#plugin-vulnerability
5 articles
Web hosting and e-commerce sites have been the primary targets in a recent wave of plugin vulnerabilities, with five CVEs reported between April 17 and May 17, 2026. The most critical is CVE-2026-6433, with a CVSS score of 9.8, alongside CVE-2026-4782 and CVE-2026-4798. Two medium-severity vulnerabilities, CVE-2021-47957 and CVE-2022-50945, round out the set: two medium, one high, and two critical severity issues affecting the digital media, publishing, and technology sectors.
MEDIUM: Cookie Law Bar 1.2.1 Stored XSS Enables Cookie Theft
CVE-2021-47957 (CVSS 6.4) in Cookie Law Bar 1.2.1 lets authenticated attackers inject persistent scripts via the Bar Message field, affecting all WordPress site visitors.
HIGH: Avada Builder WordPress Plugin Flaws Expose Site Credentials
CVE-2026-4782 and CVE-2026-4798 in Avada Builder (1M+ installs) let attackers read wp-config.php and extract database hashes. Patch to version 3.15.3.
CRITICAL: Custom css-js-php WordPress Plugin SQLi Leads to RCE (CVE-2026-6433)
CVE-2026-6433: Unauthenticated SQL injection in Custom css-js-php plugin ≤2.0.7 lets attackers execute arbitrary PHP via eval(). No patch available.
MEDIUM: WordPress 3dady Stats Plugin Stored XSS Lets Attackers Hijack Sessions
CVE-2022-50945 (CVSS 6.4): Stored XSS in WordPress 3dady real-time web stats plugin 1.0 lets authenticated attackers inject JavaScript via unsanitized input fields, enabling...
CRITICAL: WordPress Supply Chain Attack Infects 30+ Plugins With Planted Malicious Backdoor
A malicious buyer used the Flippa marketplace to acquire a plugin developer, injecting a backdoor into over 30 WordPress plugins with hundreds of thousands of installations to deploy hidden SEO spam.