
Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 917 | Critical: 917 | High: 0 | Medium: 0
Showing 121-140 of 917 records
CVE-2026-21855 - Tarkov Data Manager Plugin
CRITICAL | CVSS 9.3 | 2026-01-07 | Threat Entry Updated 2026-02-03

The Tarkov Data Manager is a tool to manage the Tarkov item data. Prior to 02 January 2025, a reflected Cross Site Scripting (XSS) vulnerability in the toast notification system allows any attacker to execute arbitrary JavaScript in the context of a victim's browser session by crafting a malicious URL. A series of fix commits on 02 January 2025 fixed this and other vulnerabilities.

CVE-2026-22542 - QC 60/90/120 Plugin
CRITICAL | CVSS 9.2 | 2026-01-07 | Threat Entry Updated 2026-01-08

An attacker with access to the system's internal network can cause a denial of service on the system by making two concurrent connections through the Telnet service.

CVE-2026-22540 - QC60/90/120 Plugin
CRITICAL | CVSS 9.2 | 2026-01-07 | Threat Entry Updated 2026-01-08

Mass sending of ARP requests causes a denial of service on one board of the charger, the board that controls the EV interfaces; since that board must be operating correctly for the charger to function correctly, the charger is affected as well.

CVE-2026-0650 - Flagr Plugin
CRITICAL | CVSS 9.3 | 2026-01-07 | Threat Entry Updated 2026-01-08

OpenFlagr versions prior to and including 1.1.18 contain an authentication bypass vulnerability in the HTTP middleware. Due to improper handling of path normalization in the whitelist logic, crafted requests can bypass authentication and access protected API endpoints without valid credentials. Unauthorized access may allow modification of feature flags and export of sensitive data.

CVE-2025-15018 - Optional Email Plugin
CRITICAL | CVSS 9.8 | 2026-01-07 | Threat Entry Updated 2026-01-08

The Optional Email plugin for WordPress is vulnerable to Privilege Escalation via Account Takeover in all versions up to, and including, 1.3.11. This is due to the plugin not restricting its 'random_password' filter to registration contexts, allowing the filter to affect password reset key generation. This makes it possible for unauthenticated attackers to set a known password reset key when initiating a password reset, reset the password of any user including administrators, and gain access to their accounts.

CVE-2025-30996 - Unrestricted Upload Of File With Dangerous Type Vulnerability In Themify Themify Sidepane Theme
CRITICAL | CVSS 9.9 | 2026-01-06 | Threat Entry Updated 2026-01-08

Unrestricted Upload of File with Dangerous Type vulnerability in Themify Themify Sidepane WordPress Theme, Themify Themify Newsy, Themify Themify Folo, Themify Themify Edmin, Themify Bloggie, Themify Photobox, Themify Wigi, Themify Rezo, Themify Slide allows Upload a Web Shell to a Web Server. This issue affects Themify Sidepane WordPress Theme: from n/a through 1.9.8; Themify Newsy: from n/a through 1.9.9; Themify Folo: from n/a through 1.9.6; Themify Edmin: from n/a through 2.0.0; Bloggie: from n/a through 2.0.8; Photobox: from n/a through 2.0.1; Wigi: from n/a through 2.0.1; Rezo: from n/a through 1.9.7;…

CVE-2025-15001 - Fs Registration Password Plugin
CRITICAL | CVSS 9.8 | 2026-01-06 | Threat Entry Updated 2026-01-08

The FS Registration Password plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.0.1. This is due to the plugin not properly validating a user's identity prior to updating their password. This makes it possible for unauthenticated attackers to change arbitrary users' passwords, including administrators', and leverage that to gain access to their accounts.

CVE-2025-14996 - As Password Field In Default Registration Form Plugin
CRITICAL | CVSS 9.8 | 2026-01-06 | Threat Entry Updated 2026-01-08

The AS Password Field In Default Registration Form plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 2.0.0. This is due to the plugin not properly validating a user's identity prior to updating their password. This makes it possible for unauthenticated attackers to change arbitrary users' passwords, including administrators', and leverage that to gain access to their accounts.

CVE-2026-21675 - iccDEV Plugin
CRITICAL | CVSS 9.8 | 2026-01-06 | Threat Entry Updated 2026-01-12

iccDEV provides a set of libraries and tools for working with ICC color management profiles. Versions 2.3.1 and below contain a Use After Free vulnerability in the CIccXform::Create() function, where it deletes the hint. This issue is fixed in version 2.3.1.1.

CVE-2026-0625 - DIR-600 Plugin
CRITICAL | CVSS 9.3 | 2026-01-05 | Threat Entry Updated 2026-01-08

Multiple D-Link DSL/DIR/DNS devices contain an authentication bypass and improper access control vulnerability in the dnscfg.cgi endpoint that allows an unauthenticated attacker to access DNS configuration functionality. By directly requesting this endpoint, an attacker can modify the device's DNS settings without valid credentials, enabling DNS hijacking ("DNSChanger") attacks that redirect user traffic to attacker-controlled infrastructure. In 2019, D-Link reported that this behavior was leveraged by the "GhostDNS" malware ecosystem targeting consumer and carrier routers. All impacted products were subsequently designated end-of-life/end-of-service, and no longer receive security updates. Exploitation evidence was observed…

CVE-2026-21440 - Core Plugin
CRITICAL | CVSS 9.2 | 2026-01-02 | Threat Entry Updated 2026-01-08

AdonisJS is a TypeScript-first web framework. A Path Traversal vulnerability in AdonisJS multipart file handling may allow a remote attacker to write arbitrary files to arbitrary locations on the server filesystem. This impacts @adonisjs/bodyparser through version 10.1.1 and 11.x prerelease versions prior to 11.0.0-next.6. This issue has been patched in @adonisjs/bodyparser versions 10.1.2 and 11.0.0-next.6.

CVE-2025-14998 - Branda White Labeling Plugin
CRITICAL | CVSS 9.8 | 2026-01-02 | Threat Entry Updated 2026-01-02

The Branda plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.4.24. This is due to the plugin not properly validating a user's identity prior to updating their password. This makes it possible for unauthenticated attackers to change arbitrary users' passwords, including administrators', and leverage that to gain access to their accounts.

CVE-2025-52835 - WordPress Core
CRITICAL | CVSS 9.6 | 2025-12-30 | Threat Entry Updated 2026-01-20

Cross-Site Request Forgery (CSRF) vulnerability in ConoHa by GMO WING WordPress Migrator allows Upload a Web Shell to a Web Server. This issue affects WING WordPress Migrator: from n/a through 1.1.9.

CVE-2025-68987 - For Movie Studios And Filmmakers Cinerama Allows Php Local File Inclusion Theme
CRITICAL | CVSS 9.8 | 2025-12-30 | Threat Entry Updated 2026-01-20

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Edge-Themes Cinerama - A WordPress Theme for Movie Studios and Filmmakers cinerama allows PHP Local File Inclusion. This issue affects Cinerama - A WordPress Theme for Movie Studios and Filmmakers: from n/a through

CVE-2025-68974 - WordPress Core
CRITICAL | CVSS 9.8 | 2025-12-30 | Threat Entry Updated 2026-01-20

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in miniOrange WordPress Social Login and Register miniorange-login-openid allows PHP Local File Inclusion. This issue affects WordPress Social Login and Register: from n/a through

CVE-2025-13773 - Delivery Notes For Woocommerce Plugin
CRITICAL | CVSS 9.8 | 2025-12-24 | Threat Entry Updated 2025-12-29

The Print Invoice & Delivery Notes for WooCommerce plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 5.8.0 via the 'WooCommerce_Delivery_Notes::update' function. This is due to a missing capability check in the 'WooCommerce_Delivery_Notes::update' function, PHP being enabled in Dompdf, and missing escaping in the 'template.php' file. This makes it possible for unauthenticated attackers to execute code on the server.

CVE-2025-14388 - Phastpress Plugin
CRITICAL | CVSS 9.8 | 2025-12-23 | Threat Entry Updated 2025-12-23

The PhastPress plugin for WordPress is vulnerable to Unauthenticated Arbitrary File Read via null byte injection in all versions up to, and including, 3.7. This is due to a discrepancy between the extension validation in `getExtensionForURL()` which operates on URL-decoded paths, and `appendNormalized()` which strips everything after a null byte before constructing the filesystem path. This makes it possible for unauthenticated attackers to read arbitrary files from the webroot, including wp-config.php, by appending a double URL-encoded null byte (%2500) followed by an allowed extension (.txt) to the file path.

CVE-2025-13619 - Flex Store Users Plugin
CRITICAL | CVSS 9.8 | 2025-12-20 | Threat Entry Updated 2025-12-23

The Flex Store Users plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.1.0. This is due to the 'fsUserHandle::signup' and the 'fsSellerRole::add_role_seller' functions not restricting what user roles a user can register with. This makes it possible for unauthenticated attackers to supply the 'administrator' role during registration and gain administrator access to the site. Note: The vulnerability can be exploited with the 'fs_type' parameter if the Flex Store Seller plugin is also activated.

CVE-2025-13329 - File Uploader For Woocommerce Plugin
CRITICAL | CVSS 9.8 | 2025-12-20 | Threat Entry Updated 2025-12-23

The File Uploader for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the callback function for the 'add-image-data' REST API endpoint in all versions up to, and including, 1.0.3. This makes it possible for unauthenticated attackers to upload arbitrary files to the Uploadcare service and subsequently download them onto the affected site's server, which may make remote code execution possible.

CVE-2025-64231 - Contact Form 7 Plugin
CRITICAL | CVSS 9.8 | 2025-12-18 | Threat Entry Updated 2026-01-20

Unrestricted Upload of File with Dangerous Type vulnerability in RedefiningTheWeb WordPress Contact Form 7 PDF, Google Sheet & Database rtwwcfp-wordpress-contact-form-7-pdf allows Using Malicious Files. This issue affects WordPress Contact Form 7 PDF, Google Sheet & Database: from n/a through