The Lab · 2026-03-26 04:27:06 · GitHub Issues
A critical vulnerability has been identified in the WordPress Sentinel plugin, stemming from improper handling of user input. The flaw resides in the plugin's failure to apply the `wp_unslash()` function to `$_POST` superglobal arrays before sanitizing them with functions like `sanitize_text_field`. Because WordPress a...
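The input-handling pattern the summary describes, as an added example that is not code from the advisory or from the Sentinel plugin. It is a WordPress admin form handler and assumes WordPress is loaded, so `wp_magic_quotes()` has already added slashes to `$_POST`; the field name, option name, nonce action and hook are illustrative.

```php
<?php
// Added example: vulnerable and hardened handling of a $_POST field in a
// WordPress admin form handler. Assumes WordPress is loaded (wp_magic_quotes()
// has already slashed $_POST). Field, option and hook names are illustrative.

// Vulnerable: sanitize_text_field() runs on the still-slashed value. A submitted
// value of  O'Reilly  arrives as  O\'Reilly  and is stored with the stray
// backslash, because sanitize_text_field() does not remove slashes.
function sentinel_example_save_vulnerable() {
    if ( ! isset( $_POST['sentinel_title'] ) ) {
        return;
    }
    $title = sanitize_text_field( $_POST['sentinel_title'] );
    update_option( 'sentinel_example_title', $title );
}

// Hardened: verify the request, then unslash first and sanitize second.
function sentinel_example_save_hardened() {
    if ( ! isset( $_POST['sentinel_title'] ) ) {
        return;
    }
    // Reject requests that do not carry a valid nonce for this action.
    check_admin_referer( 'sentinel_example_save', 'sentinel_example_nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'sentinel-example' ), 403 );
    }
    // Order matters: wp_unslash() removes the slashes WordPress added, so the
    // sanitizer sees the value the user actually typed.
    $title = sanitize_text_field( wp_unslash( $_POST['sentinel_title'] ) );
    update_option( 'sentinel_example_title', $title );
}
add_action( 'admin_post_sentinel_example_save', 'sentinel_example_save_hardened' );
```

The `sanitize_text_field( wp_unslash( $_POST[...] ) )` ordering is the one the WordPress coding standards expect; reversing it, or dropping `wp_unslash()` as the summary describes, means stored values differ from what the user submitted and any later escaping operates on already-altered data.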
The Lab · 2026-03-26 16:27:24 · GitHub Issues
A critical authentication bypass vulnerability (CVE-2026-27049) exists in the Jobica Core plugin for WordPress, versions 1.4.2 and earlier. The vulnerability has been assigned a CVSS severity of 9.8 and allows an attacker to completely bypass authentication through a specific path. That path, which lacks an authentication check, corresponds to CWE-288 (Authentication Bypass Using an Alternate Path or Channel) and opens the possibility for an attacker to reach it directly over the network and take over any account, including administrator accounts.
The vulnerability exists in the Jobica Core plugin developed by NooTheme and affects versions 1.4.2 and earlier...
The Lab · 2026-03-26 16:27:26 · GitHub Issues
A serious security vulnerability has been publicly identified in versions 1.0 and earlier of the premium WordPress theme 'LuxeDrive'. Tracked as CVE-2026-27076, the vulnerability corresponds to CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program) and allows an attacker to read sensitive local files on the system or execute arbitrary code over the network. It was assigned a high severity score of 8.1 under CVSS 3.1 and can have a high impact on confidentiality, integrity, and availability.
This vulnerability affects the LuxeDrive theme, developed by Mikado-Themes, in version 1.0 and earlier...
The Lab · 2026-03-27 19:27:25 · GitHub Issues
A serious path traversal vulnerability has been publicly identified in versions 11.1.2 and earlier of the PitchPrint plugin for WordPress. Designated CVE-2026-22448, the vulnerability can be exploited remotely over the network and allows an attacker to delete arbitrary files on the system with low attack complexity. Its CVSS 3.1 score is 7.5 (High), warranting immediate attention.
The vulnerability affects the PitchPrint product from the plugin's developer, flexcubed. According to the attack vector analysis, the attacker requires no special privileges or user inter...
The Lab · 2026-03-31 06:57:06 · GitHub Issues
A critical security vulnerability has been identified in the PPOM for WooCommerce plugin, exposing sensitive store data to unauthenticated users. The plugin's entire REST API, comprising seven distinct endpoints, is configured with a blanket `'permission_callback' => '__return_true'`. This configuration effectively byp...
The Lab · 2026-04-01 10:27:04 · GitHub Issues
A critical Remote Code Execution (RCE) vulnerability in a core WooCommerce JavaScript library exposes every merchant's admin panel and potentially storefront pages to attack. The `@woocommerce/number` package, which registers as the `wc-number` script in WordPress, depends on a vulnerable version of the `locutus` libra...
The Lab · 2026-04-10 14:22:38 · The Verge
Cloudflare is directly challenging the dominance of WordPress by launching EmDash, an open-source platform designed to solve what it calls WordPress's "core problems" through a radical method: handing control of websites to AI agents. This move positions EmDash not just as another content management system but as a "sp...
The Lab · 2026-04-10 22:22:41 · GitHub Issues
A daily critical vulnerability report for April 10, 2026, reveals a stark anomaly: zero new CVEs were published in the last 24 hours, yet the list highlights three existing critical flaws with CVSS scores as high as 9.9. The absence of new entries against a backdrop of severe, unpatched threats signals a potential lull...
The Lab · 2026-04-10 22:22:44 · GitHub Issues
A daily CVE report for April 9, 2026, reveals a deceptive calm: zero new vulnerabilities were published in the last 24 hours, yet the landscape remains dominated by high-severity, actively exploitable flaws in widely used software. The highest CVSS score noted is a critical 9.9, underscoring the persistent latent risk ...
The Lab · 2026-04-10 22:22:46 · GitHub Issues
A critical daily CVE report for April 9, 2026, reveals a high-stakes security landscape with zero new vulnerabilities published, yet three existing flaws with CVSS scores of 9.8 and 9.9 remain actively critical. The most severe is CVE-2026-39888, a 9.9-rated vulnerability in the PraisonAI multi-agent teams system. The ...
The Lab · 2026-04-12 02:22:28 · GitHub Issues
A daily security scan reveals a deceptive calm: zero new CVEs were published in the last 24 hours, yet the landscape remains seeded with active, medium-severity threats. The highest recorded CVSS score stands at a critical 9.6, underscoring that the absence of new entries does not equate to safety. This lull spotlights...
The Lab · 2026-04-13 20:22:58 · GitHub Issues
A critical security vulnerability in WooCommerce's REST API allowed unauthenticated users to access and potentially manipulate guest order fulfillment data. The flaw was rooted in a missing permission check within the API endpoint responsible for handling order fulfillments, specifically for orders placed without a cus...
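The REST permission-callback pattern behind both the PPOM for WooCommerce summary above (a blanket `'permission_callback' => '__return_true'`) and this fulfillment-endpoint summary (a missing permission check), as an added example that is not code from either project. It assumes WordPress and WooCommerce are loaded; the route namespace, path, capability and function names are illustrative.

```php
<?php
// Added example: a REST route registered with a blanket permission callback
// beside the hardened form. Assumes WordPress and WooCommerce are loaded.
// Namespace, route, capability and example_* function names are illustrative.

// Weak: '__return_true' makes every request, authenticated or not, pass the
// permission check, so whatever the callback returns is effectively public.
function example_register_weak_route() {
    register_rest_route( 'example/v1', '/orders/(?P<id>\d+)/fulfillments', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_get_fulfillments',
        'permission_callback' => '__return_true',
    ) );
}

// Hardened: the permission callback receives the request and decides per
// request. Anonymous callers get 401, authenticated callers that lack the
// capability get 403; only then does the callback run.
function example_fulfillments_permission( WP_REST_Request $request ) {
    if ( ! is_user_logged_in() ) {
        return new WP_Error( 'rest_not_logged_in', 'You must be logged in.', array( 'status' => 401 ) );
    }
    if ( ! current_user_can( 'manage_woocommerce' ) ) { // illustrative capability
        return new WP_Error( 'rest_forbidden', 'You cannot read this resource.', array( 'status' => 403 ) );
    }
    return true;
}

function example_register_hardened_route() {
    register_rest_route( 'example/v1', '/orders/(?P<id>\d+)/fulfillments', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_get_fulfillments',
        'permission_callback' => 'example_fulfillments_permission',
        'args'                => array(
            'id' => array(
                'validate_callback' => function ( $value ) {
                    return is_numeric( $value );
                },
                'sanitize_callback' => 'absint',
            ),
        ),
    ) );
}

// Route callback: runs only after the permission callback returned true.
function example_get_fulfillments( WP_REST_Request $request ) {
    $order = wc_get_order( $request->get_param( 'id' ) );
    if ( ! $order ) {
        return new WP_Error( 'rest_order_not_found', 'Order not found.', array( 'status' => 404 ) );
    }
    return rest_ensure_response( array(
        'order_id' => $order->get_id(),
        'status'   => $order->get_status(),
    ) );
}
add_action( 'rest_api_init', 'example_register_hardened_route' );
```

Two caveats apply when reviewing a route like this. Cookie-authenticated REST requests are treated as anonymous unless they carry a valid `X-WP-Nonce`, so a callback that relies on `is_user_logged_in()` only behaves as intended for clients that send the nonce (or use application passwords or another authentication handler). And for endpoints that legitimately serve guests, the fix is a permission callback that ties the request to the specific order (an order key or similar secret), not `__return_true`.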
The Lab · 2026-04-14 18:53:01 · TechCrunch
A critical supply chain attack has compromised the security of thousands of WordPress websites. Dozens of popular plugins were allegedly hijacked to push malware after their ownership was transferred to a new corporate entity. This incident represents a sophisticated breach of trust, weaponizing the routine process of ...
The Lab · 2026-04-15 11:52:44 · Golem.de
An attacker gained control of a development company that publishes more than 30 WordPress plugins. Shortly after the takeover, the attacker covertly slipped a backdoor into the software shipped to users. This targeted supply-chain attack endangers thousands of websites that rely on the affected ...
The Lab · 2026-04-15 13:23:00 · GitHub Issues
A critical, unauthenticated Local File Inclusion (LFI) vulnerability has been publicly documented for the HUSKY Products Filter Professional plugin for WooCommerce, designated as CVE-2025-1661. The flaw allows attackers to directly target WordPress sites by sending a malicious POST request to the `/wp-admin/admin-ajax....
The Lab · 2026-04-17 16:52:57 · Xakep
More than 30 WordPress plugins from the EssentialPlugin suite have been compromised and contain a hidden backdoor. Security researchers established that, as far back as 2025, unknown attackers embedded malicious code that gives them unauthorized access to site administration. This long-running campaign created a criti...
The Lab · 2026-04-18 06:22:39 · GitHub Issues
A critical Server-Side Request Forgery (SSRF) vulnerability has been patched in the Hunter AI plugin's image generator for WordPress. The flaw allowed the AI engine to potentially fetch images from internal network addresses, exposing servers to significant risk. The core issue was the use of the `wp_remote_get` functi...
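An added example, not the Hunter AI plugin's code, of the difference between fetching a caller-supplied URL with `wp_remote_get()` and fetching it only after a scheme and address check through `wp_safe_remote_get()`. WordPress is assumed loaded; the `example_*` function names are illustrative.

```php
<?php
// Added example: SSRF-prone fetch beside a hardened one. Assumes WordPress is
// loaded; the example_* function names are illustrative.

// Vulnerable: whatever URL the caller supplies is fetched, including
// http://127.0.0.1:8080/, http://169.254.169.254/ or http://10.0.0.5/.
function example_fetch_image_vulnerable( $url ) {
    return wp_remote_get( $url, array( 'timeout' => 10 ) );
}

// Hardened: allow only http(s), resolve the host and reject private, loopback,
// link-local and other reserved addresses, then use wp_safe_remote_get(), which
// also runs wp_http_validate_url() on the URL before sending the request.
function example_fetch_image_hardened( $url ) {
    $parts = wp_parse_url( $url );
    if ( empty( $parts['scheme'] ) || empty( $parts['host'] ) ) {
        return new WP_Error( 'ssrf_bad_url', 'URL must be absolute.' );
    }
    if ( ! in_array( strtolower( $parts['scheme'] ), array( 'http', 'https' ), true ) ) {
        return new WP_Error( 'ssrf_bad_scheme', 'Only http and https are allowed.' );
    }
    // Resolve every A record; one internal address is enough to refuse.
    $ips = gethostbynamel( $parts['host'] );
    if ( false === $ips ) {
        $ips = filter_var( $parts['host'], FILTER_VALIDATE_IP ) ? array( $parts['host'] ) : array();
    }
    if ( empty( $ips ) ) {
        return new WP_Error( 'ssrf_unresolvable', 'Host did not resolve.' );
    }
    foreach ( $ips as $ip ) {
        // FILTER_FLAG_NO_PRIV_RANGE rejects 10/8, 172.16/12, 192.168/16;
        // FILTER_FLAG_NO_RES_RANGE rejects 0/8, 127/8, 169.254/16, 240/4 etc.
        if ( ! filter_var( $ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE ) ) {
            return new WP_Error( 'ssrf_internal_address', 'Host resolves to a non-public address.' );
        }
    }
    return wp_safe_remote_get( $url, array(
        'timeout'     => 10,
        'redirection' => 0, // do not follow redirects toward internal hosts
    ) );
}
```

Two limits worth knowing: `gethostbynamel()` returns only IPv4 records, so IPv6-only hosts are refused rather than checked, and the resolution here is separate from the one the HTTP client performs, so a DNS-rebinding host can still answer differently at fetch time; pinning the resolved address at the transport layer is the stronger fix where the environment allows it.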
The Lab · 2026-04-20 19:23:06 · GitHub Issues
A critical security flaw has been identified in WordPress version 3.4.4, exposing sites to cross-site scripting (XSS) attacks. The vulnerability, detailed in a public support forum topic, allows malicious actors to inject and execute arbitrary scripts in the context of a user's browser. This type of exploit can lead to...
The Lab · 2026-04-21 15:22:30 · Next INpact
Around thirty popular WordPress extensions were quietly tampered with, turning websites into easy targets for attackers. The attack did not stem from a classic technical vulnerability but from a malicious change of ownership. After the acquisition of the Indian company EssentialPlug...
The Lab · 2026-05-06 22:31:39 · GitHub Issues
A confirmed stored cross-site scripting vulnerability in the Sermon Manager WordPress plugin remains without an upstream patch, leaving websites vulnerable to authenticated attacks that execute malicious code in every visitor's browser. CVE-2025-12368 carries a CVSS score of 6.4 (Medium), but security researchers have ...