#plugin-vulnerability
6 articles
Web hosting and e-commerce sites have been the primary targets in a series of plugin vulnerabilities documented in six articles from April to June 2026. The most critical flaws include CVE-2019-25763 and CVE-2026-6433, both carrying a CVSS score of 9.8, alongside CVE-2026-4782. Other notable CVEs are CVE-2021-47957 and CVE-2022-50945, each rated medium at 6.4. The coverage spans three critical, one high, and two medium-severity issues, affecting digital media and publishing sectors.
CRITICALCVE-2019-25763: WordPress Beaver Builder Plugin Authentication Bypass
CVE-2019-25763 (CVSS 9.8) allows unauthenticated attackers to hijack admin sessions in WordPress Ultimate Addons for Beaver Builder 1.2.4.1 via a crafted POST request to...
MEDIUMCookie Law Bar 1.2.1 Stored XSS Enables Cookie Theft
CVE-2021-47957 (CVSS 6.4) in Cookie Law Bar 1.2.1 lets authenticated attackers inject persistent scripts via the Bar Message field, affecting all WordPress site visitors.
HIGHAvada Builder WordPress Plugin Flaws Expose Site Credentials
CVE-2026-4782 and CVE-2026-4798 in Avada Builder (1M+ installs) let attackers read wp-config.php and extract database hashes. Patch to version 3.15.3.
CRITICALCustom css-js-php WordPress Plugin SQLi Leads to RCE (CVE-2026-6433)
CVE-2026-6433: Unauthenticated SQL injection in Custom css-js-php plugin ≤2.0.7 lets attackers execute arbitrary PHP via eval(). No patch available.
MEDIUMWordPress 3dady Stats Plugin Stored XSS Lets Attackers Hijack Sessions
CVE-2022-50945 (CVSS 6.4): Stored XSS in WordPress 3dady real-time web stats plugin 1.0 lets authenticated attackers inject JavaScript via unsanitized input fields, enabling...
CRITICALWordPress Supply Chain Attack Infects 30+ Plugins Planted Malicous Backdoor
A malicious buyer used the Flippa marketplace to acquire a plugin developer, injecting a backdoor into over 30 WordPress plugins with hundreds of thousands of installations to deploy hidden SEO spam.
Stay Updated
Get the latest cybersecurity news delivered to your inbox.