Impact

Successful exploitation of CVE-2026-3614 allows an attacker to escalate privileges from a subscriber to an administrator. This grants the attacker complete control over the WordPress website, including the ability to modify content, install malicious plugins, create new administrator accounts, and potentially compromise the underlying server. This vulnerability impacts any WordPress site running a vulnerable version of the AcyMailing plugin (9.11.0 through 10.8.1). The severity is critical due to the ease of exploitation and the potential for complete system compromise.

Recommendation

Immediately update the AcyMailing plugin to the latest version (greater than 10.8.1) to patch CVE-2026-3614.
Deploy the Sigma rule “AcyMailing Unauthorized AJAX Access Attempt” to detect attempts to exploit the vulnerability by monitoring for access to the wp_ajax_acymailing_router endpoint from non-administrator users.
Monitor web server logs for suspicious POST requests to /wp-admin/admin-ajax.php with the action=acymailing_router parameter, as this is the entry point for exploiting CVE-2026-3614.

Riaxe Product Customizer WordPress Plugin SQL Injection Vulnerability

hello@craftedsignal.io — Thu, 16 Apr 2026 06:16:17 +0000

The Riaxe Product Customizer plugin, a WordPress plugin, is susceptible to SQL Injection attacks. This vulnerability resides within the /wp-json/InkXEProductDesignerLite/add-item-to-cart REST API endpoint, specifically through the ‘options’ parameter keys nested within the ‘product_data’. All versions of the plugin up to and including 2.1.2 are affected. Due to insufficient input sanitization and inadequate preparation of SQL queries, unauthenticated attackers can inject malicious SQL code. Successful exploitation enables attackers to execute arbitrary SQL queries, potentially leading to sensitive data extraction. This poses a significant risk to WordPress sites utilizing the affected plugin, as attackers could gain access to user credentials, financial information, or other confidential data stored in the database. Defenders should prioritize patching or removing the plugin to mitigate this threat.

Attack Chain

An unauthenticated attacker identifies a WordPress site using a vulnerable version (<=2.1.2) of the Riaxe Product Customizer plugin.
The attacker crafts a malicious HTTP POST request targeting the /wp-json/InkXEProductDesignerLite/add-item-to-cart REST API endpoint.
The crafted request includes a ‘product_data’ parameter containing a manipulated ‘options’ array.
Within the ‘options’ array, the attacker injects SQL code into one or more of the parameter keys.
The WordPress server processes the request without properly sanitizing the injected SQL code.
The application constructs a SQL query using the unsanitized input, effectively injecting the malicious code into the query.
The database server executes the attacker-controlled SQL query.
The attacker extracts sensitive information from the database, such as user credentials, by using the SQL injection vulnerability.

Impact

Successful exploitation of this SQL injection vulnerability (CVE-2026-3599) allows unauthenticated attackers to extract sensitive information from the WordPress database. This may include user credentials (usernames, email addresses, and password hashes), customer data, financial information, and other confidential data stored within the database. The impact can range from defacement of the website and data theft, to complete compromise of the WordPress site and its associated server. Due to the widespread use of WordPress and its plugins, this vulnerability poses a significant threat to a potentially large number of websites.

Recommendation

Upgrade the Riaxe Product Customizer plugin to a version higher than 2.1.2 to patch CVE-2026-3599.
Deploy the Sigma rule Detect SQL Injection Attempts via Riaxe Product Customizer Plugin to your SIEM to detect exploitation attempts.
Monitor web server logs for suspicious POST requests to the /wp-json/InkXEProductDesignerLite/add-item-to-cart endpoint.

Riaxe Product Customizer WordPress Plugin Privilege Escalation Vulnerability (CVE-2026-3596)

hello@craftedsignal.io — Thu, 16 Apr 2026 06:16:15 +0000

The Riaxe Product Customizer plugin for WordPress, versions 2.1.2 and earlier, contains a critical privilege escalation vulnerability (CVE-2026-3596). This flaw stems from an unauthenticated AJAX action, ‘wp_ajax_nopriv_install-imprint’, which is improperly secured. The corresponding function, ink_pd_add_option(), allows unauthenticated users to modify arbitrary WordPress options by sending POST requests. There are no nonce checks, capability checks, or input validation performed on the ‘option’ and ‘opt_value’ parameters, making it trivial to manipulate sensitive site settings. Successful exploitation allows attackers to grant themselves administrative privileges. This vulnerability poses a significant risk to any WordPress site using the affected plugin.

Attack Chain

An unauthenticated attacker identifies a WordPress site using a vulnerable version of the Riaxe Product Customizer plugin (<= 2.1.2).
The attacker crafts a malicious HTTP POST request targeting the /wp-admin/admin-ajax.php endpoint.
The POST request includes the action parameter set to install-imprint, triggering the vulnerable AJAX action wp_ajax_nopriv_install-imprint.
The attacker sets the option parameter to default_role and the opt_value parameter to administrator within the POST request. This will change the default user role to administrator.
The attacker sets the option parameter to users_can_register and the opt_value parameter to 1 within the POST request. This enables user registration on the WordPress site.
The ink_pd_add_option() function executes, calling delete_option() and add_option() with the attacker-supplied values, effectively updating the WordPress options table.
The attacker registers a new user account on the WordPress site.
Because user registration is enabled and the default user role is set to administrator, the attacker’s new account is granted administrator privileges, allowing full control over the WordPress site.

Impact

Successful exploitation of CVE-2026-3596 allows unauthenticated attackers to gain complete control over a vulnerable WordPress website. This can lead to website defacement, data theft, malware distribution, and denial of service. Given the widespread use of WordPress, this vulnerability has the potential to affect a large number of websites across various sectors. A successful attack would result in the attacker having the same access as the original website administrator.

Recommendation

Immediately remove the Riaxe Product Customizer plugin from WordPress installations if it is present. This will eliminate the attack vector (plugin removal).
Monitor web server logs (category: webserver, product: linux or windows) for POST requests to /wp-admin/admin-ajax.php with the action parameter set to install-imprint using the Sigma rule provided below.
Consider implementing a Web Application Firewall (WAF) rule to block requests matching the exploit pattern described in the Attack Chain.
Review WordPress user accounts for any unauthorized administrators.

WC Lovers WCFM Marketplace SQL Injection Vulnerability (CVE-2025-63029)

hello@craftedsignal.io — Wed, 15 Apr 2026 17:17:00 +0000

CVE-2025-63029 describes an SQL Injection vulnerability affecting the WC Lovers WCFM (WooCommerce Frontend Manager) Marketplace WordPress plugin. This vulnerability, present in versions up to and including 3.7.1, stems from improper neutralization of special elements within SQL commands. An attacker exploiting this flaw can inject malicious SQL code, potentially leading to unauthorized data access, modification, or deletion within the WordPress database. Given the widespread use of WordPress and the WCFM Marketplace plugin, this vulnerability poses a significant risk to e-commerce websites and their associated sensitive information. Successful exploitation could result in compromised customer data, financial losses, and reputational damage.

Attack Chain

The attacker identifies a vulnerable WCFM Marketplace instance running a version <= 3.7.1.
The attacker crafts a malicious HTTP request containing SQL injection payloads in a vulnerable parameter.
The WCFM Marketplace plugin fails to properly sanitize the attacker-controlled input.
The unsanitized input is incorporated into an SQL query executed against the WordPress database.
The injected SQL code modifies the intended query logic.
The database server executes the attacker’s malicious SQL query.
The attacker gains unauthorized access to sensitive data stored in the database, such as user credentials, financial information, or product details.
The attacker may modify or delete data, escalate privileges, or potentially gain control of the WordPress site.

Impact

Successful exploitation of CVE-2025-63029 can have severe consequences. An attacker could gain complete control over the affected WordPress site’s database. This can lead to the theft of sensitive customer data (e.g., usernames, passwords, addresses, payment information), modification of product listings and pricing, or even complete site defacement or takeover. The number of potentially affected sites is substantial, considering the popularity of the WCFM Marketplace plugin.

Recommendation

Upgrade the WC Lovers WCFM Marketplace plugin to the latest available version, which includes a patch for CVE-2025-63029.
Deploy the Sigma rule “Detect Suspicious WCFM Marketplace SQL Injection Attempts” to your SIEM to identify potential exploitation attempts targeting this vulnerability.
Monitor web server logs for suspicious HTTP requests containing potential SQL injection payloads targeting the WCFM Marketplace plugin.
Review and harden database access controls to minimize the impact of potential SQL injection attacks.

Smart Post Show WordPress Plugin PHP Object Injection Vulnerability

hello@craftedsignal.io — Tue, 14 Apr 2026 06:17:10 +0000

The Smart Post Show WordPress plugin, specifically the Post Grid, Post Carousel & Slider, and List Category Posts components, contains a PHP Object Injection vulnerability. This flaw affects all versions up to and including 3.0.12. The vulnerability resides in the import_shortcodes() function, where the deserialization of untrusted input occurs. This vulnerability requires an authenticated attacker with administrative privileges or higher. Successful exploitation requires the presence of a suitable Property-Oriented Programming (POP) chain within another installed plugin or theme. Without a POP chain, the injected object has no immediate impact. However, with a POP chain, attackers can potentially delete arbitrary files, retrieve sensitive data, or execute arbitrary code on the server.

Attack Chain

An attacker gains administrative-level access to the WordPress dashboard, either through credential compromise or vulnerability exploitation.
The attacker navigates to the Smart Post Show plugin settings page within the WordPress admin panel.
The attacker crafts a malicious payload containing a serialized PHP object designed to trigger a POP chain.
The attacker injects the malicious payload into the import_shortcodes() function, likely through a form field or file upload.
The import_shortcodes() function deserializes the attacker-controlled input, creating the malicious PHP object.
If a suitable POP chain exists within other installed plugins or themes, the deserialization triggers the chain.
The POP chain executes a series of predefined actions based on the objects and methods involved.
The final objective is achieved, such as deleting arbitrary files, retrieving sensitive data, or executing arbitrary code on the server.

Impact

The PHP Object Injection vulnerability in the Smart Post Show WordPress plugin allows attackers to potentially gain remote code execution on the affected server. The impact is contingent on the existence of a POP chain within other installed plugins or themes. If successful, an attacker could potentially compromise the entire web server, leading to data breaches, defacement, or complete system takeover. Given the widespread use of WordPress and this plugin, a successful exploit could affect numerous websites across various sectors.

Recommendation

Upgrade the Smart Post Show plugin to a version greater than 3.0.12 to patch CVE-2026-3017.
Deploy the Sigma rule “Detect WordPress Plugin Deserialization Attempt” to monitor for suspicious deserialization activity on WordPress servers.
Audit all installed WordPress plugins and themes for potential POP chains that could be exploited in conjunction with this vulnerability.

LearnPress WordPress Plugin Unauthorized Data Deletion Vulnerability (CVE-2026-4365)

hello@craftedsignal.io — Tue, 14 Apr 2026 02:16:57 +0000

The LearnPress plugin for WordPress, in versions up to and including 4.3.2.8, is susceptible to unauthorized data deletion. The vulnerability stems from a missing capability check on the delete_question_answer() function. The plugin exposes a wp_rest nonce in public frontend HTML, and this nonce serves as the sole security check for the lp-load-ajax AJAX dispatcher. As the delete_question_answer action lacks capability or ownership validation, unauthenticated attackers can exploit this flaw to delete arbitrary quiz answer options. This is achieved by sending a crafted POST request containing a publicly available nonce. Exploitation does not require any prior authentication.

Attack Chain

An unauthenticated attacker identifies a LearnPress installation with a vulnerable version (<= 4.3.2.8).
The attacker accesses the public frontend of the WordPress site.
The attacker retrieves the wp_rest nonce from the lpData variable in the HTML source code. This nonce is used for AJAX requests.
The attacker crafts a POST request to the wp-admin/admin-ajax.php endpoint.
The crafted POST request includes the action parameter set to delete_question_answer.
The request also includes the nonce parameter with the value of the retrieved wp_rest nonce.
The request includes the answer_id parameter set to the ID of the quiz answer option to be deleted.
The server, lacking proper capability checks, processes the request and deletes the specified quiz answer option from the database. This results in data loss and potentially disrupts the functionality of quizzes within the LearnPress plugin.

Impact

Successful exploitation allows unauthenticated attackers to arbitrarily delete quiz answer options within the LearnPress plugin. This can lead to data loss, disruption of quizzes, and potentially compromise the integrity of educational content. The CVSS v3.1 base score for this vulnerability is 9.1, indicating a critical severity. The number of victims and specific sectors targeted are currently unknown, but any website using the vulnerable LearnPress plugin is at risk.

Recommendation

Upgrade the LearnPress plugin to a version greater than 4.3.2.8 to patch CVE-2026-4365.
Deploy the Sigma rule “Detect LearnPress Unauthorized Data Deletion Attempt” to your SIEM to identify potential exploitation attempts.
Monitor web server logs for POST requests to wp-admin/admin-ajax.php with the action parameter set to delete_question_answer and investigate suspicious activity.

Case Theme User WordPress Plugin Local File Inclusion Vulnerability (CVE-2025-5804)

hello@craftedsignal.io — Sat, 11 Apr 2026 12:00:00 +0000

A local file inclusion (LFI) vulnerability, identified as CVE-2025-5804, affects the Case Theme User WordPress plugin before version 1.0.4. The vulnerability stems from insufficient validation of filenames passed to PHP’s include or require statements. This allows an unauthenticated attacker to potentially include arbitrary local files on the server hosting the WordPress instance. Successful exploitation could lead to sensitive information disclosure, arbitrary code execution, or denial of service. The vulnerability was reported and patched by Patchstack. Users of the Case Theme User plugin are advised to upgrade to version 1.0.4 or later to mitigate this risk.

Attack Chain

An attacker identifies a vulnerable Case Theme User plugin running on a WordPress site.
The attacker crafts a malicious HTTP request targeting a PHP file within the plugin that uses an include or require statement.
The attacker modifies a GET or POST parameter associated with the vulnerable include or require statement, injecting a path to a local file (e.g., /etc/passwd).
The web server processes the request, and the PHP interpreter attempts to include the file specified in the attacker-controlled parameter.
Due to the LFI vulnerability, the server includes the attacker-specified local file.
If the included file contains sensitive data, such as configuration files or credentials, the attacker can extract this information from the server’s response.
In more advanced scenarios, the attacker might attempt to include PHP files containing malicious code, achieving remote code execution on the server.

Impact

Successful exploitation of CVE-2025-5804 can lead to a range of impacts, including sensitive information disclosure such as WordPress configuration files (wp-config.php), which contain database credentials. Arbitrary code execution is possible if the attacker can include a file containing malicious PHP code. This could allow the attacker to gain complete control of the WordPress site and the underlying server. The number of affected sites depends on the adoption rate of the vulnerable Case Theme User plugin, but given the widespread use of WordPress, the potential impact could be significant.

Recommendation

Immediately update the Case Theme User WordPress plugin to version 1.0.4 or later to patch CVE-2025-5804.
Deploy the Sigma rule Detect Case Theme User LFI Attempt to your SIEM to identify potential exploitation attempts based on suspicious file paths in HTTP requests.
Monitor web server logs for unusual file access patterns, particularly requests containing “..”, “%2e%2e”, or other directory traversal sequences, to catch LFI attempts (see log source webserver).

CactusThemes VideoPro Theme Local File Inclusion Vulnerability (CVE-2025-58913)

hello@craftedsignal.io — Sat, 11 Apr 2026 12:00:00 +0000

A local file inclusion (LFI) vulnerability has been identified in the CactusThemes VideoPro WordPress theme. Assigned CVE-2025-58913, this vulnerability exists due to the improper handling of filenames passed to include or require statements within the PHP code of the theme. Specifically, versions of VideoPro from its initial release up to and including version 2.3.8.1 are affected. Successful exploitation of this vulnerability could allow an attacker to read sensitive files on the server, potentially leading to further compromise. The vulnerability was reported by Patchstack. Defenders should prioritize patching or removing the vulnerable theme.

Attack Chain

The attacker identifies a VideoPro installation running a vulnerable version (<= 2.3.8.1).
The attacker crafts a malicious HTTP request targeting a PHP script within the VideoPro theme that uses include or require statements.
The attacker injects a path traversal sequence (e.g., ../../../../etc/passwd) into the filename parameter of the HTTP request.
The vulnerable PHP script, without proper sanitization of the filename, attempts to include the attacker-specified file.
If successful, the contents of the file (e.g., /etc/passwd) are exposed within the web server’s response.
The attacker analyzes the exposed file contents for sensitive information such as user credentials or configuration details.
The attacker uses the obtained information to further compromise the server or other related systems.

Impact

Successful exploitation of CVE-2025-58913 allows an attacker to read arbitrary files on the webserver hosting the vulnerable WordPress instance. This can lead to the exposure of sensitive data such as configuration files containing database credentials, WordPress salts, or even source code. If sensitive credentials are leaked, an attacker could pivot to other systems or gain administrative access to the WordPress site. The vulnerable VideoPro theme is used by an unknown number of WordPress websites, representing a significant attack surface.

Recommendation

Upgrade the CactusThemes VideoPro theme to a patched version (later than 2.3.8.1) or remove the theme entirely from WordPress installations to remediate CVE-2025-58913.
Deploy the Sigma rule “Detect VideoPro LFI Attempts via Path Traversal” to identify exploitation attempts against vulnerable VideoPro installations using path traversal sequences in URI queries.
Monitor web server logs (category webserver, product linux) for suspicious requests containing path traversal sequences (e.g., ../, ../../) in the URI query string, which may indicate LFI attempts.

wpForo Forum Plugin Arbitrary File Deletion Vulnerability (CVE-2026-5809)

hello@craftedsignal.io — Sat, 11 Apr 2026 08:16:05 +0000

The wpForo Forum plugin, a popular WordPress plugin, is susceptible to an arbitrary file deletion vulnerability (CVE-2026-5809) affecting versions up to and including 3.0.2. The vulnerability stems from insufficient validation of user-supplied data within the topic_add() and topic_edit() action handlers. Specifically, the plugin improperly handles array values in the $_REQUEST data, storing them as postmeta without proper filtering. An authenticated attacker (subscriber-level or higher) can exploit this by injecting a malicious file path into the data[body][fileurl] parameter. This injected path is subsequently used in a file deletion function without adequate sanitization, leading to potential deletion of critical system files. This vulnerability allows attackers to potentially cripple the WordPress installation or gain further access to the server.

Attack Chain

An attacker authenticates to the WordPress site with at least subscriber-level privileges.
The attacker crafts a malicious HTTP request targeting the topic_add() or topic_edit() action handler.
Within the request, the attacker includes the data[body][fileurl] parameter containing the path to the file they wish to delete (e.g., /var/www/html/wp-config.php).
The wpForo plugin stores the attacker-supplied fileurl value as postmeta associated with the forum topic without proper validation.
The attacker crafts another request, this time including the wpftcf_delete[]=body parameter, targeting the topic_edit action.
The add_file() method retrieves the poisoned fileurl from the stored postmeta record.
The plugin attempts to sanitize the path using wpforo_fix_upload_dir(), but this function only modifies paths within the legitimate wpForo upload directory, leaving other paths untouched.
The plugin calls wp_delete_file() on the unsanitized path, resulting in the deletion of the targeted file if the PHP process has write permissions.

Impact

Successful exploitation of this vulnerability allows an authenticated attacker to delete arbitrary files on the server, provided the PHP process has the necessary write permissions. This can lead to a denial of service by deleting core WordPress files or configuration files such as wp-config.php. The CVSS v3.1 base score for this vulnerability is 7.1, indicating a high severity. This could lead to complete compromise of the WordPress installation and potential further exploitation of the server.

Recommendation

Upgrade the wpForo Forum plugin to a version higher than 3.0.2 to patch CVE-2026-5809.
Deploy the Sigma rule “Detect wpForo Arbitrary File Deletion Attempt” to your SIEM to detect potential exploitation attempts by monitoring HTTP requests to WordPress.
Implement stricter file permission controls to limit the PHP process’s write access to only necessary directories and files.
Monitor web server logs for suspicious POST requests containing the wpftcf_delete parameter, as highlighted in the Attack Chain.

BuddyPress Groupblog Plugin Privilege Escalation Vulnerability (CVE-2026-5144)

hello@craftedsignal.io — Sat, 11 Apr 2026 02:19:36 +0000

The BuddyPress Groupblog plugin, versions 1.9.3 and below, contains a critical privilege escalation vulnerability (CVE-2026-5144). This flaw allows authenticated attackers with minimal privileges (Subscriber or higher) to escalate privileges to Administrator on the main WordPress Multisite site. The vulnerability stems from a lack of authorization checks in the group blog settings handler. Specifically, the plugin improperly validates the groupblog-blogid, default-member, and groupblog-silent-add parameters. This vulnerability allows an attacker to associate their group with the main site (blog ID 1) and automatically assign the ‘administrator’ role to new group members. Successful exploitation grants attackers full control over the WordPress Multisite network, posing a significant risk to data confidentiality, integrity, and availability.

Attack Chain

Attacker creates a new group on the WordPress Multisite network with a Subscriber account.
Attacker accesses the group’s settings page.
Attacker modifies the groupblog-blogid parameter, setting it to “1” to associate the group with the main site. This is done by crafting a malicious HTTP POST request to the group settings handler.
The attacker modifies the default-member parameter to “administrator”. This parameter controls the default role assigned to new members.
The attacker enables the groupblog-silent-add parameter. This setting automatically adds new group members to the associated blog (main site) with the specified default role (administrator).
Attacker creates a second user account or convinces another user to join their malicious group.
When the new user joins the attacker’s group, the groupblog-silent-add setting automatically adds the new user to the main site with the administrator role.
The attacker (via the new user account) now has administrator access to the main WordPress Multisite site.

Impact

Successful exploitation of CVE-2026-5144 grants an attacker complete control over the targeted WordPress Multisite network. This allows them to modify content, install malicious plugins, create new administrator accounts, and potentially compromise the underlying server. The impact is especially severe for organizations relying on WordPress Multisite for critical applications, as it can lead to data breaches, service disruptions, and significant financial losses. The vulnerability affects all installations using the BuddyPress Groupblog plugin up to version 1.9.3, potentially impacting thousands of websites.

Recommendation

Immediately update the BuddyPress Groupblog plugin to a version greater than 1.9.3 to patch CVE-2026-5144.
Monitor web server logs for POST requests to /wp-admin/options.php with parameters groupblog-blogid, default-member, and groupblog-silent-add to detect potential exploitation attempts, using the provided Sigma rule.
Implement strict access control policies to limit the ability of low-privileged users to modify group settings and install plugins.
Enable logging of user role changes to detect unauthorized privilege escalation attempts.

Zootemplate Cerato Theme Reflected XSS Vulnerability (CVE-2025-58920)

hello@craftedsignal.io — Fri, 10 Apr 2026 14:16:25 +0000

A reflected XSS vulnerability, identified as CVE-2025-58920, affects the Zootemplate Cerato WordPress theme. The vulnerability resides in versions ranging from n/a through 2.2.18. It stems from the improper neutralization of input during web page generation, which can allow an attacker to inject malicious scripts into a web page viewed by other users. Successful exploitation could allow an attacker to steal cookies, redirect users to malicious websites, or deface web pages. Given the widespread use of WordPress and its themes, this vulnerability poses a risk to websites using the affected Cerato theme.

Attack Chain

An attacker identifies a vulnerable endpoint within the Cerato theme that does not properly sanitize user input.
The attacker crafts a malicious URL containing a JavaScript payload within a parameter.
The attacker distributes the malicious URL via email, social media, or other means.
A victim clicks the malicious URL, sending a request to the vulnerable WordPress site.
The WordPress server, using the Cerato theme, reflects the attacker’s JavaScript payload in the response without proper sanitization.
The victim’s browser executes the malicious JavaScript code.
The attacker gains the ability to perform actions on behalf of the victim, such as stealing cookies or redirecting the user.

Impact

Successful exploitation of this reflected XSS vulnerability can lead to several adverse effects. An attacker could steal a user’s session cookies, gaining unauthorized access to their account. Victims can be redirected to phishing sites, potentially compromising their credentials. Further, attackers might inject malicious content into the web page, defacing the site or spreading malware. The impact of this vulnerability is limited by the need for user interaction (clicking a malicious link), but the potential for widespread exploitation remains significant for sites using the vulnerable Cerato theme.

Recommendation

Upgrade the Zootemplate Cerato WordPress theme to a version beyond 2.2.18 to remediate CVE-2025-58920.
Deploy the Sigma rule to detect exploitation attempts against this vulnerability (see the “Reflected XSS Attempt via GET” rule below).
Implement a web application firewall (WAF) with rules to detect and block common XSS payloads to mitigate this and similar vulnerabilities.

Gravity SMTP Plugin Missing Authorization Vulnerability (CVE-2026-4162)

hello@craftedsignal.io — Fri, 10 Apr 2026 10:16:04 +0000

The Gravity SMTP plugin, a WordPress extension facilitating email sending through SMTP, contains a missing authorization vulnerability (CVE-2026-4162) affecting versions 2.1.4 and earlier. This flaw allows authenticated users with minimal subscriber-level permissions to perform administrative actions such as uninstalling and deactivating the plugin, as well as deleting its associated options. The vulnerability stems from the plugin failing to properly validate user authorization before executing sensitive functions. Additionally, the vulnerability can be exploited via a Cross-Site Request Forgery (CSRF) attack. Patches have been released in Gravity SMTP version 2.1.5 to address this security concern. Exploitation of this vulnerability allows low-privileged users to disrupt email functionality and potentially compromise WordPress configurations.

Attack Chain

An attacker authenticates to the WordPress site with subscriber-level or higher privileges.
The attacker crafts a malicious HTTP request to uninstall the Gravity SMTP plugin, leveraging the missing authorization vulnerability. This request targets the WordPress plugin management endpoint.
Alternatively, the attacker crafts a CSRF attack that tricks a privileged user into triggering the malicious HTTP request to uninstall the plugin.
The WordPress server receives the crafted request without proper authorization checks.
The plugin’s uninstall function is executed, removing the Gravity SMTP plugin from the WordPress installation.
The attacker crafts another HTTP request to delete Gravity SMTP plugin options.
The WordPress server processes the request, and the plugin options are deleted from the database.
The Gravity SMTP plugin is uninstalled and deactivated, and its settings are removed, disrupting the email functionality of the WordPress site.

Impact

Successful exploitation of CVE-2026-4162 allows attackers with low-level privileges on a WordPress site to disable email functionality and manipulate plugin settings. While the number of affected installations remains unknown, the impact can be significant for organizations heavily reliant on WordPress for communication or critical business processes, potentially leading to disruption of services, loss of email functionality, and unauthorized access to sensitive data or configurations. The CVSS v3.1 score of 7.1 indicates a high severity, considering the ease of exploitation and the potential for widespread disruption.

Recommendation

Upgrade the Gravity SMTP plugin to version 2.1.5 or later to patch CVE-2026-4162.
Monitor WordPress access logs for unauthorized requests targeting the plugin management endpoints to detect potential exploitation attempts. Deploy the Sigma rule Detect WordPress Plugin Uninstall via Missing Auth to identify suspicious activity.
Implement CSRF protection mechanisms within WordPress plugins to mitigate the risk of CSRF-based exploitation.
Review WordPress user roles and permissions to minimize the attack surface and restrict access to sensitive functionalities.

Perfmatters WordPress Plugin Arbitrary File Overwrite Vulnerability (CVE-2026-4351)

hello@craftedsignal.io — Fri, 10 Apr 2026 02:37:36 +0000

The Perfmatters plugin for WordPress, in versions up to and including 2.5.9, is vulnerable to an arbitrary file overwrite vulnerability (CVE-2026-4351). This vulnerability stems from the PMCS::action_handler() method’s processing of bulk activate/deactivate actions without proper authorization checks or nonce verification. The unsanitized $_GET['snippets'][] values are then passed to Snippet::activate()/Snippet::deactivate(), which subsequently call Snippet::update() and file_put_contents() with a traversed path. An authenticated attacker with subscriber-level privileges can exploit this flaw to overwrite arbitrary files on the server with a fixed PHP docblock, leading to a potential denial-of-service condition by corrupting critical files such as .htaccess or index.php. This vulnerability allows low-privileged users to gain elevated privileges on the system.

Attack Chain

Attacker authenticates to the WordPress site with subscriber-level access.
Attacker crafts a malicious HTTP GET request targeting the WordPress installation.
The GET request includes the pmcs_action parameter set to bulk_activate or bulk_deactivate.
The GET request includes the snippets[] parameter containing a path traversal payload, such as ../../../.htaccess.
The PMCS::action_handler() function processes the request without proper authorization or nonce validation.
The Snippet::activate() or Snippet::deactivate() functions are called, leading to Snippet::update().
Snippet::update() then calls file_put_contents() with the attacker-controlled path.
The attacker overwrites the targeted file (e.g., .htaccess, index.php) with a fixed PHP docblock, leading to a denial of service or further compromise.

Impact

Successful exploitation allows an attacker to overwrite arbitrary files on the WordPress server. Overwriting critical files like .htaccess or index.php can result in a denial-of-service condition, rendering the website unavailable. In some cases, this could be leveraged for further compromise by injecting malicious code into other PHP files or modifying server configurations. The vulnerability affects all installations using the Perfmatters plugin version 2.5.9 or earlier.

Recommendation

Immediately update the Perfmatters plugin to the latest version to patch CVE-2026-4351.
Deploy the Sigma rule Detect Perfmatters Arbitrary File Overwrite Attempt to monitor for exploitation attempts targeting this vulnerability via HTTP GET requests.
Monitor web server logs for suspicious GET requests containing pmcs_action=bulk_activate or pmcs_action=bulk_deactivate and path traversal sequences within the snippets[] parameter.
Implement strict file permission controls to limit the impact of potential file overwrite vulnerabilities.

Smart Slider 3 Pro Compromised Update Leads to Remote Code Execution

hello@craftedsignal.io — Thu, 09 Apr 2026 23:17:00 +0000

Smart Slider 3 Pro version 3.5.1.35, a popular WordPress and Joomla plugin, is vulnerable to remote code execution due to a compromised update system. This vulnerability, tracked as CVE-2026-34424, allows unauthenticated attackers to inject a multi-stage remote access toolkit. The attackers leverage this toolkit to execute arbitrary code and commands, effectively taking control of the affected web server. This vulnerability poses a significant threat to websites using the vulnerable plugin, potentially leading to data theft, website defacement, or use of the server for malicious purposes. Defenders should prioritize patching or removing the affected plugin version immediately.

Attack Chain

The attacker compromises the Smart Slider 3 Pro update server.
A malicious update is pushed to vulnerable Smart Slider 3 Pro installations (version 3.5.1.35).
The plugin downloads and installs the malicious update, injecting the multi-stage remote access toolkit.
The attacker triggers pre-authentication remote shell execution by sending crafted HTTP headers to the web server.
An authenticated backdoor is established, allowing the attacker to execute arbitrary PHP code or OS commands.
The attacker creates hidden administrator accounts within WordPress or Joomla to maintain persistent access.
Credentials and access keys are exfiltrated from the compromised system.
Persistence is maintained through multiple injection points, including modifications to must-use plugins and core files.

Impact

Successful exploitation of CVE-2026-34424 leads to complete compromise of the affected web server. Attackers can gain unauthorized access to sensitive data, including user credentials, database information, and proprietary code. Websites can be defaced, injected with malware, or used as part of a botnet. The vulnerability affects all users of Smart Slider 3 Pro version 3.5.1.35, regardless of the underlying operating system. Given the widespread use of WordPress and Joomla, a large number of websites are potentially at risk.

Recommendation

Immediately remove or update Smart Slider 3 Pro to a patched version newer than 3.5.1.35 to remediate CVE-2026-34424.
Monitor web server logs for suspicious HTTP requests with unusual headers indicative of attempted pre-authentication shell execution as described in the Attack Chain.
Implement the provided Sigma rules to detect suspicious process creation and file modifications related to the injected toolkit.
Audit user accounts for unauthorized administrator accounts as the attacker creates hidden accounts.

WordPress adivaha Travel Plugin SQL Injection Vulnerability (CVE-2023-54359)

hello@craftedsignal.io — Thu, 09 Apr 2026 21:16:05 +0000

The adivaha Travel plugin 2.3 for WordPress is susceptible to a time-based blind SQL injection vulnerability (CVE-2023-54359). This flaw allows unauthenticated attackers to inject malicious SQL code through the ‘pid’ GET parameter in requests to the /mobile-app/v3/ endpoint. By crafting specific ‘pid’ values with XOR-based payloads, attackers can manipulate database queries. This vulnerability can be exploited to extract sensitive database information or to cause a denial-of-service condition on the affected WordPress site. Publicly available exploits exist, increasing the risk of widespread exploitation.

Attack Chain

An unauthenticated attacker identifies a WordPress site using the vulnerable adivaha Travel Plugin version 2.3.
The attacker crafts a malicious HTTP GET request targeting the /mobile-app/v3/ endpoint.
The attacker injects SQL code into the pid GET parameter, utilizing XOR-based payloads to bypass input validation or sanitization.
The server processes the malicious SQL query against the WordPress database.
Due to the time-based blind SQL injection, the attacker infers information about the database by observing the response time of the server.
Through repeated requests, the attacker extracts sensitive data from the database, such as user credentials, API keys, or other confidential information.
Alternatively, the attacker injects SQL code to cause a denial-of-service condition, such as by creating a very long delay.
The attacker uses the exfiltrated data for malicious purposes or further compromise of the WordPress site.

Impact

Successful exploitation of this SQL injection vulnerability can lead to the extraction of sensitive information from the WordPress database, potentially compromising user accounts, customer data, and other confidential information. Attackers could gain complete control over the affected website, leading to defacement, malware distribution, or further attacks on other systems. A successful denial-of-service attack could also disrupt the availability of the website, impacting business operations and user experience.

Recommendation

Apply any available patches or updates for the adivaha Travel Plugin to remediate CVE-2023-54359.
Deploy the Sigma rule Detect Suspicious adivaha Travel Plugin SQL Injection Attempt to your SIEM to identify potential exploitation attempts targeting the /mobile-app/v3/ endpoint.
Inspect web server logs for requests to /mobile-app/v3/ containing suspicious characters or SQL syntax in the pid parameter to identify exploitation attempts (reference: vulnerable endpoint /mobile-app/v3/).
Monitor network traffic for connections to the URLs listed in the IOCs (reference: https://www.exploit-db.com/exploits/51655 and https://www.vulncheck.com/advisories/wordpress-adivaha-travel-plugin-sql-injection-via-pid).

WooCommerce Ajax Product Filter Plugin Vulnerable to SQL Injection (CVE-2026-3396)

hello@craftedsignal.io — Wed, 08 Apr 2026 12:16:21 +0000

The WooCommerce Ajax Product Filter (WCAPF) plugin, a WordPress extension, is susceptible to a time-based SQL Injection vulnerability (CVE-2026-3396). This flaw stems from inadequate input sanitization of the post-author parameter and insufficient preparation within the existing SQL query structure. Specifically, all versions of the plugin up to and including version 4.2.3 are affected. An unauthenticated attacker can exploit this vulnerability by injecting malicious SQL code into the post-author parameter. Successful exploitation allows the attacker to manipulate database queries and extract sensitive information without requiring authentication. This vulnerability poses a significant risk to e-commerce sites using the WCAPF plugin, as attackers could potentially access customer data, administrative credentials, or other confidential information.

Attack Chain

An unauthenticated attacker identifies a WooCommerce website using a vulnerable version (<=4.2.3) of the WCAPF plugin.
The attacker crafts a malicious HTTP request targeting an endpoint that utilizes the vulnerable post-author parameter.
The crafted request includes SQL injection payload within the post-author parameter, designed to extract data using time-based techniques. For example, the attacker might use a SLEEP() function to introduce delays based on conditional database queries.
The web server processes the request and passes the unsanitized post-author parameter to the database query.
The injected SQL code manipulates the original query, causing the database to execute the attacker’s malicious commands.
Based on the response time (due to the SLEEP() function), the attacker infers whether their injected SQL query was successful in retrieving specific data.
The attacker iteratively refines their SQL injection payload to extract sensitive information, such as user credentials or customer details.
The attacker exfiltrates the obtained data, potentially using it for identity theft, financial fraud, or further attacks against the compromised website.

Impact

Successful exploitation of CVE-2026-3396 can lead to the complete compromise of the vulnerable WooCommerce website’s database. An attacker could potentially access sensitive customer data, including names, addresses, credit card details, and purchase history. Furthermore, administrative credentials could be stolen, allowing the attacker to gain full control over the website. This can result in significant financial losses, reputational damage, and legal liabilities for the affected e-commerce business. While the exact number of affected websites is unknown, any online store using the WCAPF plugin versions 4.2.3 or earlier is potentially at risk.

Recommendation

Upgrade the WCAPF plugin to a version greater than 4.2.3 to patch CVE-2026-3396 (references: CVE-2026-3396).
Deploy the Sigma rule Detect WooCommerce SQL Injection Attempt to identify potential exploitation attempts in web server logs (references: Sigma rule).
Implement input validation and sanitization on the post-author parameter to prevent SQL injection attacks (references: Attack Chain).
Monitor web server logs for suspicious requests containing SQL injection payloads, particularly those targeting WCAPF plugin endpoints (references: Sigma rule, Attack Chain).

WordPress Plugin Vulnerability: Arbitrary File Upload in Gerador de Certificados – DevApps

hello@craftedsignal.io — Wed, 08 Apr 2026 07:16:22 +0000

The Gerador de Certificados – DevApps plugin for WordPress, versions up to and including 1.3.6, contains an arbitrary file upload vulnerability (CVE-2026-4808). This flaw stems from a lack of file type validation within the moveUploadedFile() function. Authenticated users with administrator privileges or higher can exploit this vulnerability by uploading arbitrary files to the affected server. Successful exploitation could allow an attacker to execute arbitrary code on the server, leading to a complete system compromise. This vulnerability poses a significant threat to websites using the affected plugin, potentially impacting data confidentiality, integrity, and availability.

Attack Chain

An attacker authenticates to the WordPress site with administrator-level privileges.
The attacker navigates to the Gerador de Certificados – DevApps plugin’s upload functionality.
The attacker crafts a malicious file (e.g., a PHP file) with a disguised extension or no extension.
The attacker uploads the malicious file through the plugin’s interface, bypassing the missing file type validation in the moveUploadedFile() function.
The plugin saves the file to a publicly accessible directory on the server.
The attacker identifies the location of the uploaded file.
The attacker sends an HTTP request to the uploaded file’s location.
The server executes the malicious code within the uploaded file, granting the attacker remote code execution capabilities.

Impact

Successful exploitation of this vulnerability allows attackers with administrator privileges to upload arbitrary files to the web server. This can lead to remote code execution, potentially allowing the attacker to gain full control of the WordPress website and the underlying server. This could lead to data theft, website defacement, or use of the server for malicious purposes such as hosting phishing sites or launching attacks against other systems. The number of affected sites is potentially very large.

Recommendation

Upgrade the Gerador de Certificados – DevApps plugin to the latest version, which includes a fix for CVE-2026-4808.
Implement web server configurations to prevent the execution of scripts in upload directories.
Enable web server logging and monitor for suspicious file uploads and access attempts to unusual file types.
Deploy the Sigma rule to detect attempts to access PHP files within the wp-content/uploads directory.

Product Feed PRO for WooCommerce Plugin CSRF Vulnerability (CVE-2026-3499)

hello@craftedsignal.io — Wed, 08 Apr 2026 02:16:04 +0000

The Product Feed PRO for WooCommerce by AdTribes – Product Feeds for WooCommerce plugin, a WordPress plugin, suffers from a Cross-Site Request Forgery (CSRF) vulnerability. Present in versions 13.4.6 through 13.5.2.1, this flaw allows unauthenticated attackers to execute administrative functions if they can successfully coerce a site administrator into performing an action, such as clicking a specially crafted link. The vulnerability stems from the plugin’s failure to implement proper nonce validation on several AJAX actions, including ajax_migrate_to_custom_post_type, ajax_adt_clear_custom_attributes_product_meta_keys, ajax_update_file_url_to_lower_case, ajax_use_legacy_filters_and_rules, and ajax_fix_duplicate_feed. This vulnerability poses a significant risk to WooCommerce store owners using the affected plugin.

Attack Chain

The attacker crafts a malicious URL containing a request to one of the vulnerable AJAX actions (e.g., ajax_migrate_to_custom_post_type).
The attacker distributes the malicious URL via email, social media, or another channel, attempting to trick a WordPress administrator into clicking the link.
The administrator, while authenticated to the WordPress admin panel, clicks the malicious link.
The administrator’s browser sends the forged request to the WordPress server, including the administrator’s session cookies.
Due to the missing or incorrect nonce validation, the WordPress server processes the request as if it were a legitimate action performed by the administrator.
Depending on the specific AJAX action targeted, the attacker can trigger feed migration, clear custom attribute caches, rewrite feed file URLs to lowercase, toggle legacy filter and rule settings, or delete duplicate feed posts.
The attacker repeats this process to perform other administrative actions, gaining control over the plugin’s settings and data.
The attacker potentially manipulates product feeds to inject malicious content, redirect users, or compromise the WooCommerce store’s SEO.

Impact

Successful exploitation of this CSRF vulnerability (CVE-2026-3499) could allow an attacker to manipulate a WooCommerce store’s product feeds, potentially leading to data corruption, SEO poisoning, or the injection of malicious content. If successful, attackers could modify product information, redirect users to phishing sites, or damage the store’s reputation. The severity of the impact depends on the targeted AJAX action, but the potential for unauthorized administrative control is significant. Given the wide usage of WooCommerce and the Product Feed PRO plugin, a large number of online stores are potentially at risk.

Recommendation

Upgrade the Product Feed PRO for WooCommerce plugin to a patched version greater than 13.5.2.1 to remediate CVE-2026-3499.
Deploy the provided Sigma rules to your SIEM to detect exploitation attempts targeting the vulnerable AJAX actions.
Implement web application firewall (WAF) rules to block requests to the vulnerable AJAX endpoints originating from suspicious referrers.
Educate WordPress administrators on the risks of CSRF attacks and the importance of verifying links before clicking them.

Everest Forms WordPress Plugin PHP Object Injection Vulnerability

hello@craftedsignal.io — Wed, 08 Apr 2026 02:16:04 +0000

The Everest Forms plugin for WordPress, a widely used form builder, contains a critical PHP Object Injection vulnerability (CVE-2026-3296) affecting versions up to and including 3.4.3. This vulnerability stems from the insecure deserialization of user-supplied data within the html-admin-page-entries-view.php file. Specifically, the plugin uses PHP’s unserialize() function on form entry metadata stored in the wp_evf_entrymeta table without specifying allowed classes, creating an exploitable condition. An unauthenticated attacker can inject malicious serialized PHP objects through any public form field. The sanitize_text_field() function fails to prevent these attacks because it doesn’t strip serialization control characters. This allows attackers to execute arbitrary PHP code on the WordPress server when an administrator views form entries. This vulnerability poses a significant risk to WordPress sites using the Everest Forms plugin.

Attack Chain

An unauthenticated attacker submits a malicious serialized PHP object through a public Everest Forms form field.
The submitted payload bypasses the sanitize_text_field() function due to the function’s failure to remove serialization control characters.
The crafted serialized object is stored in the wp_evf_entrymeta database table associated with the form entry.
An administrator accesses the WordPress administration panel and navigates to the Everest Forms entries section.
The html-admin-page-entries-view.php file is executed to display form entries and their associated metadata.
The plugin retrieves the stored serialized object from the wp_evf_entrymeta table.
The unserialize() function is called on the retrieved data without the allowed_classes parameter, triggering PHP Object Injection.
The injected PHP object is instantiated, leading to arbitrary PHP code execution on the server, potentially granting the attacker complete control over the WordPress site.

Impact

Successful exploitation of this vulnerability (CVE-2026-3296) can lead to complete compromise of the WordPress website. An attacker can gain remote code execution, allowing them to inject malware, deface the site, steal sensitive data (including user credentials and financial information), or use the compromised server as part of a botnet. Given the widespread use of the Everest Forms plugin, a large number of WordPress sites are potentially vulnerable. The CVSS v3.1 base score of 9.8 reflects the critical severity of this vulnerability.

Recommendation

Immediately update the Everest Forms plugin to the latest version (greater than 3.4.3) to patch CVE-2026-3296.
Deploy the Sigma rule Detect Suspicious unserialize Call in Everest Forms to identify potential exploitation attempts in web server logs.
Monitor web server logs for suspicious POST requests to WordPress form submission endpoints containing serialized PHP objects, as detected by the Detect Suspicious Form Submission with Serialized Data Sigma rule.
Implement a Web Application Firewall (WAF) rule to block requests containing serialized PHP objects in form submission data.

CSRF Vulnerability in WordPress Under Construction Plugin (CVE-2026-34896)

hello@craftedsignal.io — Tue, 07 Apr 2026 09:16:21 +0000

A cross-site request forgery (CSRF) vulnerability, identified as CVE-2026-34896, affects the Analytify Under Construction, Coming Soon & Maintenance Mode WordPress plugin. This vulnerability allows an attacker to trick a user into performing actions they did not intend to, such as modifying plugin settings or performing administrative tasks, provided the targeted user is authenticated to the WordPress site. The vulnerability exists in versions from n/a through 2.1.1. The vulnerability was reported to affect a publicly available plugin, increasing the scope of potentially impacted websites. Successful exploitation could lead to arbitrary code execution depending on the privileges of the targeted user and plugin functionality that can be abused.

Attack Chain

An attacker identifies a vulnerable WordPress site running the affected plugin.
The attacker crafts a malicious HTML page containing a CSRF exploit. This page contains a crafted HTTP request designed to trigger a specific action within the plugin (e.g., changing settings) when submitted by an authenticated user.
The attacker distributes the malicious HTML page via email, social media, or other means to a targeted WordPress administrator or user.
The targeted user, while logged into the vulnerable WordPress site, visits the malicious HTML page.
The user’s browser automatically submits the crafted HTTP request to the WordPress site without the user’s knowledge or consent.
The WordPress site, believing the request originated from the authenticated user, processes the request and executes the attacker’s desired action.
The attacker’s malicious action, such as changing plugin settings, is successfully performed on the vulnerable WordPress site.
Depending on the privileges of the compromised user and vulnerable plugin settings, the attacker may be able to achieve arbitrary code execution, site defacement, or data theft.

Impact

Successful exploitation of this CSRF vulnerability (CVE-2026-34896) in the Analytify Under Construction, Coming Soon & Maintenance Mode WordPress plugin could lead to unauthorized modification of website settings, potentially resulting in site defacement, malware injection, or complete website takeover. The impact depends on the targeted user’s privileges and the plugin’s configurable options. While the exact number of affected websites is unknown, the plugin’s popularity suggests a potentially broad impact across various sectors using WordPress for their online presence.

Recommendation

Upgrade the Analytify Under Construction, Coming Soon & Maintenance Mode WordPress plugin to a version beyond 2.1.1 to patch CVE-2026-34896.
Deploy the Sigma rule Detect WordPress Plugin Setting Changes via POST to monitor for unauthorized changes to WordPress plugins.
Educate WordPress users on the risks of CSRF attacks and the importance of verifying the legitimacy of links and websites before clicking them.

Amelia WordPress Plugin IDOR Vulnerability CVE-2026-5465

hello@craftedsignal.io — Tue, 07 Apr 2026 07:16:24 +0000

The Amelia WordPress plugin, specifically the “Booking for Appointments and Events Calendar”, contains an Insecure Direct Object Reference (IDOR) vulnerability (CVE-2026-5465) in versions up to and including 2.1.3. This flaw resides within the UpdateProviderCommandHandler and stems from insufficient validation when a Provider (Employee) user modifies their profile. The critical issue is the ability to manipulate the externalId field, which directly corresponds to a WordPress user ID. By injecting an arbitrary externalId value during a profile update, an authenticated attacker with Provider-level access or higher can bypass authorization checks. This oversight permits the attacker to execute functions such as wp_set_password() and wp_update_user() on behalf of any other user, including those with Administrator privileges. This vulnerability allows for complete account takeover, representing a significant risk for organizations utilizing the vulnerable plugin.

Attack Chain

An attacker gains authenticated access to a WordPress instance with the Amelia plugin installed, possessing at least Provider (Employee) level privileges.
The attacker navigates to their user profile within the Amelia plugin interface.
The attacker intercepts the HTTP request generated when updating their profile using a tool like Burp Suite or browser developer tools.
The attacker modifies the externalId parameter within the intercepted HTTP request, replacing its original value with the WordPress user ID of the target account they wish to compromise (e.g., the Administrator account, typically user ID 1).
The attacker sends the modified HTTP request to the server.
Due to the IDOR vulnerability, the UpdateProviderCommandHandler fails to validate the manipulated externalId value.
The Amelia plugin’s backend utilizes the attacker-controlled externalId to call wp_set_password() and/or wp_update_user() on the target account.
The attacker successfully changes the password or other profile details of the target account, achieving complete account takeover and escalating privileges.

Impact

Successful exploitation of CVE-2026-5465 allows an attacker with minimal privileges (Provider/Employee role) to compromise any other account on the WordPress instance, including Administrator accounts. This grants the attacker full control over the WordPress site, enabling them to install malicious plugins, modify content, exfiltrate sensitive data, or further compromise the underlying server. The number of potential victims is directly proportional to the number of websites utilizing the vulnerable Amelia plugin. Given the plugin’s popularity, a successful mass exploitation could impact thousands of websites across various sectors.

Recommendation

Immediately update the Amelia WordPress plugin to the latest version (greater than 2.1.3) to patch CVE-2026-5465.
Monitor web server logs for POST requests to the /wp-admin/admin-ajax.php endpoint with the action parameter set to am_update_provider and a modified externalId parameter in the request body. Implement the Sigma rule Detect Amelia Plugin IDOR Attack to detect such activity.
Implement strong password policies and multi-factor authentication for all WordPress accounts, including those with limited privileges, to mitigate the impact of potential account compromises.
Review and audit existing WordPress user accounts and their assigned roles to identify and remove any unnecessary or excessive privileges.

Ninja Forms File Upload Plugin Vulnerability Leads to RCE

hello@craftedsignal.io — Tue, 07 Apr 2026 05:16:06 +0000

The Ninja Forms - File Uploads plugin for WordPress, specifically versions up to and including 3.3.26, contains an arbitrary file upload vulnerability (CVE-2026-0740). This flaw stems from a lack of proper file type validation within the NF_FU_AJAX_Controllers_Uploads::handle_upload function. An unauthenticated attacker can exploit this vulnerability to upload arbitrary files to the affected WordPress server. Successful exploitation could enable remote code execution, allowing the attacker to compromise the web server and potentially the underlying network. The vulnerability was partially addressed in version 3.3.25 and fully resolved in version 3.3.27. This vulnerability poses a significant risk to organizations using the vulnerable plugin, potentially leading to data breaches, website defacement, or complete system compromise.

Attack Chain

An unauthenticated attacker sends a crafted HTTP POST request to the WordPress server targeting the wp-admin/admin-ajax.php endpoint.
The POST request includes a malicious file disguised as a legitimate file type, exploiting the missing file type validation in the NF_FU_AJAX_Controllers_Uploads::handle_upload function.
The handle_upload function processes the request without properly validating the file type, allowing the malicious file to be uploaded to the server.
The uploaded file is stored in the WordPress uploads directory, typically located within the wp-content/uploads/ninja-forms-uploads/ directory.
The attacker crafts the malicious file (e.g., a PHP script) to execute arbitrary code on the server when accessed.
The attacker accesses the uploaded malicious file via a direct HTTP request to the file’s location within the uploads directory.
The web server executes the malicious file (e.g., a PHP script), granting the attacker the ability to execute arbitrary commands on the server.
The attacker leverages the executed code to gain a persistent foothold on the server, install malware, or exfiltrate sensitive data.

Impact

Successful exploitation of CVE-2026-0740 allows unauthenticated attackers to upload arbitrary files, potentially leading to remote code execution. This can result in complete compromise of the WordPress website, including data breaches, website defacement, and installation of backdoors. The impact is significant due to the widespread use of WordPress and the Ninja Forms plugin. Even a single successful attack can lead to substantial financial losses, reputational damage, and legal liabilities. Websites utilizing versions of the Ninja Forms File Uploads plugin prior to 3.3.27 are vulnerable.

Recommendation

Upgrade the Ninja Forms File Uploads plugin to version 3.3.27 or later to fully patch CVE-2026-0740.
Implement web application firewall (WAF) rules to detect and block malicious file upload attempts targeting the wp-admin/admin-ajax.php endpoint.
Monitor web server access logs for suspicious requests to the wp-content/uploads/ninja-forms-uploads/ directory.
Deploy the Sigma rule “Detect Ninja Forms Arbitrary File Upload Attempt” to identify potential exploitation attempts in web server logs.
Enforce strict file type validation on all file upload forms, even after upgrading the plugin, as a defense-in-depth measure.

Media Library Assistant WordPress Plugin SQL Injection Vulnerability

hello@craftedsignal.io — Mon, 06 Apr 2026 15:17:11 +0000

CVE-2026-34885 describes an SQL Injection vulnerability affecting the Media Library Assistant WordPress plugin. This plugin, developed by David Lingren, is vulnerable in versions up to and including 3.34. The vulnerability stems from improper neutralization of special elements used in SQL commands, potentially allowing attackers to inject malicious SQL code. Exploitation could lead to unauthorized data access, modification, or deletion within the WordPress database. Given the widespread use of WordPress and its plugin ecosystem, this vulnerability presents a significant risk to websites utilizing the affected plugin. Successful exploitation could compromise sensitive information, deface websites, or even gain administrative control.

Attack Chain

An attacker identifies a WordPress website using Media Library Assistant version 3.34 or earlier.
The attacker crafts a malicious HTTP request containing SQL injection payload in a plugin parameter, such as a search query or media metadata field.
The crafted request is sent to the vulnerable endpoint within the Media Library Assistant plugin.
The plugin fails to properly sanitize or neutralize the SQL injection payload.
The unsanitized payload is incorporated into an SQL query executed against the WordPress database.
The injected SQL code manipulates the query logic, allowing the attacker to bypass security checks.
The attacker extracts sensitive data from the database, such as user credentials, posts, or other stored information.
The attacker could potentially modify or delete data, or even gain administrative access to the WordPress site.

Impact

Successful exploitation of this SQL injection vulnerability could lead to a range of damaging outcomes. Attackers could gain unauthorized access to sensitive data stored within the WordPress database, including user credentials, customer information, and proprietary content. This data could be exfiltrated and sold on the dark web or used for further malicious activities. Website defacement, data modification, and complete site compromise are also potential consequences. The number of affected websites is potentially large, given the popularity of WordPress and its extensive plugin ecosystem.

Recommendation

Upgrade the Media Library Assistant WordPress plugin to a version higher than 3.34 to patch CVE-2026-34885.
Deploy the Sigma rule Detect SQL Injection Attempts via HTTP Request to identify potential exploitation attempts in web server logs.
Implement a Web Application Firewall (WAF) with rules specifically designed to detect and block SQL injection attacks against WordPress plugins.
Enable regular security audits of WordPress installations and plugins to identify and address vulnerabilities promptly.

WordPress Widgets for Social Photo Feed Plugin Stored XSS Vulnerability

hello@craftedsignal.io — Sat, 04 Apr 2026 09:16:20 +0000

The Widgets for Social Photo Feed plugin for WordPress, versions up to and including 1.7.9, contains a stored Cross-Site Scripting (XSS) vulnerability (CVE-2026-5425). This vulnerability stems from insufficient input sanitization and output escaping of the ‘feed_data’ parameter keys. An unauthenticated attacker can exploit this flaw by injecting malicious JavaScript code into the WordPress database. When a user visits a page containing a vulnerable widget, the injected script executes within their browser, potentially leading to session hijacking, account takeover, or other malicious activities. This vulnerability was reported by Wordfence and patched in version 1.8 of the plugin.

Attack Chain

The unauthenticated attacker identifies a WordPress site using a vulnerable version (<= 1.7.9) of the Widgets for Social Photo Feed plugin.
The attacker crafts a malicious HTTP request targeting the plugin’s functionality that handles the feed_data parameter. This request contains XSS payload within the parameter keys.
The WordPress server receives the crafted HTTP request. The vulnerable plugin processes the request without proper input sanitization or output escaping.
The malicious XSS payload is stored in the WordPress database, associated with the plugin’s settings or data.
A legitimate user visits a page on the WordPress site where the affected widget is displayed.
The WordPress server retrieves the plugin data, including the stored XSS payload, from the database.
The server renders the page with the unsanitized XSS payload embedded within the HTML output.
The user’s browser receives the HTML page containing the malicious script and executes it. This could lead to redirection, information theft, or further compromise of the user’s session.

Impact

Successful exploitation of this vulnerability allows an unauthenticated attacker to execute arbitrary JavaScript code in the context of a website user’s browser. This can result in session hijacking, defacement of the website, redirection to malicious sites, or the theft of sensitive information. While the exact number of vulnerable installations is not available, the widespread use of WordPress plugins makes this a potentially significant threat, particularly for sites that do not promptly apply security updates.

Recommendation

Upgrade the Widgets for Social Photo Feed plugin to version 1.8 or later to patch CVE-2026-5425.
Deploy the Sigma rule Detect WordPress Social Photo Feed XSS Attempt to identify exploitation attempts in web server logs.
Implement a web application firewall (WAF) rule to filter out requests containing potentially malicious JavaScript code in the feed_data parameter.

ProfilePress WordPress Plugin Membership Payment Bypass Vulnerability

hello@craftedsignal.io — Sat, 04 Apr 2026 09:16:20 +0000

The ProfilePress plugin for WordPress, specifically the “Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content” version 4.16.11 and earlier, contains a vulnerability (CVE-2026-3445) that allows authenticated attackers to bypass membership payment requirements. This flaw stems from a missing ownership verification on the change_plan_sub_id parameter within the process_checkout() function. An attacker with subscriber-level access can exploit this by referencing another user’s active subscription during the checkout process. This manipulation affects proration calculations, ultimately enabling the attacker to obtain paid lifetime membership plans without submitting legitimate payment. This vulnerability is triggered via the ppress_process_checkout AJAX action, making it critical for defenders to implement appropriate detection and mitigation strategies.

Attack Chain

An attacker registers a new account on the WordPress site with the vulnerable ProfilePress plugin installed, obtaining subscriber-level access.
The attacker identifies a valid, active subscription ID belonging to another user within the ProfilePress system.
The attacker initiates the purchase of a paid membership plan (e.g., a lifetime membership).
During the checkout process, the attacker intercepts the HTTP request sent to the ppress_process_checkout AJAX action.
The attacker modifies the change_plan_sub_id parameter within the request, replacing the expected value with the subscription ID of the other user.
The server-side process_checkout() function fails to properly validate the ownership of the provided change_plan_sub_id.
Due to the manipulated change_plan_sub_id, the proration calculations are skewed, resulting in a significantly reduced or zeroed payment amount.
The attacker completes the checkout process without making a legitimate payment and is granted access to the paid membership plan.

Impact

Successful exploitation of CVE-2026-3445 allows attackers to bypass payment requirements and gain unauthorized access to premium content and features offered through the ProfilePress plugin. This can result in significant revenue loss for website owners relying on paid memberships. The number of affected websites is potentially large, given the popularity of WordPress and the ProfilePress plugin. This vulnerability could also damage the reputation of the affected website and erode trust among legitimate paying members.

Recommendation

Upgrade to ProfilePress version 4.16.12 or later to patch CVE-2026-3445 (reference: vulnerability description).
Deploy the Sigma rule Detect ProfilePress Membership Bypass Attempt to your SIEM and tune for your environment to detect potential exploitation attempts by monitoring for the use of the ppress_process_checkout AJAX action with suspicious change_plan_sub_id values (reference: Sigma rule).
Monitor web server logs for POST requests to the /wp-admin/admin-ajax.php endpoint with the action parameter set to ppress_process_checkout to identify potential exploit attempts (reference: Attack Chain).

Perfmatters WordPress Plugin Arbitrary File Deletion Vulnerability (CVE-2026-4350)

hello@craftedsignal.io — Fri, 03 Apr 2026 08:16:17 +0000

The Perfmatters plugin, a popular WordPress performance optimization tool, contains a critical vulnerability (CVE-2026-4350) affecting versions up to and including 2.5.9.1. This flaw enables authenticated attackers with Subscriber-level access, the lowest privilege level in WordPress, to delete arbitrary files on the server. The vulnerability stems from the PMCS::action_handler() method’s failure to sanitize the $_GET['delete'] parameter. This lack of validation allows for path traversal attacks using sequences like ../, enabling attackers to navigate outside the intended storage directory and delete any accessible file. Successful exploitation can lead to the deletion of critical files such as wp-config.php, effectively disabling the website and potentially allowing a full site takeover.

Attack Chain

Attacker identifies a WordPress site using a vulnerable version (<=2.5.9.1) of the Perfmatters plugin.
Attacker gains Subscriber-level access to the WordPress site. This can be achieved through registration or compromised credentials.
Attacker crafts a malicious HTTP GET request targeting the WordPress site. The request includes the delete parameter with a path traversal payload. For example: ?delete=../../../../wp-config.php.
The request is sent to the PMCS::action_handler() method within the Perfmatters plugin.
The PMCS::action_handler() method processes the unsanitized $_GET['delete'] parameter.
The plugin concatenates the malicious path with the storage directory.
The unlink() function executes, deleting the file specified by the attacker’s path traversal payload.
If the attacker successfully deletes wp-config.php, the WordPress site becomes inaccessible and redirects to the installation wizard, potentially allowing for complete site takeover.

Impact

Successful exploitation of CVE-2026-4350 allows attackers to delete arbitrary files on a vulnerable WordPress server. A key target is wp-config.php, which contains sensitive database credentials. Deleting this file forces WordPress into the installation wizard, potentially leading to a full site takeover. The impact ranges from defacement and data loss to complete control of the website, impacting businesses, organizations, and individuals relying on WordPress for their online presence. The ease of exploitation due to the low privilege requirements makes this a high-risk vulnerability.

Recommendation

Immediately update the Perfmatters plugin to the latest version to patch CVE-2026-4350.
Implement the provided Sigma rule Detect Perfmatters Arbitrary File Deletion Attempt to identify potential exploitation attempts based on cs-uri-query in web server logs.
Consider implementing rate limiting on requests to wp-admin/options.php to mitigate potential brute-force exploitation attempts targeting this vulnerability.
Review web server access logs for unusual patterns in cs-uri-query parameters containing ../ sequences, as these may indicate path traversal attempts.

WordPress Webmention Plugin SSRF Vulnerability (CVE-2026-0686)

hello@craftedsignal.io — Thu, 02 Apr 2026 08:16:27 +0000

The Webmention plugin for WordPress, a plugin designed to facilitate webmention communications, contains a Server-Side Request Forgery (SSRF) vulnerability identified as CVE-2026-0686. This vulnerability affects all versions of the plugin up to and including 5.6.2. The vulnerability resides within the ‘MF2::parse_authorpage’ function, accessible through the ‘Receiver::post’ function. An unauthenticated attacker can exploit this flaw to force the WordPress server to make HTTP requests to arbitrary external or internal locations. This can be leveraged to gather sensitive information from internal services, bypass firewalls, or potentially modify data depending on the accessibility of internal resources. The vulnerable code was present as of April 2026 in the version 5.6.2 branch.

Attack Chain

An unauthenticated attacker crafts a malicious webmention request targeting a WordPress site running the vulnerable Webmention plugin.
The WordPress site receives the webmention request and processes it using the ‘Receiver::post’ function.
The ‘Receiver::post’ function calls the ‘MF2::parse_authorpage’ function to parse the author page URL specified in the webmention request.
The ‘MF2::parse_authorpage’ function, due to lack of proper validation, makes an HTTP request to an attacker-controlled or internal URL specified within the webmention data.
The WordPress server initiates a connection to the specified URL, potentially bypassing firewall restrictions or accessing internal services not directly exposed to the internet.
The response from the targeted URL is processed by the plugin, potentially revealing information about the internal network or services.
Depending on the targeted internal service and the attacker’s crafted request, the attacker might be able to modify data or execute commands.
Successful exploitation leads to information disclosure, internal service compromise, or potential remote code execution depending on the vulnerable internal service.

Impact

Successful exploitation of CVE-2026-0686 allows unauthenticated attackers to perform Server-Side Request Forgery attacks against WordPress sites utilizing the Webmention plugin. This can lead to the exposure of sensitive information from internal services, such as configuration files or database credentials. Furthermore, attackers could potentially leverage this vulnerability to interact with and potentially compromise other internal systems that are not directly accessible from the internet, leading to a full compromise of the affected network. While the exact number of affected WordPress installations is unknown, the widespread use of the Webmention plugin makes this a significant risk.

Recommendation

Upgrade the Webmention plugin to a version higher than 5.6.2 to patch CVE-2026-0686.
Deploy the Sigma rule “Detect Webmention SSRF Attempt via Request to Internal IP” to identify exploitation attempts in web server logs.
Monitor web server logs for unusual outbound connections originating from the WordPress server to internal IP addresses.
Implement network segmentation to limit the impact of potential SSRF attacks, restricting access from the WordPress server to only necessary internal services.

MW WP Form WordPress Plugin Arbitrary File Move Vulnerability (CVE-2026-4347)

hello@craftedsignal.io — Thu, 02 Apr 2026 06:16:23 +0000

The MW WP Form plugin for WordPress is susceptible to an arbitrary file moving vulnerability identified as CVE-2026-4347. This flaw stems from a lack of proper file path validation within the ‘generate_user_filepath’ and ‘move_temp_file_to_upload_dir’ functions. All versions of the plugin up to and including 5.1.0 are affected. An unauthenticated attacker can exploit this vulnerability to move arbitrary files on the server, potentially overwriting or relocating critical system files. The most severe outcome is remote code execution, which can be achieved by moving files such as ‘wp-config.php’ to a location where its contents are exposed. The vulnerability is only exploitable when a file upload field exists on a form and the “Saving inquiry data in database” option is enabled, narrowing the attack surface but increasing the risk for affected installations.

Attack Chain

An unauthenticated attacker identifies a WordPress site using a vulnerable version of the MW WP Form plugin (<= 5.1.0) with a file upload field enabled and the “Saving inquiry data in database” option turned on.
The attacker crafts a malicious request to the WordPress site, targeting the file upload functionality of the MW WP Form plugin.
The attacker manipulates the file path within the request, exploiting the insufficient validation in the ‘generate_user_filepath’ function to specify a target file for movement.
The ‘move_temp_file_to_upload_dir’ function is triggered, attempting to move the uploaded file to the attacker-controlled path.
Due to the lack of proper validation, the targeted file (e.g., wp-config.php) is successfully moved to a new location on the server.
If wp-config.php is moved to a publicly accessible directory, the database credentials and other sensitive information become exposed.
The attacker retrieves the exposed wp-config.php file, extracting database credentials and other sensitive information.
Using the obtained database credentials, the attacker gains unauthorized access to the WordPress database, potentially leading to remote code execution or complete site compromise.

Impact

Successful exploitation of CVE-2026-4347 allows unauthenticated attackers to move arbitrary files within the WordPress server’s file system. This can lead to the exposure of sensitive configuration files like ‘wp-config.php’, leading to full database and site compromise. While the number of affected installations is currently unknown, a successful attack can have devastating consequences, including data theft, website defacement, and remote code execution. The impact is limited to sites using the vulnerable MW WP Form plugin with specific configuration settings enabled.

Recommendation

Upgrade the MW WP Form plugin to the latest version (greater than 5.1.0) to patch CVE-2026-4347.
As a preventative measure, implement file integrity monitoring on critical files like ‘wp-config.php’ to detect unauthorized modifications or movement. Use file_event logs to trigger alerts.
Deploy the Sigma rule “Detect MW WP Form Arbitrary File Move Attempt” to identify potential exploitation attempts in web server logs.
Review WordPress access logs for suspicious file upload requests, focusing on requests to the MW WP Form plugin’s upload handler.

Query Monitor WordPress Plugin Vulnerable to Reflected XSS (CVE-2026-4267)

hello@craftedsignal.io — Tue, 31 Mar 2026 12:16:31 +0000

The Query Monitor plugin for WordPress, a developer tool panel, is susceptible to a reflected Cross-Site Scripting (XSS) vulnerability. Identified as CVE-2026-4267, this flaw exists in all versions up to and including 3.20.3. The vulnerability arises from the plugin’s failure to adequately sanitize input and escape output related to the $_SERVER['REQUEST_URI'] parameter. An unauthenticated attacker can exploit this by injecting malicious web scripts into pages, posing a threat to users who…

Contact Form by Supsystic WordPress Plugin SSTI Vulnerability (CVE-2026-4257)

hello@craftedsignal.io — Mon, 30 Mar 2026 22:16:20 +0000

The Contact Form by Supsystic plugin, a popular WordPress plugin, is susceptible to a critical Server-Side Template Injection (SSTI) vulnerability, identified as CVE-2026-4257. This vulnerability affects all versions up to and including 1.7.36. The root cause lies in the plugin’s use of the Twig template engine (Twig_Loader_String) without proper sandboxing. This, combined with the cfsPreFill functionality, allows unauthenticated attackers to inject arbitrary Twig expressions into form…

Oxygen Theme WordPress Plugin Vulnerable to Server-Side Request Forgery (CVE-2025-12886)

hello@craftedsignal.io — Sat, 28 Mar 2026 04:16:49 +0000

The Oxygen Theme WordPress plugin, versions 6.0.8 and earlier, contains a Server-Side Request Forgery (SSRF) vulnerability (CVE-2025-12886). This flaw allows unauthenticated attackers to send crafted requests to the WordPress server, potentially forcing it to make outbound connections to internal or external resources. The vulnerability is located within the laborator_calc_route AJAX action. By exploiting this, attackers can potentially access sensitive internal resources, bypass firewall…

Fluent Booking WordPress Plugin Stored XSS Vulnerability

hello@craftedsignal.io — Thu, 26 Mar 2026 14:16:09 +0000

CVE-2026-2231 describes a stored cross-site scripting (XSS) vulnerability within the Fluent Booking WordPress plugin. This vulnerability affects all versions up to and including 2.0.01. The root cause is insufficient input sanitization and output escaping of multiple parameters handled by the plugin. An unauthenticated attacker can exploit this vulnerability to inject malicious JavaScript code into the WordPress site. The injected script executes in the context of the victim’s browser when they access the page containing the injected code, potentially leading to session hijacking, defacement, or other malicious activities. Successful exploitation grants the attacker the same privileges as the victim user.

Attack Chain

An unauthenticated attacker identifies a vulnerable parameter within the Fluent Booking plugin, specifically related to booking data.
The attacker crafts a malicious payload containing JavaScript code.
The attacker submits a request to the WordPress site with the crafted payload embedded within the vulnerable parameter (e.g., booking name, location, or other fields).
The WordPress server stores the malicious payload in the database due to insufficient sanitization.
A legitimate user (e.g., an administrator or another user viewing bookings) accesses a page displaying the stored booking data.
The malicious JavaScript code embedded in the booking data is rendered in the user’s browser.
The injected script executes in the context of the user’s session.
The attacker can potentially steal cookies, redirect the user to a malicious website, or perform other actions with the user’s privileges.

Impact

Successful exploitation of this stored XSS vulnerability allows an unauthenticated attacker to execute arbitrary JavaScript code in the context of a logged-in user’s browser. This can lead to account compromise, including administrator accounts, potentially leading to full control of the WordPress website. Website defacement, data theft, and redirection to phishing sites are also potential impacts. Given the widespread use of WordPress and the Fluent Booking plugin, a successful widespread exploit could affect a large number of websites.

Recommendation

Upgrade the Fluent Booking plugin to a version greater than 2.0.01 to patch CVE-2026-2231.
Deploy the Sigma rule Detect Suspicious URI Parameters in WordPress to detect potential XSS attempts against WordPress sites.
Monitor web server logs for suspicious URI parameters and user input, as detected by the Detect WordPress XSS via URI Parameters Sigma rule.
Implement a web application firewall (WAF) with rules to filter out common XSS payloads.
Regularly audit and sanitize user input within WordPress plugins and themes to prevent stored XSS vulnerabilities.

Blackhole for Bad Bots WordPress Plugin Stored XSS Vulnerability

hello@craftedsignal.io — Thu, 26 Mar 2026 05:16:40 +0000

The Blackhole for Bad Bots plugin for WordPress, up to and including version 3.8, contains a stored cross-site scripting (XSS) vulnerability. The vulnerability stems from insufficient input sanitization and output escaping of the User-Agent HTTP header when capturing bot data. Specifically, the plugin uses sanitize_text_field() which strips HTML tags but does not escape HTML entities. This data is then stored using update_option() and later displayed on the Bad Bots log page. The stored data is output into HTML input value attributes and HTML span content without proper escaping via esc_attr() or esc_html(). This allows an unauthenticated attacker to inject arbitrary web scripts that are executed when an administrator views the Blackhole Bad Bots admin page, potentially leading to privilege escalation or other malicious actions.

Attack Chain

An unauthenticated attacker sends a request to the WordPress site with a malicious User-Agent header containing XSS payload.
The Blackhole for Bad Bots plugin captures the User-Agent string using sanitize_text_field(), which inadequately sanitizes the input.
The plugin stores the inadequately sanitized User-Agent string in the WordPress options database using update_option().
A WordPress administrator navigates to the Blackhole Bad Bots admin page.
The plugin retrieves the stored User-Agent strings from the database.
The plugin outputs the stored User-Agent string directly into HTML input value attributes (lines 75-83) without esc_attr() and into HTML span content without esc_html() on the admin page.
The administrator’s browser executes the injected XSS payload.
The XSS payload can perform actions such as stealing the administrator’s session cookie, redirecting the administrator to a malicious site, or performing actions on behalf of the administrator.

Impact

Successful exploitation of this vulnerability allows unauthenticated attackers to inject arbitrary web scripts that execute in the context of an administrator’s browser session. This can lead to various malicious outcomes, including account takeover, data theft, and defacement of the WordPress site. Given the widespread use of WordPress and the Blackhole for Bad Bots plugin, a successful exploit could impact a significant number of websites.

Recommendation

Upgrade the Blackhole for Bad Bots plugin to a version greater than 3.8 to remediate CVE-2026-4329.
Implement a Web Application Firewall (WAF) rule to filter requests containing suspicious User-Agent headers that might exploit CVE-2026-4329.
Monitor web server logs for requests with unusual or potentially malicious User-Agent strings to detect potential exploitation attempts related to CVE-2026-4329.

Masteriyo LMS WordPress Plugin Privilege Escalation Vulnerability

hello@craftedsignal.io — Thu, 26 Mar 2026 02:16:07 +0000

The Masteriyo LMS plugin, a learning management system for WordPress, contains a privilege escalation vulnerability (CVE-2026-4484) affecting versions up to and including 2.1.6. This flaw allows authenticated users, even those with low-level “Student” access, to elevate their privileges to that of an administrator. The vulnerability stems from a lack of proper authorization checks within the InstructorsController::prepare_object_for_database function, enabling malicious users to modify user roles. Successful exploitation grants attackers full control over the WordPress site, leading to potential data breaches, defacement, or complete takeover. This vulnerability poses a significant threat to educational institutions and other organizations using the Masteriyo LMS plugin.

Attack Chain

Attacker authenticates to the WordPress site as a student or with any role above student.
Attacker crafts a malicious HTTP request targeting the REST API endpoint associated with the InstructorsController.
The attacker includes a modified user role parameter within the request, specifically attempting to change their role to “administrator.”
The request is sent to the /wp-json/masteriyo/v1/instructors endpoint.
The InstructorsController::prepare_object_for_database function processes the request without proper authorization checks.
The function updates the attacker’s user role in the WordPress database to “administrator”.
The attacker logs out and back in to the WordPress site.
The attacker now has full administrator privileges and can perform any action within the WordPress site.

Impact

Successful exploitation of this vulnerability allows any authenticated user to gain complete control over the affected WordPress site. This can lead to significant data breaches, where sensitive student or course data is compromised. The attacker can deface the website, install malicious plugins, or even completely take over the server. Given the widespread use of WordPress and the Masteriyo LMS plugin in educational settings, a successful attack could impact thousands of students and instructors.

Recommendation

Immediately update the Masteriyo LMS plugin to the latest available version, which patches CVE-2026-4484.
Monitor WordPress web server logs for suspicious POST requests to /wp-json/masteriyo/v1/instructors attempting to modify user roles.
Deploy the Sigma rule provided below to detect potential exploitation attempts targeting the vulnerable InstructorsController::prepare_object_for_database function.

WP Job Portal Plugin Arbitrary File Deletion Vulnerability (CVE-2026-4758)

hello@craftedsignal.io — Thu, 26 Mar 2026 00:16:41 +0000

The WP Job Portal plugin for WordPress versions up to and including 2.4.9 is susceptible to an arbitrary file deletion vulnerability (CVE-2026-4758). The vulnerability stems from insufficient file path validation within the WPJOBPORTALcustomfields::removeFileCustom function. Authenticated attackers with Subscriber-level access or higher can exploit this flaw to delete arbitrary files on the server. Successful exploitation allows attackers to delete critical files such as wp-config.php…

WP Job Portal Plugin SQL Injection Vulnerability

hello@craftedsignal.io — Tue, 24 Mar 2026 12:00:00 +0000

The WP Job Portal plugin for WordPress, a widely used plugin for managing job listings, is susceptible to SQL Injection attacks. This vulnerability, identified as CVE-2026-4306, affects all versions up to and including 2.4.8. The flaw stems from the insufficient sanitization of the ‘radius’ parameter, which is directly incorporated into SQL queries without proper escaping. This lack of input validation enables unauthenticated attackers to inject malicious SQL code into the application’s database queries. Successful exploitation could lead to the unauthorized disclosure of sensitive information stored within the WordPress database. Given the popularity of WordPress and the WP Job Portal plugin, a successful attack could impact a large number of websites and expose confidential data, including user credentials, financial details, and other sensitive information.

Attack Chain

An unauthenticated attacker crafts a malicious HTTP request targeting the WordPress website running the vulnerable WP Job Portal plugin.
The attacker appends a SQL injection payload to the ‘radius’ parameter within the HTTP request.
The vulnerable plugin receives the request and incorporates the unsanitized ‘radius’ parameter into an SQL query within includes/ajax.php or modules/job/model.php.
The injected SQL code is executed against the WordPress database due to the lack of proper input validation and escaping.
The attacker leverages the SQL injection to extract sensitive information from the database, such as user credentials, API keys, or other confidential data.
The extracted data may be exfiltrated from the server using various techniques.
The attacker could potentially use the compromised data to gain further access to the WordPress site or connected systems.

Impact

Successful exploitation of this SQL Injection vulnerability (CVE-2026-4306) could lead to the complete compromise of the WordPress database. Attackers could gain access to sensitive information, including user credentials, customer data, and confidential business information. The vulnerability impacts all users running WP Job Portal plugin versions 2.4.8 and earlier. The CVSS v3.1 score is 7.5, indicating a high severity risk. The impact includes unauthorized data access.

Recommendation

Upgrade the WP Job Portal plugin to version 2.4.9 or later to patch the SQL Injection vulnerability (CVE-2026-4306).
Deploy a web application firewall (WAF) with rules to detect and block SQL Injection attempts targeting the ‘radius’ parameter in WordPress plugins.
Enable detailed logging for your web server (category “webserver”, product “linux|windows”) to monitor for suspicious activity and potential exploitation attempts.

ReviewX WordPress Plugin Arbitrary Method Call Vulnerability

hello@craftedsignal.io — Tue, 24 Mar 2026 12:00:00 +0000

The ReviewX – WooCommerce Product Reviews plugin for WordPress, a tool designed to enhance product reviews, contains a critical vulnerability. Identified as CVE-2025-10679, this flaw stems from insufficient input validation within the bulkTenReviews function. Exploitation allows unauthenticated attackers to invoke arbitrary PHP class methods that either require no input or can utilize default values. This vulnerability affects ReviewX plugin versions up to and including 2.2.12. Successful exploitation can lead to sensitive information disclosure or, under certain server configurations and available methods, remote code execution. This poses a significant risk to e-commerce sites utilizing the vulnerable plugin, potentially impacting customer data and overall site integrity.

Attack Chain

The attacker sends a crafted HTTP request to the WordPress server targeting the vulnerable bulkTenReviews function in the ReviewX plugin.
The crafted request includes malicious input designed to bypass the insufficient input validation within the bulkTenReviews function.
The bulkTenReviews function processes the attacker-controlled data without proper sanitization.
The unsanitized input is passed to a variable function call mechanism, allowing the attacker to specify an arbitrary PHP class method.
The attacker leverages this vulnerability to call a PHP class method that requires no inputs or has default values.
Depending on the available methods and server configuration, the attacker may be able to trigger sensitive information disclosure.
In more critical scenarios, the attacker might be able to call methods that allow writing to the file system or executing arbitrary commands, leading to remote code execution.
The attacker gains control of the WordPress server, enabling them to install malware, steal data, or deface the website.

Impact

Successful exploitation of CVE-2025-10679 can lead to a range of damaging consequences. Sensitive information, such as customer data and administrative credentials, may be exposed. In the worst-case scenario, attackers can achieve remote code execution, granting them complete control over the affected WordPress server. This can result in website defacement, data theft, malware installation, and denial-of-service attacks. Given the wide usage of WooCommerce and ReviewX, a successful widespread attack could impact numerous e-commerce businesses.

Recommendation

Immediately update the ReviewX plugin to the latest version (greater than 2.2.12) to patch CVE-2025-10679.
Deploy the Sigma rule Detect ReviewX Arbitrary Method Calls to detect exploitation attempts targeting the bulkTenReviews function.
Monitor web server logs for suspicious POST requests to WordPress plugins with unusual parameters, as highlighted in the Sigma rule Detect ReviewX Arbitrary Method Calls.
Review PHP configurations to harden against potential RCE attempts stemming from arbitrary method calls.

Contest Gallery WordPress Plugin Authentication Bypass Vulnerability (CVE-2026-4021)

hello@craftedsignal.io — Tue, 24 Mar 2026 00:16:31 +0000

The Contest Gallery plugin for WordPress, versions up to and including 28.1.5, is vulnerable to a critical authentication bypass (CVE-2026-4021). This vulnerability stems from how the users-registry-check-after-email-or-pin-confirmation.php script handles email confirmations, combined with an unauthenticated key-based login endpoint in ajax-functions-frontend.php. If the RegMailOptional=1 setting is enabled (non-default), an attacker can register a new user account with a specially…

WP Maps WordPress Plugin Time-Based SQL Injection Vulnerability (CVE-2026-2580)

hello@craftedsignal.io — Mon, 23 Mar 2026 00:16:51 +0000

The WP Maps – Store Locator, Google Maps, OpenStreetMap, Mapbox, Listing, Directory & Filters plugin for WordPress, a widely used plugin for integrating map functionality into WordPress sites, contains a critical time-based SQL Injection vulnerability. Assigned CVE-2026-2580, this flaw affects all versions up to and including 4.9.1. The vulnerability lies within the ‘orderby’ parameter, where insufficient input sanitization allows unauthenticated attackers to inject malicious SQL queries. By…

Otter Blocks Plugin Purchase Verification Bypass Vulnerability (CVE-2026-2892)

hello@craftedsignal.io — Mon, 24 Jun 2024 12:00:00 +0000

The Otter Blocks plugin, a popular WordPress extension, is susceptible to a purchase verification bypass vulnerability identified as CVE-2026-2892. This flaw affects all versions up to and including 3.1.4. The vulnerability stems from the plugin’s reliance on an unsigned cookie, ‘o_stripe_data’, to determine Stripe product ownership for unauthenticated users. The ‘get_customer_data’ method uses this cookie, and the subsequent ‘check_purchase’ method trusts its contents without proper server-side validation against the Stripe API. This lack of verification enables attackers to gain unauthorized access to purchase-gated content. The target product ID is often exposed in the checkout block’s HTML source, further simplifying the exploit. Successful exploitation allows attackers to bypass payment requirements, potentially impacting content creators and businesses relying on the plugin for revenue generation.

Attack Chain

An unauthenticated attacker identifies a WordPress site using the vulnerable Otter Blocks plugin (version <= 3.1.4).
The attacker examines the HTML source code of a checkout block on the target site to identify the target product ID.
The attacker crafts a malicious ‘o_stripe_data’ cookie containing the target product ID.
The attacker sets the forged ‘o_stripe_data’ cookie in their browser.
The attacker navigates to the purchase-gated content on the WordPress site.
The ‘get_customer_data’ method reads the forged ‘o_stripe_data’ cookie.
The ‘check_purchase’ method incorrectly validates the forged purchase data without server-side verification against the Stripe API.
The attacker gains unauthorized access to the purchase-gated content, bypassing the intended payment requirement.

Impact

Successful exploitation of CVE-2026-2892 allows unauthenticated attackers to bypass purchase verification mechanisms implemented by the Otter Blocks plugin. This can lead to unauthorized access to premium content, resulting in revenue loss for content creators and businesses using the plugin. The number of potentially affected websites is significant, given the popularity of WordPress and the Otter Blocks plugin. The CVSS v3.1 base score is 7.5, indicating a high severity vulnerability.

Recommendation

Upgrade the Otter Blocks plugin to a version greater than 3.1.4 to patch CVE-2026-2892.
Deploy the provided Sigma rules to detect potential exploitation attempts targeting the vulnerable plugin.
Monitor web server logs (category webserver, product linux) for suspicious cookie manipulation activity, specifically targeting the ‘o_stripe_data’ cookie.
Implement server-side validation of purchase data against the Stripe API to prevent cookie forgery attacks.

Breeze Cache Plugin Arbitrary File Upload Vulnerability (CVE-2026-3844)

hello@craftedsignal.io — Thu, 29 Feb 2024 10:00:00 +0000

The Breeze Cache plugin for WordPress, in versions up to and including 2.4.4, contains an arbitrary file upload vulnerability (CVE-2026-3844). This flaw stems from the lack of file type validation within the ‘fetch_gravatar_from_remote’ function. An unauthenticated attacker can exploit this vulnerability to upload arbitrary files to the affected WordPress site’s server. Successful exploitation could lead to remote code execution on the server. It is important to note that the vulnerability can only be exploited if the “Host Files Locally - Gravatars” setting is enabled within the Breeze Cache plugin. This setting is disabled by default, reducing the attack surface. Defenders should prioritize identifying potentially compromised systems running vulnerable versions of Breeze Cache with the “Host Files Locally - Gravatars” option enabled.

Attack Chain

An unauthenticated attacker identifies a WordPress site running a vulnerable version (<= 2.4.4) of the Breeze Cache plugin.
The attacker confirms the “Host Files Locally - Gravatars” option is enabled on the target WordPress site.
The attacker crafts a malicious HTTP request targeting the ‘fetch_gravatar_from_remote’ function. This request contains a payload designed to upload an arbitrary file to the server.
Due to the missing file type validation, the server accepts the malicious file upload without proper sanitization. The uploaded file can be a PHP file, a web shell, or another executable type.
The attacker determines the location where the file has been saved by the plugin.
The attacker sends an HTTP request to the uploaded file’s location, triggering its execution on the server.
The malicious file executes, granting the attacker remote code execution capabilities on the web server.
The attacker can then perform actions such as installing malware, stealing sensitive data, or further compromising the server and network.

Impact

Successful exploitation of this vulnerability allows an unauthenticated attacker to upload arbitrary files to a vulnerable WordPress server. This can lead to complete compromise of the server, allowing for remote code execution. The attacker can then pivot to other systems, steal sensitive information, or cause significant disruption. While the “Host Files Locally - Gravatars” option is disabled by default, any instance where this option is enabled is at critical risk.

Recommendation

Upgrade the Breeze Cache plugin to the latest version to patch CVE-2026-3844.
Disable the “Host Files Locally - Gravatars” setting in the Breeze Cache plugin if it is enabled.
Deploy the Sigma rules provided below to your SIEM to detect potential exploitation attempts.
Monitor web server logs for suspicious file uploads and requests to unusual file extensions using the provided Sigma rules.
Implement strict file upload policies and validation mechanisms on all web applications to prevent arbitrary file uploads.

Royal Elementor Addons Plugin SSRF Vulnerability

hello@craftedsignal.io — Mon, 08 Jan 2024 12:00:00 +0000

The Royal Elementor Addons plugin, a popular WordPress extension, contains a Server-Side Request Forgery (SSRF) vulnerability (CVE-2026-6229) in versions up to and including 1.7.1057. This flaw stems from inadequate validation of user-provided URLs within the render_csv_data() function. Attackers can bypass the validation by including ‘docs.google.com/spreadsheets’ in a query parameter. The vulnerability is triggered because the plugin uses these URLs in fopen() calls without implementing adequate safeguards to prevent access to internal or private network addresses. This vulnerability enables authenticated attackers with Contributor-level access or higher to craft malicious requests, potentially exposing sensitive internal data. Successful exploitation allows attackers to probe internal network resources, access configuration files, and potentially escalate attacks further.

Attack Chain

An attacker authenticates to the WordPress site with Contributor-level access or higher.
The attacker crafts a malicious HTTP request targeting the vulnerable render_csv_data() function within the Royal Elementor Addons plugin.
The malicious request includes a user-supplied URL containing ‘docs.google.com/spreadsheets’ within a query parameter to bypass initial validation checks.
The plugin’s render_csv_data() function receives the crafted URL without proper sanitization or validation against internal or private network addresses.
The fopen() function is called with the attacker-controlled URL, initiating an outbound request from the WordPress server.
If the URL points to an internal resource, the WordPress server retrieves the resource content.
The attacker receives the content of the internal resource in the response from the WordPress server.
The attacker analyzes the retrieved content for sensitive information, such as configuration files, API keys, or internal service details.

Impact

Successful exploitation of this SSRF vulnerability (CVE-2026-6229) can lead to the exposure of sensitive internal information, potentially impacting all organizations using the Royal Elementor Addons plugin for WordPress version 1.7.1057 and below. This may include internal configuration files, API keys, database credentials, or other sensitive data accessible through internal services. The severity is high due to the potential for attackers to pivot from this vulnerability and further compromise the WordPress server or the internal network.

Recommendation

Upgrade the Royal Elementor Addons plugin to a version higher than 1.7.1057 to patch CVE-2026-6229.
Deploy the Sigma rule “Detect Royal Elementor Addons SSRF Attempt via URL Parameter” to identify malicious requests targeting the render_csv_data() function in your web server logs.
Implement strict network segmentation and firewall rules to limit access from the WordPress server to internal resources, mitigating the impact of potential SSRF vulnerabilities.

WordPress Drag and Drop File Upload Plugin Vulnerable to Arbitrary File Upload (CVE-2026-5364)

hello@craftedsignal.io — Wed, 03 Jan 2024 18:23:00 +0000

The Drag and Drop File Upload for Contact Form 7 plugin for WordPress, in versions up to and including 1.1.3, contains an arbitrary file upload vulnerability tracked as CVE-2026-5364. The flaw stems from insufficient sanitization of file extensions during the upload process. Specifically, the plugin extracts the file extension before sanitization and allows the file type parameter to be controlled by the attacker. Furthermore, validation occurs on the unsanitized extension, while the file is saved with a sanitized extension, stripping special characters like ‘$’ during the save. While an .htaccess file and name randomization are present, these restrictions may be bypassable in certain configurations or by exploiting other vulnerabilities. This vulnerability could allow unauthenticated attackers to upload arbitrary PHP files to the web server, potentially leading to remote code execution (RCE).

Attack Chain

An unauthenticated attacker identifies a WordPress website using a vulnerable version (<= 1.1.3) of the “Drag and Drop File Upload for Contact Form 7” plugin.
The attacker crafts a malicious HTTP POST request targeting the plugin’s upload endpoint, typically /wp-content/plugins/drag-and-drop-multiple-file-upload-contact-form-7/upload.php.
The POST request includes a file with a manipulated extension, such as evil.php$.jpg, where evil.php is the malicious PHP payload and $.jpg is designed to be sanitized to .jpg.
The attacker modifies the file type parameter in the request to reflect the original manipulated file extension (evil.php$.jpg).
The plugin validates the extension against administrator-configured types but, due to the unsanitized extension and attacker control over the file type parameter, the malicious file passes validation.
The plugin sanitizes the extension, removing the $ character, resulting in a file saved with the extension .php.
The attacker attempts to access the uploaded PHP file via a direct HTTP request to /wp-content/uploads/.php.
If the .htaccess restrictions are bypassed (e.g., due to misconfiguration or another vulnerability), the web server executes the malicious PHP code, granting the attacker remote code execution.

Impact

Successful exploitation of CVE-2026-5364 allows unauthenticated attackers to upload and execute arbitrary PHP code on the target WordPress server. This can lead to complete compromise of the website, including defacement, data theft, and installation of backdoors. While the presence of .htaccess and name randomization mitigates the risk, these protections may be bypassed, especially when combined with other vulnerabilities or misconfigurations. Given the widespread use of WordPress and its plugins, this vulnerability poses a significant risk to a large number of websites. The CVSS v3.1 base score is 8.1, indicating a high severity vulnerability.

Recommendation

Upgrade the “Drag and Drop File Upload for Contact Form 7” plugin to the latest version (greater than 1.1.3) to patch CVE-2026-5364.
Implement a Web Application Firewall (WAF) rule to inspect and block requests containing suspicious file extensions in the POST parameters targeting the plugin’s upload endpoint (/wp-content/plugins/drag-and-drop-multiple-file-upload-contact-form-7/upload.php).
Deploy the Sigma rule Detect Suspicious File Upload via Drag and Drop CF7 to identify exploitation attempts in web server logs (cs-uri-query).
Review and harden .htaccess configurations to ensure that PHP execution is restricted in the /wp-content/uploads/ directory.

WordPress Profile Builder Pro Plugin PHP Object Injection Vulnerability (CVE-2026-7647)

hello@craftedsignal.io — Wed, 03 Jan 2024 14:30:00 +0000

The Profile Builder Pro plugin for WordPress is susceptible to a critical PHP Object Injection vulnerability (CVE-2026-7647) affecting all versions up to and including 3.14.5. This flaw stems from the plugin’s use of the maybe_unserialize() function on the attacker-controlled args POST parameter passed to the wppb_request_users_pins_action_callback() AJAX handler. Critically, this handler lacks nonce verification, input validation, and type checking, making it accessible to unauthenticated users via both wp_ajax_ and wp_ajax_nopriv_ hooks. Successful exploitation allows remote, unauthenticated attackers to inject arbitrary PHP objects into the application’s memory space, potentially leading to remote code execution depending on available classes and application configuration. The vulnerability was published on 2026-05-02.

Attack Chain

An unauthenticated attacker identifies a WordPress site running a vulnerable version (<= 3.14.5) of the Profile Builder Pro plugin.
The attacker crafts a malicious HTTP POST request targeting the WordPress AJAX endpoint (/wp-admin/admin-ajax.php).
The POST request includes the action parameter set to wppb_request_users_pins_action_callback.
The POST request includes the args parameter containing a serialized PHP object designed to trigger arbitrary code execution upon deserialization.
The WordPress server receives the request and invokes the wppb_request_users_pins_action_callback() function.
The vulnerable function calls maybe_unserialize() on the attacker-controlled args parameter without proper sanitization or validation.
The malicious PHP object is deserialized and injected into the application’s memory space.
The injected object’s methods and properties are triggered, leading to arbitrary code execution on the server.

Impact

Successful exploitation of this vulnerability allows an unauthenticated attacker to execute arbitrary PHP code on the target WordPress server. This can lead to complete system compromise, including data theft, website defacement, and the installation of backdoors for persistent access. Given the widespread use of WordPress and the Profile Builder Pro plugin, a large number of websites are potentially at risk until the plugin is updated.

Recommendation

Upgrade the Profile Builder Pro plugin to the latest available version to patch CVE-2026-7647.
Deploy the provided Sigma rule Detect Profile Builder Pro PHP Object Injection Attempt to detect exploitation attempts targeting the vulnerable AJAX endpoint.
Monitor web server logs for POST requests to /wp-admin/admin-ajax.php with the action parameter set to wppb_request_users_pins_action_callback and suspicious serialized data in the args parameter.

WordPress Custom Role Manager Plugin Privilege Escalation via CVE-2026-7106

hello@craftedsignal.io — Wed, 03 Jan 2024 12:00:00 +0000

The Highland Software Custom Role Manager plugin, versions up to and including 1.0.0, is vulnerable to privilege escalation. The vulnerability, identified as CVE-2026-7106, stems from a lack of sufficient authorization checks within the hscrm_save_user_roles() function. This function is accessible to any authenticated user via the personal_options_update action. This allows an attacker with minimal privileges (subscriber level or higher) to potentially elevate their own privileges or those of other users by manipulating user roles through the profile update form. Successful exploitation grants attackers the ability to perform actions reserved for higher-level administrators, potentially leading to complete site compromise.

Attack Chain

An attacker obtains valid credentials for a WordPress user account with at least subscriber-level privileges.
The attacker authenticates to the WordPress site using their credentials.
The attacker accesses their user profile page, typically located at /wp-admin/profile.php.
The attacker crafts a malicious HTTP request targeting the personal_options_update action, modifying the wp_capabilities user meta field. The request is designed to bypass the insufficient authorization checks in the hscrm_save_user_roles() function.
The crafted request is submitted through the profile update form. This likely involves intercepting and modifying the POST request sent when the user clicks the “Update Profile” button.
The hscrm_save_user_roles() function is triggered, and due to the missing authorization checks, the attacker’s modified user roles are saved to the database.
The attacker’s account now possesses elevated privileges, such as administrator or editor roles, depending on the attacker’s goal and the payload in the malicious request.

Impact

Successful exploitation of CVE-2026-7106 allows attackers with minimal privileges to gain administrative control over the WordPress site. This can lead to a variety of malicious activities, including defacement, malware injection, data theft, and denial of service. Given the widespread use of WordPress, this vulnerability poses a significant risk to websites using the affected plugin. A successful attack can result in complete compromise of the affected website.

Recommendation

Upgrade the Highland Software Custom Role Manager plugin to a patched version that addresses CVE-2026-7106.
Monitor WordPress access logs for suspicious POST requests to /wp-admin/profile.php targeting the personal_options_update action to detect exploitation attempts.
Deploy the Sigma rule Detect Suspicious WordPress Role Updates to identify attempts to modify user roles from subscriber-level accounts.
Review user roles and permissions regularly to identify and remediate any unauthorized privilege escalations.

WebPros cPanel & WHM and WP2 Authentication Bypass Vulnerability (CVE-2026-41940)

hello@craftedsignal.io — Wed, 03 Jan 2024 12:00:00 +0000

WebPros cPanel & WHM (WebHost Manager) and WP2 (WordPress Squared) are affected by an authentication bypass vulnerability, identified as CVE-2026-41940. This flaw exists within the login flow, potentially granting unauthenticated remote attackers unauthorized access to the control panel. Successful exploitation allows attackers to bypass normal authentication mechanisms and directly access sensitive administrative functions within cPanel & WHM and WP2. Defenders should apply vendor-provided mitigations or discontinue use of the product if mitigations are not available. The vulnerability was disclosed in April 2026, and mitigations should be applied by May 3, 2026.

Attack Chain

The attacker identifies a vulnerable cPanel & WHM or WP2 instance.
The attacker crafts a malicious HTTP request exploiting the authentication bypass vulnerability in the login flow.
The request is sent to the target server, bypassing authentication checks.
The server incorrectly processes the request, granting the attacker an authenticated session.
The attacker leverages the authenticated session to access administrative interfaces and settings.
The attacker modifies server configurations, potentially creating new administrative accounts.
The attacker installs malicious plugins or software through the control panel.
The attacker achieves full control over the web server and hosted websites.

Impact

Successful exploitation of CVE-2026-41940 can lead to complete compromise of the affected cPanel & WHM or WP2 server. This can result in data breaches, website defacement, malware distribution, and denial-of-service attacks. The impact is significant due to the widespread use of cPanel & WHM in web hosting environments. Compromised servers could be leveraged for further attacks against other systems and networks.

Recommendation

Apply mitigations provided by WebPros as detailed in their security update advisory to address CVE-2026-41940.
Deploy the Sigma rule “Detect cPanel/WHM Authentication Bypass Attempt” to identify potential exploitation attempts in web server logs.
If mitigations cannot be immediately applied, follow BOD 22-01 guidance for cloud services, potentially isolating the affected system until patched.
Consider discontinuing use of the affected product if patches or mitigations are unavailable, as advised in the original CISA KEV entry.

Gravity Forms Plugin Unauthenticated Stored XSS Vulnerability

hello@craftedsignal.io — Wed, 03 Jan 2024 12:00:00 +0000

The Gravity Forms plugin, a widely used WordPress plugin, is susceptible to an unauthenticated stored cross-site scripting (XSS) vulnerability. This flaw, identified as CVE-2026-5110, affects versions up to and including 2.10.0. The vulnerability stems from inadequate input validation and output escaping specifically within the SingleProduct field when it is nested inside a Repeater field. This bypasses normal state validation, allowing attackers to inject malicious HTML and JavaScript into the product name field. The injected payload is then stored unsanitized in the database. This vulnerability allows unauthenticated attackers to inject arbitrary web scripts that execute whenever an administrator accesses an entry containing the malicious payload through the WordPress admin interface.

Attack Chain

An unauthenticated attacker crafts a malicious request to a WordPress endpoint utilizing the Gravity Forms plugin.
The attacker injects arbitrary HTML and JavaScript into the ‘product name’ field (input .1) of a SingleProduct field nested within a Repeater field.
Due to insufficient validation within the validate_subfield() method, the malicious input bypasses the state validation mechanism (failed_state_validation()).
The sanitize_entry_value() method returns the raw, unsanitized value because HTML is not expected for the affected field type.
The malicious input is stored in the WordPress database without proper sanitization or escaping.
An administrator accesses the Gravity Forms entries page in the WordPress admin interface (wp-admin/admin.php?page=gf_entries).
The get_value_entry_detail() method retrieves the malicious product name from the database and outputs it without proper escaping.
The stored XSS payload executes in the administrator’s browser, potentially allowing the attacker to perform actions with the administrator’s privileges.

Impact

Successful exploitation of this vulnerability allows an unauthenticated attacker to execute arbitrary JavaScript code in the context of an administrator’s browser session. This can lead to account compromise, data theft, or further malicious activities within the WordPress administration panel. The vulnerability affects all users of the Gravity Forms plugin on WordPress installations with versions up to and including 2.10.0.

Recommendation

Upgrade the Gravity Forms plugin to the latest version (greater than 2.10.0) to patch CVE-2026-5110.
Deploy the provided Sigma rule Detect Gravity Forms XSS Attempt to identify potential exploitation attempts by monitoring for specific patterns in HTTP requests.
Enable web server logging to capture detailed information about HTTP requests and responses, enabling the Sigma rule’s effectiveness.

ARMember WordPress Plugin Vulnerable to Time-Based Blind SQL Injection (CVE-2026-7649)

hello@craftedsignal.io — Wed, 03 Jan 2024 12:00:00 +0000

The ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup plugin for WordPress is susceptible to time-based blind SQL injection. This vulnerability, identified as CVE-2026-7649, affects all versions up to and including 4.0.60. The root cause lies in the inadequate escaping of the user-supplied ‘orderby’ parameter and the lack of sufficient preparation in the existing SQL query. An unauthenticated attacker can exploit this weakness by injecting malicious SQL queries, potentially leading to the extraction of sensitive information directly from the WordPress database. This presents a significant risk, as it could expose user credentials, personal data, and other confidential information stored within the database, impacting the confidentiality and integrity of the WordPress installation.

Attack Chain

An unauthenticated attacker identifies a WordPress site using the vulnerable ARMember plugin (version <= 4.0.60).
The attacker crafts a malicious HTTP request targeting a page that uses the vulnerable ‘orderby’ parameter.
The attacker injects SQL code into the ‘orderby’ parameter of the HTTP GET or POST request. This code is designed to exploit the time-based blind SQL injection vulnerability.
The ARMember plugin processes the request without properly sanitizing the ‘orderby’ parameter, allowing the injected SQL code to be executed within the database query.
The injected SQL code uses time-delay functions (e.g., SLEEP()) to determine the truthiness of conditions. Based on the response time, the attacker infers whether the injected SQL code is evaluating to true or false.
The attacker iteratively refines the injected SQL code to extract sensitive data, such as table names, column names, and data values, character by character, through observing the time delays.
The attacker dumps sensitive information from the database.
The attacker uses the extracted credentials to gain administrative access to the WordPress site.

Impact

Successful exploitation of this vulnerability allows unauthenticated attackers to extract sensitive information from the WordPress database. This includes user credentials (usernames, email addresses, and password hashes), personal data, and potentially other confidential information stored within the database. The impact could range from unauthorized access to user accounts to complete compromise of the WordPress site and its underlying data. The number of affected sites depends on the prevalence of the ARMember plugin, but given its popularity, the potential impact is widespread.

Recommendation

Apply the latest security patches provided by the ARMember plugin developers immediately to remediate CVE-2026-7649 on all WordPress installations using the plugin.
Deploy the Sigma rule “Detect ARMember SQL Injection Attempt via Orderby Parameter” to your SIEM to detect exploitation attempts against this vulnerability.
Monitor web server logs for suspicious requests containing SQL syntax in the ‘orderby’ parameter to identify potential exploitation attempts (log source: webserver).
Implement and enforce strict input validation and sanitization for all user-supplied parameters, especially those used in database queries, to prevent SQL injection vulnerabilities.

Gravity Forms Plugin Unauthenticated Stored XSS Vulnerability

hello@craftedsignal.io — Wed, 03 Jan 2024 10:00:00 +0000

The Gravity Forms plugin for WordPress, a widely used form management tool, contains a vulnerability that can be exploited by unauthenticated attackers. Specifically, versions up to and including 2.10.0 are susceptible to Stored Cross-Site Scripting (XSS) due to insufficient input validation and output escaping of Calculation Product field names within Repeater fields. This flaw resides in how the plugin processes and renders form submissions containing malicious HTML within the product name field. The vulnerability allows an attacker to inject arbitrary web scripts that execute in the context of an authenticated administrator’s session when they access the entry detail page within the WordPress admin panel. Successful exploitation enables attackers to perform actions with the privileges of the compromised administrator.

Attack Chain

An unauthenticated attacker crafts a malicious form submission.
The malicious payload is placed in the Calculation Product field’s product name (.1) within a Repeater field.
The validate() method in the GF_Field_Calculation class inadequately validates the product name field, failing to sanitize malicious HTML.
The sanitize_entry_value() method returns the raw, unsanitized value for the product name field, as HTML sanitization is not expected for this field.
The malicious form submission is saved as an entry in WordPress.
An authenticated administrator with the gravityforms_view_entries capability accesses the entry detail page in wp-admin.
The get_value_entry_detail() method concatenates the unsanitized product name directly into the output string.
The repeater’s get_value_entry_detail() method renders the unsanitized output, leading to the execution of the injected XSS payload within the administrator’s browser.

Impact

Successful exploitation allows an unauthenticated attacker to execute arbitrary JavaScript code within the context of an authenticated WordPress administrator’s session. This can lead to account takeover, data theft, or further malicious actions performed on the WordPress site. While the number of potentially affected sites is large due to the plugin’s popularity, the impact is limited to administrators who access the specific entry containing the malicious payload.

Recommendation

Upgrade the Gravity Forms plugin to a version greater than 2.10.0 to patch CVE-2026-5112.
Implement the Sigma rule Detect Gravity Forms XSS via Product Name to detect attempts to inject malicious scripts into product names.
Review and audit existing Gravity Forms entries for suspicious content in Calculation Product fields to identify potential exploitation attempts.

ExactMetrics WordPress Plugin Vulnerability Leads to Remote Code Execution

hello@craftedsignal.io — Tue, 02 Jan 2024 12:00:00 +0000

A critical vulnerability, CVE-2026-5464, exists in the ExactMetrics – Google Analytics Dashboard for WordPress (Website Stats Plugin) plugin, affecting all versions up to and including 9.1.2. The vulnerability allows authenticated attackers with Editor-level access or higher, who also possess the ’exactmetrics_view_dashboard’ capability, to install and activate arbitrary WordPress plugins from attacker-controlled URLs. This is possible due to the exposure of the ‘onboarding_key’ transient and the lack of proper authorization checks on the ’exactmetrics_connect_process’ AJAX endpoint. Successful exploitation can lead to Remote Code Execution (RCE) on the target WordPress site. This poses a significant risk to websites using the vulnerable plugin, as attackers can inject malicious code and gain full control of the affected system.

Attack Chain

An attacker gains authenticated access to a WordPress site as an Editor or Administrator.
The attacker obtains the ‘onboarding_key’ by accessing the reports page, which exposes the transient value to users with the ’exactmetrics_view_dashboard’ capability.
The attacker uses the ‘onboarding_key’ to access the ‘/wp-json/exactmetrics/v1/onboarding/connect-url’ REST endpoint, receiving a one-time hash (OTH) token.
The attacker crafts a malicious plugin ZIP file hosted on an attacker-controlled server.
The attacker sends a request to the ’exactmetrics_connect_process’ AJAX endpoint, providing the OTH token and the URL of the malicious plugin ZIP file via the ‘file’ parameter. This endpoint lacks capability checks and nonce verification.
The ExactMetrics plugin downloads the malicious plugin ZIP file from the attacker-controlled URL.
The ExactMetrics plugin installs and activates the malicious plugin.
The attacker gains Remote Code Execution on the WordPress server through the installed malicious plugin.

Impact

Successful exploitation of CVE-2026-5464 allows attackers to install arbitrary plugins on vulnerable WordPress sites, leading to Remote Code Execution. This grants the attacker complete control over the compromised website, enabling them to inject malicious code, deface the site, steal sensitive data, or use the site for further malicious activities. The number of affected websites depends on the widespread use of the ExactMetrics plugin. Organizations using this plugin are at risk of significant data breaches and reputational damage.

Recommendation

Upgrade the ExactMetrics – Google Analytics Dashboard for WordPress (Website Stats Plugin) plugin to the latest version, which patches CVE-2026-5464.
Monitor web server logs for suspicious requests to the ‘/wp-json/exactmetrics/v1/onboarding/connect-url’ REST endpoint and the ’exactmetrics_connect_process’ AJAX endpoint. Implement the Sigma rule provided below to detect exploitation attempts.
Implement strong password policies and multi-factor authentication to prevent unauthorized access to WordPress accounts.
Restrict the ’exactmetrics_view_dashboard’ capability to only the necessary users.

Brizy WordPress Plugin Unauthenticated Stored XSS Vulnerability

hello@craftedsignal.io — Tue, 02 Jan 2024 12:00:00 +0000

The Brizy – Page Builder plugin for WordPress, a popular tool for designing website pages, contains a critical vulnerability that allows unauthenticated users to inject malicious JavaScript code. Specifically, versions up to and including 2.8.11 are affected. This vulnerability arises from a combination of factors, including the lack of nonce verification for form submissions from non-logged-in users, inadequate handling of FileUpload fields when no file is actually uploaded, and the unintended reversal of security encoding through html_entity_decode() before outputting data. This allows attackers to inject arbitrary web scripts that execute in the context of a logged-in administrator viewing the form’s “Leads” page, potentially leading to account takeover, data theft, or further compromise of the WordPress site.

Attack Chain

An unauthenticated attacker crafts a malicious payload containing JavaScript code.
The attacker submits this payload through a Brizy form on the WordPress site, exploiting the missing nonce verification in the submit_form() function.
The handleFileTypeFields() function fails to properly sanitize or overwrite the attacker-supplied values when no file is attached to the form submission.
The injected payload, now stored in the WordPress database, bypasses initial htmlentities() encoding due to later html_entity_decode().
An administrator logs into the WordPress dashboard and navigates to the “Leads” page to view form submissions.
The form-data.php template retrieves the stored malicious payload from the database.
The payload is outputted directly within the href attribute of an HTML element without proper escaping using esc_url().
The injected JavaScript code executes within the administrator’s browser, potentially performing actions such as stealing cookies or redirecting the administrator to a malicious site.

Impact

Successful exploitation of this vulnerability allows an unauthenticated attacker to execute arbitrary JavaScript code in the context of a logged-in administrator’s browser. This could lead to a full compromise of the WordPress site, including the ability to create new administrative accounts, modify existing content, inject malware into the site’s pages, or steal sensitive data. The impact is significant, as it requires no user interaction beyond an administrator viewing the form submissions within the Brizy plugin.

Recommendation

Upgrade the Brizy – Page Builder plugin to the latest version to patch CVE-2026-5324.
Deploy the Sigma rule “Detect Brizy WordPress Plugin XSS Attempt via HTTP Request” to identify potential exploitation attempts in web server logs.
Review the form-data.php template and implement proper output escaping using esc_url() for all user-supplied data to prevent XSS, as mentioned in the vulnerability description.