{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/wordpress/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-25863"}],"_cs_exploited":false,"_cs_products":["Contact Form 7 WordPress plugin"],"_cs_severities":["medium"],"_cs_tags":["wordpress","resource-exhaustion","denial-of-service","cve-2026-25863"],"_cs_type":"advisory","_cs_vendors":["WordPress"],"content_html":"\u003cp\u003eThe Contact Form 7 WordPress plugin, specifically versions up to 2.6.7, contains an uncontrolled resource consumption vulnerability (CVE-2026-25863) within the \u003ccode\u003eWpcf7cfMailParser\u003c/code\u003e class. The \u003ccode\u003ehide_hidden_mail_fields_regex_callback()\u003c/code\u003e method is susceptible to unbounded loop execution due to reading an iteration count directly from user-supplied POST parameters via the REST API endpoint without proper validation. This allows unauthenticated attackers to send a large integer value, triggering multiple \u003ccode\u003epreg_replace()\u003c/code\u003e operations, leading to server memory exhaustion and crashing the PHP process. 
This vulnerability enables a denial-of-service condition, potentially impacting all websites using the vulnerable plugin.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker identifies a WordPress website using the Contact Form 7 plugin, version 2.6.7 or earlier.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP POST request targeting the WordPress REST API endpoint.\u003c/li\u003e\n\u003cli\u003eThe POST request includes a large integer value for the iteration count parameter, which is passed directly to the \u003ccode\u003ehide_hidden_mail_fields_regex_callback()\u003c/code\u003e method.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ehide_hidden_mail_fields_regex_callback()\u003c/code\u003e method, lacking input validation, reads the attacker-controlled integer.\u003c/li\u003e\n\u003cli\u003eThe method initiates an unbounded loop, performing \u003ccode\u003epreg_replace()\u003c/code\u003e operations based on the attacker-supplied iteration count.\u003c/li\u003e\n\u003cli\u003eEach \u003ccode\u003epreg_replace()\u003c/code\u003e operation consumes server memory.\u003c/li\u003e\n\u003cli\u003eThe excessive number of iterations rapidly exhausts available server memory.\u003c/li\u003e\n\u003cli\u003eThe PHP process crashes due to memory exhaustion, resulting in a denial-of-service condition for the website.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability leads to a denial-of-service condition. Attackers can crash the PHP process on vulnerable WordPress websites by exhausting server memory. This can result in website downtime, impacting user experience and potentially leading to data loss or corruption. 
While the exact number of affected websites is unknown, the widespread use of Contact Form 7 makes this vulnerability a significant threat.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the Contact Form 7 WordPress plugin to a version greater than 2.6.7 to patch CVE-2026-25863.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Contact Form 7 Uncontrolled Resource Consumption Attempt\u003c/code\u003e to your SIEM to detect malicious POST requests targeting the WordPress REST API.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for abnormally large POST request sizes to the WordPress REST API endpoint, as this may indicate an attempted exploitation of CVE-2026-25863.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T19:16:02Z","date_published":"2026-05-04T19:16:02Z","id":"/briefs/2026-05-contact-form-7-resource-exhaustion/","summary":"The Contact Form 7 WordPress plugin through version 2.6.7 is vulnerable to uncontrolled resource consumption, allowing unauthenticated attackers to exhaust server memory and crash the PHP process by supplying an arbitrarily large integer value to the REST API endpoint, leading to unbounded loop execution.","title":"Contact Form 7 WordPress Plugin Uncontrolled Resource Consumption Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-05-contact-form-7-resource-exhaustion/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-41471"}],"_cs_exploited":false,"_cs_products":["Easy PayPal Events \u0026 Tickets plugin"],"_cs_severities":["high"],"_cs_tags":["wordpress","info-disclosure","cve-2026-41471","unauthenticated","enumeration"],"_cs_type":"advisory","_cs_vendors":["WordPress"],"content_html":"\u003cp\u003eThe Easy PayPal Events \u0026amp; Tickets plugin for WordPress, versions 1.3 and earlier, contains an information disclosure vulnerability (CVE-2026-41471). 
This vulnerability allows unauthenticated attackers to iterate through WordPress post IDs via the \u003ccode\u003escan_qr.php\u003c/code\u003e endpoint. By sequentially accessing these IDs, attackers can retrieve customer order records stored within the WordPress database. The plugin was officially closed as of March 18, 2026, meaning websites using the plugin prior to this date are vulnerable. This allows for the potential harvesting of sensitive customer data including names, addresses, and purchase histories.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker identifies a WordPress site using the vulnerable Easy PayPal Events \u0026amp; Tickets plugin (version 1.3 or earlier).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting the \u003ccode\u003escan_qr.php\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the request to iterate through sequential WordPress post IDs.\u003c/li\u003e\n\u003cli\u003eThe server processes the request without proper authentication or authorization checks.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003escan_qr.php\u003c/code\u003e endpoint queries the WordPress database for order records associated with the provided post ID.\u003c/li\u003e\n\u003cli\u003eIf a valid order record is found, the server returns the information in the HTTP response.\u003c/li\u003e\n\u003cli\u003eThe attacker parses the HTTP response to extract customer order information.\u003c/li\u003e\n\u003cli\u003eThe attacker repeats steps 2-7, incrementing the post ID to enumerate all order records.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows unauthenticated attackers to retrieve all customer order records stored in the WordPress database. 
This can lead to the disclosure of sensitive customer information, including names, email addresses, purchase history, and potentially other personal details. The number of affected victims depends on the popularity and usage of the vulnerable plugin. If the database contains financial information, the impact could be severe.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule detecting requests to the \u003ccode\u003escan_qr.php\u003c/code\u003e endpoint with iterative post IDs to identify potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eIf still using the Easy PayPal Events \u0026amp; Tickets plugin, remove the plugin, as it was closed as of 2026-03-18.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious activity targeting the \u003ccode\u003escan_qr.php\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eReview the WordPress access logs for requests originating from unusual IP addresses accessing the \u003ccode\u003escan_qr.php\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T18:16:29Z","date_published":"2026-05-04T18:16:29Z","id":"/briefs/2026-05-wordpress-easy-paypal-info-disclosure/","summary":"An information disclosure vulnerability in the Easy PayPal Events \u0026 Tickets WordPress plugin (versions 1.3 and earlier) allows unauthenticated attackers to enumerate and retrieve all customer order records via the scan_qr.php endpoint.","title":"WordPress Easy PayPal Events \u0026 Tickets Plugin Information Disclosure Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-05-wordpress-easy-paypal-info-disclosure/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-32834"}],"_cs_exploited":false,"_cs_products":["Easy PayPal Events \u0026 Tickets plugin"],"_cs_severities":["high"],"_cs_tags":["wordpress","authentication bypass","vulnerability"],"_cs_type":"advisory","_cs_vendors":["WordPress"],"content_html":"\u003cp\u003eThe 
Easy PayPal Events \u0026amp; Tickets plugin for WordPress, versions 1.3 and earlier, contains a critical hardcoded authentication bypass vulnerability (CVE-2026-32834) within its QR code scanning functionality. This flaw allows unauthenticated remote attackers to bypass hash verification by supplying the string \u0026lsquo;test\u0026rsquo; as the hash parameter when accessing the \u003ccode\u003eadd_wpeevent_button_qr\u003c/code\u003e action. This bypass enables attackers to retrieve sensitive order details associated with any post ID, including PayPal transaction IDs, customer email addresses, purchase amounts, and ticket information. The vulnerable plugin was officially closed on March 18, 2026, making it imperative to identify and mitigate any remaining installations to prevent potential data breaches.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a WordPress site using the Easy PayPal Events \u0026amp; Tickets plugin (version 1.3 or earlier).\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious HTTP GET request targeting the \u003ccode\u003e/wp-admin/admin-ajax.php\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe request includes the \u003ccode\u003eaction\u003c/code\u003e parameter set to \u003ccode\u003eadd_wpeevent_button_qr\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe request includes a \u003ccode\u003ehash\u003c/code\u003e parameter set to the hardcoded value \u003ccode\u003etest\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe request includes a \u003ccode\u003epost_id\u003c/code\u003e parameter, either guessed or obtained through other means.\u003c/li\u003e\n\u003cli\u003eThe vulnerable plugin bypasses authentication due to the hardcoded hash.\u003c/li\u003e\n\u003cli\u003eThe plugin processes the request and retrieves sensitive order details associated with the provided \u003ccode\u003epost_id\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe 
attacker receives the sensitive data, including PayPal transaction IDs, customer email addresses, purchase amounts, and ticket information.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability grants unauthenticated attackers access to sensitive customer and transaction data associated with events and tickets managed through the Easy PayPal Events \u0026amp; Tickets plugin. The leaked information, including customer email addresses and PayPal transaction IDs, can be used for further malicious activities such as phishing campaigns, identity theft, and financial fraud. The number of affected WordPress sites is unknown, but any site using a vulnerable version of the plugin is at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect WordPress Easy PayPal Events \u0026amp; Tickets Authentication Bypass Attempt\u003c/code\u003e to your SIEM to detect exploitation attempts targeting the vulnerable endpoint.\u003c/li\u003e\n\u003cli\u003eInspect web server logs for requests to \u003ccode\u003e/wp-admin/admin-ajax.php\u003c/code\u003e with the \u003ccode\u003eaction\u003c/code\u003e parameter set to \u003ccode\u003eadd_wpeevent_button_qr\u003c/code\u003e and the \u003ccode\u003ehash\u003c/code\u003e parameter set to \u003ccode\u003etest\u003c/code\u003e to identify potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for suspicious data exfiltration following the identified exploitation attempts to mitigate potential damage.\u003c/li\u003e\n\u003cli\u003eIf the plugin is still installed, remove it immediately.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T18:16:27Z","date_published":"2026-05-04T18:16:27Z","id":"/briefs/2026-05-wordpress-paypal-auth-bypass/","summary":"An unauthenticated remote attacker can exploit a hardcoded 
authentication bypass vulnerability in the Easy PayPal Events \u0026 Tickets plugin for WordPress (versions 1.3 and earlier) by providing 'test' as the hash parameter, allowing retrieval of sensitive order details.","title":"WordPress Easy PayPal Events \u0026 Tickets Plugin Authentication Bypass Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-05-wordpress-paypal-auth-bypass/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.2,"id":"CVE-2026-5063"}],"_cs_exploited":false,"_cs_products":["NEX-Forms – Ultimate Forms Plugin for WordPress plugin \u003c= 9.1.11"],"_cs_severities":["medium"],"_cs_tags":["wordpress","xss","stored-xss","cve-2026-5063"],"_cs_type":"advisory","_cs_vendors":["WordPress"],"content_html":"\u003cp\u003eThe NEX-Forms – Ultimate Forms Plugin for WordPress, versions up to and including 9.1.11, is susceptible to a stored Cross-Site Scripting (XSS) vulnerability (CVE-2026-5063). This flaw stems from inadequate input sanitization and output escaping within the \u003ccode\u003esubmit_nex_form()\u003c/code\u003e function. Unauthenticated attackers can exploit this vulnerability by injecting malicious JavaScript code through POST parameter key names. Successful exploitation allows the attacker to execute arbitrary scripts in the context of a user\u0026rsquo;s browser when they access a page containing the injected script, potentially leading to session hijacking, defacement, or redirection to malicious sites. 
The vulnerability was reported to Wordfence and a patch has been released.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP POST request to a WordPress page that utilizes the vulnerable NEX-Forms plugin.\u003c/li\u003e\n\u003cli\u003eThe POST request includes specially crafted parameter key names designed to inject JavaScript code.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003esubmit_nex_form()\u003c/code\u003e function processes the POST request without properly sanitizing or escaping the malicious input.\u003c/li\u003e\n\u003cli\u003eThe injected JavaScript code is stored in the WordPress database.\u003c/li\u003e\n\u003cli\u003eA legitimate user accesses a page where the form data, including the malicious script, is displayed.\u003c/li\u003e\n\u003cli\u003eThe stored JavaScript code executes within the user\u0026rsquo;s browser in the context of the WordPress page.\u003c/li\u003e\n\u003cli\u003eThe attacker can then perform actions such as stealing cookies, redirecting the user, or modifying the page content.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this stored XSS vulnerability allows an unauthenticated attacker to inject arbitrary JavaScript code into pages using the NEX-Forms plugin. This can lead to various malicious outcomes, including user session hijacking, website defacement, or redirection to phishing sites. As the vulnerability is stored, every user who visits a page containing the malicious script will be affected until the vulnerability is patched and the malicious input is removed. 
The severity is rated as HIGH with a CVSS base score of 7.2.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the NEX-Forms – Ultimate Forms Plugin for WordPress to a version beyond 9.1.11 to patch CVE-2026-5063.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Suspicious NEX-Forms POST Requests\u003c/code\u003e to identify potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious POST requests containing potentially malicious JavaScript code in parameter names.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-03T06:15:57Z","date_published":"2026-05-03T06:15:57Z","id":"/briefs/2026-05-wordpress-nex-forms-xss/","summary":"The NEX-Forms WordPress plugin is vulnerable to stored XSS via POST parameter key names, allowing unauthenticated attackers to inject arbitrary web scripts.","title":"NEX-Forms WordPress Plugin Vulnerable to Stored Cross-Site Scripting (CVE-2026-5063)","url":"https://feed.craftedsignal.io/briefs/2026-05-wordpress-nex-forms-xss/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.1,"id":"CVE-2026-2554"}],"_cs_exploited":false,"_cs_products":["WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible plugin \u003c= 6.7.25"],"_cs_severities":["high"],"_cs_tags":["idor","wordpress","woocommerce","account-deletion"],"_cs_type":"advisory","_cs_vendors":["WordPress"],"content_html":"\u003cp\u003eThe WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible plugin, a popular WordPress plugin, is affected by an Insecure Direct Object Reference (IDOR) vulnerability. This flaw, present in versions up to and including 6.7.25, stems from a lack of proper validation on the \u003ccode\u003ecustomerid\u003c/code\u003e parameter within the \u003ccode\u003ewcfm_delete_wcfm_customer\u003c/code\u003e function. 
An attacker with Vendor-level privileges or higher can exploit this vulnerability to delete any user account on the WordPress instance, including those with administrative rights. This can lead to complete compromise of the affected website.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker authenticates to the WordPress site with Vendor-level access or higher.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting the \u003ccode\u003ewcfm_delete_wcfm_customer\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe attacker includes the \u003ccode\u003ecustomerid\u003c/code\u003e parameter in the request, setting its value to the ID of the target user account they wish to delete.\u003c/li\u003e\n\u003cli\u003eDue to the missing validation on the \u003ccode\u003ecustomerid\u003c/code\u003e parameter, the application directly uses the provided ID to locate the user account.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ewcfm_delete_wcfm_customer\u003c/code\u003e function proceeds to delete the user account identified by the attacker-supplied \u003ccode\u003ecustomerid\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe targeted user account is successfully deleted from the WordPress instance.\u003c/li\u003e\n\u003cli\u003eIf the deleted user account was an administrator, the attacker can effectively take control of the website.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this IDOR vulnerability allows an attacker to delete arbitrary user accounts, including those with administrative privileges. This can lead to a complete compromise of the affected WordPress website. An attacker could then deface the website, steal sensitive data, or use it to launch further attacks. 
Due to the popularity of the plugin, a large number of WooCommerce stores are potentially affected.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the latest available patch or upgrade to a version of the WCFM plugin greater than 6.7.25 to remediate CVE-2026-2554.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious requests to \u003ccode\u003ewcfm_delete_wcfm_customer\u003c/code\u003e with unusual \u003ccode\u003ecustomerid\u003c/code\u003e values, using the Sigma rule provided below.\u003c/li\u003e\n\u003cli\u003eImplement input validation on the \u003ccode\u003ecustomerid\u003c/code\u003e parameter within the \u003ccode\u003ewcfm_delete_wcfm_customer\u003c/code\u003e function to prevent arbitrary user deletion.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-02T14:16:17Z","date_published":"2026-05-02T14:16:17Z","id":"/briefs/2026-05-wordpress-wcfm-idor/","summary":"The WCFM plugin for WordPress is vulnerable to an Insecure Direct Object Reference (IDOR) that allows authenticated attackers with Vendor-level access or higher to delete arbitrary users, including administrators.","title":"WordPress WCFM Plugin Vulnerable to IDOR Leading to Account Deletion","url":"https://feed.craftedsignal.io/briefs/2026-05-wordpress-wcfm-idor/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-6320"}],"_cs_exploited":false,"_cs_products":["Salon Booking System – Free Version plugin for WordPress \u003c= 10.30.25"],"_cs_severities":["high"],"_cs_tags":["arbitrary-file-read","wordpress","plugin-vulnerability","cve"],"_cs_type":"advisory","_cs_vendors":["WordPress"],"content_html":"\u003cp\u003eThe Salon Booking System – Free Version plugin for WordPress, versions up to and including 10.30.25, contains an arbitrary file read vulnerability. This flaw stems from the plugin\u0026rsquo;s public booking flow, where it accepts attacker-controlled file-field values. 
These values are subsequently used as trusted paths when creating email attachments for booking confirmations. This allows an unauthenticated attacker to supply a path to any file accessible to the web server, triggering its inclusion as an attachment in the booking confirmation email, effectively enabling arbitrary file exfiltration. Exploitation requires no authentication and can be triggered remotely.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker accesses the public booking form of a WordPress site running the vulnerable Salon Booking System plugin.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious request to the booking form, injecting a file path (e.g., \u003ccode\u003e/etc/passwd\u003c/code\u003e) into a file-field parameter.\u003c/li\u003e\n\u003cli\u003eThe plugin processes the booking request and stores the attacker-supplied file path.\u003c/li\u003e\n\u003cli\u003eThe plugin generates a booking confirmation email.\u003c/li\u003e\n\u003cli\u003eThe plugin uses the stored, attacker-controlled file path to attach the specified file to the confirmation email.\u003c/li\u003e\n\u003cli\u003eThe booking confirmation email, now containing the arbitrary file as an attachment, is sent to the user who initiated the booking (which could be the attacker or an unwitting third party).\u003c/li\u003e\n\u003cli\u003eThe attacker retrieves the email (if sent to the attacker) or intercepts it (if sent to a third party) and extracts the attached file.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to the contents of the exfiltrated file.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows unauthenticated attackers to read arbitrary files from the affected WordPress server. 
This could lead to the disclosure of sensitive information, such as configuration files, database credentials, or other confidential data. The vulnerability affects versions of the Salon Booking System plugin up to and including 10.30.25. The number of affected WordPress installations is unknown, but could be substantial given the plugin\u0026rsquo;s popularity.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the Salon Booking System plugin to the latest version to patch CVE-2026-6320.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs (category \u003ccode\u003ewebserver\u003c/code\u003e, product \u003ccode\u003elinux\u003c/code\u003e) for suspicious requests containing absolute or relative file paths in file-field parameters, using a detection rule similar to the ones provided below.\u003c/li\u003e\n\u003cli\u003eImplement strict input validation and sanitization for all user-supplied data, especially file paths.\u003c/li\u003e\n\u003cli\u003eReview and restrict file system permissions to limit the files accessible to the web server process.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-02T12:16:16Z","date_published":"2026-05-02T12:16:16Z","id":"/briefs/2026-05-wordpress-arbitrary-file-read/","summary":"The Salon Booking System WordPress plugin is vulnerable to arbitrary file read, allowing unauthenticated attackers to exfiltrate local files by manipulating file-field values in booking confirmation emails.","title":"Salon Booking System WordPress Plugin Arbitrary File Read Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-05-wordpress-arbitrary-file-read/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.1,"id":"CVE-2026-4100"}],"_cs_exploited":false,"_cs_products":["Paid Memberships Pro 
plugin"],"_cs_severities":["high"],"_cs_tags":["wordpress","stripe","webhook","vulnerability","plugin"],"_cs_type":"advisory","_cs_vendors":["Stripe","WordPress"],"content_html":"\u003cp\u003eThe Paid Memberships Pro plugin, a popular WordPress plugin for managing paid subscriptions, contains a vulnerability (CVE-2026-4100) that allows authenticated attackers with minimal privileges (Subscriber-level access) to manipulate Stripe webhook configurations. This flaw exists in versions up to and including 3.6.5 due to missing capability checks on specific AJAX handlers. An attacker exploiting this vulnerability can delete, create, or rebuild the site\u0026rsquo;s Stripe webhook, leading to significant disruptions in payment processing, subscription renewal synchronization, cancellation handling, and management of failed payments. This vulnerability puts revenue streams and customer relationships at risk for any organization using the affected plugin versions.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains Subscriber-level access to the WordPress site, either through registration or compromised credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious AJAX request targeting the \u003ccode\u003ewp_ajax_pmpro_stripe_create_webhook\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker crafts a malicious AJAX request to the \u003ccode\u003ewp_ajax_pmpro_stripe_delete_webhook\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eOr, the attacker crafts a malicious AJAX request to the \u003ccode\u003ewp_ajax_pmpro_stripe_rebuild_webhook\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eDue to missing capability checks, the server processes the request without proper authorization.\u003c/li\u003e\n\u003cli\u003eThe Stripe webhook configuration is modified, deleted, or rebuilt based on the attacker\u0026rsquo;s 
request.\u003c/li\u003e\n\u003cli\u003eLegitimate payment processing and subscription management processes fail due to the altered webhook configuration.\u003c/li\u003e\n\u003cli\u003eThe attacker effectively disrupts the site\u0026rsquo;s ability to collect payments and manage subscriptions.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to completely disrupt a WordPress site\u0026rsquo;s payment processing and subscription management functionalities. This can result in significant financial losses due to interrupted sales and subscription renewals. Furthermore, the disruption can damage customer trust and lead to churn as users experience issues with their subscriptions. The vulnerability affects all sites using Paid Memberships Pro plugin versions up to 3.6.5.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately update the Paid Memberships Pro plugin to the latest version to patch CVE-2026-4100.\u003c/li\u003e\n\u003cli\u003eMonitor WordPress web server logs for POST requests to \u003ccode\u003e/wp-admin/admin-ajax.php\u003c/code\u003e with the \u003ccode\u003eaction\u003c/code\u003e parameter set to \u003ccode\u003epmpro_stripe_create_webhook\u003c/code\u003e, \u003ccode\u003epmpro_stripe_delete_webhook\u003c/code\u003e, or \u003ccode\u003epmpro_stripe_rebuild_webhook\u003c/code\u003e using the \u0026ldquo;Detect Suspicious PMPro Stripe Webhook AJAX Requests\u0026rdquo; Sigma rule.\u003c/li\u003e\n\u003cli\u003eReview user roles and permissions to minimize the number of users with Subscriber-level access as a temporary mitigation.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-02T12:16:16Z","date_published":"2026-05-02T12:16:16Z","id":"/briefs/2026-05-pmpro-stripe-webhook-vuln/","summary":"The Paid Memberships Pro plugin for WordPress is vulnerable to unauthorized 
modification of Stripe webhook configurations due to missing capability checks, allowing authenticated attackers with Subscriber-level access to disrupt payment processing.","title":"Paid Memberships Pro Plugin Vulnerability Allows Unauthorized Stripe Webhook Modification","url":"https://feed.craftedsignal.io/briefs/2026-05-pmpro-stripe-webhook-vuln/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-4062"}],"_cs_exploited":false,"_cs_products":["Geo Mashup plugin \u003c= 1.13.18"],"_cs_severities":["high"],"_cs_tags":["sqli","wordpress","plugin"],"_cs_type":"advisory","_cs_vendors":["WordPress"],"content_html":"\u003cp\u003eThe Geo Mashup plugin for WordPress, in versions up to and including 1.13.18, contains a Time-Based SQL Injection vulnerability (CVE-2026-4062). The vulnerability exists within the \u0026lsquo;object_ids\u0026rsquo; and \u0026lsquo;exclude_object_ids\u0026rsquo; parameters. Insufficient escaping of user-supplied input, specifically within the \u003ccode\u003eIN(...)\u003c/code\u003e and \u003ccode\u003eNOT IN(...)\u003c/code\u003e SQL context, coupled with inadequate preparation of the existing SQL query, allows for the injection. The \u003ccode\u003eesc_sql()\u003c/code\u003e function is applied but is rendered ineffective due to its inability to protect against parentheses or SQL keyword injection within the unquoted \u003ccode\u003eIN(...)\u003c/code\u003e / \u003ccode\u003eNOT IN(...)\u003c/code\u003e context. A numeric-only sanitizer exists in \u003ccode\u003esanitize_query_args()\u003c/code\u003e, but this is only applied in the AJAX code path and not in the \u003ccode\u003erender-map.php\u003c/code\u003e or template tag code paths. 
This flaw enables unauthenticated attackers to append malicious SQL queries, facilitating the extraction of sensitive information from the WordPress database through a time-based blind SQL injection technique.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker identifies the vulnerable Geo Mashup plugin running on a WordPress site.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting an endpoint that utilizes the \u0026lsquo;object_ids\u0026rsquo; or \u0026lsquo;exclude_object_ids\u0026rsquo; parameters.\u003c/li\u003e\n\u003cli\u003eThe attacker injects a time-based SQL injection payload into the \u0026lsquo;object_ids\u0026rsquo; or \u0026lsquo;exclude_object_ids\u0026rsquo; parameter. This payload leverages SQL functions like \u003ccode\u003eSLEEP()\u003c/code\u003e or \u003ccode\u003eBENCHMARK()\u003c/code\u003e to introduce delays based on conditional SQL logic.\u003c/li\u003e\n\u003cli\u003eThe vulnerable code fails to properly sanitize the injected SQL code due to the ineffective \u003ccode\u003eesc_sql()\u003c/code\u003e function in the \u003ccode\u003eIN\u003c/code\u003e/\u003ccode\u003eNOT IN\u003c/code\u003e context.\u003c/li\u003e\n\u003cli\u003eThe injected SQL payload is appended to the existing SQL query executed by the Geo Mashup plugin.\u003c/li\u003e\n\u003cli\u003eThe database server executes the combined query, including the injected time-based SQL injection.\u003c/li\u003e\n\u003cli\u003eThe attacker monitors the response time of the HTTP request. 
A delayed response indicates that the injected SQL logic evaluated to true.\u003c/li\u003e\n\u003cli\u003eBy repeatedly sending requests with different SQL injection payloads, the attacker can extract sensitive information from the database one character at a time.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability can lead to the complete compromise of the WordPress database. An attacker can extract sensitive information such as user credentials, API keys, configuration details, and other confidential data. This can result in data breaches, unauthorized access to the WordPress site, and potential further attacks on connected systems. The CVSS v3.1 base score for this vulnerability is 7.5, indicating a high severity.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the Geo Mashup plugin to a version greater than 1.13.18 to remediate CVE-2026-4062.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Geo Mashup Time-Based SQL Injection Attempts\u003c/code\u003e to identify potential exploitation attempts targeting the vulnerable parameters.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious requests containing SQL injection payloads in the \u0026lsquo;object_ids\u0026rsquo; or \u0026lsquo;exclude_object_ids\u0026rsquo; parameters to detect exploitation attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-02T12:16:16Z","date_published":"2026-05-02T12:16:16Z","id":"/briefs/2026-05-geo-mashup-sqli/","summary":"The Geo Mashup WordPress plugin is vulnerable to Time-Based SQL Injection due to insufficient input sanitization, allowing unauthenticated attackers to extract sensitive database information.","title":"Geo Mashup WordPress Plugin Vulnerable to Time-Based SQL Injection 
(CVE-2026-4062)","url":"https://feed.craftedsignal.io/briefs/2026-05-geo-mashup-sqli/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-4061"}],"_cs_exploited":false,"_cs_products":["Geo Mashup plugin"],"_cs_severities":["high"],"_cs_tags":["sql-injection","wordpress","plugin"],"_cs_type":"advisory","_cs_vendors":["WordPress"],"content_html":"\u003cp\u003eThe Geo Mashup plugin for WordPress is vulnerable to time-based SQL injection, as detailed in CVE-2026-4061. This vulnerability affects all versions of the plugin up to and including 1.13.18. The root cause lies in the \u003ccode\u003eSearchResults\u003c/code\u003e hook, where the \u003ccode\u003emap_post_type\u003c/code\u003e parameter is mishandled. Specifically, the code first calls \u003ccode\u003estripslashes_deep($_POST)\u003c/code\u003e, effectively removing WordPress\u0026rsquo;s magic quotes protection. Subsequently, the unsanitized \u003ccode\u003emap_post_type\u003c/code\u003e value is directly concatenated into an \u003ccode\u003eIN(...)\u003c/code\u003e clause without proper escaping using \u003ccode\u003eesc_sql()\u003c/code\u003e or \u003ccode\u003e$wpdb-\u0026gt;prepare()\u003c/code\u003e. While the \u0026lsquo;any\u0026rsquo; branch of the code correctly applies \u003ccode\u003earray_map('esc_sql', ...)\u003c/code\u003e, the alternative branch lacks this crucial sanitization step. Successful exploitation requires the Geo Search feature to be enabled in the plugin\u0026rsquo;s settings. 
This vulnerability allows unauthenticated attackers to inject malicious SQL queries, potentially leading to the extraction of sensitive database information through time-based blind techniques.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a WordPress site using a vulnerable version of the Geo Mashup plugin (\u0026lt;= 1.13.18) with the Geo Search feature enabled.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP POST request targeting the \u003ccode\u003eSearchResults\u003c/code\u003e hook with a specially crafted \u003ccode\u003emap_post_type\u003c/code\u003e parameter containing SQL injection payload.\u003c/li\u003e\n\u003cli\u003eThe vulnerable code within the Geo Mashup plugin processes the POST request, removing magic quotes using \u003ccode\u003estripslashes_deep($_POST)\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe unsanitized \u003ccode\u003emap_post_type\u003c/code\u003e value is then concatenated directly into an SQL query within an \u003ccode\u003eIN(...)\u003c/code\u003e clause without proper escaping.\u003c/li\u003e\n\u003cli\u003eThe injected SQL code executes within the database query, allowing the attacker to manipulate the query\u0026rsquo;s behavior.\u003c/li\u003e\n\u003cli\u003eThe attacker uses time-based SQL injection techniques (e.g., \u003ccode\u003eIF(condition, SLEEP(5), 0)\u003c/code\u003e) within the injected payload to infer information based on the response time.\u003c/li\u003e\n\u003cli\u003eBy repeatedly sending modified requests and observing the response times, the attacker can extract sensitive data, character by character, from the database.\u003c/li\u003e\n\u003cli\u003eThe attacker extracts sensitive information such as usernames, passwords, API keys, or other confidential data stored in the WordPress database.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful 
exploitation of this vulnerability allows unauthenticated attackers to extract sensitive information from the WordPress database. The severity of the impact depends on the sensitivity of the data stored in the database, but could include exposure of user credentials, confidential business data, or other sensitive information. Because it affects any installation with the Geo Search feature enabled, a large number of websites using the Geo Mashup plugin may be vulnerable. The CVSS v3.1 base score is 7.5, indicating a high severity vulnerability.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the Geo Mashup plugin to the latest version (later than 1.13.18) to patch CVE-2026-4061.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule to detect potential exploitation attempts targeting the vulnerable \u003ccode\u003eSearchResults\u003c/code\u003e hook using a malicious \u003ccode\u003emap_post_type\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eReview web server logs for suspicious POST requests to \u003ccode\u003e/wp-admin/admin-ajax.php\u003c/code\u003e (common AJAX endpoint in WordPress) containing potentially malicious SQL injection payloads in the \u003ccode\u003emap_post_type\u003c/code\u003e parameter.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-02T12:16:16Z","date_published":"2026-05-02T12:16:16Z","id":"/briefs/2026-05-geo-mashup-sql-injection/","summary":"A time-based SQL injection vulnerability (CVE-2026-4061) exists in the Geo Mashup WordPress plugin (\u003c= 1.13.18) due to insufficient sanitization of the 'map_post_type' parameter, enabling unauthenticated attackers to extract sensitive information via time-based blind SQL injection if the Geo Search feature is enabled.","title":"Geo Mashup WordPress Plugin Vulnerable to Time-Based SQL Injection 
(CVE-2026-4061)","url":"https://feed.craftedsignal.io/briefs/2026-05-geo-mashup-sql-injection/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-2052"}],"_cs_exploited":false,"_cs_products":["The Widget Options – Advanced Conditional Visibility for Gutenberg Blocks \u0026 Classic Widgets plugin \u003c= 4.2.2"],"_cs_severities":["critical"],"_cs_tags":["wordpress","rce","plugin"],"_cs_type":"advisory","_cs_vendors":["WordPress"],"content_html":"\u003cp\u003eThe Widget Options – Advanced Conditional Visibility for Gutenberg Blocks \u0026amp; Classic Widgets plugin, versions 4.2.2 and earlier, contains a Remote Code Execution (RCE) vulnerability (CVE-2026-2052). This flaw stems from the plugin\u0026rsquo;s Display Logic feature, which utilizes the \u003ccode\u003eeval()\u003c/code\u003e function to process user-supplied expressions. The plugin\u0026rsquo;s implemented blocklist/allowlist is insufficient, making it bypassable through techniques involving \u003ccode\u003earray_map\u003c/code\u003e with string concatenation. Furthermore, the plugin lacks proper authorization enforcement on the \u003ccode\u003eextended_widget_opts_block\u003c/code\u003e attribute. This vulnerability allows authenticated attackers with Contributor-level access or higher to inject and execute arbitrary code on the underlying server. The vendor partially addressed this vulnerability in version 4.2.0.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker authenticates to the WordPress application as a Contributor or higher-level user.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to the Widget Options settings within the WordPress admin panel.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious Display Logic expression designed to execute arbitrary PHP code. 
This involves bypassing the blocklist/allowlist using techniques such as \u003ccode\u003earray_map\u003c/code\u003e and string concatenation.\u003c/li\u003e\n\u003cli\u003eThe attacker injects the malicious Display Logic expression into the \u003ccode\u003eextended_widget_opts_block\u003c/code\u003e attribute.\u003c/li\u003e\n\u003cli\u003eThe WordPress application processes the widget options, including the malicious Display Logic expression. Due to the lack of proper sanitization and authorization, the \u003ccode\u003eeval()\u003c/code\u003e function executes the attacker-supplied PHP code.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s code executes with the permissions of the web server user, potentially allowing the attacker to read or write files, execute system commands, or compromise the entire server.\u003c/li\u003e\n\u003cli\u003eThe attacker may establish persistence by writing a backdoor to a file on the server or by creating a new administrator account.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-2052 allows an attacker to execute arbitrary code on the WordPress server. This can lead to complete compromise of the website, including data theft, defacement, and the installation of malware. Since the vulnerability requires Contributor access or higher, the impact is significant if such accounts are compromised through other means (e.g., phishing, credential stuffing). 
The lack of proper input sanitization and authorization makes this a critical vulnerability.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the \u0026ldquo;The Widget Options – Advanced Conditional Visibility for Gutenberg Blocks \u0026amp; Classic Widgets\u0026rdquo; plugin to the latest version to patch CVE-2026-2052.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect WordPress Widget Options RCE Attempt\u0026rdquo; to your SIEM to detect exploitation attempts.\u003c/li\u003e\n\u003cli\u003eReview user roles and permissions to minimize the number of users with Contributor or higher-level access.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for unusual activity, particularly requests to \u003ccode\u003e/wp-admin/options.php\u003c/code\u003e related to widget options.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-02T08:16:27Z","date_published":"2026-05-02T08:16:27Z","id":"/briefs/2026-05-wordpress-widget-rce/","summary":"The Widget Options plugin for WordPress is vulnerable to Remote Code Execution (CVE-2026-2052) due to insufficient input sanitization in the Display Logic feature, allowing authenticated attackers with Contributor-level access and above to execute arbitrary code on the server.","title":"WordPress Widget Options Plugin Remote Code Execution Vulnerability (CVE-2026-2052)","url":"https://feed.craftedsignal.io/briefs/2026-05-wordpress-widget-rce/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.2,"id":"CVE-2026-7049"}],"_cs_exploited":false,"_cs_products":["PixelYourSite Pro – Your smart PIXEL (TAG) Manager plugin for WordPress \u003c= 12.5.0.1"],"_cs_severities":["high"],"_cs_tags":["ssrf","wordpress","plugin"],"_cs_type":"threat","_cs_vendors":["WordPress"],"content_html":"\u003cp\u003eCVE-2026-7049 is a server-side request forgery (SSRF) vulnerability found in the PixelYourSite Pro WordPress plugin. 
Specifically, all versions up to and including 12.5.0.1 are affected. This vulnerability allows unauthenticated attackers to send requests to arbitrary internal or external resources, as viewed from the web server. Although the fetched response bodies are not directly returned to the attacker (making it a blind SSRF), the application parses these responses internally, creating opportunities for reconnaissance and potentially for exploiting vulnerable internal services. Successful exploitation could expose sensitive information or allow unauthorized modification of internal systems.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker identifies the \u003ccode\u003escan_video\u003c/code\u003e parameter as an SSRF entry point.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting the WordPress server with the vulnerable PixelYourSite Pro plugin. The request includes the \u003ccode\u003escan_video\u003c/code\u003e parameter set to a URL pointing to an internal resource (e.g., internal IP address or hostname).\u003c/li\u003e\n\u003cli\u003eThe WordPress server receives the malicious request.\u003c/li\u003e\n\u003cli\u003eThe PixelYourSite Pro plugin processes the request and initiates an HTTP request to the URL specified in the \u003ccode\u003escan_video\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eThe WordPress server makes a request to the internal resource.\u003c/li\u003e\n\u003cli\u003eThe response from the internal resource is received by the WordPress server.\u003c/li\u003e\n\u003cli\u003eThe PixelYourSite Pro plugin parses the response body, potentially revealing information about the internal service.\u003c/li\u003e\n\u003cli\u003eDepending on the targeted internal service and the attacker\u0026rsquo;s crafted request, the attacker might be able to modify information or execute commands on the internal service, even though the response 
is not directly returned to the attacker.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-7049 allows an unauthenticated attacker to perform reconnaissance of internal network resources. The blind nature of the SSRF limits the attacker\u0026rsquo;s immediate visibility into the response, but internal parsing of the response allows for potential information disclosure and exploitation of vulnerable internal services. The scope of the impact depends heavily on the configuration of the internal network and the services exposed.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the PixelYourSite Pro plugin to a version greater than 12.5.0.1 to patch CVE-2026-7049.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Suspicious PixelYourSite Pro SSRF Attempts\u003c/code\u003e to monitor for exploitation attempts targeting the \u003ccode\u003escan_video\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eReview and restrict internal network access to sensitive services to mitigate the potential impact of SSRF vulnerabilities.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-02T06:16:04Z","date_published":"2026-05-02T06:16:04Z","id":"/briefs/2026-05-pys-ssrf/","summary":"The PixelYourSite Pro WordPress plugin is vulnerable to server-side request forgery (SSRF), allowing unauthenticated attackers to make arbitrary web requests from the server, potentially querying or modifying internal services.","title":"PixelYourSite Pro WordPress Plugin SSRF Vulnerability (CVE-2026-7049)","url":"https://feed.craftedsignal.io/briefs/2026-05-pys-ssrf/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.2,"id":"CVE-2026-5113"}],"_cs_exploited":false,"_cs_products":["Gravity Forms plugin \u003c= 
2.10.0"],"_cs_severities":["medium"],"_cs_tags":["xss","wordpress","gravityforms","cve-2026-5113","stored-xss"],"_cs_type":"advisory","_cs_vendors":["WordPress"],"content_html":"\u003cp\u003eThe Gravity Forms plugin for WordPress, a popular form builder, contains a stored cross-site scripting (XSS) vulnerability identified as CVE-2026-5113. This flaw affects versions up to and including 2.10.0. The vulnerability stems from a flawed state validation mechanism combined with insufficient output escaping within the Consent field\u0026rsquo;s hidden inputs. An unauthenticated attacker can exploit this by injecting malicious JavaScript code into form entries. This malicious code is then executed when an authenticated administrator accesses the Entries List page within the WordPress administration panel, potentially leading to account compromise or other malicious actions performed within the administrator\u0026rsquo;s session. Successful exploitation allows attackers to execute arbitrary web scripts in the context of an administrator\u0026rsquo;s browser.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker crafts a malicious payload containing XSS code within a Gravity Forms Consent field. 
The payload leverages HTML tags like \u003ccode\u003e\u0026lt;svg\u0026gt;\u003c/code\u003e that \u003ccode\u003ewp_kses()\u003c/code\u003e will strip.\u003c/li\u003e\n\u003cli\u003eThe attacker submits the crafted form entry to the WordPress site.\u003c/li\u003e\n\u003cli\u003eThe Gravity Forms plugin\u0026rsquo;s state validation mechanism calculates two hashes: one for the raw input and another after sanitization via \u003ccode\u003ewp_kses()\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eDue to the nature of the XSS payload, the \u003ccode\u003ewp_kses()\u003c/code\u003e function strips the \u003ccode\u003e\u0026lt;svg\u0026gt;\u003c/code\u003e tag, resulting in a matching hash for the sanitized input.\u003c/li\u003e\n\u003cli\u003eThe flawed validation logic fails to detect the malicious intent because at least one hash matches the original state, allowing the malicious raw value (containing the XSS payload) to be stored in the database.\u003c/li\u003e\n\u003cli\u003eAn authenticated administrator logs into the WordPress administration panel.\u003c/li\u003e\n\u003cli\u003eThe administrator navigates to the Entries List page for the affected Gravity Form.\u003c/li\u003e\n\u003cli\u003eThe stored malicious consent label is retrieved from the database and output without proper escaping, causing the XSS payload to execute within the administrator\u0026rsquo;s browser session.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-5113 allows unauthenticated attackers to execute arbitrary web scripts within the context of an authenticated administrator\u0026rsquo;s browser session. This can lead to a variety of malicious outcomes, including account compromise, data theft, modification of website content, or further propagation of the attack to other administrative users. 
The severity of the impact depends on the privileges held by the compromised administrator account.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the Gravity Forms plugin to the latest version, which includes a fix for CVE-2026-5113.\u003c/li\u003e\n\u003cli\u003eImplement a Web Application Firewall (WAF) rule to filter out requests containing potentially malicious XSS payloads targeting the Gravity Forms Consent field.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious activity related to form submissions containing encoded or obfuscated JavaScript code. Analyze HTTP request parameters for unusual characters or patterns indicative of XSS attempts.\u003c/li\u003e\n\u003cli\u003eEnable output escaping on form entries to prevent stored XSS attacks.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-02T06:16:04Z","date_published":"2026-05-02T06:16:04Z","id":"/briefs/2026-05-gravityforms-xss/","summary":"The Gravity Forms plugin for WordPress is vulnerable to stored cross-site scripting (XSS) via Consent field hidden inputs, allowing unauthenticated attackers to inject arbitrary web scripts that execute when an administrator views the entries list page.","title":"Gravity Forms Plugin Stored XSS Vulnerability (CVE-2026-5113)","url":"https://feed.craftedsignal.io/briefs/2026-05-gravityforms-xss/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-6963"}],"_cs_exploited":false,"_cs_products":["WP Mail Gateway plugin"],"_cs_severities":["high"],"_cs_tags":["wordpress","privilege-escalation","plugin-vulnerability"],"_cs_type":"advisory","_cs_vendors":["WordPress"],"content_html":"\u003cp\u003eThe WP Mail Gateway plugin, a WordPress extension, contains a vulnerability (CVE-2026-6963) that allows authenticated users with minimal privileges (Subscriber level or higher) to gain administrative access. 
The flaw resides in the \u003ccode\u003ewmg_save_provider_config\u003c/code\u003e AJAX action, which lacks proper authorization checks. This omission enables attackers to manipulate SMTP settings, redirect outgoing emails, and ultimately trigger password reset emails intended for administrators. The vulnerability affects all versions of the WP Mail Gateway plugin up to and including version 1.8. Successful exploitation grants attackers complete control over the WordPress site, making it a critical security concern for any organization using the vulnerable plugin.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker logs into a WordPress site with a Subscriber-level account or higher.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious AJAX request targeting the \u003ccode\u003ewmg_save_provider_config\u003c/code\u003e action.\u003c/li\u003e\n\u003cli\u003eThis request modifies the SMTP settings, redirecting outgoing emails to an attacker-controlled server.\u003c/li\u003e\n\u003cli\u003eThe attacker initiates a password reset request for an administrator account.\u003c/li\u003e\n\u003cli\u003eThe password reset email is intercepted by the attacker\u0026rsquo;s server.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the password reset link to gain access to the administrator\u0026rsquo;s account.\u003c/li\u003e\n\u003cli\u003eThe attacker logs into the WordPress dashboard with administrator privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker can now perform any administrative action, including installing malicious plugins, modifying site content, or creating new administrator accounts.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-6963 allows an attacker to completely compromise a WordPress website.  
Even low-privileged users can elevate their access to administrator, giving them full control over the site.  This can lead to data breaches, website defacement, malware deployment, and other malicious activities. The vulnerability affects all installations of the WP Mail Gateway plugin up to version 1.8, potentially impacting thousands of WordPress sites.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the WP Mail Gateway plugin to a version beyond 1.8 to patch CVE-2026-6963.\u003c/li\u003e\n\u003cli\u003eMonitor WordPress logs for suspicious AJAX requests targeting the \u003ccode\u003ewmg_save_provider_config\u003c/code\u003e action using the Sigma rule provided below. Enable webserver logging to capture HTTP POST requests.\u003c/li\u003e\n\u003cli\u003eImplement the provided Sigma rule to detect modifications to WordPress options related to SMTP configuration. Enable relevant logging for registry modifications.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-02T05:16:01Z","date_published":"2026-05-02T05:16:01Z","id":"/briefs/2026-05-wp-mail-gateway-privesc/","summary":"The WP Mail Gateway plugin for WordPress is vulnerable to unauthorized access due to a missing capability check, allowing authenticated attackers to modify SMTP settings and escalate privileges.","title":"WP Mail Gateway Plugin Vulnerability Leads to Privilege Escalation","url":"https://feed.craftedsignal.io/briefs/2026-05-wp-mail-gateway-privesc/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-7641"}],"_cs_exploited":false,"_cs_products":["Import and export users and customers plugin"],"_cs_severities":["high"],"_cs_tags":["privilege-escalation","wordpress","cloud"],"_cs_type":"advisory","_cs_vendors":["WordPress"],"content_html":"\u003cp\u003eThe Import and export users and customers plugin for WordPress, a plugin used to manage user data, is vulnerable to privilege escalation. 
This vulnerability, identified as CVE-2026-7641, affects all versions of the plugin up to and including 2.0.8. The vulnerability stems from an incomplete blocklist in the \u003ccode\u003esave_extra_user_profile_fields()\u003c/code\u003e function. This function fails to adequately filter meta keys for subsites within a WordPress Multisite network, allowing attackers to manipulate user roles. Successful exploitation allows authenticated attackers with Subscriber-level access or higher to escalate their privileges to Administrator on any subsite within the Multisite network. Exploitation requires the targeted WordPress instance to be part of a Multisite network and have specific settings enabled.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn administrator imports a CSV file containing multisite-prefixed capability column headers (e.g., \u003ccode\u003ewp_2_capabilities\u003c/code\u003e) using the affected plugin.\u003c/li\u003e\n\u003cli\u003eThe administrator enables the \u0026ldquo;Show fields in profile?\u0026rdquo; option within the plugin settings. This action stores the imported column headers (including the multisite capabilities) in the \u003ccode\u003eacui_columns\u003c/code\u003e option.\u003c/li\u003e\n\u003cli\u003eA low-privileged user (e.g., Subscriber) authenticates to the WordPress subsite.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to their user profile page (\u003ccode\u003e/wp-admin/profile.php\u003c/code\u003e). 
The plugin displays the previously imported multisite capability fields as editable options on the profile page.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a profile update request, setting the value of the \u003ccode\u003ewp_{subsite_id}_capabilities\u003c/code\u003e meta key to \u003ccode\u003ea:1:{s:13:\u0026quot;administrator\u0026quot;;b:1;}\u003c/code\u003e which grants administrator privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker submits the crafted profile update to \u003ccode\u003e/wp-admin/profile.php\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003esave_extra_user_profile_fields()\u003c/code\u003e function processes the update. Due to the incomplete blocklist, the function fails to prevent the modification of the \u003ccode\u003ewp_{subsite_id}_capabilities\u003c/code\u003e meta key.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eupdate_user_meta()\u003c/code\u003e function writes the attacker-controlled value directly to the user\u0026rsquo;s metadata, granting them Administrator privileges on the specified subsite.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-7641 allows an attacker to gain complete control over a WordPress subsite within a Multisite network. This can lead to unauthorized access to sensitive data, modification of website content, installation of malicious plugins or themes, and potential compromise of the entire Multisite network. 
Given the widespread use of WordPress and the Import and export users and customers plugin, a successful attack can have significant repercussions for affected organizations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the Import and export users and customers plugin to the latest version to patch CVE-2026-7641.\u003c/li\u003e\n\u003cli\u003eApply the Sigma rule \u003ccode\u003eWordPress Multisite Privilege Escalation via Profile Update\u003c/code\u003e to detect exploitation attempts against \u003ccode\u003e/wp-admin/profile.php\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eReview the \u003ccode\u003eacui_columns\u003c/code\u003e option in the WordPress database to identify any instances where multisite-prefixed capability column headers have been imported, and remove those fields.\u003c/li\u003e\n\u003cli\u003eMonitor WordPress user profile updates for unusual modifications to user capabilities using the \u003ccode\u003eWordPress User Role Change Detection\u003c/code\u003e rule.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-02T05:16:01Z","date_published":"2026-05-02T05:16:01Z","id":"/briefs/2026-05-wordpress-privesc/","summary":"A privilege escalation vulnerability exists in the Import and export users and customers plugin for WordPress (versions \u003c= 2.0.8) due to an incomplete blocklist allowing authenticated users to gain administrator privileges on subsites within a Multisite network.","title":"WordPress Import and Export Users Plugin Privilege Escalation Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-05-wordpress-privesc/"},{"_cs_actors":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2026-4882"}],"_cs_exploited":false,"_cs_products":["User Registration Advanced Fields plugin \u003c= 1.6.20"],"_cs_severities":["critical"],"_cs_tags":["wordpress","file-upload","rce"],"_cs_type":"advisory","_cs_vendors":["WordPress"],"content_html":"\u003cp\u003eThe User 
Registration Advanced Fields plugin for WordPress, specifically versions up to and including 1.6.20, contains an arbitrary file upload vulnerability (CVE-2026-4882) due to insufficient file type validation in the \u003ccode\u003eURAF_AJAX::method_upload\u003c/code\u003e function. This flaw enables unauthenticated attackers to upload any file type to the affected server, which can lead to remote code execution if the uploaded file is strategically placed and executed. The vulnerability is exploitable only if a \u0026ldquo;Profile Picture\u0026rdquo; field is active within the registration form. This poses a significant threat to websites using the plugin, as attackers can potentially gain full control of the server.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker identifies a WordPress site using the vulnerable User Registration Advanced Fields plugin (\u0026lt;= 1.6.20) with the \u0026ldquo;Profile Picture\u0026rdquo; field enabled.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request to the \u003ccode\u003eURAF_AJAX::method_upload\u003c/code\u003e function, bypassing any client-side file type checks.\u003c/li\u003e\n\u003cli\u003eThe attacker uploads a web shell (e.g., a PHP file) disguised as a legitimate file type or without any extension to evade basic detection mechanisms.\u003c/li\u003e\n\u003cli\u003eThe vulnerable plugin saves the file to the WordPress uploads directory without proper validation.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies the exact file path of the uploaded web shell on the server.\u003c/li\u003e\n\u003cli\u003eThe attacker sends another HTTP request directly to the uploaded web shell.\u003c/li\u003e\n\u003cli\u003eThe web shell executes on the server, providing the attacker with remote code execution capabilities.\u003c/li\u003e\n\u003cli\u003eThe attacker can then leverage the web shell to perform various malicious 
activities, such as installing malware, defacing the website, or exfiltrating sensitive data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability (CVE-2026-4882) allows unauthenticated attackers to upload arbitrary files to a vulnerable WordPress website, potentially leading to remote code execution. This can result in complete compromise of the affected website, including data theft, website defacement, and malware infections. The CVSS v3.1 base score for this vulnerability is 9.8, indicating a critical severity level. The impact includes potential damage to reputation, financial losses, and legal liabilities.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the User Registration Advanced Fields plugin to the latest version (greater than 1.6.20) to patch CVE-2026-4882.\u003c/li\u003e\n\u003cli\u003eImplement file type validation on the server-side, restricting allowed file extensions for profile picture uploads.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious file upload activity targeting the \u003ccode\u003eURAF_AJAX::method_upload\u003c/code\u003e function to detect potential exploitation attempts. 
Deploy the Sigma rule \u003ccode\u003eDetect Suspicious WordPress File Uploads\u003c/code\u003e to your SIEM.\u003c/li\u003e\n\u003cli\u003eImplement strict file permission policies to prevent uploaded files from being executed as scripts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-02T05:16:00Z","date_published":"2026-05-02T05:16:00Z","id":"/briefs/2026-05-wordpress-upload/","summary":"The User Registration Advanced Fields plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation, allowing unauthenticated attackers to upload arbitrary files leading to potential remote code execution.","title":"WordPress User Registration Advanced Fields Plugin Arbitrary File Upload Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-05-wordpress-upload/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-3772"}],"_cs_exploited":false,"_cs_products":["WP Editor plugin \u003c= 1.2.9.2"],"_cs_severities":["high"],"_cs_tags":["csrf","wordpress","plugin","vulnerability"],"_cs_type":"advisory","_cs_vendors":["WordPress"],"content_html":"\u003cp\u003eThe WP Editor plugin, a WordPress plugin, contains a Cross-Site Request Forgery (CSRF) vulnerability affecting versions up to and including 1.2.9.2. This vulnerability stems from a lack of nonce verification in the \u0026lsquo;add_plugins_page\u0026rsquo; and \u0026lsquo;add_themes_page\u0026rsquo; functions. An unauthenticated attacker can exploit this vulnerability by crafting a malicious request designed to overwrite arbitrary plugin and theme PHP files with attacker-controlled code. The success of this attack hinges on the attacker\u0026rsquo;s ability to deceive a site administrator into triggering the forged request, typically by clicking a specially crafted link. 
This flaw allows for potential arbitrary code execution on the targeted WordPress site.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable WordPress site running a WP Editor plugin version \u0026lt;= 1.2.9.2.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting the \u0026lsquo;add_plugins_page\u0026rsquo; or \u0026lsquo;add_themes_page\u0026rsquo; functions. This request includes parameters designed to overwrite a specific plugin or theme PHP file with attacker-supplied code.\u003c/li\u003e\n\u003cli\u003eThe attacker social-engineers a WordPress administrator into clicking a malicious link or visiting a compromised website containing the forged request. This could be achieved via phishing emails or other deceptive techniques.\u003c/li\u003e\n\u003cli\u003eIf the administrator is logged into the WordPress dashboard, their browser automatically sends the forged request to the vulnerable WordPress site.\u003c/li\u003e\n\u003cli\u003eDue to the missing nonce verification, the WordPress site processes the request without validating its origin.\u003c/li\u003e\n\u003cli\u003eThe target plugin or theme PHP file is overwritten with the attacker\u0026rsquo;s malicious code.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s code is executed when the plugin or theme is loaded or accessed.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves arbitrary code execution on the WordPress server, potentially leading to complete site compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this CSRF vulnerability allows an unauthenticated attacker to inject arbitrary PHP code into a WordPress website. This can lead to a full compromise of the website, including data theft, defacement, or the installation of backdoors for persistent access. 
Given the widespread use of WordPress and the WP Editor plugin, a large number of websites are potentially at risk. Successful attacks can result in significant reputational damage and financial losses for affected website owners.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the WP Editor plugin to the latest available version, which includes a fix for CVE-2026-3772.\u003c/li\u003e\n\u003cli\u003eImplement strong CSRF protection measures on all WordPress forms and administrative functions.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule to detect attempts to exploit this vulnerability through suspicious requests to the \u003ccode\u003eadd_plugins_page\u003c/code\u003e or \u003ccode\u003eadd_themes_page\u003c/code\u003e endpoints.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-01T12:16:16Z","date_published":"2026-05-01T12:16:16Z","id":"/briefs/2024-01-wp-editor-csrf/","summary":"The WP Editor plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in versions up to 1.2.9.2, allowing unauthenticated attackers to overwrite arbitrary plugin and theme PHP files with malicious code by tricking a site administrator into clicking a link.","title":"WP Editor Plugin CSRF Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-wp-editor-csrf/"},{"_cs_actors":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2026-7567"}],"_cs_exploited":false,"_cs_products":["Temporary Login plugin"],"_cs_severities":["critical"],"_cs_tags":["authentication bypass","wordpress","plugin vulnerability","cve-2026-7567","cloud"],"_cs_type":"advisory","_cs_vendors":["WordPress"],"content_html":"\u003cp\u003eCVE-2026-7567 is an authentication bypass vulnerability that affects the Temporary Login plugin for WordPress, specifically versions up to and including 1.0.0. 
The vulnerability stems from a failure to properly validate the \u0026rsquo;temp-login-token\u0026rsquo; GET parameter within the \u003ccode\u003emaybe_login_temporary_user()\u003c/code\u003e function. By supplying an array as the value for this parameter, attackers can circumvent the intended \u003ccode\u003eempty()\u003c/code\u003e check. This leads to the \u003ccode\u003esanitize_key()\u003c/code\u003e function returning an empty string, which is then used in a database query to fetch users. WordPress ignores empty \u003ccode\u003emeta_value\u003c/code\u003e parameters, causing the query to return all users with the \u003ccode\u003e_temporary_login_token\u003c/code\u003e meta key. Consequently, an unauthenticated attacker can effectively authenticate as any user with an active temporary login session by sending a single, maliciously crafted GET request. This poses a severe risk to website security, as it allows unauthorized access to user accounts and potentially sensitive data.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker identifies a WordPress site using the vulnerable Temporary Login plugin (version \u0026lt;= 1.0.0).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious GET request targeting the WordPress site\u0026rsquo;s login endpoint, including the \u0026rsquo;temp-login-token\u0026rsquo; parameter as an array (e.g., \u003ccode\u003etemp-login-token[]=\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe web server receives the GET request.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003emaybe_login_temporary_user()\u003c/code\u003e function processes the request.\u003c/li\u003e\n\u003cli\u003eDue to improper input validation, the \u003ccode\u003eempty()\u003c/code\u003e check is bypassed when the \u0026rsquo;temp-login-token\u0026rsquo; parameter is an array.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003esanitize_key()\u003c/code\u003e processes the 
array and returns an empty string as the meta_value.\u003c/li\u003e\n\u003cli\u003eWordPress executes a database query using the empty meta_value, effectively retrieving all users with active temporary login tokens.\u003c/li\u003e\n\u003cli\u003eThe attacker is granted unauthorized access to the account of a targeted temporary user, bypassing normal authentication procedures.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-7567 allows unauthenticated attackers to bypass login restrictions and gain unauthorized access to WordPress user accounts utilizing the vulnerable Temporary Login plugin. The severity is high, as it allows complete compromise of user accounts without requiring any valid credentials. The impact includes potential data theft, account takeover, website defacement, and other malicious activities, depending on the privileges of the compromised user account.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the available patch or upgrade the Temporary Login plugin to a version greater than 1.0.0 to remediate CVE-2026-7567.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect WordPress Temporary Login Authentication Bypass Attempt\u003c/code\u003e to detect exploitation attempts by monitoring HTTP requests with array-based \u003ccode\u003etemp-login-token\u003c/code\u003e parameters in the query string.\u003c/li\u003e\n\u003cli\u003eImplement input validation on the web server to reject requests containing array-based parameters where scalar strings are expected.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-01T10:15:58Z","date_published":"2026-05-01T10:15:58Z","id":"/briefs/2024-01-wordpress-temp-login-auth-bypass/","summary":"The Temporary Login plugin for WordPress versions up to 1.0.0 is vulnerable to authentication bypass due to improper input validation, 
allowing unauthenticated attackers to log in as arbitrary temporary users by sending a specially crafted GET request.","title":"WordPress Temporary Login Plugin Authentication Bypass (CVE-2026-7567)","url":"https://feed.craftedsignal.io/briefs/2024-01-wordpress-temp-login-auth-bypass/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-2892"}],"_cs_exploited":false,"_cs_products":["Otter Blocks plugin"],"_cs_severities":["high"],"_cs_tags":["wordpress","plugin","purchase-bypass","CVE-2026-2892","defense-evasion"],"_cs_type":"advisory","_cs_vendors":["Stripe","WordPress"],"content_html":"\u003cp\u003eThe Otter Blocks plugin, a popular WordPress extension, is susceptible to a purchase verification bypass vulnerability identified as CVE-2026-2892. This flaw affects all versions up to and including 3.1.4. The vulnerability stems from the plugin\u0026rsquo;s reliance on an unsigned cookie, \u0026lsquo;o_stripe_data\u0026rsquo;, to determine Stripe product ownership for unauthenticated users. The \u0026lsquo;get_customer_data\u0026rsquo; method uses this cookie, and the subsequent \u0026lsquo;check_purchase\u0026rsquo; method trusts its contents without proper server-side validation against the Stripe API. This lack of verification enables attackers to gain unauthorized access to purchase-gated content. The target product ID is often exposed in the checkout block\u0026rsquo;s HTML source, further simplifying the exploit. 
Successful exploitation allows attackers to bypass payment requirements, potentially impacting content creators and businesses relying on the plugin for revenue generation.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker identifies a WordPress site using the vulnerable Otter Blocks plugin (version \u0026lt;= 3.1.4).\u003c/li\u003e\n\u003cli\u003eThe attacker examines the HTML source code of a checkout block on the target site to identify the target product ID.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious \u0026lsquo;o_stripe_data\u0026rsquo; cookie containing the target product ID.\u003c/li\u003e\n\u003cli\u003eThe attacker sets the forged \u0026lsquo;o_stripe_data\u0026rsquo; cookie in their browser.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to the purchase-gated content on the WordPress site.\u003c/li\u003e\n\u003cli\u003eThe \u0026lsquo;get_customer_data\u0026rsquo; method reads the forged \u0026lsquo;o_stripe_data\u0026rsquo; cookie.\u003c/li\u003e\n\u003cli\u003eThe \u0026lsquo;check_purchase\u0026rsquo; method incorrectly validates the forged purchase data without server-side verification against the Stripe API.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to the purchase-gated content, bypassing the intended payment requirement.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-2892 allows unauthenticated attackers to bypass purchase verification mechanisms implemented by the Otter Blocks plugin. This can lead to unauthorized access to premium content, resulting in revenue loss for content creators and businesses using the plugin. The number of potentially affected websites is significant, given the popularity of WordPress and the Otter Blocks plugin. 
The CVSS v3.1 base score is 7.5, indicating a high severity vulnerability.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the Otter Blocks plugin to a version greater than 3.1.4 to patch CVE-2026-2892.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rules to detect potential exploitation attempts targeting the vulnerable plugin.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs (category \u003ccode\u003ewebserver\u003c/code\u003e, product \u003ccode\u003elinux\u003c/code\u003e) for suspicious cookie manipulation activity, specifically targeting the \u0026lsquo;o_stripe_data\u0026rsquo; cookie.\u003c/li\u003e\n\u003cli\u003eImplement server-side validation of purchase data against the Stripe API to prevent cookie forgery attacks.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-06-24T12:00:00Z","date_published":"2024-06-24T12:00:00Z","id":"/briefs/2026-06-otter-blocks-bypass/","summary":"CVE-2026-2892 is a purchase verification bypass vulnerability in the Otter Blocks plugin for WordPress, affecting versions up to 3.1.4, that allows unauthenticated attackers to access restricted content by forging a cookie used for purchase validation.","title":"Otter Blocks Plugin Purchase Verification Bypass Vulnerability (CVE-2026-2892)","url":"https://feed.craftedsignal.io/briefs/2026-06-otter-blocks-bypass/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.2,"id":"CVE-2026-6229"}],"_cs_exploited":false,"_cs_products":["Royal Elementor Addons \u003c= 1.7.1057"],"_cs_severities":["high"],"_cs_tags":["wordpress","ssrf","cve-2026-6229","plugin"],"_cs_type":"advisory","_cs_vendors":["WordPress"],"content_html":"\u003cp\u003eThe Royal Elementor Addons plugin, a popular WordPress extension, contains a Server-Side Request Forgery (SSRF) vulnerability (CVE-2026-6229) in versions up to and including 1.7.1057. 
This flaw stems from inadequate validation of user-provided URLs within the \u003ccode\u003erender_csv_data()\u003c/code\u003e function. Attackers can bypass the validation by including \u0026lsquo;docs.google.com/spreadsheets\u0026rsquo; in a query parameter. The vulnerability is triggered because the plugin uses these URLs in \u003ccode\u003efopen()\u003c/code\u003e calls without implementing adequate safeguards to prevent access to internal or private network addresses. This vulnerability enables authenticated attackers with Contributor-level access or higher to craft malicious requests, potentially exposing sensitive internal data. Successful exploitation allows attackers to probe internal network resources, access configuration files, and potentially escalate attacks further.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker authenticates to the WordPress site with Contributor-level access or higher.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting the vulnerable \u003ccode\u003erender_csv_data()\u003c/code\u003e function within the Royal Elementor Addons plugin.\u003c/li\u003e\n\u003cli\u003eThe malicious request includes a user-supplied URL containing \u0026lsquo;docs.google.com/spreadsheets\u0026rsquo; within a query parameter to bypass initial validation checks.\u003c/li\u003e\n\u003cli\u003eThe plugin\u0026rsquo;s \u003ccode\u003erender_csv_data()\u003c/code\u003e function receives the crafted URL without proper sanitization or validation against internal or private network addresses.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003efopen()\u003c/code\u003e function is called with the attacker-controlled URL, initiating an outbound request from the WordPress server.\u003c/li\u003e\n\u003cli\u003eIf the URL points to an internal resource, the WordPress server retrieves the resource content.\u003c/li\u003e\n\u003cli\u003eThe attacker receives the 
content of the internal resource in the response from the WordPress server.\u003c/li\u003e\n\u003cli\u003eThe attacker analyzes the retrieved content for sensitive information, such as configuration files, API keys, or internal service details.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this SSRF vulnerability (CVE-2026-6229) can lead to the exposure of sensitive internal information, potentially impacting all organizations using the Royal Elementor Addons plugin for WordPress version 1.7.1057 and below. This may include internal configuration files, API keys, database credentials, or other sensitive data accessible through internal services. The severity is high due to the potential for attackers to pivot from this vulnerability and further compromise the WordPress server or the internal network.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the Royal Elementor Addons plugin to a version higher than 1.7.1057 to patch CVE-2026-6229.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Royal Elementor Addons SSRF Attempt via URL Parameter\u0026rdquo; to identify malicious requests targeting the \u003ccode\u003erender_csv_data()\u003c/code\u003e function in your web server logs.\u003c/li\u003e\n\u003cli\u003eImplement strict network segmentation and firewall rules to limit access from the WordPress server to internal resources, mitigating the impact of potential SSRF vulnerabilities.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-08T12:00:00Z","date_published":"2024-01-08T12:00:00Z","id":"/briefs/2024-01-royal-elementor-ssrf/","summary":"The Royal Elementor Addons plugin for WordPress is vulnerable to Server-Side Request Forgery (SSRF) allowing authenticated attackers with Contributor-level access or higher to make arbitrary requests and retrieve sensitive information from internal 
services.","title":"Royal Elementor Addons Plugin SSRF Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-royal-elementor-ssrf/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.1,"id":"CVE-2026-5364"}],"_cs_exploited":false,"_cs_products":["Drag and Drop File Upload for Contact Form 7 plugin"],"_cs_severities":["high"],"_cs_tags":["wordpress","file-upload","rce","plugin","CVE-2026-5364"],"_cs_type":"advisory","_cs_vendors":["WordPress"],"content_html":"\u003cp\u003eThe Drag and Drop File Upload for Contact Form 7 plugin for WordPress, in versions up to and including 1.1.3, contains an arbitrary file upload vulnerability tracked as CVE-2026-5364. The flaw stems from insufficient sanitization of file extensions during the upload process. Specifically, the plugin extracts the file extension before sanitization and allows the file type parameter to be controlled by the attacker. Furthermore, validation occurs on the unsanitized extension, while the file is saved with a sanitized extension, stripping special characters like \u0026lsquo;$\u0026rsquo; during the save. While an .htaccess file and name randomization are present, these restrictions may be bypassable in certain configurations or by exploiting other vulnerabilities. 
This vulnerability could allow unauthenticated attackers to upload arbitrary PHP files to the web server, potentially leading to remote code execution (RCE).\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker identifies a WordPress website using a vulnerable version (\u0026lt;= 1.1.3) of the \u0026ldquo;Drag and Drop File Upload for Contact Form 7\u0026rdquo; plugin.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP POST request targeting the plugin\u0026rsquo;s upload endpoint, typically \u003ccode\u003e/wp-content/plugins/drag-and-drop-multiple-file-upload-contact-form-7/upload.php\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe POST request includes a file with a manipulated extension, such as \u003ccode\u003eevil.php$.jpg\u003c/code\u003e, where \u003ccode\u003eevil.php\u003c/code\u003e is the malicious PHP payload and \u003ccode\u003e$.jpg\u003c/code\u003e is designed to be sanitized to \u003ccode\u003e.jpg\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the \u003ccode\u003efile type\u003c/code\u003e parameter in the request to reflect the original manipulated file extension (\u003ccode\u003eevil.php$.jpg\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe plugin validates the extension against administrator-configured types but, due to the unsanitized extension and attacker control over the file type parameter, the malicious file passes validation.\u003c/li\u003e\n\u003cli\u003eThe plugin sanitizes the extension, removing the \u003ccode\u003e$\u003c/code\u003e character, resulting in a file saved with the extension \u003ccode\u003e.php\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to access the uploaded PHP file via a direct HTTP request to \u003ccode\u003e/wp-content/uploads/\u0026lt;random_name\u0026gt;.php\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eIf the \u003ccode\u003e.htaccess\u003c/code\u003e 
restrictions are bypassed (e.g., due to misconfiguration or another vulnerability), the web server executes the malicious PHP code, granting the attacker remote code execution.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-5364 allows unauthenticated attackers to upload and execute arbitrary PHP code on the target WordPress server. This can lead to complete compromise of the website, including defacement, data theft, and installation of backdoors. While the presence of \u003ccode\u003e.htaccess\u003c/code\u003e and name randomization mitigates the risk, these protections may be bypassed, especially when combined with other vulnerabilities or misconfigurations. Given the widespread use of WordPress and its plugins, this vulnerability poses a significant risk to a large number of websites. The CVSS v3.1 base score is 8.1, indicating a high severity vulnerability.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the \u0026ldquo;Drag and Drop File Upload for Contact Form 7\u0026rdquo; plugin to the latest version (greater than 1.1.3) to patch CVE-2026-5364.\u003c/li\u003e\n\u003cli\u003eImplement a Web Application Firewall (WAF) rule to inspect and block requests containing suspicious file extensions in the POST parameters targeting the plugin\u0026rsquo;s upload endpoint (\u003ccode\u003e/wp-content/plugins/drag-and-drop-multiple-file-upload-contact-form-7/upload.php\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Suspicious File Upload via Drag and Drop CF7\u003c/code\u003e to identify exploitation attempts in web server logs (cs-uri-query).\u003c/li\u003e\n\u003cli\u003eReview and harden \u003ccode\u003e.htaccess\u003c/code\u003e configurations to ensure that PHP execution is restricted in the \u003ccode\u003e/wp-content/uploads/\u003c/code\u003e 
directory.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T18:23:00Z","date_published":"2024-01-03T18:23:00Z","id":"/briefs/2024-01-wordpress-plugin-upload/","summary":"The Drag and Drop File Upload for Contact Form 7 plugin for WordPress is vulnerable to arbitrary file upload in versions up to 1.1.3, allowing unauthenticated attackers to upload arbitrary PHP files by manipulating the file type parameter and exploiting extension sanitization vulnerabilities.","title":"WordPress Drag and Drop File Upload Plugin Vulnerable to Arbitrary File Upload (CVE-2026-5364)","url":"https://feed.craftedsignal.io/briefs/2024-01-wordpress-plugin-upload/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.1,"id":"CVE-2026-7647"}],"_cs_exploited":false,"_cs_products":["Profile Builder Pro plugin"],"_cs_severities":["critical"],"_cs_tags":["php-object-injection","wordpress","plugin","rce"],"_cs_type":"advisory","_cs_vendors":["WordPress"],"content_html":"\u003cp\u003eThe Profile Builder Pro plugin for WordPress is susceptible to a critical PHP Object Injection vulnerability (CVE-2026-7647) affecting all versions up to and including 3.14.5. This flaw stems from the plugin\u0026rsquo;s use of the \u003ccode\u003emaybe_unserialize()\u003c/code\u003e function on the attacker-controlled \u003ccode\u003eargs\u003c/code\u003e POST parameter passed to the \u003ccode\u003ewppb_request_users_pins_action_callback()\u003c/code\u003e AJAX handler. Critically, this handler lacks nonce verification, input validation, and type checking, making it accessible to unauthenticated users via both \u003ccode\u003ewp_ajax_\u003c/code\u003e and \u003ccode\u003ewp_ajax_nopriv_\u003c/code\u003e hooks. Successful exploitation allows remote, unauthenticated attackers to inject arbitrary PHP objects into the application\u0026rsquo;s memory space, potentially leading to remote code execution depending on available classes and application configuration. 
The vulnerability was published on 2026-05-02.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker identifies a WordPress site running a vulnerable version (\u0026lt;= 3.14.5) of the Profile Builder Pro plugin.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP POST request targeting the WordPress AJAX endpoint (\u003ccode\u003e/wp-admin/admin-ajax.php\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe POST request includes the \u003ccode\u003eaction\u003c/code\u003e parameter set to \u003ccode\u003ewppb_request_users_pins_action_callback\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe POST request includes the \u003ccode\u003eargs\u003c/code\u003e parameter containing a serialized PHP object designed to trigger arbitrary code execution upon deserialization.\u003c/li\u003e\n\u003cli\u003eThe WordPress server receives the request and invokes the \u003ccode\u003ewppb_request_users_pins_action_callback()\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe vulnerable function calls \u003ccode\u003emaybe_unserialize()\u003c/code\u003e on the attacker-controlled \u003ccode\u003eargs\u003c/code\u003e parameter without proper sanitization or validation.\u003c/li\u003e\n\u003cli\u003eThe malicious PHP object is deserialized and injected into the application\u0026rsquo;s memory space.\u003c/li\u003e\n\u003cli\u003eThe injected object\u0026rsquo;s methods and properties are triggered, leading to arbitrary code execution on the server.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an unauthenticated attacker to execute arbitrary PHP code on the target WordPress server. This can lead to complete system compromise, including data theft, website defacement, and the installation of backdoors for persistent access. 
Given the widespread use of WordPress and the Profile Builder Pro plugin, a large number of websites are potentially at risk until the plugin is updated.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the Profile Builder Pro plugin to the latest available version to patch CVE-2026-7647.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule \u003ccode\u003eDetect Profile Builder Pro PHP Object Injection Attempt\u003c/code\u003e to detect exploitation attempts targeting the vulnerable AJAX endpoint.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for POST requests to \u003ccode\u003e/wp-admin/admin-ajax.php\u003c/code\u003e with the \u003ccode\u003eaction\u003c/code\u003e parameter set to \u003ccode\u003ewppb_request_users_pins_action_callback\u003c/code\u003e and suspicious serialized data in the \u003ccode\u003eargs\u003c/code\u003e parameter.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T14:30:00Z","date_published":"2024-01-03T14:30:00Z","id":"/briefs/2024-01-wordpress-profile-builder-rce/","summary":"An unauthenticated PHP Object Injection vulnerability exists in the Profile Builder Pro WordPress plugin (versions up to 3.14.5) due to the insecure use of `maybe_unserialize()` on the 'args' POST parameter in the `wppb_request_users_pins_action_callback()` AJAX handler, potentially leading to arbitrary code execution.","title":"WordPress Profile Builder Pro Plugin PHP Object Injection Vulnerability (CVE-2026-7647)","url":"https://feed.craftedsignal.io/briefs/2024-01-wordpress-profile-builder-rce/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.2,"id":"CVE-2026-5110"}],"_cs_exploited":false,"_cs_products":["Gravity Forms plugin \u003c= 2.10.0"],"_cs_severities":["medium"],"_cs_tags":["xss","wordpress","gravityforms"],"_cs_type":"advisory","_cs_vendors":["WordPress"],"content_html":"\u003cp\u003eThe Gravity Forms plugin, a widely used WordPress plugin, is susceptible to an 
unauthenticated stored cross-site scripting (XSS) vulnerability. This flaw, identified as CVE-2026-5110, affects versions up to and including 2.10.0. The vulnerability stems from inadequate input validation and output escaping specifically within the SingleProduct field when it is nested inside a Repeater field. This bypasses normal state validation, allowing attackers to inject malicious HTML and JavaScript into the product name field. The injected payload is then stored unsanitized in the database. This vulnerability allows unauthenticated attackers to inject arbitrary web scripts that execute whenever an administrator accesses an entry containing the malicious payload through the WordPress admin interface.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker crafts a malicious request to a WordPress endpoint utilizing the Gravity Forms plugin.\u003c/li\u003e\n\u003cli\u003eThe attacker injects arbitrary HTML and JavaScript into the \u0026lsquo;product name\u0026rsquo; field (input .1) of a SingleProduct field nested within a Repeater field.\u003c/li\u003e\n\u003cli\u003eDue to insufficient validation within the \u003ccode\u003evalidate_subfield()\u003c/code\u003e method, the malicious input bypasses the state validation mechanism (\u003ccode\u003efailed_state_validation()\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003esanitize_entry_value()\u003c/code\u003e method returns the raw, unsanitized value because HTML is not expected for the affected field type.\u003c/li\u003e\n\u003cli\u003eThe malicious input is stored in the WordPress database without proper sanitization or escaping.\u003c/li\u003e\n\u003cli\u003eAn administrator accesses the Gravity Forms entries page in the WordPress admin interface (\u003ccode\u003ewp-admin/admin.php?page=gf_entries\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eget_value_entry_detail()\u003c/code\u003e method retrieves the malicious 
product name from the database and outputs it without proper escaping.\u003c/li\u003e\n\u003cli\u003eThe stored XSS payload executes in the administrator\u0026rsquo;s browser, potentially allowing the attacker to perform actions with the administrator\u0026rsquo;s privileges.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an unauthenticated attacker to execute arbitrary JavaScript code in the context of an administrator\u0026rsquo;s browser session. This can lead to account compromise, data theft, or further malicious activities within the WordPress administration panel. The vulnerability affects all users of the Gravity Forms plugin on WordPress installations with versions up to and including 2.10.0.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the Gravity Forms plugin to the latest version (greater than 2.10.0) to patch CVE-2026-5110.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule \u003ccode\u003eDetect Gravity Forms XSS Attempt\u003c/code\u003e to identify potential exploitation attempts by monitoring for specific patterns in HTTP requests.\u003c/li\u003e\n\u003cli\u003eEnable web server logging that captures detailed information about HTTP requests and responses, so that the Sigma rule has the request data it needs to match.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-gravity-forms-xss/","summary":"The Gravity Forms plugin for WordPress is vulnerable to unauthenticated stored cross-site scripting (XSS) in versions up to 2.10.0, allowing attackers to inject arbitrary JavaScript code into the product name field within repeater fields, which executes when an administrator views the affected entry.","title":"Gravity Forms Plugin Unauthenticated Stored XSS 
Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-gravity-forms-xss/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-7649"}],"_cs_exploited":false,"_cs_products":["ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile \u0026 User signup plugin \u003c= 4.0.60"],"_cs_severities":["high"],"_cs_tags":["sql-injection","wordpress","armember","cve-2026-7649"],"_cs_type":"advisory","_cs_vendors":["WordPress"],"content_html":"\u003cp\u003eThe ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile \u0026amp; User signup plugin for WordPress is susceptible to time-based blind SQL injection. This vulnerability, identified as CVE-2026-7649, affects all versions up to and including 4.0.60. The root cause lies in the inadequate escaping of the user-supplied \u0026lsquo;orderby\u0026rsquo; parameter and the lack of sufficient preparation in the existing SQL query. An unauthenticated attacker can exploit this weakness by injecting malicious SQL queries, potentially leading to the extraction of sensitive information directly from the WordPress database. This presents a significant risk, as it could expose user credentials, personal data, and other confidential information stored within the database, impacting the confidentiality and integrity of the WordPress installation.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker identifies a WordPress site using the vulnerable ARMember plugin (version \u0026lt;= 4.0.60).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting a page that uses the vulnerable \u0026lsquo;orderby\u0026rsquo; parameter.\u003c/li\u003e\n\u003cli\u003eThe attacker injects SQL code into the \u0026lsquo;orderby\u0026rsquo; parameter of the HTTP GET or POST request. 
This code is designed to exploit the time-based blind SQL injection vulnerability.\u003c/li\u003e\n\u003cli\u003eThe ARMember plugin processes the request without properly sanitizing the \u0026lsquo;orderby\u0026rsquo; parameter, allowing the injected SQL code to be executed within the database query.\u003c/li\u003e\n\u003cli\u003eThe injected SQL code uses time-delay functions (e.g., \u003ccode\u003eSLEEP()\u003c/code\u003e) to determine the truthiness of conditions. Based on the response time, the attacker infers whether the injected SQL code is evaluating to true or false.\u003c/li\u003e\n\u003cli\u003eThe attacker iteratively refines the injected SQL code to extract sensitive data, such as table names, column names, and data values, character by character, through observing the time delays.\u003c/li\u003e\n\u003cli\u003eThe attacker dumps sensitive information from the database.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the extracted credentials to gain administrative access to the WordPress site.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows unauthenticated attackers to extract sensitive information from the WordPress database. This includes user credentials (usernames, email addresses, and password hashes), personal data, and potentially other confidential information stored within the database. The impact could range from unauthorized access to user accounts to complete compromise of the WordPress site and its underlying data. 
The number of affected sites depends on the prevalence of the ARMember plugin, but given its popularity, the potential impact is widespread.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the latest security patches provided by the ARMember plugin developers immediately to remediate CVE-2026-7649 on all WordPress installations using the plugin.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect ARMember SQL Injection Attempt via Orderby Parameter\u0026rdquo; to your SIEM to detect exploitation attempts against this vulnerability.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious requests containing SQL syntax in the \u0026lsquo;orderby\u0026rsquo; parameter to identify potential exploitation attempts (log source: webserver).\u003c/li\u003e\n\u003cli\u003eImplement and enforce strict input validation and sanitization for all user-supplied parameters, especially those used in database queries, to prevent SQL injection vulnerabilities.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-armember-sqli/","summary":"A time-based blind SQL Injection vulnerability exists in the ARMember WordPress plugin (\u003c= 4.0.60) due to insufficient input sanitization of the 'orderby' parameter, allowing unauthenticated attackers to extract sensitive database information.","title":"ARMember WordPress Plugin Vulnerable to Time-Based Blind SQL Injection (CVE-2026-7649)","url":"https://feed.craftedsignal.io/briefs/2024-01-armember-sqli/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.2,"id":"CVE-2026-5112"}],"_cs_exploited":false,"_cs_products":["Gravity Forms plugin"],"_cs_severities":["medium"],"_cs_tags":["xss","wordpress","gravityforms"],"_cs_type":"advisory","_cs_vendors":["WordPress"],"content_html":"\u003cp\u003eThe Gravity Forms plugin for WordPress, a widely used form management tool, contains 
a vulnerability that can be exploited by unauthenticated attackers. Specifically, versions up to and including 2.10.0 are susceptible to Stored Cross-Site Scripting (XSS) due to insufficient input validation and output escaping of Calculation Product field names within Repeater fields. This flaw resides in how the plugin processes and renders form submissions containing malicious HTML within the product name field. The vulnerability allows an attacker to inject arbitrary web scripts that execute in the context of an authenticated administrator\u0026rsquo;s session when they access the entry detail page within the WordPress admin panel. Successful exploitation enables attackers to perform actions with the privileges of the compromised administrator.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker crafts a malicious form submission.\u003c/li\u003e\n\u003cli\u003eThe malicious payload is placed in the Calculation Product field\u0026rsquo;s product name (.1) within a Repeater field.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003evalidate()\u003c/code\u003e method in the \u003ccode\u003eGF_Field_Calculation\u003c/code\u003e class inadequately validates the product name field, failing to sanitize malicious HTML.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003esanitize_entry_value()\u003c/code\u003e method returns the raw, unsanitized value for the product name field, as HTML sanitization is not expected for this field.\u003c/li\u003e\n\u003cli\u003eThe malicious form submission is saved as an entry in WordPress.\u003c/li\u003e\n\u003cli\u003eAn authenticated administrator with the \u003ccode\u003egravityforms_view_entries\u003c/code\u003e capability accesses the entry detail page in \u003ccode\u003ewp-admin\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eget_value_entry_detail()\u003c/code\u003e method concatenates the unsanitized product name directly into 
the output string.\u003c/li\u003e\n\u003cli\u003eThe repeater\u0026rsquo;s \u003ccode\u003eget_value_entry_detail()\u003c/code\u003e method renders the unsanitized output, leading to the execution of the injected XSS payload within the administrator\u0026rsquo;s browser.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows an unauthenticated attacker to execute arbitrary JavaScript code within the context of an authenticated WordPress administrator\u0026rsquo;s session. This can lead to account takeover, data theft, or further malicious actions performed on the WordPress site. While the number of potentially affected sites is large due to the plugin\u0026rsquo;s popularity, the impact is limited to administrators who access the specific entry containing the malicious payload.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the Gravity Forms plugin to a version greater than 2.10.0 to patch CVE-2026-5112.\u003c/li\u003e\n\u003cli\u003eImplement the Sigma rule \u003ccode\u003eDetect Gravity Forms XSS via Product Name\u003c/code\u003e to detect attempts to inject malicious scripts into product names.\u003c/li\u003e\n\u003cli\u003eReview and audit existing Gravity Forms entries for suspicious content in Calculation Product fields to identify potential exploitation attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T10:00:00Z","date_published":"2024-01-03T10:00:00Z","id":"/briefs/2024-01-gravityforms-xss/","summary":"The Gravity Forms plugin for WordPress is vulnerable to Unauthenticated Stored Cross-Site Scripting (XSS) in versions up to and including 2.10.0, allowing unauthenticated attackers to inject arbitrary web scripts via form submissions that execute when an administrator views the entry detail page.","title":"Gravity Forms Plugin Unauthenticated Stored XSS 
Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-gravityforms-xss/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.2,"id":"CVE-2026-5464"}],"_cs_exploited":false,"_cs_products":["ExactMetrics – Google Analytics Dashboard for WordPress (Website Stats Plugin)"],"_cs_severities":["critical"],"_cs_tags":["wordpress","plugin","rce","cve-2026-5464","exactmetrics"],"_cs_type":"advisory","_cs_vendors":["WordPress"],"content_html":"\u003cp\u003eA critical vulnerability, CVE-2026-5464, exists in the ExactMetrics – Google Analytics Dashboard for WordPress (Website Stats Plugin) plugin, affecting all versions up to and including 9.1.2. The vulnerability allows authenticated attackers with Editor-level access or higher, who also possess the \u0026lsquo;exactmetrics_view_dashboard\u0026rsquo; capability, to install and activate arbitrary WordPress plugins from attacker-controlled URLs. This is possible due to the exposure of the \u0026lsquo;onboarding_key\u0026rsquo; transient and the lack of proper authorization checks on the \u0026lsquo;exactmetrics_connect_process\u0026rsquo; AJAX endpoint. Successful exploitation can lead to Remote Code Execution (RCE) on the target WordPress site. 
This poses a significant risk to websites using the vulnerable plugin, as attackers can inject malicious code and gain full control of the affected system.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains authenticated access to a WordPress site as an Editor or Administrator.\u003c/li\u003e\n\u003cli\u003eThe attacker obtains the \u0026lsquo;onboarding_key\u0026rsquo; by accessing the reports page, which exposes the transient value to users with the \u0026lsquo;exactmetrics_view_dashboard\u0026rsquo; capability.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the \u0026lsquo;onboarding_key\u0026rsquo; to access the \u0026lsquo;/wp-json/exactmetrics/v1/onboarding/connect-url\u0026rsquo; REST endpoint, receiving a one-time hash (OTH) token.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious plugin ZIP file hosted on an attacker-controlled server.\u003c/li\u003e\n\u003cli\u003eThe attacker sends a request to the \u0026lsquo;exactmetrics_connect_process\u0026rsquo; AJAX endpoint, providing the OTH token and the URL of the malicious plugin ZIP file via the \u0026lsquo;file\u0026rsquo; parameter. This endpoint lacks capability checks and nonce verification.\u003c/li\u003e\n\u003cli\u003eThe ExactMetrics plugin downloads the malicious plugin ZIP file from the attacker-controlled URL.\u003c/li\u003e\n\u003cli\u003eThe ExactMetrics plugin installs and activates the malicious plugin.\u003c/li\u003e\n\u003cli\u003eThe attacker gains Remote Code Execution on the WordPress server through the installed malicious plugin.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-5464 allows attackers to install arbitrary plugins on vulnerable WordPress sites, leading to Remote Code Execution. 
This grants the attacker complete control over the compromised website, enabling them to inject malicious code, deface the site, steal sensitive data, or use the site for further malicious activities. The number of affected websites depends on how widely the ExactMetrics plugin is used. Organizations using this plugin are at risk of significant data breaches and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the ExactMetrics – Google Analytics Dashboard for WordPress (Website Stats Plugin) plugin to the latest version, which patches CVE-2026-5464.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious requests to the \u0026lsquo;/wp-json/exactmetrics/v1/onboarding/connect-url\u0026rsquo; REST endpoint and the \u0026lsquo;exactmetrics_connect_process\u0026rsquo; AJAX endpoint. Implement the Sigma rule provided below to detect exploitation attempts.\u003c/li\u003e\n\u003cli\u003eImplement strong password policies and multi-factor authentication to prevent unauthorized access to WordPress accounts.\u003c/li\u003e\n\u003cli\u003eRestrict the \u0026lsquo;exactmetrics_view_dashboard\u0026rsquo; capability to only the necessary users.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-02-exactmetrics-rce/","summary":"The ExactMetrics plugin for WordPress is vulnerable to unauthorized arbitrary plugin installation and activation via a REST API endpoint, potentially leading to remote code execution by authenticated attackers.","title":"ExactMetrics WordPress Plugin Vulnerability Leads to Remote Code Execution","url":"https://feed.craftedsignal.io/briefs/2024-01-02-exactmetrics-rce/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.2,"id":"CVE-2026-5324"}],"_cs_exploited":false,"_cs_products":["Brizy – Page Builder plugin \u003c= 
2.8.11"],"_cs_severities":["medium"],"_cs_tags":["wordpress","xss","unauthenticated"],"_cs_type":"advisory","_cs_vendors":["WordPress"],"content_html":"\u003cp\u003eThe Brizy – Page Builder plugin for WordPress, a popular tool for designing website pages, contains a critical vulnerability that allows unauthenticated users to inject malicious JavaScript code. Specifically, versions up to and including 2.8.11 are affected. This vulnerability arises from a combination of factors, including the lack of nonce verification for form submissions from non-logged-in users, inadequate handling of FileUpload fields when no file is actually uploaded, and the unintended reversal of security encoding through \u003ccode\u003ehtml_entity_decode()\u003c/code\u003e before outputting data. This allows attackers to inject arbitrary web scripts that execute in the context of a logged-in administrator viewing the form\u0026rsquo;s \u0026ldquo;Leads\u0026rdquo; page, potentially leading to account takeover, data theft, or further compromise of the WordPress site.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker crafts a malicious payload containing JavaScript code.\u003c/li\u003e\n\u003cli\u003eThe attacker submits this payload through a Brizy form on the WordPress site, exploiting the missing nonce verification in the \u003ccode\u003esubmit_form()\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ehandleFileTypeFields()\u003c/code\u003e function fails to properly sanitize or overwrite the attacker-supplied values when no file is attached to the form submission.\u003c/li\u003e\n\u003cli\u003eThe injected payload, now stored in the WordPress database, bypasses initial \u003ccode\u003ehtmlentities()\u003c/code\u003e encoding due to later \u003ccode\u003ehtml_entity_decode()\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eAn administrator logs into the WordPress dashboard and 
navigates to the \u0026ldquo;Leads\u0026rdquo; page to view form submissions.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eform-data.php\u003c/code\u003e template retrieves the stored malicious payload from the database.\u003c/li\u003e\n\u003cli\u003eThe payload is written directly into the \u003ccode\u003ehref\u003c/code\u003e attribute of an HTML element without proper escaping using \u003ccode\u003eesc_url()\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe injected JavaScript code executes within the administrator\u0026rsquo;s browser, potentially performing actions such as stealing cookies or redirecting the administrator to a malicious site.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an unauthenticated attacker to execute arbitrary JavaScript code in the context of a logged-in administrator\u0026rsquo;s browser. This could lead to a full compromise of the WordPress site, including the ability to create new administrative accounts, modify existing content, inject malware into the site\u0026rsquo;s pages, or steal sensitive data. 
The impact is significant, as it requires no user interaction beyond an administrator viewing the form submissions within the Brizy plugin.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the Brizy – Page Builder plugin to the latest version to patch CVE-2026-5324.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Brizy WordPress Plugin XSS Attempt via HTTP Request\u0026rdquo; to identify potential exploitation attempts in web server logs.\u003c/li\u003e\n\u003cli\u003eReview the \u003ccode\u003eform-data.php\u003c/code\u003e template and implement proper output escaping using \u003ccode\u003eesc_url()\u003c/code\u003e for all user-supplied data to prevent XSS, as mentioned in the vulnerability description.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-brizy-xss/","summary":"The Brizy – Page Builder plugin for WordPress is vulnerable to Unauthenticated Stored Cross-Site Scripting (XSS) in versions up to and including 2.8.11, allowing unauthenticated attackers to inject arbitrary web scripts that execute when an administrator views the form Leads page due to missing nonce verification and improper handling of file upload fields.","title":"Brizy WordPress Plugin Unauthenticated Stored XSS Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-brizy-xss/"}],"language":"en","title":"CraftedSignal Threat Feed — WordPress","version":"https://jsonfeed.org/version/1.1"}