Skip to main content
CVE-2026-3376 HIGH POC This Week

Remote code execution in Tenda F453 firmware (v1.0.0.3) via a buffer overflow in the SafeMacFilter function allows authenticated attackers to execute arbitrary code with full system privileges. The vulnerability stems from insufficient input validation on the page parameter in the /goform/SafeMacFilter endpoint and can be exploited remotely over the network. Public exploit code exists and no patch is currently available.

Buffer Overflow F453 Firmware
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-28562 HIGH This Week

Unauthenticated SQL injection in wpForo 2.4.14 allows remote attackers to extract sensitive data from WordPress databases through the wpfob parameter via blind boolean-based attacks. The vulnerability exploits inadequate sanitization of ORDER BY clause identifiers, enabling credential theft without authentication. No patch is currently available for affected installations.

WordPress SQLi Wpforo Forum
NVD
CVSS 3.1
8.2
EPSS
0.0%
CVE-2025-13673 HIGH This Week

The Tutor LMS - eLearning and online course solution plugin for WordPress is vulnerable to SQL Injection via the 'coupon_code' parameter in all versions up to, and including, 3.9.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. [CVSS 7.5 HIGH]

WordPress SQLi PHP
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-2844 HIGH This Week

Timepictra versions up to 11.3 is affected by missing authentication for critical function (CVSS 7.5).

Authentication Bypass Timepictra
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-2471 HIGH This Week

Unauthenticated attackers can inject malicious serialized PHP objects into the WP Mail Logging plugin (versions up to 1.15.0) through email forms, exploiting unsafe deserialization in the BaseModel class. When administrators view the logged emails, the injected payload deserializes into arbitrary PHP objects, potentially enabling code execution if leveraged with gadget chains from other installed plugins or themes. No patch is currently available.

WordPress PHP Deserialization
NVD
CVSS 3.1
7.5
EPSS
0.0%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy