Decryption Failure, Full Takeover: Inside the WPvivid Backup RCE (CVE-2026-1357)
A missing return-value check in WPvivid Backup and Migration turned a failed RSA decryption into an unauthenticated remote…
Category
Security
What Are CAA Records and Why Your WordPress Site Should Have Them
CAA records tell the world which Certificate Authorities are allowed to issue SSL certificates for your domain. Here…
LatePoint Agents, Admin Passwords, and One Missing Check: Inside CVE-2026-1566
A privilege escalation flaw in LatePoint lets users with the Agent role rebind customer records to the site…
CVE-2026-3585: Path Traversal in The Events Calendar Exposes Site Credentials
A path traversal vulnerability in The Events Calendar (CVE-2026-3585) shows how a skipped update and a lingering author…
CVE-2025-13486: The Unauthenticated RCE That Slipped Into 100,000 WordPress Sites
A CVSS 9.8 Remote Code Execution flaw in Advanced Custom Fields: Extended left 100,000 WordPress sites open to…
The Admin Account Nobody Created
A routine WordPress maintenance check turns up two unfamiliar admin accounts - and a 9.8 CVSS vulnerability hiding…
CVE-2024-30502: Unauthenticated SQL Injection in WP Travel Engine
CVE-2024-30502 is a CVSS 9.3 unauthenticated SQL injection in WP Travel Engine affecting versions up to 5.7.9. No…
How to Get Instant WordPress Security Alerts (Before the Damage Is Done)
Most WordPress breaches go undetected for days. Here's how to set up security alerts in Trusti Security so…
CVE-2025-69045: SQL Injection in FooEvents Requires Only a Subscriber Account
CVE-2025-69045 lets any subscriber-level user - anyone who registers a free account - run SQL commands against a…
7 WordPress Security Mistakes That Leave Your Site Wide Open
Most WordPress sites get hacked not because of sophisticated attacks, but because of simple mistakes that are easy…