A PHP Object Injection vulnerability exists in the Tasty Daily WordPress theme (park_of_ideas) through version 1.27, caused by unsafe deserialization of untrusted data (CWE-502). This vulnerability allows attackers to inject arbitrary PHP objects, potentially leading to remote code execution or other malicious actions depending on available gadget chains in the WordPress environment. While no CVSS score or EPSS data is currently published, the vulnerability affects an active WordPress theme distribution and has been documented by Patchstack security researchers.
A PHP Object Injection vulnerability exists in the park_of_ideas Goldish theme due to insecure deserialization of untrusted data, allowing attackers to inject arbitrary objects and potentially achieve remote code execution or other malicious outcomes. The vulnerability affects Goldish versions prior to 3.47. While no CVSS score or EPSS data is publicly available, the CWE-502 classification indicates a serious deserialization flaw that could be exploited if untrusted data is processed without validation.
A deserialization of untrusted data vulnerability exists in the park_of_ideas KIDZ theme that permits object injection attacks. All versions of KIDZ through 5.24 are affected, as confirmed via CPE cpe:2.3:a:park_of_ideas:kidz:*:*:*:*:*:*:*:*. An attacker can inject malicious serialized PHP objects to achieve arbitrary code execution or other unintended actions on affected WordPress installations running this theme.
A PHP object injection vulnerability exists in FantasticPlugins SUMO Affiliates Pro due to unsafe deserialization of untrusted data (CWE-502). This allows attackers to inject malicious serialized objects, potentially achieving remote code execution or other arbitrary actions depending on available gadget chains in the WordPress environment. All versions before 11.4.0 are affected, and a patch has been made available by the vendor.
This is a PHP Object Injection vulnerability in the Metagauss EventPrime WordPress plugin (eventprime-event-calendar-management) caused by unsafe deserialization of untrusted data. All versions up to and including 4.2.8.0 are affected, allowing attackers to inject malicious serialized objects that can lead to remote code execution or arbitrary actions depending on available PHP gadget chains. The vulnerability has been publicly disclosed and documented by Patchstack; exploitation likelihood and real-world impact depend on the presence of exploitable gadget chains in the target WordPress environment.
A PHP Object Injection vulnerability exists in AncoraThemes Beelove WordPress theme through version 1.2.6, allowing attackers to inject and deserialize untrusted objects. This insecure deserialization flaw (CWE-502) enables object injection attacks that could lead to remote code execution or other malicious actions depending on available gadget chains in the WordPress environment. No CVSS score, EPSS data, or KEV confirmation is currently available; however, the vulnerability has been documented by Patchstack and assigned ENISA EUVD ID EUVD-2026-15515, indicating it is tracked in official vulnerability databases.
A PHP object injection vulnerability exists in the Axiom Themes m2 | Construction and Tools Store theme through version 1.1.2, stemming from unsafe deserialization of untrusted data (CWE-502). This allows remote attackers to inject malicious serialized objects that can lead to arbitrary code execution or privilege escalation depending on available gadget chains in the WordPress environment. No CVSS score, EPSS data, or KEV status is currently available, but the vulnerability was reported by Patchstack and affects all installations running the vulnerable theme version.
RewardsWP, a WordPress plugin by Andrew Munro/AffiliateWP, contains an Incorrect Privilege Assignment vulnerability (CWE-266) that allows authenticated or unauthenticated attackers to escalate their privileges within the plugin and potentially the WordPress installation. Affected versions are RewardsWP up to and including 1.0.4. This vulnerability enables privilege escalation attacks, allowing attackers with limited access to gain elevated permissions and control over reward or affiliate functionality.
An Incorrect Privilege Assignment vulnerability (CWE-266) exists in uxper Golo theme versions up to and including 1.7.0, enabling privilege escalation attacks. This WordPress theme vulnerability allows attackers to elevate their privileges within the application, potentially gaining unauthorized administrative access. The vulnerability was reported by Patchstack and affects all versions from an unspecified baseline through 1.7.0; no CVSS score, EPSS data, or active KEV status information is currently available.
Elated-Themes Search & Go contains an Incorrect Privilege Assignment vulnerability (CWE-266) that allows privilege escalation attacks. All versions up to and including version 2.8 are affected. An attacker can exploit this flaw to escalate privileges within the WordPress environment, gaining unauthorized administrative or elevated capabilities. While CVSS and EPSS scores are not available, the vulnerability has been documented by security researcher Patchstack and assigned ENISA EUVD tracking ID EUVD-2026-15582, indicating it has received third-party security scrutiny.
This is an Incorrect Privilege Assignment vulnerability (CWE-266) in the Xagio SEO WordPress plugin that allows privilege escalation. The vulnerability affects Xagio SEO versions up to and including 7.1.0.30. An attacker can exploit this flaw to elevate their privileges within the affected WordPress installation, potentially gaining administrative access or performing unauthorized actions. No CVSS score, EPSS data, or KEV status information is currently available, and the vulnerability has not been confirmed as actively exploited in the wild.
SQL injection in Simple Laundry System 1.0 PHP application allows unauthenticated remote attackers to execute arbitrary database queries through the serviceId parameter in /checkcheckout.php. Public exploit code exists for this vulnerability, and no patch is currently available.
This vulnerability allows userspace applications to trivially trigger kernel warning backtraces in the AMD GPU (amdgpu) driver's user queue (userq) implementation by passing intentionally small num_fences values or exploiting legitimate growth between successive ioctl calls. While not a traditional security vulnerability enabling code execution or data theft, it constitutes an information disclosure issue through kernel log pollution and denial-of-service potential via warning spam. The Linux kernel across all versions utilizing the affected amdgpu userq code path is impacted, though the actual attack surface is limited to systems with AMD GPUs and unprivileged users with access to the amdgpu device interface.
This vulnerability is a stored cross-site scripting (XSS) flaw in GitLab's Mermaid diagram rendering that allows authenticated users to inject arbitrary JavaScript code into other users' browsers through improperly sanitized entity-encoded content. The vulnerability affects GitLab CE/EE versions 17.7 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1, with a CVSS score of 5.4 (medium severity). A public proof-of-concept exploit is available on HackerOne, indicating active awareness in the security community.
A deserialization vulnerability in OpenTelemetry Java instrumentation versions prior to 2.26.1 allows remote code execution when the RMI instrumentation endpoint processes untrusted data without serialization filters. The vulnerability affects applications using the OpenTelemetry Java agent with network-reachable RMI/JMX endpoints and gadget-chain-compatible libraries on the classpath. This was responsibly disclosed in coordination with Datadog, and a patch is available in version 2.26.1.
A blind SQL injection vulnerability exists in the PublishPress Revisions WordPress plugin through version 3.7.23, allowing attackers to execute arbitrary SQL commands against the underlying database. The vulnerability affects all installations of PublishPress Revisions up to and including version 3.7.23, enabling attackers to extract sensitive data, modify database contents, or potentially achieve remote code execution depending on database permissions and WordPress configuration. No CVSS score or EPSS data is currently available, and KEV status is unknown, though the vulnerability has been documented by Patchstack security researchers with a public reference available.
A blind SQL injection vulnerability exists in QuantumCloud ChatBot plugin affecting versions up to and including 7.7.9, allowing attackers to execute arbitrary SQL commands through improper neutralization of special elements in SQL queries. The vulnerability impacts all installations of the ChatBot plugin across the affected version range, potentially enabling unauthorized data extraction, manipulation, or deletion depending on database permissions. While no CVSS score or EPSS data is currently available, the blind SQL injection classification indicates a high-risk condition requiring immediate patching.
A blind SQL injection vulnerability exists in the Product Rearrange for WooCommerce plugin (versions up to 1.2.2) that allows attackers to execute arbitrary SQL commands against the WooCommerce database without direct output visibility. This affects WordPress installations using the Devteam HaywoodTech product-rearrange-woocommerce plugin, enabling attackers to extract sensitive data, modify database records, or potentially escalate privileges. While no CVSS score or EPSS data is currently published, the vulnerability's classification as blind SQL injection combined with its presence in a publicly available WordPress plugin suggests moderate to high real-world risk of exploitation.
A SQL injection vulnerability exists in the eyecix Addon Jobsearch Chat plugin for WordPress, affecting all versions through 3.0, that allows attackers to execute arbitrary SQL commands against the underlying database. The vulnerability stems from improper neutralization of special SQL characters in user-supplied input, classified under CWE-89 (SQL Injection). While no CVSS score or EPSS metric is currently available, the vulnerability has been documented by Patchstack and assigned ENISA EUVD tracking ID EUVD-2026-15695, indicating active awareness in vulnerability tracking systems.
A blind SQL injection vulnerability exists in King-Theme's Lumise Product Designer WordPress plugin, allowing unauthenticated attackers to extract sensitive data through time-based or boolean-based SQL inference techniques without direct query result visibility. The vulnerability affects all versions of Lumise Product Designer prior to 2.0.9. Attackers can exploit this to bypass authentication, enumerate database schemas, or extract user credentials and plugin configuration data.
A blind SQL injection vulnerability exists in the NooTheme Jobmonster WordPress theme that allows unauthenticated attackers to execute arbitrary SQL queries against the underlying database. The vulnerability affects Jobmonster versions prior to 4.8.4, and while no active exploitation in the wild has been confirmed via KEV status, the vulnerability was disclosed by Patchstack with sufficient technical detail to enable exploitation. This is a critical web application flaw that could lead to complete database compromise, including extraction of sensitive user data, credentials, and job postings.
A blind SQL injection vulnerability exists in WPFactory's Advanced WooCommerce Product Sales Reporting plugin (versions through 4.1.3) that allows attackers to execute arbitrary SQL commands against the underlying database. This WordPress plugin is widely deployed on e-commerce sites using WooCommerce, and the blind SQL injection technique enables attackers to extract sensitive data without requiring direct error message feedback. While no CVSS score, EPSS value, or KEV status has been assigned at this time, the vulnerability is classified as CWE-89 (SQL Injection) and has been documented by Patchstack, indicating active research and potential proof-of-concept availability.
A SQL Injection vulnerability exists in Pebas Lisfinity Core, a WordPress plugin, affecting versions up to and including 1.5.0. This improper neutralization of special elements in SQL commands (CWE-89) allows attackers to inject arbitrary SQL code, potentially leading to unauthorized data access, modification, or deletion of the underlying database. The vulnerability has been documented by Patchstack and assigned EUVD-2026-15489, though no CVSS score, EPSS data, or confirmed active exploitation status is currently available in the provided intelligence.
Improper path validation in macOS (Sequoia 15.7.5, Sonoma 14.8.5, and Tahoe 26.4) allows sandboxed applications to escape their sandbox restrictions through directory path traversal. A local attacker with the ability to run malicious apps can exploit this weakness to execute code outside sandbox boundaries with full system privileges. No patch is currently available for this critical vulnerability.
The PeproDev Ultimate Invoice WordPress plugin through version 2.2.5 contains an information disclosure vulnerability in its bulk download invoices feature, which generates ZIP archives with predictably named files containing exported invoice PDFs. An unauthenticated or low-privileged attacker can brute force the predictable ZIP file naming scheme to retrieve and download archives containing sensitive personally identifiable information (PII) from invoices. A public proof-of-concept exploit is available via WPScan, making this vulnerability actively exploitable in the wild.
Sandbox escape vulnerability in Apple iOS, iPadOS, macOS, and visionOS allows local attackers to break out of application sandboxes through improper path validation, potentially enabling unauthorized access to system resources and data. An attacker with local access could leverage this flaw to execute arbitrary operations outside application boundaries and bypass security restrictions. No patch is currently available for this critical vulnerability affecting multiple Apple platforms.
A Code Injection vulnerability (CWE-94) exists in Nelio AB Testing WordPress plugin through version 8.2.7 that allows attackers to execute arbitrary code on affected installations. The vulnerability affects the Nelio Software product across all versions up to and including 8.2.7, potentially enabling remote code execution (RCE). This is a critical severity issue as it permits unauthenticated or low-privilege attackers to gain complete control over WordPress sites running the vulnerable plugin.
A Code Injection vulnerability (CWE-94) exists in the Jonathan Daggerhart Widget Wrangler WordPress plugin through version 2.3.9, allowing unauthenticated attackers to execute arbitrary code on affected installations. This Remote Code Execution (RCE) vulnerability enables complete server compromise and data exfiltration. Active exploitation has been documented by Patchstack, indicating this is a practical, real-world threat requiring immediate patching.
An unrestricted file upload vulnerability (CWE-434) exists in Jordy Meow's Photo Engine WordPress plugin versions up to and including 6.4.9, allowing attackers to upload malicious web shells to compromised servers. The vulnerability affects the wplr-sync component and permits arbitrary file uploads with dangerous types, potentially leading to remote code execution. No CVSS score, EPSS probability, or KEV status information is currently available, but the ability to upload executable web shells represents a critical exploitation path.
A missing authorization vulnerability exists in Arraytics WPCafe WordPress plugin versions up to 3.0.7, where incorrectly configured access control allows attackers to bypass authentication and authorization checks. This broken access control flaw (CWE-862) enables unauthorized users to perform actions they should not have permission to execute, potentially leading to unauthorized data access, modification, or plugin functionality abuse. The vulnerability affects all installations of WPCafe through version 3.0.7 and is tracked under ENISA EUVD ID EUVD-2026-15773 with confirmation from Patchstack vulnerability research.
N2WS Backup & Recovery before version 4.4.0 contains a remote code execution vulnerability in its RESTful API that requires a two-step attack chain to exploit. An unauthenticated attacker can execute arbitrary code on affected systems, potentially compromising backup and disaster recovery infrastructure. This vulnerability affects the N2WS product line and should be treated as critical given the RCE classification and the security-sensitive nature of backup systems.
Bit SMTP version 1.2.2 and earlier contains an Incorrect Privilege Assignment vulnerability (CWE-266) that allows privilege escalation attacks. The vulnerability affects the Bit SMTP WordPress plugin and permits attackers to elevate their privileges beyond their intended authorization level. While no CVSS score or EPSS data is currently published, the vulnerability has been documented by Patchstack and assigned ENISA EUVD ID EUVD-2026-15882, indicating formal recognition of the security issue.
Authenticated attackers with Subscriber-level access can delete arbitrary files on WordPress servers running WP Job Portal plugin versions up to 2.4.9, enabling remote code execution by removing critical files like wp-config.php. The vulnerability stems from insufficient file path validation in the removeFileCustom function. EPSS exploitation probability is 0.25% (48th percentile), indicating low predicted real-world exploitation likelihood, though the CVSS score of 8.8 reflects high potential impact when successfully exploited. No public exploit identified at time of analysis.
Domoticz versions prior to 2026.1 contain a stored cross-site scripting (XSS) vulnerability in the web interface's Add Hardware and device rename functionality that allows authenticated administrators to inject arbitrary JavaScript or HTML markup. The injected malicious code is stored persistently and executed in the browsers of any users viewing the affected pages, potentially enabling unauthorized session hijacking or malicious actions performed under the victim's privileges. A patch is available from the vendor, and while this requires administrator-level access to exploit, the persistent nature of the vulnerability and user interaction requirement represent moderate real-world risk within administrative environments.
Authenticated attackers can bypass file path restrictions in PHP's code16/sharp package by injecting path separators into file extensions, enabling arbitrary file writes outside intended directories. The vulnerability stems from incomplete input sanitization in the FileUtil class where extensions are extracted but never validated before being passed to storage functions. A patch is available to address this high-severity path traversal issue affecting all users of the vulnerable package.
A privilege escalation vulnerability exists in ralphje Signify versions prior to 0.9.2, affecting the signed_data.py and context.py components. Remote attackers can exploit this flaw to escalate privileges within the application's cryptographic signature verification context. While CVSS and EPSS scores are not currently available, the vulnerability has been patched in version 0.9.2 and related issues have been addressed in the upstream osslsigncode project.
A deserialization of untrusted data vulnerability in the JS Archive List jQuery widget (jquery-archive-list-widget) versions up to 6.1.7 allows remote attackers to inject malicious objects and achieve code execution or information disclosure. The vulnerability affects WordPress installations using the vulnerable plugin versions, and exploitation requires sending crafted serialized PHP objects to the affected endpoint. No CVSS vector or EPSS score has been assigned, and KEV status is unknown, though the vulnerability was reported by Patchstack security researchers.
The code16/sharp Laravel admin panel package contains a critical file upload vulnerability that allows authenticated users to bypass all file type restrictions by manipulating client-controlled validation rules. Affected versions prior to 9.20.0 accept a user-supplied validation_rule parameter that is passed directly to Laravel's validator, enabling attackers to upload arbitrary files including PHP webshells. With a CVSS score of 8.8, this vulnerability can lead to Remote Code Execution when the storage disk is publicly accessible, though default configurations provide some protection against direct execution.
A directory traversal vulnerability exists in the extractFile method of org.codehaus.plexus.util.Expand in plexus-utils versions prior to commit 6d780b3378829318ba5c2d29547e0012d5b29642, allowing attackers to escape the intended extraction directory and write arbitrary files to the filesystem, potentially leading to remote code execution. The vulnerability affects any application using vulnerable versions of plexus-utils for archive extraction operations. A proof-of-concept has been publicly disclosed via a GitHub Gist, and the fix has been merged into the project repository.
An access control vulnerability exists in Kiteworks Core versions 9.2.0 and 9.2.1 that allows authenticated users to access unauthorized content within the private data network. With a CVSS score of 8.8 (High), an attacker with low-level authenticated access can potentially access, modify, or delete sensitive data they should not have permissions to view. No public proof-of-concept or active exploitation (KEV listing) has been reported at this time.
SQL injection in OpenEMR versions prior to 8.0.0.3 enables authenticated attackers to execute arbitrary SQL commands through the CAMOS form's ajax_save functionality, potentially leading to complete database compromise including extraction of sensitive health records, data modification, and service disruption. The vulnerability requires low-privilege authentication (PR:L) with no user interaction (UI:N) and is network-exploitable (AV:N), though EPSS assigns only 0.03% (8th percentile) exploitation probability and no public exploit identified at time of analysis. Vendor-released patch available in version 8.0.0.3.
A PHP object injection vulnerability exists in BoldGrid weForms plugin through version 1.6.26 due to unsafe deserialization of untrusted data, allowing attackers to instantiate arbitrary objects and potentially execute remote code or manipulate application state. This affects WordPress installations using the vulnerable weForms plugin versions, and exploitation requires no authentication based on the deserialization attack vector. While no CVSS score or EPSS data is currently available, the CWE-502 classification and object injection capability represent a critical-severity issue typical of deserialization flaws that often lead to remote code execution.
A PHP object injection vulnerability exists in the sbthemes WooCommerce Infinite Scroll plugin (versions up to and including 1.6.2) due to unsafe deserialization of untrusted data. This vulnerability allows attackers to inject malicious serialized objects, potentially leading to remote code execution or arbitrary object instantiation depending on available gadget chains within the WordPress environment. The vulnerability affects all installations of this plugin through version 1.6.2 and has been documented by Patchstack, though CVSS scoring and exploitation metrics are currently unavailable.
Apicona, a WordPress theme by thememount, contains a PHP object injection vulnerability stemming from unsafe deserialization of untrusted data (CWE-502). All versions through 24.1.0 are affected. An attacker can exploit this to inject arbitrary objects into the application, potentially leading to remote code execution or other malicious object manipulation depending on available gadget chains within the PHP environment.
A deserialization of untrusted data vulnerability exists in the Rascals Vex theme (CWE-502) that allows attackers to perform PHP object injection attacks. The vulnerability affects Vex versions prior to 1.2.9, as confirmed by Patchstack reporting and ENISA EUVD-2026-15684. An attacker exploiting this flaw can inject malicious serialized objects to achieve arbitrary code execution or other malicious outcomes depending on available PHP magic methods in the application environment.
A deserialization of untrusted data vulnerability exists in Pendulum (a PHP datetime library) versions prior to 3.1.5, allowing attackers to perform object injection attacks. The vulnerability affects the rascals Pendulum library through unvalidated deserialization of user-supplied data. An attacker can exploit this to instantiate arbitrary PHP objects, potentially leading to remote code execution or other malicious outcomes depending on the application's gadget chain availability.
A PHP Object Injection vulnerability exists in the Rascals Meloo WordPress theme due to unsafe deserialization of untrusted data, classified under CWE-502 (Deserialization of Untrusted Data). This vulnerability affects Meloo versions prior to 2.8.2 and allows attackers to inject malicious objects that could lead to remote code execution or other security compromises. While no CVSS score, EPSS probability, or KEV status has been publicly assigned, the vulnerability was reported by Patchstack and has been assigned ENISA EUVD tracking ID EUVD-2026-15679, indicating active monitoring by European vulnerability databases.
A PHP Object Injection vulnerability exists in NooTheme Visionary Core plugin versions up to and including 1.4.9, stemming from unsafe deserialization of untrusted data. An attacker can inject malicious serialized objects to achieve arbitrary code execution or other critical impacts depending on available magic methods in the WordPress environment. No CVSS score, EPSS data, or KEV confirmation is currently available; however, the vulnerability is documented by Patchstack and assigned ENISA EUVD ID EUVD-2026-15602.
A PHP Object Injection vulnerability exists in NooTheme Jobica Core plugin through version 1.4.1, stemming from unsafe deserialization of untrusted data. This affects WordPress installations using the vulnerable Jobica Core plugin, allowing attackers to inject malicious serialized objects that can lead to arbitrary code execution or information disclosure depending on available gadget chains. The vulnerability has been identified by Patchstack but lacks public CVSS scoring and KEV confirmation at this time.
A PHP Object Injection vulnerability exists in NooTheme's Organici Library plugin through version 2.1.2, stemming from unsafe deserialization of untrusted data. This vulnerability allows attackers to inject arbitrary PHP objects into the application, potentially leading to remote code execution or other malicious actions depending on available gadget chains in the WordPress environment. No active exploitation in the wild (KEV status) or published proof-of-concept has been confirmed from available sources, but the vulnerability was reported by Patchstack and assigned EUVD-2026-15592, indicating it is tracked in official vulnerability databases.