WordPress — CraftedSignal Threat Feed

Contact Form 7 WordPress Plugin Uncontrolled Resource Consumption Vulnerability

hello@craftedsignal.io — Mon, 04 May 2026 19:16:02 +0000

The Contact Form 7 WordPress plugin, specifically versions up to 2.6.7, contains an uncontrolled resource consumption vulnerability (CVE-2026-25863) within the Wpcf7cfMailParser class. The hide_hidden_mail_fields_regex_callback() method is susceptible to unbounded loop execution due to reading an iteration count directly from user-supplied POST parameters via the REST API endpoint without proper validation. This allows unauthenticated attackers to send a large integer value, triggering multiple preg_replace() operations, leading to server memory exhaustion and crashing the PHP process. This vulnerability enables a denial-of-service condition, potentially impacting all websites using the vulnerable plugin.

Attack Chain

An unauthenticated attacker identifies a WordPress website using Contact Form 7 plugin version 2.6.7 or earlier.
The attacker crafts a malicious HTTP POST request targeting the WordPress REST API endpoint.
The POST request includes a large integer value for the iteration count parameter, which is passed directly to the hide_hidden_mail_fields_regex_callback() method.
The hide_hidden_mail_fields_regex_callback() method, lacking input validation, reads the attacker-controlled integer.
The method initiates an unbounded loop, performing preg_replace() operations based on the attacker-supplied iteration count.
Each preg_replace() operation consumes server memory.
The excessive number of iterations rapidly exhausts available server memory.
The PHP process crashes due to memory exhaustion, resulting in a denial-of-service condition for the website.

Impact

Successful exploitation of this vulnerability leads to a denial-of-service condition. Attackers can crash the PHP process on vulnerable WordPress websites by exhausting server memory. This can result in website downtime, impacting user experience and potentially leading to data loss or corruption. While the exact number of affected websites is unknown, the widespread use of Contact Form 7 makes this vulnerability a significant threat.

Recommendation

Upgrade the Contact Form 7 WordPress plugin to a version greater than 2.6.7 to patch CVE-2026-25863.
Deploy the Sigma rule Detect Contact Form 7 Uncontrolled Resource Consumption Attempt to your SIEM to detect malicious POST requests targeting the WordPress REST API.
Monitor web server logs for abnormally large POST request sizes to the WordPress REST API endpoint, as this may indicate an attempted exploitation of CVE-2026-25863.

WordPress Easy PayPal Events & Tickets Plugin Information Disclosure Vulnerability

hello@craftedsignal.io — Mon, 04 May 2026 18:16:29 +0000

The Easy PayPal Events & Tickets plugin for WordPress, versions 1.3 and earlier, contains an information disclosure vulnerability (CVE-2026-41471). This vulnerability allows unauthenticated attackers to iterate through WordPress post IDs via the scan_qr.php endpoint. By sequentially accessing these IDs, attackers can retrieve customer order records stored within the WordPress database. The plugin was officially closed as of March 18, 2026, meaning websites using the plugin prior to this date are vulnerable. This allows for the potential harvesting of sensitive customer data including names, addresses, and purchase histories.

Attack Chain

An unauthenticated attacker identifies a WordPress site using the vulnerable Easy PayPal Events & Tickets plugin (version 1.3 or earlier).
The attacker crafts a malicious HTTP request targeting the scan_qr.php endpoint.
The attacker modifies the request to iterate through sequential WordPress post IDs.
The server processes the request without proper authentication or authorization checks.
The scan_qr.php endpoint queries the WordPress database for order records associated with the provided post ID.
If a valid order record is found, the server returns the information in the HTTP response.
The attacker parses the HTTP response to extract customer order information.
The attacker repeats steps 2-7, incrementing the post ID to enumerate all order records.

Impact

Successful exploitation of this vulnerability allows unauthenticated attackers to retrieve all customer order records stored in the WordPress database. This can lead to the disclosure of sensitive customer information, including names, email addresses, purchase history, and potentially other personal details. The number of affected victims depends on the popularity and usage of the vulnerable plugin. If the database contains financial information the impact could be severe.

Recommendation

Deploy the Sigma rule detecting requests to the scan_qr.php endpoint with iterative post IDs to identify potential exploitation attempts.
If still using the Easy PayPal Events & Tickets plugin, remove the plugin, as it was closed as of 2026-03-18.
Monitor web server logs for suspicious activity targeting the scan_qr.php endpoint.
Review the WordPress access logs for requests originating from unusual IP addresses accessing the scan_qr.php endpoint.

WordPress Easy PayPal Events & Tickets Plugin Authentication Bypass Vulnerability

hello@craftedsignal.io — Mon, 04 May 2026 18:16:27 +0000

The Easy PayPal Events & Tickets plugin for WordPress, version 1.3 and earlier, contains a critical hardcoded authentication bypass vulnerability (CVE-2026-32834) within its QR code scanning functionality. This flaw allows unauthenticated remote attackers to bypass hash verification by supplying the string ’test’ as the hash parameter when accessing the add_wpeevent_button_qr action. This bypass enables attackers to retrieve sensitive order details associated with any post ID, including PayPal transaction IDs, customer email addresses, purchase amounts, and ticket information. The vulnerable plugin was officially closed on March 18, 2026, making it imperative to identify and mitigate any remaining installations to prevent potential data breaches.

Attack Chain

Attacker identifies a WordPress site using the Easy PayPal Events & Tickets plugin (version 1.3 or earlier).
Attacker crafts a malicious HTTP GET request targeting the /wp-admin/admin-ajax.php endpoint.
The request includes the action parameter set to add_wpeevent_button_qr.
The request includes a hash parameter set to the hardcoded value test.
The request includes a post_id parameter, either guessed or obtained through other means.
The vulnerable plugin bypasses authentication due to the hardcoded hash.
The plugin processes the request and retrieves sensitive order details associated with the provided post_id.
The attacker receives the sensitive data, including PayPal transaction IDs, customer email addresses, purchase amounts, and ticket information.

Impact

Successful exploitation of this vulnerability grants unauthenticated attackers access to sensitive customer and transaction data associated with events and tickets managed through the Easy PayPal Events & Tickets plugin. The leaked information, including customer email addresses and PayPal transaction IDs, can be used for further malicious activities such as phishing campaigns, identity theft, and financial fraud. The number of affected WordPress sites is unknown, but any site using a vulnerable version of the plugin is at risk.

Recommendation

Deploy the Sigma rule Detect WordPress Easy PayPal Events & Tickets Authentication Bypass Attempt to your SIEM to detect exploitation attempts targeting the vulnerable endpoint.
Inspect web server logs for requests to /wp-admin/admin-ajax.php with the action parameter set to add_wpeevent_button_qr and the hash parameter set to test to identify potential exploitation attempts.
Monitor network traffic for suspicious data exfiltration following the identified exploitation attempts to mitigate potential damage.
If the plugin is still installed, remove it immediately.

NEX-Forms WordPress Plugin Vulnerable to Stored Cross-Site Scripting (CVE-2026-5063)

hello@craftedsignal.io — Sun, 03 May 2026 06:15:57 +0000

The NEX-Forms – Ultimate Forms Plugin for WordPress, versions up to and including 9.1.11, is susceptible to a stored Cross-Site Scripting (XSS) vulnerability (CVE-2026-5063). This flaw stems from inadequate input sanitization and output escaping within the submit_nex_form() function. Unauthenticated attackers can exploit this vulnerability by injecting malicious JavaScript code through POST parameter key names. Successful exploitation allows the attacker to execute arbitrary scripts in the context of a user’s browser when they access a page containing the injected script, potentially leading to session hijacking, defacement, or redirection to malicious sites. The vulnerability was reported to Wordfence and a patch has been released.

Attack Chain

The attacker crafts a malicious HTTP POST request to a WordPress page that utilizes the vulnerable NEX-Forms plugin.
The POST request includes specially crafted parameter key names designed to inject JavaScript code.
The submit_nex_form() function processes the POST request without properly sanitizing or escaping the malicious input.
The injected JavaScript code is stored in the WordPress database.
A legitimate user accesses a page where the form data, including the malicious script, is displayed.
The stored JavaScript code executes within the user’s browser in the context of the WordPress page.
The attacker can then perform actions such as stealing cookies, redirecting the user, or modifying the page content.

Impact

Successful exploitation of this stored XSS vulnerability allows an unauthenticated attacker to inject arbitrary JavaScript code into pages using the NEX-Forms plugin. This can lead to various malicious outcomes, including user session hijacking, website defacement, or redirection to phishing sites. As the vulnerability is stored, every user who visits a page containing the malicious script will be affected until the vulnerability is patched and the malicious input is removed. The severity is rated as HIGH with a CVSS base score of 7.2.

Recommendation

Upgrade the NEX-Forms – Ultimate Forms Plugin for WordPress to a version beyond 9.1.11 to patch CVE-2026-5063.
Deploy the Sigma rule Detect Suspicious NEX-Forms POST Requests to identify potential exploitation attempts.
Monitor web server logs for suspicious POST requests containing potentially malicious JavaScript code in parameter names.

WordPress WCFM Plugin Vulnerable to IDOR Leading to Account Deletion

hello@craftedsignal.io — Sat, 02 May 2026 14:16:17 +0000

The WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible plugin, a popular WordPress plugin, is affected by an Insecure Direct Object Reference (IDOR) vulnerability. This flaw, present in versions up to and including 6.7.25, stems from a lack of proper validation on the customerid parameter within the wcfm_delete_wcfm_customer function. An attacker with Vendor-level privileges or higher can exploit this vulnerability to delete any user account on the WordPress instance, including those with administrative rights. This can lead to complete compromise of the affected website.

Attack Chain

An attacker authenticates to the WordPress site with Vendor-level access or higher.
The attacker crafts a malicious HTTP request targeting the wcfm_delete_wcfm_customer function.
The attacker includes the customerid parameter in the request, setting its value to the ID of the target user account they wish to delete.
Due to the missing validation on the customerid parameter, the application directly uses the provided ID to locate the user account.
The wcfm_delete_wcfm_customer function proceeds to delete the user account identified by the attacker-supplied customerid.
The targeted user account is successfully deleted from the WordPress instance.
If the deleted user account was an administrator, the attacker can effectively take control of the website.

Impact

Successful exploitation of this IDOR vulnerability allows an attacker to delete arbitrary user accounts, including those with administrative privileges. This can lead to a complete compromise of the affected WordPress website. An attacker could then deface the website, steal sensitive data, or use it to launch further attacks. Due to the popularity of the plugin, a large number of WooCommerce stores are potentially affected.

Recommendation

Apply the latest available patch or upgrade to a version of the WCFM plugin greater than 6.7.25 to remediate CVE-2026-2554.
Monitor web server logs for suspicious requests to wcfm_delete_wcfm_customer with unusual customerid values, using the Sigma rule provided below.
Implement input validation on the customerid parameter within the wcfm_delete_wcfm_customer function to prevent arbitrary user deletion.

Salon Booking System WordPress Plugin Arbitrary File Read Vulnerability

hello@craftedsignal.io — Sat, 02 May 2026 12:16:16 +0000

The Salon Booking System – Free Version plugin for WordPress, versions up to and including 10.30.25, contains an arbitrary file read vulnerability. This flaw stems from the plugin’s public booking flow, where it accepts attacker-controlled file-field values. These values are subsequently used as trusted paths when creating email attachments for booking confirmations. This allows an unauthenticated attacker to supply a path to any file accessible to the web server, triggering its inclusion as an attachment in the booking confirmation email, effectively enabling arbitrary file exfiltration. Exploitation requires no authentication and can be triggered remotely.

Attack Chain

An unauthenticated attacker accesses the public booking form of a WordPress site running the vulnerable Salon Booking System plugin.
The attacker crafts a malicious request to the booking form, injecting a file path (e.g., /etc/passwd) into a file-field parameter.
The plugin processes the booking request and stores the attacker-supplied file path.
The plugin generates a booking confirmation email.
The plugin uses the stored, attacker-controlled file path to attach the specified file to the confirmation email.
The booking confirmation email, now containing the arbitrary file as an attachment, is sent to the user who initiated the booking (which could be the attacker or an unwitting third party).
The attacker retrieves the email (if sent to the attacker) or intercepts it (if sent to a third party) and extracts the attached file.
The attacker gains unauthorized access to the contents of the exfiltrated file.

Impact

Successful exploitation of this vulnerability allows unauthenticated attackers to read arbitrary files from the affected WordPress server. This could lead to the disclosure of sensitive information, such as configuration files, database credentials, or other confidential data. The vulnerability affects versions of the Salon Booking System plugin up to and including 10.30.25. The number of affected WordPress installations is unknown, but could be substantial given the plugin’s popularity.

Recommendation

Upgrade the Salon Booking System plugin to the latest version to patch CVE-2026-6320.
Monitor web server logs (category webserver, product linux) for suspicious requests containing absolute or relative file paths in file-field parameters, using a detection rule similar to the ones provided below.
Implement strict input validation and sanitization for all user-supplied data, especially file paths.
Review and restrict file system permissions to limit the files accessible to the web server process.

Paid Memberships Pro Plugin Vulnerability Allows Unauthorized Stripe Webhook Modification

hello@craftedsignal.io — Sat, 02 May 2026 12:16:16 +0000

The Paid Memberships Pro plugin, a popular WordPress plugin for managing paid subscriptions, contains a vulnerability (CVE-2026-4100) that allows authenticated attackers with minimal privileges (Subscriber-level access) to manipulate Stripe webhook configurations. This flaw exists in versions up to and including 3.6.5 due to missing capability checks on specific AJAX handlers. An attacker exploiting this vulnerability can delete, create, or rebuild the site’s Stripe webhook, leading to significant disruptions in payment processing, subscription renewal synchronization, cancellation handling, and management of failed payments. This vulnerability puts revenue streams and customer relationships at risk for any organization using the affected plugin versions.

Attack Chain

An attacker gains Subscriber-level access to the WordPress site, either through registration or compromised credentials.
The attacker crafts a malicious AJAX request targeting the wp_ajax_pmpro_stripe_create_webhook endpoint.
Alternatively, the attacker crafts a malicious AJAX request to the wp_ajax_pmpro_stripe_delete_webhook endpoint.
Or, the attacker crafts a malicious AJAX request to the wp_ajax_pmpro_stripe_rebuild_webhook endpoint.
Due to missing capability checks, the server processes the request without proper authorization.
The Stripe webhook configuration is modified, deleted, or rebuilt based on the attacker’s request.
Legitimate payment processing and subscription management processes fail due to the altered webhook configuration.
The attacker effectively disrupts the site’s ability to collect payments and manage subscriptions.

Impact

Successful exploitation of this vulnerability allows an attacker to completely disrupt a WordPress site’s payment processing and subscription management functionalities. This can result in significant financial losses due to interrupted sales and subscription renewals. Furthermore, the disruption can damage customer trust and lead to churn as users experience issues with their subscriptions. The vulnerability affects all sites using Paid Memberships Pro plugin versions up to 3.6.5.

Recommendation

Immediately update the Paid Memberships Pro plugin to the latest version to patch CVE-2026-4100.
Monitor WordPress web server logs for POST requests to /wp-admin/admin-ajax.php with the action parameter set to pmpro_stripe_create_webhook, pmpro_stripe_delete_webhook, or pmpro_stripe_rebuild_webhook using the “Detect Suspicious PMPro Stripe Webhook AJAX Requests” Sigma rule.
Review user roles and permissions to minimize the number of users with Subscriber-level access as a temporary mitigation.

Geo Mashup WordPress Plugin Vulnerable to Time-Based SQL Injection (CVE-2026-4062)

hello@craftedsignal.io — Sat, 02 May 2026 12:16:16 +0000

The Geo Mashup plugin for WordPress, in versions up to and including 1.13.18, contains a Time-Based SQL Injection vulnerability (CVE-2026-4062). The vulnerability exists within the ‘object_ids’ and ’exclude_object_ids’ parameters. Insufficient escaping of user-supplied input, specifically within the IN(...) and NOT IN(...) SQL context, coupled with inadequate preparation of the existing SQL query, allows for the injection. The esc_sql() function is applied but is rendered ineffective due to its inability to protect against parenthesis or SQL keyword injection within the unquoted IN(...) / NOT IN(...) context. A numeric-only sanitizer exists in sanitize_query_args(), but this is only applied in the AJAX code path and not in the render-map.php or template tag code paths. This flaw enables unauthenticated attackers to append malicious SQL queries, facilitating the extraction of sensitive information from the WordPress database through a time-based blind SQL injection technique.

Attack Chain

An unauthenticated attacker identifies the vulnerable Geo Mashup plugin running on a WordPress site.
The attacker crafts a malicious HTTP request targeting an endpoint that utilizes the ‘object_ids’ or ’exclude_object_ids’ parameters.
The attacker injects a time-based SQL injection payload into the ‘object_ids’ or ’exclude_object_ids’ parameter. This payload leverages SQL functions like SLEEP() or BENCHMARK() to introduce delays based on conditional SQL logic.
The vulnerable code fails to properly sanitize the injected SQL code due to the ineffective esc_sql() function in the IN/NOT IN context.
The injected SQL payload is appended to the existing SQL query executed by the Geo Mashup plugin.
The database server executes the combined query, including the injected time-based SQL injection.
The attacker monitors the response time of the HTTP request. A delayed response indicates that the injected SQL logic evaluated to true.
By repeatedly sending requests with different SQL injection payloads, the attacker can extract sensitive information from the database one character at a time.

Impact

Successful exploitation of this vulnerability can lead to the complete compromise of the WordPress database. An attacker can extract sensitive information such as user credentials, API keys, configuration details, and other confidential data. This can result in data breaches, unauthorized access to the WordPress site, and potential further attacks on connected systems. The CVSS v3.1 base score for this vulnerability is 7.5, indicating a high severity.

Recommendation

Upgrade the Geo Mashup plugin to a version greater than 1.13.18 to remediate CVE-2026-4062.
Deploy the Sigma rule Detect Geo Mashup Time-Based SQL Injection Attempts to identify potential exploitation attempts targeting the vulnerable parameters.
Monitor web server logs for suspicious requests containing SQL injection payloads in the ‘object_ids’ or ’exclude_object_ids’ parameters to detect exploitation attempts.

Geo Mashup WordPress Plugin Vulnerable to Time-Based SQL Injection (CVE-2026-4061)

hello@craftedsignal.io — Sat, 02 May 2026 12:16:16 +0000

The Geo Mashup plugin for WordPress is vulnerable to time-based SQL injection, as detailed in CVE-2026-4061. This vulnerability affects all versions of the plugin up to and including 1.13.18. The root cause lies in the SearchResults hook, where the map_post_type parameter is mishandled. Specifically, the code first calls stripslashes_deep($_POST), effectively removing WordPress’s magic quotes protection. Subsequently, the unsanitized map_post_type value is directly concatenated into an IN(...) clause without proper escaping using esc_sql() or $wpdb->prepare(). While the ‘any’ branch of the code correctly applies array_map('esc_sql', ...), the alternative branch lacks this crucial sanitization step. Successful exploitation requires the Geo Search feature to be enabled in the plugin’s settings. This vulnerability allows unauthenticated attackers to inject malicious SQL queries, potentially leading to the extraction of sensitive database information through time-based blind techniques.

Attack Chain

The attacker identifies a WordPress site using a vulnerable version of the Geo Mashup plugin (<= 1.13.18) with the Geo Search feature enabled.
The attacker crafts a malicious HTTP POST request targeting the SearchResults hook with a specially crafted map_post_type parameter containing SQL injection payload.
The vulnerable code within the Geo Mashup plugin processes the POST request, removing magic quotes using stripslashes_deep($_POST).
The unsanitized map_post_type value is then concatenated directly into an SQL query within an IN(...) clause without proper escaping.
The injected SQL code executes within the database query, allowing the attacker to manipulate the query’s behavior.
The attacker uses time-based SQL injection techniques (e.g., IF(condition, SLEEP(5), 0)) within the injected payload to infer information based on the response time.
By repeatedly sending modified requests and observing the response times, the attacker can extract sensitive data, character by character, from the database.
The attacker extracts sensitive information such as usernames, passwords, API keys, or other confidential data stored in the WordPress database.

Impact

Successful exploitation of this vulnerability allows unauthenticated attackers to extract sensitive information from the WordPress database. The severity of the impact depends on the sensitivity of the data stored in the database, but could include exposure of user credentials, confidential business data, or other sensitive information. Because it affects any installation with the Geo Search feature enabled, a large number of websites using the Geo Mashup plugin may be vulnerable. The CVSS v3.1 base score is 7.5, indicating a high severity vulnerability.

Recommendation

Upgrade the Geo Mashup plugin to the latest version (later than 1.13.18) to patch CVE-2026-4061.
Deploy the provided Sigma rule to detect potential exploitation attempts targeting the vulnerable SearchResults hook using a malicious map_post_type parameter.
Review web server logs for suspicious POST requests to /wp-admin/admin-ajax.php (common AJAX endpoint in WordPress) containing potentially malicious SQL injection payloads in the map_post_type parameter.

WordPress Widget Options Plugin Remote Code Execution Vulnerability (CVE-2026-2052)

hello@craftedsignal.io — Sat, 02 May 2026 08:16:27 +0000

The Widget Options – Advanced Conditional Visibility for Gutenberg Blocks & Classic Widgets plugin, versions 4.2.2 and earlier, contains a Remote Code Execution (RCE) vulnerability (CVE-2026-2052). This flaw stems from the plugin’s Display Logic feature, which utilizes the eval() function to process user-supplied expressions. The plugin’s implemented blocklist/allowlist is insufficient, making it bypassable through techniques involving array_map with string concatenation. Furthermore, the plugin lacks proper authorization enforcement on the extended_widget_opts_block attribute. This vulnerability allows authenticated attackers with Contributor-level access or higher to inject and execute arbitrary code on the underlying server. The vendor partially addressed this vulnerability in version 4.2.0.

Attack Chain

An attacker authenticates to the WordPress application as a Contributor or higher-level user.
The attacker navigates to the Widget Options settings within the WordPress admin panel.
The attacker crafts a malicious Display Logic expression designed to execute arbitrary PHP code. This involves bypassing the blocklist/allowlist using techniques such as array_map and string concatenation.
The attacker injects the malicious Display Logic expression into the extended_widget_opts_block attribute.
The WordPress application processes the widget options, including the malicious Display Logic expression. Due to the lack of proper sanitization and authorization, the eval() function executes the attacker-supplied PHP code.
The attacker’s code executes with the permissions of the web server user, potentially allowing the attacker to read or write files, execute system commands, or compromise the entire server.
The attacker may establish persistence by writing a backdoor to a file on the server or by creating a new administrator account.

Impact

Successful exploitation of CVE-2026-2052 allows an attacker to execute arbitrary code on the WordPress server. This can lead to complete compromise of the website, including data theft, defacement, and the installation of malware. Since the vulnerability requires Contributor access or higher, the impact is significant if such accounts are compromised through other means (e.g., phishing, credential stuffing). The lack of proper input sanitization and authorization makes this a critical vulnerability.

Recommendation

Upgrade the “The Widget Options – Advanced Conditional Visibility for Gutenberg Blocks & Classic Widgets” plugin to the latest version to patch CVE-2026-2052.
Deploy the Sigma rule “Detect WordPress Widget Options RCE Attempt” to your SIEM to detect exploitation attempts.
Review user roles and permissions to minimize the number of users with Contributor or higher-level access.
Monitor web server logs for unusual activity, particularly requests to /wp-admin/options.php related to widget options.

PixelYourSite Pro WordPress Plugin SSRF Vulnerability (CVE-2026-7049)

hello@craftedsignal.io — Sat, 02 May 2026 06:16:04 +0000

CVE-2026-7049 is a server-side request forgery (SSRF) vulnerability found in the PixelYourSite Pro WordPress plugin. Specifically, all versions up to and including 12.5.0.1 are affected. This vulnerability allows unauthenticated attackers to send requests to arbitrary internal or external resources, as viewed from the web server. Although the fetched response bodies are not directly returned to the attacker (making it a blind SSRF), the application parses these responses internally, creating opportunities for reconnaissance and potentially for exploiting vulnerable internal services. Successful exploitation could expose sensitive information or allow unauthorized modification of internal systems.

Attack Chain

An unauthenticated attacker identifies the scan_video parameter as an SSRF entry point.
The attacker crafts a malicious HTTP request targeting the WordPress server with the vulnerable PixelYourSite Pro plugin. The request includes the scan_video parameter set to a URL pointing to an internal resource (e.g., internal IP address or hostname).
The WordPress server receives the malicious request.
The PixelYourSite Pro plugin processes the request and initiates an HTTP request to the URL specified in the scan_video parameter.
The WordPress server makes a request to the internal resource.
The response from the internal resource is received by the WordPress server.
The PixelYourSite Pro plugin parses the response body, potentially revealing information about the internal service.
Depending on the targeted internal service and the attacker’s crafted request, the attacker might be able to modify information or execute commands on the internal service, even though the response is not directly returned to the attacker.

Impact

Successful exploitation of CVE-2026-7049 allows an unauthenticated attacker to perform reconnaissance of internal network resources. The blind nature of the SSRF limits the attacker’s immediate visibility into the response, but internal parsing of the response allows for potential information disclosure and exploitation of vulnerable internal services. The scope of the impact depends heavily on the configuration of the internal network and the services exposed.

Recommendation

Upgrade the PixelYourSite Pro plugin to a version greater than 12.5.0.1 to patch CVE-2026-7049.
Deploy the Sigma rule Detect Suspicious PixelYourSite Pro SSRF Attempts to monitor for exploitation attempts targeting the scan_video parameter.
Review and restrict internal network access to sensitive services to mitigate the potential impact of SSRF vulnerabilities.

Gravity Forms Plugin Stored XSS Vulnerability (CVE-2026-5113)

hello@craftedsignal.io — Sat, 02 May 2026 06:16:04 +0000

The Gravity Forms plugin for WordPress, a popular form builder, contains a stored cross-site scripting (XSS) vulnerability identified as CVE-2026-5113. This flaw affects versions up to and including 2.10.0. The vulnerability stems from a flawed state validation mechanism combined with insufficient output escaping within the Consent field’s hidden inputs. An unauthenticated attacker can exploit this by injecting malicious JavaScript code into form entries. This malicious code is then executed when an authenticated administrator accesses the Entries List page within the WordPress administration panel, potentially leading to account compromise or other malicious actions performed within the administrator’s session. Successful exploitation allows attackers to execute arbitrary web scripts in the context of an administrator’s browser.

Attack Chain

An unauthenticated attacker crafts a malicious payload containing XSS code within a Gravity Forms Consent field. The payload leverages HTML tags like that wp_kses() will strip.
The attacker submits the crafted form entry to the WordPress site.
The Gravity Forms plugin’s state validation mechanism calculates two hashes: one for the raw input and another after sanitization via wp_kses().
Due to the nature of the XSS payload, the wp_kses() function strips the tag, resulting in a matching hash for the sanitized input.
The flawed validation logic fails to detect the malicious intent because at least one hash matches the original state, allowing the malicious raw value (containing the XSS payload) to be stored in the database.
An authenticated administrator logs into the WordPress administration panel.
The administrator navigates to the Entries List page for the affected Gravity Form.
The stored malicious consent label is retrieved from the database and output without proper escaping, causing the XSS payload to execute within the administrator’s browser session.

Impact

Successful exploitation of CVE-2026-5113 allows unauthenticated attackers to execute arbitrary web scripts within the context of an authenticated administrator’s browser session. This can lead to a variety of malicious outcomes, including account compromise, data theft, modification of website content, or further propagation of the attack to other administrative users. The severity of the impact depends on the privileges held by the compromised administrator account.

Recommendation

Upgrade the Gravity Forms plugin to the latest version, which includes a fix for CVE-2026-5113.
Implement a Web Application Firewall (WAF) rule to filter out requests containing potentially malicious XSS payloads targeting the Gravity Forms Consent field.
Monitor web server logs for suspicious activity related to form submissions containing encoded or obfuscated JavaScript code. Analyze HTTP request parameters for unusual characters or patterns indicative of XSS attempts.
Enable output escaping on form entries to prevent stored XSS attacks.

WP Mail Gateway Plugin Vulnerability Leads to Privilege Escalation

hello@craftedsignal.io — Sat, 02 May 2026 05:16:01 +0000

The WP Mail Gateway plugin, a WordPress extension, contains a vulnerability (CVE-2026-6963) that allows authenticated users with minimal privileges (Subscriber level or higher) to gain administrative access. The flaw resides in the wmg_save_provider_config AJAX action, which lacks proper authorization checks. This omission enables attackers to manipulate SMTP settings, redirect outgoing emails, and ultimately trigger password reset emails intended for administrators. The vulnerability affects all versions of the WP Mail Gateway plugin up to and including version 1.8. Successful exploitation grants attackers complete control over the WordPress site, making it a critical security concern for any organization using the vulnerable plugin.

Attack Chain

An attacker logs into a WordPress site with a Subscriber-level account or higher.
The attacker crafts a malicious AJAX request targeting the wmg_save_provider_config action.
This request modifies the SMTP settings, redirecting outgoing emails to an attacker-controlled server.
The attacker initiates a password reset request for an administrator account.
The password reset email is intercepted by the attacker’s server.
The attacker uses the password reset link to gain access to the administrator’s account.
The attacker logs into the WordPress dashboard with administrator privileges.
The attacker can now perform any administrative action, including installing malicious plugins, modifying site content, or creating new administrator accounts.

Impact

Successful exploitation of CVE-2026-6963 allows an attacker to completely compromise a WordPress website. Even low-privileged users can elevate their access to administrator, giving them full control over the site. This can lead to data breaches, website defacement, malware deployment, and other malicious activities. The vulnerability affects all installations of the WP Mail Gateway plugin up to version 1.8, potentially impacting thousands of WordPress sites.

Recommendation

Upgrade the WP Mail Gateway plugin to a version beyond 1.8 to patch CVE-2026-6963.
Monitor WordPress logs for suspicious AJAX requests targeting the wmg_save_provider_config action using the Sigma rule provided below. Enable webserver logging to capture HTTP POST requests.
Implement the provided Sigma rule to detect modifications to WordPress options related to SMTP configuration. Enable relevant logging for registry modifications.

WordPress Import and Export Users Plugin Privilege Escalation Vulnerability

hello@craftedsignal.io — Sat, 02 May 2026 05:16:01 +0000

The Import and export users and customers plugin for WordPress, a plugin used to manage user data, is vulnerable to privilege escalation. This vulnerability, identified as CVE-2026-7641, affects all versions of the plugin up to and including 2.0.8. The vulnerability stems from an incomplete blocklist in the save_extra_user_profile_fields() function. This function fails to adequately filter meta keys for subsites within a WordPress Multisite network, allowing attackers to manipulate user roles. Successful exploitation allows authenticated attackers with Subscriber-level access or higher to escalate their privileges to Administrator on any subsite within the Multisite network. Exploitation requires the targeted WordPress instance to be part of a Multisite network and have specific settings enabled.

Attack Chain

An administrator imports a CSV file containing multisite-prefixed capability column headers (e.g., wp_2_capabilities) using the affected plugin.
The administrator enables the “Show fields in profile?” option within the plugin settings. This action stores the imported column headers (including the multisite capabilities) in the acui_columns option.
A low-privileged user (e.g., Subscriber) authenticates to the WordPress subsite.
The attacker navigates to their user profile page (/wp-admin/profile.php). The plugin displays the previously imported multisite capability fields as editable options on the profile page.
The attacker crafts a profile update request, setting the value of the wp_{subsite_id}_capabilities meta key to a:1:{s:13:"administrator";b:1;} which grants administrator privileges.
The attacker submits the crafted profile update to /wp-admin/profile.php.
The save_extra_user_profile_fields() function processes the update. Due to the incomplete blocklist, the function fails to prevent the modification of the wp_{subsite_id}_capabilities meta key.
The update_user_meta() function writes the attacker-controlled value directly to the user’s metadata, granting them Administrator privileges on the specified subsite.

Impact

Successful exploitation of CVE-2026-7641 allows an attacker to gain complete control over a WordPress subsite within a Multisite network. This can lead to unauthorized access to sensitive data, modification of website content, installation of malicious plugins or themes, and potential compromise of the entire Multisite network. Given the widespread use of WordPress and the Import and export users and customers plugin, a successful attack can have significant repercussions for affected organizations.

Recommendation

Upgrade the Import and export users and customers plugin to the latest version to patch CVE-2026-7641.
Apply the Sigma rule WordPress Multisite Privilege Escalation via Profile Update to detect exploitation attempts against /wp-admin/profile.php.
Review the acui_columns option in the WordPress database to identify any instances where multisite-prefixed capability column headers have been imported, and remove those fields.
Monitor WordPress user profile updates for unusual modifications to user capabilities using the WordPress User Role Change Detection rule.

WordPress User Registration Advanced Fields Plugin Arbitrary File Upload Vulnerability

hello@craftedsignal.io — Sat, 02 May 2026 05:16:00 +0000

The User Registration Advanced Fields plugin for WordPress, specifically versions up to and including 1.6.20, contains an arbitrary file upload vulnerability (CVE-2026-4882) due to insufficient file type validation in the URAF_AJAX::method_upload function. This flaw enables unauthenticated attackers to upload any file type to the affected server, which can lead to remote code execution if the uploaded file is strategically placed and executed. The vulnerability is exploitable only if a “Profile Picture” field is active within the registration form. This poses a significant threat to websites using the plugin, as attackers can potentially gain full control of the server.

Attack Chain

An unauthenticated attacker identifies a WordPress site using the vulnerable User Registration Advanced Fields plugin (<= 1.6.20) with the “Profile Picture” field enabled.
The attacker crafts a malicious HTTP request to the URAF_AJAX::method_upload function, bypassing any client-side file type checks.
The attacker uploads a web shell (e.g., a PHP file) disguised as a legitimate file type or without any extension to evade basic detection mechanisms.
The vulnerable plugin saves the file to the WordPress uploads directory without proper validation.
The attacker identifies the exact file path of the uploaded web shell on the server.
The attacker sends another HTTP request directly to the uploaded web shell.
The web shell executes on the server, providing the attacker with remote code execution capabilities.
The attacker can then leverage the web shell to perform various malicious activities, such as installing malware, defacing the website, or exfiltrating sensitive data.

Impact

Successful exploitation of this vulnerability (CVE-2026-4882) allows unauthenticated attackers to upload arbitrary files to a vulnerable WordPress website, potentially leading to remote code execution. This can result in complete compromise of the affected website, including data theft, website defacement, and malware infections. The CVSS v3.1 base score for this vulnerability is 9.8, indicating a critical severity level. The impact includes potential damage to reputation, financial losses, and legal liabilities.

Recommendation

Upgrade the User Registration Advanced Fields plugin to the latest version (greater than 1.6.20) to patch CVE-2026-4882.
Implement file type validation on the server-side, restricting allowed file extensions for profile picture uploads.
Monitor web server logs for suspicious file upload activity targeting the URAF_AJAX::method_upload function to detect potential exploitation attempts. Deploy the Sigma rule Detect Suspicious WordPress File Uploads to your SIEM.
Implement strict file permission policies to prevent uploaded files from being executed as scripts.

WP Editor Plugin CSRF Vulnerability

hello@craftedsignal.io — Fri, 01 May 2026 12:16:16 +0000

The WP Editor plugin, a WordPress plugin, contains a Cross-Site Request Forgery (CSRF) vulnerability affecting versions up to and including 1.2.9.2. This vulnerability stems from a lack of nonce verification in the ‘add_plugins_page’ and ‘add_themes_page’ functions. An unauthenticated attacker can exploit this vulnerability by crafting a malicious request designed to overwrite arbitrary plugin and theme PHP files with attacker-controlled code. The success of this attack hinges on the attacker’s ability to deceive a site administrator into triggering the forged request, typically by clicking a specially crafted link. This flaw allows for potential arbitrary code execution on the targeted WordPress site.

Attack Chain

The attacker identifies a vulnerable WordPress site running a WP Editor plugin version <= 1.2.9.2.
The attacker crafts a malicious HTTP request targeting the ‘add_plugins_page’ or ‘add_themes_page’ functions. This request includes parameters designed to overwrite a specific plugin or theme PHP file with attacker-supplied code.
The attacker social engineers a WordPress administrator into clicking a malicious link or visiting a compromised website containing the forged request. This could be achieved via phishing emails or other deceptive techniques.
If the administrator is logged into the WordPress dashboard, their browser automatically sends the forged request to the vulnerable WordPress site.
Due to the missing nonce verification, the WordPress site processes the request without validating its origin.
The target plugin or theme PHP file is overwritten with the attacker’s malicious code.
The attacker’s code is executed when the plugin or theme is loaded or accessed.
The attacker achieves arbitrary code execution on the WordPress server, potentially leading to complete site compromise.

Impact

Successful exploitation of this CSRF vulnerability allows an unauthenticated attacker to inject arbitrary PHP code into a WordPress website. This can lead to a full compromise of the website, including data theft, defacement, or the installation of backdoors for persistent access. Given the widespread use of WordPress and the WP Editor plugin, a large number of websites are potentially at risk. Successful attacks can result in significant reputational damage and financial losses for affected website owners.

Recommendation

Upgrade the WP Editor plugin to the latest available version, which includes a fix for CVE-2026-3772.
Implement strong CSRF protection measures on all WordPress forms and administrative functions.
Deploy the provided Sigma rule to detect attempts to exploit this vulnerability through suspicious requests to the add_plugins_page or add_themes_page endpoints.

WordPress Temporary Login Plugin Authentication Bypass (CVE-2026-7567)

hello@craftedsignal.io — Fri, 01 May 2026 10:15:58 +0000

CVE-2026-7567 is an authentication bypass vulnerability that affects the Temporary Login plugin for WordPress, specifically versions up to and including 1.0.0. The vulnerability stems from a failure to properly validate the ’temp-login-token’ GET parameter within the maybe_login_temporary_user() function. By supplying an array as the value for this parameter, attackers can circumvent the intended empty() check. This leads to the sanitize_key() function returning an empty string, which is then used in a database query to fetch users. WordPress ignores empty meta_value parameters, causing the query to return all users with the _temporary_login_token meta key. Consequently, an unauthenticated attacker can effectively authenticate as any user with an active temporary login session by sending a single, maliciously crafted GET request. This poses a severe risk to website security, as it allows unauthorized access to user accounts and potentially sensitive data.

Attack Chain

An unauthenticated attacker identifies a WordPress site using the vulnerable Temporary Login plugin (version <= 1.0.0).
The attacker crafts a malicious GET request targeting the WordPress site’s login endpoint, including the ’temp-login-token’ parameter as an array (e.g., temp-login-token[]=).
The web server receives the GET request.
The maybe_login_temporary_user() function processes the request.
Due to improper input validation, the empty() check is bypassed when the ’temp-login-token’ parameter is an array.
sanitize_key() processes the array and returns an empty string as the meta_value.
WordPress executes a database query using the empty meta_value, effectively retrieving all users with active temporary login tokens.
The attacker is granted unauthorized access to the account of a targeted temporary user, bypassing normal authentication procedures.

Impact

Successful exploitation of CVE-2026-7567 allows unauthenticated attackers to bypass login restrictions and gain unauthorized access to WordPress user accounts utilizing the vulnerable Temporary Login plugin. The severity is high, as it allows complete compromise of user accounts without requiring any valid credentials. The impact includes potential data theft, account takeover, website defacement, and other malicious activities, depending on the privileges of the compromised user account.

Recommendation

Apply the available patch or upgrade the Temporary Login plugin to a version greater than 1.0.0 to remediate CVE-2026-7567.
Deploy the Sigma rule Detect WordPress Temporary Login Authentication Bypass Attempt to detect exploitation attempts by monitoring HTTP requests with array-based temp-login-token parameters in the query string.
Implement input validation on the web server to reject requests containing array-based parameters where scalar strings are expected.

Otter Blocks Plugin Purchase Verification Bypass Vulnerability (CVE-2026-2892)

hello@craftedsignal.io — Mon, 24 Jun 2024 12:00:00 +0000

The Otter Blocks plugin, a popular WordPress extension, is susceptible to a purchase verification bypass vulnerability identified as CVE-2026-2892. This flaw affects all versions up to and including 3.1.4. The vulnerability stems from the plugin’s reliance on an unsigned cookie, ‘o_stripe_data’, to determine Stripe product ownership for unauthenticated users. The ‘get_customer_data’ method uses this cookie, and the subsequent ‘check_purchase’ method trusts its contents without proper server-side validation against the Stripe API. This lack of verification enables attackers to gain unauthorized access to purchase-gated content. The target product ID is often exposed in the checkout block’s HTML source, further simplifying the exploit. Successful exploitation allows attackers to bypass payment requirements, potentially impacting content creators and businesses relying on the plugin for revenue generation.

Attack Chain

An unauthenticated attacker identifies a WordPress site using the vulnerable Otter Blocks plugin (version <= 3.1.4).
The attacker examines the HTML source code of a checkout block on the target site to identify the target product ID.
The attacker crafts a malicious ‘o_stripe_data’ cookie containing the target product ID.
The attacker sets the forged ‘o_stripe_data’ cookie in their browser.
The attacker navigates to the purchase-gated content on the WordPress site.
The ‘get_customer_data’ method reads the forged ‘o_stripe_data’ cookie.
The ‘check_purchase’ method incorrectly validates the forged purchase data without server-side verification against the Stripe API.
The attacker gains unauthorized access to the purchase-gated content, bypassing the intended payment requirement.

Impact

Successful exploitation of CVE-2026-2892 allows unauthenticated attackers to bypass purchase verification mechanisms implemented by the Otter Blocks plugin. This can lead to unauthorized access to premium content, resulting in revenue loss for content creators and businesses using the plugin. The number of potentially affected websites is significant, given the popularity of WordPress and the Otter Blocks plugin. The CVSS v3.1 base score is 7.5, indicating a high severity vulnerability.

Recommendation

Upgrade the Otter Blocks plugin to a version greater than 3.1.4 to patch CVE-2026-2892.
Deploy the provided Sigma rules to detect potential exploitation attempts targeting the vulnerable plugin.
Monitor web server logs (category webserver, product linux) for suspicious cookie manipulation activity, specifically targeting the ‘o_stripe_data’ cookie.
Implement server-side validation of purchase data against the Stripe API to prevent cookie forgery attacks.

Royal Elementor Addons Plugin SSRF Vulnerability

hello@craftedsignal.io — Mon, 08 Jan 2024 12:00:00 +0000

The Royal Elementor Addons plugin, a popular WordPress extension, contains a Server-Side Request Forgery (SSRF) vulnerability (CVE-2026-6229) in versions up to and including 1.7.1057. This flaw stems from inadequate validation of user-provided URLs within the render_csv_data() function. Attackers can bypass the validation by including ‘docs.google.com/spreadsheets’ in a query parameter. The vulnerability is triggered because the plugin uses these URLs in fopen() calls without implementing adequate safeguards to prevent access to internal or private network addresses. This vulnerability enables authenticated attackers with Contributor-level access or higher to craft malicious requests, potentially exposing sensitive internal data. Successful exploitation allows attackers to probe internal network resources, access configuration files, and potentially escalate attacks further.

Attack Chain

An attacker authenticates to the WordPress site with Contributor-level access or higher.
The attacker crafts a malicious HTTP request targeting the vulnerable render_csv_data() function within the Royal Elementor Addons plugin.
The malicious request includes a user-supplied URL containing ‘docs.google.com/spreadsheets’ within a query parameter to bypass initial validation checks.
The plugin’s render_csv_data() function receives the crafted URL without proper sanitization or validation against internal or private network addresses.
The fopen() function is called with the attacker-controlled URL, initiating an outbound request from the WordPress server.
If the URL points to an internal resource, the WordPress server retrieves the resource content.
The attacker receives the content of the internal resource in the response from the WordPress server.
The attacker analyzes the retrieved content for sensitive information, such as configuration files, API keys, or internal service details.

Impact

Successful exploitation of this SSRF vulnerability (CVE-2026-6229) can lead to the exposure of sensitive internal information, potentially impacting all organizations using the Royal Elementor Addons plugin for WordPress version 1.7.1057 and below. This may include internal configuration files, API keys, database credentials, or other sensitive data accessible through internal services. The severity is high due to the potential for attackers to pivot from this vulnerability and further compromise the WordPress server or the internal network.

Recommendation

Upgrade the Royal Elementor Addons plugin to a version higher than 1.7.1057 to patch CVE-2026-6229.
Deploy the Sigma rule “Detect Royal Elementor Addons SSRF Attempt via URL Parameter” to identify malicious requests targeting the render_csv_data() function in your web server logs.
Implement strict network segmentation and firewall rules to limit access from the WordPress server to internal resources, mitigating the impact of potential SSRF vulnerabilities.

WordPress Drag and Drop File Upload Plugin Vulnerable to Arbitrary File Upload (CVE-2026-5364)

hello@craftedsignal.io — Wed, 03 Jan 2024 18:23:00 +0000

The Drag and Drop File Upload for Contact Form 7 plugin for WordPress, in versions up to and including 1.1.3, contains an arbitrary file upload vulnerability tracked as CVE-2026-5364. The flaw stems from insufficient sanitization of file extensions during the upload process. Specifically, the plugin extracts the file extension before sanitization and allows the file type parameter to be controlled by the attacker. Furthermore, validation occurs on the unsanitized extension, while the file is saved with a sanitized extension, stripping special characters like ‘$’ during the save. While an .htaccess file and name randomization are present, these restrictions may be bypassable in certain configurations or by exploiting other vulnerabilities. This vulnerability could allow unauthenticated attackers to upload arbitrary PHP files to the web server, potentially leading to remote code execution (RCE).

Attack Chain

An unauthenticated attacker identifies a WordPress website using a vulnerable version (<= 1.1.3) of the “Drag and Drop File Upload for Contact Form 7” plugin.
The attacker crafts a malicious HTTP POST request targeting the plugin’s upload endpoint, typically /wp-content/plugins/drag-and-drop-multiple-file-upload-contact-form-7/upload.php.
The POST request includes a file with a manipulated extension, such as evil.php$.jpg, where evil.php is the malicious PHP payload and $.jpg is designed to be sanitized to .jpg.
The attacker modifies the file type parameter in the request to reflect the original manipulated file extension (evil.php$.jpg).
The plugin validates the extension against administrator-configured types but, due to the unsanitized extension and attacker control over the file type parameter, the malicious file passes validation.
The plugin sanitizes the extension, removing the $ character, resulting in a file saved with the extension .php.
The attacker attempts to access the uploaded PHP file via a direct HTTP request to /wp-content/uploads/.php.
If the .htaccess restrictions are bypassed (e.g., due to misconfiguration or another vulnerability), the web server executes the malicious PHP code, granting the attacker remote code execution.

Impact

Successful exploitation of CVE-2026-5364 allows unauthenticated attackers to upload and execute arbitrary PHP code on the target WordPress server. This can lead to complete compromise of the website, including defacement, data theft, and installation of backdoors. While the presence of .htaccess and name randomization mitigates the risk, these protections may be bypassed, especially when combined with other vulnerabilities or misconfigurations. Given the widespread use of WordPress and its plugins, this vulnerability poses a significant risk to a large number of websites. The CVSS v3.1 base score is 8.1, indicating a high severity vulnerability.

Recommendation

Upgrade the “Drag and Drop File Upload for Contact Form 7” plugin to the latest version (greater than 1.1.3) to patch CVE-2026-5364.
Implement a Web Application Firewall (WAF) rule to inspect and block requests containing suspicious file extensions in the POST parameters targeting the plugin’s upload endpoint (/wp-content/plugins/drag-and-drop-multiple-file-upload-contact-form-7/upload.php).
Deploy the Sigma rule Detect Suspicious File Upload via Drag and Drop CF7 to identify exploitation attempts in web server logs (cs-uri-query).
Review and harden .htaccess configurations to ensure that PHP execution is restricted in the /wp-content/uploads/ directory.

WordPress Profile Builder Pro Plugin PHP Object Injection Vulnerability (CVE-2026-7647)

hello@craftedsignal.io — Wed, 03 Jan 2024 14:30:00 +0000

The Profile Builder Pro plugin for WordPress is susceptible to a critical PHP Object Injection vulnerability (CVE-2026-7647) affecting all versions up to and including 3.14.5. This flaw stems from the plugin’s use of the maybe_unserialize() function on the attacker-controlled args POST parameter passed to the wppb_request_users_pins_action_callback() AJAX handler. Critically, this handler lacks nonce verification, input validation, and type checking, making it accessible to unauthenticated users via both wp_ajax_ and wp_ajax_nopriv_ hooks. Successful exploitation allows remote, unauthenticated attackers to inject arbitrary PHP objects into the application’s memory space, potentially leading to remote code execution depending on available classes and application configuration. The vulnerability was published on 2026-05-02.

Attack Chain

An unauthenticated attacker identifies a WordPress site running a vulnerable version (<= 3.14.5) of the Profile Builder Pro plugin.
The attacker crafts a malicious HTTP POST request targeting the WordPress AJAX endpoint (/wp-admin/admin-ajax.php).
The POST request includes the action parameter set to wppb_request_users_pins_action_callback.
The POST request includes the args parameter containing a serialized PHP object designed to trigger arbitrary code execution upon deserialization.
The WordPress server receives the request and invokes the wppb_request_users_pins_action_callback() function.
The vulnerable function calls maybe_unserialize() on the attacker-controlled args parameter without proper sanitization or validation.
The malicious PHP object is deserialized and injected into the application’s memory space.
The injected object’s methods and properties are triggered, leading to arbitrary code execution on the server.

Impact

Successful exploitation of this vulnerability allows an unauthenticated attacker to execute arbitrary PHP code on the target WordPress server. This can lead to complete system compromise, including data theft, website defacement, and the installation of backdoors for persistent access. Given the widespread use of WordPress and the Profile Builder Pro plugin, a large number of websites are potentially at risk until the plugin is updated.

Recommendation

Upgrade the Profile Builder Pro plugin to the latest available version to patch CVE-2026-7647.
Deploy the provided Sigma rule Detect Profile Builder Pro PHP Object Injection Attempt to detect exploitation attempts targeting the vulnerable AJAX endpoint.
Monitor web server logs for POST requests to /wp-admin/admin-ajax.php with the action parameter set to wppb_request_users_pins_action_callback and suspicious serialized data in the args parameter.

Gravity Forms Plugin Unauthenticated Stored XSS Vulnerability

hello@craftedsignal.io — Wed, 03 Jan 2024 12:00:00 +0000

The Gravity Forms plugin, a widely used WordPress plugin, is susceptible to an unauthenticated stored cross-site scripting (XSS) vulnerability. This flaw, identified as CVE-2026-5110, affects versions up to and including 2.10.0. The vulnerability stems from inadequate input validation and output escaping specifically within the SingleProduct field when it is nested inside a Repeater field. This bypasses normal state validation, allowing attackers to inject malicious HTML and JavaScript into the product name field. The injected payload is then stored unsanitized in the database. This vulnerability allows unauthenticated attackers to inject arbitrary web scripts that execute whenever an administrator accesses an entry containing the malicious payload through the WordPress admin interface.

Attack Chain

An unauthenticated attacker crafts a malicious request to a WordPress endpoint utilizing the Gravity Forms plugin.
The attacker injects arbitrary HTML and JavaScript into the ‘product name’ field (input .1) of a SingleProduct field nested within a Repeater field.
Due to insufficient validation within the validate_subfield() method, the malicious input bypasses the state validation mechanism (failed_state_validation()).
The sanitize_entry_value() method returns the raw, unsanitized value because HTML is not expected for the affected field type.
The malicious input is stored in the WordPress database without proper sanitization or escaping.
An administrator accesses the Gravity Forms entries page in the WordPress admin interface (wp-admin/admin.php?page=gf_entries).
The get_value_entry_detail() method retrieves the malicious product name from the database and outputs it without proper escaping.
The stored XSS payload executes in the administrator’s browser, potentially allowing the attacker to perform actions with the administrator’s privileges.

Impact

Successful exploitation of this vulnerability allows an unauthenticated attacker to execute arbitrary JavaScript code in the context of an administrator’s browser session. This can lead to account compromise, data theft, or further malicious activities within the WordPress administration panel. The vulnerability affects all users of the Gravity Forms plugin on WordPress installations with versions up to and including 2.10.0.

Recommendation

Upgrade the Gravity Forms plugin to the latest version (greater than 2.10.0) to patch CVE-2026-5110.
Deploy the provided Sigma rule Detect Gravity Forms XSS Attempt to identify potential exploitation attempts by monitoring for specific patterns in HTTP requests.
Enable web server logging to capture detailed information about HTTP requests and responses, enabling the Sigma rule’s effectiveness.

ARMember WordPress Plugin Vulnerable to Time-Based Blind SQL Injection (CVE-2026-7649)

hello@craftedsignal.io — Wed, 03 Jan 2024 12:00:00 +0000

The ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup plugin for WordPress is susceptible to time-based blind SQL injection. This vulnerability, identified as CVE-2026-7649, affects all versions up to and including 4.0.60. The root cause lies in the inadequate escaping of the user-supplied ‘orderby’ parameter and the lack of sufficient preparation in the existing SQL query. An unauthenticated attacker can exploit this weakness by injecting malicious SQL queries, potentially leading to the extraction of sensitive information directly from the WordPress database. This presents a significant risk, as it could expose user credentials, personal data, and other confidential information stored within the database, impacting the confidentiality and integrity of the WordPress installation.

Attack Chain

An unauthenticated attacker identifies a WordPress site using the vulnerable ARMember plugin (version <= 4.0.60).
The attacker crafts a malicious HTTP request targeting a page that uses the vulnerable ‘orderby’ parameter.
The attacker injects SQL code into the ‘orderby’ parameter of the HTTP GET or POST request. This code is designed to exploit the time-based blind SQL injection vulnerability.
The ARMember plugin processes the request without properly sanitizing the ‘orderby’ parameter, allowing the injected SQL code to be executed within the database query.
The injected SQL code uses time-delay functions (e.g., SLEEP()) to determine the truthiness of conditions. Based on the response time, the attacker infers whether the injected SQL code is evaluating to true or false.
The attacker iteratively refines the injected SQL code to extract sensitive data, such as table names, column names, and data values, character by character, through observing the time delays.
The attacker dumps sensitive information from the database.
The attacker uses the extracted credentials to gain administrative access to the WordPress site.

Impact

Successful exploitation of this vulnerability allows unauthenticated attackers to extract sensitive information from the WordPress database. This includes user credentials (usernames, email addresses, and password hashes), personal data, and potentially other confidential information stored within the database. The impact could range from unauthorized access to user accounts to complete compromise of the WordPress site and its underlying data. The number of affected sites depends on the prevalence of the ARMember plugin, but given its popularity, the potential impact is widespread.

Recommendation

Apply the latest security patches provided by the ARMember plugin developers immediately to remediate CVE-2026-7649 on all WordPress installations using the plugin.
Deploy the Sigma rule “Detect ARMember SQL Injection Attempt via Orderby Parameter” to your SIEM to detect exploitation attempts against this vulnerability.
Monitor web server logs for suspicious requests containing SQL syntax in the ‘orderby’ parameter to identify potential exploitation attempts (log source: webserver).
Implement and enforce strict input validation and sanitization for all user-supplied parameters, especially those used in database queries, to prevent SQL injection vulnerabilities.

Gravity Forms Plugin Unauthenticated Stored XSS Vulnerability

hello@craftedsignal.io — Wed, 03 Jan 2024 10:00:00 +0000

The Gravity Forms plugin for WordPress, a widely used form management tool, contains a vulnerability that can be exploited by unauthenticated attackers. Specifically, versions up to and including 2.10.0 are susceptible to Stored Cross-Site Scripting (XSS) due to insufficient input validation and output escaping of Calculation Product field names within Repeater fields. This flaw resides in how the plugin processes and renders form submissions containing malicious HTML within the product name field. The vulnerability allows an attacker to inject arbitrary web scripts that execute in the context of an authenticated administrator’s session when they access the entry detail page within the WordPress admin panel. Successful exploitation enables attackers to perform actions with the privileges of the compromised administrator.

Attack Chain

An unauthenticated attacker crafts a malicious form submission.
The malicious payload is placed in the Calculation Product field’s product name (.1) within a Repeater field.
The validate() method in the GF_Field_Calculation class inadequately validates the product name field, failing to sanitize malicious HTML.
The sanitize_entry_value() method returns the raw, unsanitized value for the product name field, as HTML sanitization is not expected for this field.
The malicious form submission is saved as an entry in WordPress.
An authenticated administrator with the gravityforms_view_entries capability accesses the entry detail page in wp-admin.
The get_value_entry_detail() method concatenates the unsanitized product name directly into the output string.
The repeater’s get_value_entry_detail() method renders the unsanitized output, leading to the execution of the injected XSS payload within the administrator’s browser.

Impact

Successful exploitation allows an unauthenticated attacker to execute arbitrary JavaScript code within the context of an authenticated WordPress administrator’s session. This can lead to account takeover, data theft, or further malicious actions performed on the WordPress site. While the number of potentially affected sites is large due to the plugin’s popularity, the impact is limited to administrators who access the specific entry containing the malicious payload.

Recommendation

Upgrade the Gravity Forms plugin to a version greater than 2.10.0 to patch CVE-2026-5112.
Implement the Sigma rule Detect Gravity Forms XSS via Product Name to detect attempts to inject malicious scripts into product names.
Review and audit existing Gravity Forms entries for suspicious content in Calculation Product fields to identify potential exploitation attempts.

ExactMetrics WordPress Plugin Vulnerability Leads to Remote Code Execution

hello@craftedsignal.io — Tue, 02 Jan 2024 12:00:00 +0000

A critical vulnerability, CVE-2026-5464, exists in the ExactMetrics – Google Analytics Dashboard for WordPress (Website Stats Plugin) plugin, affecting all versions up to and including 9.1.2. The vulnerability allows authenticated attackers with Editor-level access or higher, who also possess the ’exactmetrics_view_dashboard’ capability, to install and activate arbitrary WordPress plugins from attacker-controlled URLs. This is possible due to the exposure of the ‘onboarding_key’ transient and the lack of proper authorization checks on the ’exactmetrics_connect_process’ AJAX endpoint. Successful exploitation can lead to Remote Code Execution (RCE) on the target WordPress site. This poses a significant risk to websites using the vulnerable plugin, as attackers can inject malicious code and gain full control of the affected system.

Attack Chain

An attacker gains authenticated access to a WordPress site as an Editor or Administrator.
The attacker obtains the ‘onboarding_key’ by accessing the reports page, which exposes the transient value to users with the ’exactmetrics_view_dashboard’ capability.
The attacker uses the ‘onboarding_key’ to access the ‘/wp-json/exactmetrics/v1/onboarding/connect-url’ REST endpoint, receiving a one-time hash (OTH) token.
The attacker crafts a malicious plugin ZIP file hosted on an attacker-controlled server.
The attacker sends a request to the ’exactmetrics_connect_process’ AJAX endpoint, providing the OTH token and the URL of the malicious plugin ZIP file via the ‘file’ parameter. This endpoint lacks capability checks and nonce verification.
The ExactMetrics plugin downloads the malicious plugin ZIP file from the attacker-controlled URL.
The ExactMetrics plugin installs and activates the malicious plugin.
The attacker gains Remote Code Execution on the WordPress server through the installed malicious plugin.

Impact

Successful exploitation of CVE-2026-5464 allows attackers to install arbitrary plugins on vulnerable WordPress sites, leading to Remote Code Execution. This grants the attacker complete control over the compromised website, enabling them to inject malicious code, deface the site, steal sensitive data, or use the site for further malicious activities. The number of affected websites depends on the widespread use of the ExactMetrics plugin. Organizations using this plugin are at risk of significant data breaches and reputational damage.

Recommendation

Upgrade the ExactMetrics – Google Analytics Dashboard for WordPress (Website Stats Plugin) plugin to the latest version, which patches CVE-2026-5464.
Monitor web server logs for suspicious requests to the ‘/wp-json/exactmetrics/v1/onboarding/connect-url’ REST endpoint and the ’exactmetrics_connect_process’ AJAX endpoint. Implement the Sigma rule provided below to detect exploitation attempts.
Implement strong password policies and multi-factor authentication to prevent unauthorized access to WordPress accounts.
Restrict the ’exactmetrics_view_dashboard’ capability to only the necessary users.

Brizy WordPress Plugin Unauthenticated Stored XSS Vulnerability

hello@craftedsignal.io — Tue, 02 Jan 2024 12:00:00 +0000

The Brizy – Page Builder plugin for WordPress, a popular tool for designing website pages, contains a critical vulnerability that allows unauthenticated users to inject malicious JavaScript code. Specifically, versions up to and including 2.8.11 are affected. This vulnerability arises from a combination of factors, including the lack of nonce verification for form submissions from non-logged-in users, inadequate handling of FileUpload fields when no file is actually uploaded, and the unintended reversal of security encoding through html_entity_decode() before outputting data. This allows attackers to inject arbitrary web scripts that execute in the context of a logged-in administrator viewing the form’s “Leads” page, potentially leading to account takeover, data theft, or further compromise of the WordPress site.

Attack Chain

An unauthenticated attacker crafts a malicious payload containing JavaScript code.
The attacker submits this payload through a Brizy form on the WordPress site, exploiting the missing nonce verification in the submit_form() function.
The handleFileTypeFields() function fails to properly sanitize or overwrite the attacker-supplied values when no file is attached to the form submission.
The injected payload, now stored in the WordPress database, bypasses initial htmlentities() encoding due to later html_entity_decode().
An administrator logs into the WordPress dashboard and navigates to the “Leads” page to view form submissions.
The form-data.php template retrieves the stored malicious payload from the database.
The payload is outputted directly within the href attribute of an HTML element without proper escaping using esc_url().
The injected JavaScript code executes within the administrator’s browser, potentially performing actions such as stealing cookies or redirecting the administrator to a malicious site.

Impact

Successful exploitation of this vulnerability allows an unauthenticated attacker to execute arbitrary JavaScript code in the context of a logged-in administrator’s browser. This could lead to a full compromise of the WordPress site, including the ability to create new administrative accounts, modify existing content, inject malware into the site’s pages, or steal sensitive data. The impact is significant, as it requires no user interaction beyond an administrator viewing the form submissions within the Brizy plugin.

Recommendation

Upgrade the Brizy – Page Builder plugin to the latest version to patch CVE-2026-5324.
Deploy the Sigma rule “Detect Brizy WordPress Plugin XSS Attempt via HTTP Request” to identify potential exploitation attempts in web server logs.
Review the form-data.php template and implement proper output escaping using esc_url() for all user-supplied data to prevent XSS, as mentioned in the vulnerability description.