CVE-2026-1555 – Unauthenticated File Upload in WebStack Theme Gives Attackers Full Server Access
If you run a WordPress site using the WebStack theme, there is no patch available for a critical…
Category
CVE
Security vulnerability reports and CVE analysis for WordPress plugins, themes, and core.
CVE-2026-4119: Authorization Bypass in Create DB Tables Plugin Exposes WordPress Databases
CVE-2026-4119 Create DB Tables. A critical authorization bypass vulnerability affects the Create DB Tables WordPress plugin. The disclosure…
CVE-2025-4665: Pre-Authentication SQL Injection in CFDB7 Puts 600,000+ WordPress Sites at Risk
A critical SQL injection flaw (CVSS 9.6) in the Contact Form CFDB7 Database Addon plugin allows unauthenticated attackers…
CVE-2026-0740: Inside the Ninja Forms File Upload Flaw Under Mass Exploitation
On April 6, 2026, Wordfence publicly disclosed a critical unauthenticated arbitrary file upload vulnerability in the Ninja Forms…
Decryption Failure, Full Takeover: Inside the WPvivid Backup RCE (CVE-2026-1357)
A missing return-value check in WPvivid Backup and Migration turned a failed RSA decryption into an unauthenticated remote…
LatePoint Agents, Admin Passwords, and One Missing Check: Inside CVE-2026-1566
A privilege escalation flaw in LatePoint lets users with the Agent role rebind customer records to the site…
CVE-2026-3585: Path Traversal in The Events Calendar Exposes Site Credentials
A path traversal vulnerability in The Events Calendar (CVE-2026-3585) shows how a skipped update and a lingering author…
CVE-2025-13486: The Unauthenticated RCE That Slipped Into 100,000 WordPress Sites
A CVSS 9.8 Remote Code Execution flaw in Advanced Custom Fields: Extended left 100,000 WordPress sites open to…
CVE-2024-30502: Unauthenticated SQL Injection in WP Travel Engine
CVE-2024-30502 is a CVSS 9.3 unauthenticated SQL injection in WP Travel Engine affecting versions up to 5.7.9. No…