Vendor
Authenticated attackers with Custom-level access or higher can exploit CVE-2026-14489, a missing file type validation vulnerability (CWE-434) in the `connect()` function of the WHMCS Bridge plugin for WordPress versions up to and including 6.9, to upload arbitrary files, potentially leading to remote code execution.