ZCyberNews
中文

#plugin-vulnerability

6 articles

Web hosting and e-commerce sites have been the primary targets in a series of plugin vulnerabilities documented in six articles from April to June 2026. The most critical flaws include CVE-2019-25763 and CVE-2026-6433, both carrying a CVSS score of 9.8, alongside CVE-2026-4782. Other notable CVEs are CVE-2021-47957 and CVE-2022-50945, each rated medium at 6.4. The coverage spans three critical, one high, and two medium-severity issues, affecting digital media and publishing sectors.

WordPress admin dashboard login screen illustrating session hijacking riskCRITICAL
Vulnerabilities

CVE-2019-25763: WordPress Beaver Builder Plugin Authentication Bypass

CVE-2019-25763 (CVSS 9.8) allows unauthenticated attackers to hijack admin sessions in WordPress Ultimate Addons for Beaver Builder 1.2.4.1 via a crafted POST request to...

CVE-2019-25763
3 min read
Cookie Law Bar 1.2.1 Stored XSS Enables Cookie TheftMEDIUM
Vulnerabilities

Cookie Law Bar 1.2.1 Stored XSS Enables Cookie Theft

CVE-2021-47957 (CVSS 6.4) in Cookie Law Bar 1.2.1 lets authenticated attackers inject persistent scripts via the Bar Message field, affecting all WordPress site visitors.

CVE-2021-47957
3 min read
Avada Builder WordPress Plugin Flaws Expose Site CredentialsHIGH
Vulnerabilities

Avada Builder WordPress Plugin Flaws Expose Site Credentials

CVE-2026-4782 and CVE-2026-4798 in Avada Builder (1M+ installs) let attackers read wp-config.php and extract database hashes. Patch to version 3.15.3.

CVE-2026-4782CVE-2026-4798
3 min read
Custom css-js-php WordPress Plugin SQLi Leads to RCE (CVE-2026-6433)CRITICAL
Vulnerabilities

Custom css-js-php WordPress Plugin SQLi Leads to RCE (CVE-2026-6433)

CVE-2026-6433: Unauthenticated SQL injection in Custom css-js-php plugin ≤2.0.7 lets attackers execute arbitrary PHP via eval(). No patch available.

CVE-2026-6433
3 min read
WordPress 3dady Stats Plugin Stored XSS Lets Attackers Hijack SessionsMEDIUM
Vulnerabilities

WordPress 3dady Stats Plugin Stored XSS Lets Attackers Hijack Sessions

CVE-2022-50945 (CVSS 6.4): Stored XSS in WordPress 3dady real-time web stats plugin 1.0 lets authenticated attackers inject JavaScript via unsanitized input fields, enabling...

CVE-2022-50945
3 min read
WordPress Supply Chain Attack Infects 30+ Plugins Planted Malicous Backdoor CRITICAL
Threat Intel

WordPress Supply Chain Attack Infects 30+ Plugins Planted Malicous Backdoor

A malicious buyer used the Flippa marketplace to acquire a plugin developer, injecting a backdoor into over 30 WordPress plugins with hundreds of thousands of installations to deploy hidden SEO spam.

6 min read

Stay Updated

Get the latest cybersecurity news delivered to your inbox.