Skip to main content
CVE-2026-20262 MEDIUM POC KEV THREAT NEWS This Month

Arbitrary file write via path traversal in Cisco Catalyst SD-WAN Manager (formerly SD-WAN vManage) allows an authenticated low-privileged attacker to create or overwrite any file on the underlying operating system by sending crafted HTTP requests to affected API endpoints. The vulnerability stems from insufficient validation of user-supplied input during the file upload process (CWE-22), and a successful exploit can serve as a reliable stepping stone to root-level privilege escalation on the management host. No public exploit has been identified at time of analysis, and the vulnerability is not currently listed in CISA KEV; however, the integrity impact combined with root escalation potential elevates real-world risk above the CVSS 6.5 Medium baseline.

Path Traversal Cisco File Upload Cisco Catalyst Sd Wan Manager
NVD VulDB GitHub
CVSS 3.1
6.5
EPSS
1.7%
Threat
4.4
CVE-2026-8935 CRITICAL POC PATCH Act Now

The WP MAPS PRO WordPress plugin before 6.1.1 registers an unauthenticated AJAX action which, given a valid nonce that is publicly emitted on any frontend page enqueuing its map script, unconditionally creates an administrator account and returns a magic-login URL granting interactive admin access.

WordPress Information Disclosure Wp Maps Pro
NVD WPScan
CVSS 3.1
9.8
EPSS
0.1%
CVE-2018-25436 CRITICAL POC Act Now

WordPress Plugin Baggage Freight Shipping Australia 0.1.0 contains an unrestricted file upload vulnerability that allows unauthenticated attackers to upload arbitrary files by exploiting the. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

File Upload RCE WordPress PHP Baggage Freight Shipping Australia
NVD Exploit-DB
CVSS 4.0
9.3
EPSS
0.7%
CVE-2026-49952 CRITICAL POC PATCH Act Now

Authentication bypass in Discuz! X5.0 releases 20260320 through 20260501 allows unauthenticated remote attackers to access database backup and restore functionality exposed by dbbak.php. The flaw stems from a shared cryptographic key (CWE-323) between UCenter integration and the backup API, which lets an attacker abuse an encryption oracle in logging_ctl::logging_more() to mint legitimately signed authorization tokens, and chain a race condition to impersonate arbitrary users. Publicly available exploit code exists and an upstream fix has been published on Gitee.

PHP Authentication Bypass Oracle Discuz X5 0
NVD Exploit-DB VulDB
CVSS 4.0
9.3
EPSS
0.4%
CVE-2016-20068 HIGH POC This Week

WordPress Booking Calendar Contact Form version 1.0.23 contains an unauthenticated blind SQL injection vulnerability that allows remote attackers to execute arbitrary SQL queries by injecting. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP WordPress SQLi Booking Calendar Contact Form
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.3%
CVE-2016-20071 HIGH POC Monitor

The 404 Redirection Manager plugin version 1.0 for WordPress contains an unauthenticated SQL injection vulnerability that allows remote attackers to execute arbitrary SQL queries by injecting. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress SQLi 404 Redirection Manager
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.3%
CVE-2016-20073 HIGH POC Monitor

Answer My Question 1.3 plugin for WordPress contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'id'. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP WordPress SQLi Answer My Question
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.3%
CVE-2016-20072 HIGH POC Monitor

BBS e-Franchise 1.1.1 plugin for WordPress contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the uid. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress SQLi Information Disclosure Bbs E Franchise
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.3%
CVE-2016-20069 HIGH POC This Week

WordPress Booking Calendar Contact Form 1.0.23 contains an unauthenticated blind SQL injection vulnerability in the shortcode function that fails to sanitize the calendar parameter before using it in. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress SQLi Booking Calendar Contact Form
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.2%
CVE-2016-20081 HIGH POC Monitor

WordPress Plugin HB Audio Gallery Lite 1.0.0 contains a path traversal vulnerability that allows unauthenticated attackers to download arbitrary files by manipulating the file_path parameter. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP WordPress Path Traversal Hb Audio Gallery Lite
NVD Exploit-DB
CVSS 4.0
8.7
EPSS
0.6%
CVE-2016-20076 HIGH POC This Week

WordPress Simple-Backup 2.7.11 contains multiple vulnerabilities that allow unauthenticated attackers to delete arbitrary files and download sensitive files by manipulating the delete_backup_file and. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP WordPress Path Traversal Simple Backup
NVD Exploit-DB
CVSS 4.0
8.7
EPSS
0.6%
CVE-2016-20075 HIGH POC This Week

WordPress Ultimate Product Catalog 3.8.6 contains an arbitrary file upload vulnerability that allows authenticated users with contributor, editor, author, or administrator roles to upload malicious. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP File Upload Authentication Bypass RCE WordPress +1
NVD Exploit-DB VulDB
CVSS 4.0
8.7
EPSS
0.3%
CVE-2018-25437 HIGH POC Monitor

WordPress CherryFramework Themes 3.1.4 contains an information disclosure vulnerability that allows unauthenticated attackers to download sensitive backup files by accessing the download_backup.php. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Information Disclosure WordPress PHP Cherry Framework Themes
NVD Exploit-DB
CVSS 4.0
8.7
EPSS
0.3%
CVE-2026-49954 HIGH POC This Week

Authenticated remote code execution in Discuz! X5.0 releases 20260320 through 20260501 allows administrators to chain a path traversal flaw in the plugin import routine with file upload functionality to run arbitrary PHP as the web server user. Publicly available exploit code exists (published by Karma Insecurity / VulnCheck) demonstrating a race-condition-assisted bypass of sanitization, but the issue is not listed in CISA KEV and no public EPSS signal was provided. The high PR:H requirement limits attackers to those already holding administrator credentials or able to obtain them.

File Upload RCE LFI Path Traversal PHP +1
NVD
CVSS 4.0
8.6
EPSS
0.5%
CVE-2026-53571 HIGH POC PATCH GHSA This Week

Arbitrary file disclosure in Vite's development server on Windows allows remote unauthenticated attackers to read sensitive files (such as `.env`, `*.pem`, `*.crt`) that are nominally protected by the `server.fs.deny` allowlist. The flaw stems from Windows-specific path-form quirks (NTFS Alternate Data Stream syntax `::$DATA` and 8.3 short filename aliases) that bypass deny-list normalization, and publicly available exploit code exists in the GHSA advisory. Only dev servers explicitly exposed to the network via `--host`/`server.host` are reachable.

Path Traversal Microsoft Node.js
NVD GitHub VulDB
CVSS 4.0
8.2
EPSS
0.4%
CVE-2026-48779 HIGH POC PATCH GHSA This Week

Memory exhaustion denial of service in the npm 'ws' WebSocket library allows a remote unauthenticated peer to crash a Node.js process by streaming many tiny WebSocket fragments that force the receiver to allocate structural wrappers far exceeding the documented maxPayload limit, ultimately triggering an out-of-memory termination. The flaw affects ws versions prior to 5.2.5, 6.2.4, 7.5.11, and 8.21.0, and publicly available exploit code exists in the GitHub Security Advisory GHSA-96hv-2xvq-fx4p.

Denial Of Service
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.6%
CVE-2026-12222 HIGH POC This Week

Stack-based buffer overflow in the Yealink SIP-T46U IP phone (firmware 108.86.0.118) allows authenticated adjacent-network attackers to corrupt memory via the BlueToothTest handler exposed by the Web FastCGI service. Supplying crafted btMac, pin, or reserved parameters to /api/inner/bttest triggers the overflow inside mod_webd.BlueToothTest, with publicly available exploit code exists demonstrating an off-by-one write. The flaw is reachable from the LAN rather than the public internet, but the vendor has not responded to disclosure and no patched firmware has been published.

Stack Overflow Buffer Overflow Sip T46U
NVD VulDB
CVSS 4.0
7.3
EPSS
0.4%
CVE-2026-12221 HIGH POC This Week

Stack-based buffer overflow in the Yealink SIP-T46U IP phone (firmware 108.86.0.118) allows adjacent-network attackers with low privileges to corrupt memory via crafted uid or start_offset parameters sent to the /api/upgrade/upgrade firmware chunk upload endpoint. Publicly available exploit code exists, and the vendor did not respond to coordinated disclosure, leaving deployed devices without an official patch. CVSS 4.0 rates this 8.6 (High) with proof-of-concept maturity (E:P).

Stack Overflow Buffer Overflow Sip T46U
NVD VulDB
CVSS 4.0
7.3
EPSS
0.4%
CVE-2026-12220 HIGH POC This Week

Stack-based buffer overflow in the Yealink SIP-T46U IP phone (firmware 108.86.0.118) allows adjacent-network attackers with low-privilege credentials to corrupt memory via the uid parameter of the /api/upgrade/accupgradebychunk firmware chunk upload endpoint. Publicly available exploit code exists and the vendor did not respond to coordinated disclosure, raising the practical risk despite the adjacent-only attack vector. No public exploit identified as actively exploited in the wild (not on CISA KEV).

Stack Overflow Buffer Overflow Sip T46U
NVD VulDB
CVSS 4.0
7.3
EPSS
0.4%
CVE-2026-12218 HIGH POC This Week

Stack-based buffer overflow in the Yealink SIP-T46U IP phone (firmware 108.87.50.1) allows adjacent-network attackers with low-privileged access to corrupt memory via the port argument processed by the StartReportInformation function in the /api/inner/beforewifitest endpoint of the Web FastCGI Service. Publicly available exploit code exists, and the vendor was notified without response, leaving deployed devices unmitigated. No public exploit identified as active in-the-wild campaigns, but exploitation is feasible given the released PoC.

Stack Overflow Buffer Overflow Sip T46U
NVD VulDB
CVSS 4.0
7.3
EPSS
0.4%
CVE-2019-25746 HIGH POC This Week

WordPress Sliced Invoices 3.8.2 contains an authenticated SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL code through the 'post'. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP WordPress SQLi Sliced Invoices
NVD Exploit-DB
CVSS 4.0
7.1
EPSS
0.2%
CVE-2016-20079 MEDIUM POC This Month

WordPress Dharma Booking 2.28.3 and earlier contains a local file inclusion vulnerability that allows unauthenticated attackers to include arbitrary files by manipulating the gateway parameter. Rated medium severity (CVSS 6.9), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP WordPress Path Traversal LFI Dharma Booking
NVD Exploit-DB
CVSS 4.0
6.9
EPSS
0.8%
CVE-2016-20078 MEDIUM POC Monitor

WordPress IMDb Profile Widget 1.0.8 contains a local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files by manipulating the url parameter. Rated medium severity (CVSS 6.9), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP WordPress Path Traversal LFI Imdb Profile Widget
NVD Exploit-DB
CVSS 4.0
6.9
EPSS
0.7%
CVE-2016-20080 MEDIUM POC Monitor

WordPress Brandfolder plugin version 3.0 and earlier contains a local file inclusion vulnerability in callback.php that allows unauthenticated attackers to include arbitrary files by manipulating the. Rated medium severity (CVSS 6.9), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP WordPress Path Traversal LFI Brandfolder
NVD Exploit-DB
CVSS 4.0
6.9
EPSS
0.4%
CVE-2016-20077 MEDIUM POC This Month

WordPress Plugin Photocart Link 1.6 contains a local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files by exploiting insufficient input validation in. Rated medium severity (CVSS 6.9), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP RCE WordPress LFI Photocart Link
NVD Exploit-DB
CVSS 4.0
6.9
EPSS
0.4%
CVE-2016-20082 MEDIUM POC This Month

WordPress Plugin Abtest contains a local file inclusion vulnerability that allows unauthenticated attackers to include arbitrary files by manipulating the action parameter. Rated medium severity (CVSS 6.9), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP RCE WordPress LFI Abtest
NVD Exploit-DB GitHub
CVSS 4.0
6.9
EPSS
0.3%
CVE-2016-20083 MEDIUM POC This Month

WordPress More Fields Plugin 2.1 contains a cross-site request forgery vulnerability that allows attackers to perform unauthorized actions by disabling CSRF token validation. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP CSRF WordPress More Fields
NVD Exploit-DB
CVSS 4.0
6.9
EPSS
0.1%
CVE-2026-49953 MEDIUM POC This Month

CAPTCHA challenge controls in Discuz! X5.0 (releases 20260320-20260501) can be reliably defeated by unauthenticated remote attackers who harvest samples from exposed forum endpoints and train a custom optical character recognition model to predict challenge text. The underlying weakness - CWE-804 - stems from a limited, predictable character set and insufficient visual distortion in generated images, enabling automation of login, registration, and other abuse-protected flows. Critically, a publicly available exploit exists and KarmaInsecurity has documented chaining this bypass with a race condition to achieve full remote code execution, substantially elevating practical risk beyond the standalone CVSS 4.0 score of 6.9.

Authentication Bypass Discuz X5 0
NVD
CVSS 4.0
6.9
EPSS
0.4%
CVE-2026-48836 CRITICAL Act Now

Remote code execution in the Easy Invoice WordPress plugin (versions <= 2.1.19) allows unauthenticated attackers to run arbitrary code on the underlying server via a code injection flaw (CWE-94). The maximum CVSS 10.0 score reflects network reachability, no privileges, no user interaction, and a scope change with full confidentiality, integrity, and availability impact on the hosting WordPress site. No public exploit identified at time of analysis, but the trivial exploitability profile makes weaponization likely once technical details are published by Patchstack.

Code Injection RCE Easy Invoice
NVD
CVSS 3.1
10.0
EPSS
0.6%
CVE-2026-40772 CRITICAL Act Now

Unauthenticated arbitrary file upload in the GeekyBot WordPress plugin (versions 1.2.2 and earlier) allows remote attackers to upload arbitrary files, including PHP webshells, to the web server without any authentication. Reported by Patchstack and tracked as EUVD-2026-36981, this issue carries a maximum 10.0 CVSS due to network-reachable exploitation with no privileges, no user interaction, and a scope change leading to full confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, though the CWE-434 class is heavily targeted on WordPress plugins and routinely leads to full site compromise once disclosed.

File Upload Geekybot
NVD VulDB
CVSS 3.1
10.0
EPSS
0.3%
CVE-2026-52704 CRITICAL Act Now

Remote code execution in Edgar Rojas WooCommerce PDF Invoice Builder WordPress plugin (versions through 2.0.8) allows unauthenticated remote attackers to inject and execute arbitrary code on the host WordPress site. The CVSS 10.0 score with scope change reflects the severe impact: attackers can fully compromise the WordPress instance and potentially pivot beyond it. No public exploit identified at time of analysis, but the trivial attack vector (AV:N/AC:L/PR:N/UI:N) makes mass exploitation likely once details surface.

Code Injection WordPress RCE Woocommerce Pdf Invoice Builder
NVD
CVSS 3.1
10.0
EPSS
0.3%
CVE-2026-39591 CRITICAL Act Now

Arbitrary file upload in the WP-BusinessDirectory WordPress plugin (versions through 4.0.0) allows authenticated users holding only the low-privilege Subscriber role to upload files of attacker-chosen types to the host site. The CVSS scope-changed 9.9 rating reflects that a successful upload of executable content (e.g., a PHP webshell) yields code execution under the WordPress process and pivots impact beyond the plugin into the wider site and host. No public exploit identified at time of analysis, but Subscriber-level file upload bugs are routinely weaponised against WordPress sites that allow open registration.

File Upload Wp Businessdirectory
NVD
CVSS 3.1
9.9
EPSS
0.5%
CVE-2026-9862 CRITICAL Act Now

Remote unauthenticated command injection in Fortra's Core Privileged Access Manager (BoKS) allows network-adjacent attackers to execute arbitrary OS commands with the privileges of the boks_autoregisterd service. The flaw resides in autoregistration processing and carries a critical CVSS 9.8 (AV:N/AC:L/PR:N/UI:N) rating, though no public exploit identified at time of analysis. Because BoKS is a privileged access management product, successful exploitation can directly undermine the security control plane intended to protect enterprise privileged accounts.

Command Injection Core Privileged Access Manager Boks
NVD
CVSS 3.1
9.8
EPSS
0.8%
CVE-2026-50871 CRITICAL Act Now

Remote code execution in kanishka-linux Reminiscence v0.3.0 allows unauthenticated attackers to execute arbitrary OS commands by supplying crafted input to the media archiving and export pipeline component. The CVSS 9.8 rating reflects network-reachable, unauthenticated exploitation with full impact to confidentiality, integrity, and availability, though no public exploit identified at time of analysis and EPSS sits at 0.67% (47th percentile) indicating limited observed exploitation pressure so far.

Command Injection Code Injection RCE N A
NVD GitHub
CVSS 3.1
9.8
EPSS
0.7%
CVE-2026-49768 CRITICAL Act Now

Unauthenticated PHP Object Injection in the Happyforms WordPress plugin (versions <= 1.26.13) allows remote attackers to deliver attacker-controlled serialized objects that get deserialized by the plugin, potentially leading to remote code execution, file manipulation, or data compromise on the underlying WordPress site. No public exploit identified at time of analysis, but the CVSS 9.8 rating and unauthenticated network attack vector make this a high-priority issue for any site running the plugin. Reported by Patchstack with a corresponding advisory in their WordPress vulnerability database.

PHP Deserialization Happyforms
NVD
CVSS 3.1
9.8
EPSS
0.5%
CVE-2026-38065 CRITICAL Act Now

Tenda 5G03 V05.03.02.04 (Version 1.0) is vulnerable to Command injection in the function action_ims_on_with_apn via the ims_apn parameter.

Command Injection Tenda N A
NVD GitHub
CVSS 3.1
9.8
EPSS
0.5%
CVE-2026-49766 CRITICAL Act Now

Arbitrary file deletion in the WordPress WP User Manager plugin versions 2.9.16 and earlier allows authenticated subscriber-level users to delete arbitrary files on the underlying server via a path traversal flaw. Successful exploitation can corrupt the WordPress installation and, when wp-config.php is targeted, force the site into setup mode enabling a takeover chain. No public exploit identified at time of analysis, but the CVSS 9.9 rating and low privilege requirement make this a priority patch for affected sites.

Path Traversal Wp User Manager
NVD
CVSS 3.1
9.9
EPSS
0.5%
CVE-2026-38062 CRITICAL Act Now

Tenda 5G03 V05.03.02.04 (Version 1.0) is vulnerable to Command injection in the function action_set_rat_mode via the ratMode parameter.

Command Injection Tenda N A
NVD GitHub
CVSS 3.1
9.8
EPSS
0.5%
CVE-2026-38060 CRITICAL Act Now

Tenda 5G03 V05.03.02.04 (Version 1.0) is vulnerable to Command injection in the function action_unlock_sim via the pin parameter.

Command Injection Tenda N A
NVD GitHub
CVSS 3.1
9.8
EPSS
0.5%
CVE-2026-38064 CRITICAL Act Now

Tenda 5G03 V05.03.02.04 (Version 1.0) is vulnerable to Command injection in the function action_dial_call via the dialNumber parameter.

Command Injection Tenda N A
NVD GitHub
CVSS 3.1
9.8
EPSS
0.5%
CVE-2026-38063 CRITICAL Act Now

Tenda 5G03 V05.03.02.04 (Version 1.0) is vulnerable to Command injection in the function action_radio_on_with_ia_apn via the ia parameter.

Command Injection Tenda N A
NVD GitHub
CVSS 3.1
9.8
EPSS
0.5%
CVE-2026-38061 CRITICAL Act Now

Tenda 5G03 V05.03.02.04 (Version 1.0) is vulnerable to Command injection in the function action_set_volume via the volume parameter.

Command Injection Tenda N A
NVD GitHub
CVSS 3.1
9.8
EPSS
0.5%
CVE-2026-27053 CRITICAL PATCH Act Now

Unauthenticated PHP Object Injection in the Broadcast Live Video WordPress plugin (versions prior to 7.1.3) allows remote attackers to inject crafted serialized PHP objects that are deserialized by the application. With a CVSS 9.8 (AV:N/AC:L/PR:N/UI:N) and CWE-502 root cause, successful exploitation can lead to remote code execution, data theft, or full site takeover when suitable gadget chains are present in the WordPress stack. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.

PHP Deserialization Broadcast Live Video
NVD
CVSS 3.1
9.8
EPSS
0.4%
CVE-2026-49769 CRITICAL Act Now

Unauthenticated PHP Object Injection in the wpForo Forum WordPress plugin versions 3.1.0 and earlier allows remote attackers to deliver untrusted serialized payloads that are deserialized by the plugin, leading to potential remote code execution, data tampering, and full site compromise depending on available POP gadget chains. The flaw is reachable without authentication over the network and carries a vendor CVSS of 9.8; no public exploit identified at time of analysis and the issue is not currently on the CISA KEV list.

PHP Deserialization Wpforo Forum
NVD
CVSS 3.1
9.8
EPSS
0.4%
CVE-2026-49765 CRITICAL Act Now

Unauthenticated PHP Object Injection in the WordPress plugin 'Integration for Mailchimp and Contact Form 7, WPForms, Elementor, Ninja Forms' (versions <= 1.1.8) allows remote attackers to deserialize attacker-controlled data, potentially leading to remote code execution when a suitable POP (property-oriented programming) gadget chain exists in the WordPress environment. The flaw is reachable without authentication and carries a CVSS 9.8 rating, though no public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV. The plugin is distributed by CRM Perks and was disclosed via Patchstack.

PHP Deserialization Integration For Mailchimp And Contact Form 7 Wpforms Elementor Ninja Forms Elementor
NVD
CVSS 3.1
9.8
EPSS
0.4%
CVE-2026-49763 CRITICAL Act Now

Unauthenticated PHP Object Injection in the Integration for Contact Form 7 HubSpot WordPress plugin (versions <= 1.3.7) allows remote attackers to inject malicious serialized PHP objects, which can lead to full site compromise when a suitable POP gadget chain exists in WordPress core or co-installed plugins. The flaw is reachable without authentication or user interaction (CVSS 9.8) and was reported by Patchstack. No public exploit identified at time of analysis.

PHP Deserialization Integration For Contact Form 7 Hubspot
NVD
CVSS 3.1
9.8
EPSS
0.4%
CVE-2026-49109 CRITICAL Act Now

Unauthenticated PHP object injection in the WordPress plugin 'Integration for Salesforce and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms' (versions <= 1.4.3) allows remote attackers to pass attacker-controlled serialized data into PHP's unserialize() function. With a CVSS 9.8 (AV:N/AC:L/PR:N/UI:N) and no authentication required, successful exploitation can lead to arbitrary code execution, data theft, or full site takeover when a suitable POP gadget chain is present. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

PHP Deserialization Integration For Salesforce And Contact Form 7 Wpforms Elementor Formidable Ninja Forms Elementor
NVD
CVSS 3.1
9.8
EPSS
0.4%
CVE-2026-49106 CRITICAL Act Now

Unauthenticated PHP Object Injection in the WordPress plugin Integration for Contact Form 7 and Constant Contact (versions <= 1.1.6) allows remote attackers to inject crafted serialized PHP objects that get deserialized server-side. When a suitable POP (property-oriented programming) gadget chain is present in WordPress core, another active plugin, or a theme, this can escalate to arbitrary file read/write, deletion, or remote code execution on the host. No public exploit identified at time of analysis, but the CVSS 9.8 rating reflects the unauthenticated network-reachable attack surface.

PHP Deserialization Integration For Contact Form 7 And Constant Contact
NVD
CVSS 3.1
9.8
EPSS
0.4%
CVE-2026-49104 CRITICAL Act Now

Unauthenticated PHP object injection in the WordPress plugin 'Integration for Keap/Infusionsoft and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms' (versions 1.2.1 and earlier) allows remote attackers to inject crafted serialized objects that can be deserialized by the plugin, potentially leading to full site compromise. No public exploit identified at time of analysis, but the CVSS 9.8 score and unauthenticated network attack vector make this a high priority for any WordPress site running the affected plugin. EPSS and CISA KEV data were not provided in the input, so real-world exploitation prevalence is undetermined.

PHP Deserialization Integration For Keap Infusionsoft And Contact Form 7 Wpforms Elementor Formidable Ninja Forms Elementor
NVD
CVSS 3.1
9.8
EPSS
0.4%
CVE-2026-9691 CRITICAL Act Now

Unauthenticated PHP Object Injection in the WordPress plugin 'Integration for ActiveCampaign and Contact Form 7, WPForms, Elementor, Ninja Forms' (versions 1.1.1 and earlier) allows remote attackers to inject crafted serialized objects that are deserialized by the plugin, enabling abuse of POP gadget chains for code execution, file operations, or data tampering. The flaw scores CVSS 9.8 (AV:N/AC:L/PR:N/UI:N) and impacts any WordPress site running the affected CRM Perks integration plugin. There is no public exploit identified at time of analysis, but the unauthenticated nature and prevalence of WordPress as a target make this a high-priority patching item.

PHP Deserialization Integration For Activecampaign And Contact Form 7 Wpforms Elementor Ninja Forms Elementor
NVD
CVSS 3.1
9.8
EPSS
0.4%
Page 1 of 9 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy