Aggregator

A vulnerability was found in MasterStudy LMS Plugin up to 3.7.11 on WordPress. It has been declared as problematic. This affects the function stm_lms_courses_grid_display of the component Shortcode Handler. Such manipulation leads to cross site scripting. This vulnerability is traded as CVE-2026-0559. The attack may be launched remotely. There is no exploit available.

A vulnerability categorized as problematic has been discovered in Allow HTML in Category Descriptions Plugin up to 1.2.4 on WordPress. This issue affects the function wp_kses_data. Executing a manipulation of the argument term_description/link_description/link_notes/user_description can lead to cross site scripting. This vulnerability is handled as CVE-2026-0693. The attack can be executed remotely. There is not any exploit available.

A vulnerability labeled as problematic has been found in User Language Switch Plugin up to 1.6.10 on WordPress. The affected element is an unknown function. The manipulation of the argument tab_color_picker_language_switch results in cross site scripting. This vulnerability was named CVE-2026-0735. The attack may be performed from remote. There is no available exploit.

A vulnerability, which was classified as problematic, was found in Collect.chat Chatbot Plugin up to 2.4.8 on WordPress. Affected by this issue is some unknown functionality. The manipulation of the argument _inpost_head_script[synth_header_script] results in cross site scripting. This vulnerability is cataloged as CVE-2026-0736. The attack may be launched remotely. There is no exploit available.

A vulnerability was found in Link Hopper Plugin up to 2.5 on WordPress. It has been classified as problematic. This issue affects some unknown processing. Performing a manipulation of the argument hop_name results in cross site scripting. This vulnerability is reported as CVE-2025-15483. The attack is possible to be carried out remotely. No exploit exists.

2026，祝全体白帽“马”上发财！新春快乐！阖家团圆！

A new evolution in the ClickFix social engineering campaign, which now employs a custom DNS hijacking technique to deliver malware. This attack method tricks users into executing malicious commands that utilize DNS lookups to fetch the next stage of the infection, allowing attackers to bypass traditional detection methods and blend in with normal network traffic. […]

The post New Clickfix Exploit Tricks Users into Changing DNS Settings for Malware Installation appeared first on Cyber Security News.

A new alleged Russia-linked APT group targeted Ukrainian defense, government, and energy groups, with CANFAIL malware. Google Threat Intelligence Group identified a previously undocumented threat actor behind attacks on Ukrainian organizations using CANFAIL malware. The group is possibly linked to Russian intelligence services and has targeted defense, military, government, and energy entities at both regional […]

Разделяющиеся боеголовки, чтобы бить одной ракетой по разным городам? А что, идея.

A vulnerability identified as critical has been detected in Starfish Review Generation & Marketing Plugin up to 3.1.19 on WordPress. This impacts the function srm_restore_options_defaults. The manipulation leads to improper authorization. This vulnerability is listed as CVE-2025-15157. The attack may be initiated remotely. There is no available exploit.

A vulnerability labeled as problematic has been found in PixelYourSite Pro Plugin up to 12.4.0.2 on WordPress. Affected is the function pys_landing_page. The manipulation of the argument pysTrafficSource results in cross site scripting. This vulnerability is cataloged as CVE-2026-1844. The attack may be launched remotely. There is no exploit available.

A vulnerability marked as problematic has been reported in PixelYourSite Plugin up to 11.2.0 on WordPress. Affected by this vulnerability is the function pys_landing_page. This manipulation of the argument pysTrafficSource causes cross site scripting. This vulnerability is registered as CVE-2026-1841. Remote exploitation of the attack is possible. No exploit is available.

A vulnerability was found in BFG Tools Plugin up to 1.0.7 on WordPress. It has been rated as critical. Affected is the function zip of the file /wp-content/plugins/. The manipulation of the argument first_file leads to path traversal. This vulnerability is referenced as CVE-2025-13681. Remote exploitation of the attack is possible. No exploit is available.

A vulnerability categorized as problematic has been discovered in StickEasy Protected Contact Form Plugin up to 1.0.1/1.0.2 on WordPress. Affected by this vulnerability is an unknown functionality of the file wp-content/uploads/stickeasy-protected-contact-form/spcf-log.txt. The manipulation results in information disclosure. This vulnerability is identified as CVE-2025-13973. The attack can be executed remotely. There is not any exploit available.

A vulnerability identified as problematic has been detected in Easy Form Builder Plugin up to 3.9.3 on WordPress. Affected by this issue is some unknown functionality. This manipulation causes missing authorization. This vulnerability is tracked as CVE-2025-14067. The attack is possible to be carried out remotely. No exploit exists.

A vulnerability labeled as problematic has been found in WP Last Modified Info Plugin up to 1.9.5 on WordPress. This affects the function bulk_save. Such manipulation of the argument post_ids leads to improper control of resource identifiers. This vulnerability is listed as CVE-2025-14608. The attack may be performed from remote. There is no available exploit.

A vulnerability identified as problematic has been detected in BlueSnap Payment Gateway for WooCommerce Plugin up to 3.3.0 on WordPress. This issue affects the function WC_Geolocation::get_ip_address of the component X-Forwarded-For Handler. Performing a manipulation results in missing authorization. This vulnerability is identified as CVE-2026-0692. The attack can be initiated remotely. There is not any exploit available.

A vulnerability marked as problematic has been reported in personal-authors-category Plugin up to 0.3 on WordPress. The affected element is an unknown function. The manipulation leads to cross site scripting. This vulnerability is listed as CVE-2026-1754. The attack may be initiated remotely. There is no available exploit.

A vulnerability described as problematic has been identified in Simple Wp Colorfull Accordion Plugin up to 1.0 on WordPress. The impacted element is an unknown function of the component Shortcode Handler. The manipulation of the argument Title results in cross site scripting. This vulnerability is cataloged as CVE-2026-1904. The attack may be launched remotely. There is no exploit available.

A vulnerability classified as problematic has been found in Easy Voice Mail Plugin up to 1.2.5 on WordPress. This affects an unknown function. This manipulation of the argument Message causes cross site scripting. This vulnerability is registered as CVE-2026-1164. Remote exploitation of the attack is possible. No exploit is available.