#wordpress
13 articles
E-commerce, web hosting, and publishing sectors face heightened risk from a cluster of WordPress vulnerabilities, with 13 articles published between April 13 and May 19, 2026. The archive covers four critical, five high, and four medium severity issues, including CVE-2026-4883 and CVE-2026-6433, both scoring 9.8 on the CVSS scale, alongside three medium-severity CVEs from 2021: CVE-2021-47926, CVE-2021-47927, and CVE-2021-47929. These flaws impact organizations globally across technology and digital media, with a severity mix of four critical, five medium, and four high.
[CRITICAL] CVE-2026-4883: Piotnet Forms Plugin RCE via Phar Upload
CVE-2026-4883 (CVSS 9.8) in Piotnet Forms ≤2.1.40 lets unauthenticated attackers upload .phar or .phtml files via an incomplete extension blacklist, enabling remote code execution.
[MEDIUM] Cookie Law Bar 1.2.1 Stored XSS Enables Cookie Theft
CVE-2021-47957 (CVSS 6.4) in Cookie Law Bar 1.2.1 lets authenticated attackers inject persistent scripts via the Bar Message field, affecting all WordPress site visitors.
[HIGH] Avada Builder WordPress Plugin Flaws Expose Site Credentials
CVE-2026-4782 and CVE-2026-4798 in Avada Builder (1M+ installs) let attackers read wp-config.php and extract database hashes. Patch to version 3.15.3.
[CRITICAL] Custom css-js-php WordPress Plugin SQLi Leads to RCE (CVE-2026-6433)
CVE-2026-6433: Unauthenticated SQL injection in Custom css-js-php plugin ≤2.0.7 lets attackers execute arbitrary PHP via eval(). No patch available.
[MEDIUM] Three WordPress Plugins Carry Stored XSS Flaws (CVE-2021-47926-929)
CVE-2021-47926, CVE-2021-47927, and CVE-2021-47929 each carry a CVSS 6.4 stored XSS in Filterable Portfolio Gallery, WP Symposium Pro, and Contact Form to Email; authenticated...
[MEDIUM] WordPress 3dady Stats Plugin Stored XSS Lets Attackers Hijack Sessions
CVE-2022-50945 (CVSS 6.4): Stored XSS in WordPress 3dady real-time web stats plugin 1.0 lets authenticated attackers inject JavaScript via unsanitized input fields, enabling...
[MEDIUM] WordPress Curtain Plugin CSRF Lets Attackers Toggle Maintenance Mode
CVE-2022-50955: WordPress Curtain 1.0.2 CSRF flaw lets attackers trick admins into toggling site maintenance mode via forged requests without nonce validation.
[MEDIUM] WordPress GetPaid Plugin HTML Injection Flaw CVE-2021-47948
CVE-2021-47948 (CVSS 5.4): Authenticated attackers can inject arbitrary HTML via the Help Text field in GetPaid 2.4.6, enabling stored XSS attacks on payment forms.
[CRITICAL] WordPress Supply Chain Attack Infects 30+ Plugins with Planted Malicious Backdoor
A malicious buyer used the Flippa marketplace to acquire a plugin developer, then injected a backdoor into over 30 WordPress plugins with hundreds of thousands of installations to deploy hidden SEO spam.
[HIGH] EssentialPlugin WordPress Suite Compromised to Deploy Backdoor on Thousands of
The EssentialPlugin suite, comprising over 30 popular WordPress plugins, has been compromised to inject a backdoor granting attackers administrative access to thousands of websites. The supply chain attack is actively being exploited.
[HIGH] WordPress Plugin Supply Chain Attack Deploys Backdoor After 8-Month Dormancy
A threat actor purchased a legitimate WordPress plugin business and hid a backdoor in updates for eight months before activating it, compromising thousands of sites in a sophisticated supply chain attack.
[CRITICAL] Critical WordPress Plugin Flaw Allows Unauthenticated Admin Takeover
A critical flaw (CVE-2026-1492) in the User Registration & Membership WordPress plugin allows unauthenticated attackers to bypass login and gain full administrator access, impacting thousands of sites.
[HIGH] Backdoored Smart Slider 3 Pro Update Deployed via Compromised Plugin Servers
Unknown threat actors compromised the update infrastructure for the Smart Slider 3 Pro WordPress plugin, pushing a backdoored version (3.5.1.35) to users. The attack leverages a supply chain compromise to gain administrative access.