by Ivan Sorkin | Feb 18, 2026 | Plugins
Attack Vectors Remove Post Type Slug (slug: remove-post-type-slug) has a Medium-severity Cross-Site Request Forgery (CSRF) vulnerability (CVSS 4.3, CVE: CVE-2025-14167) affecting versions up to and including 1.0.2. An unauthenticated attacker cannot directly “log in,”...
by Ivan Sorkin | Feb 18, 2026 | Plugins
Attack Vectors TalkJS (WordPress plugin slug: talkjs) versions 0.1.15 and earlier are affected by a Medium-severity vulnerability (CVE-2026-1055, CVSS 4.4) that allows stored cross-site scripting (XSS) through an administrator settings field named welcomeMessage. The...
by Ivan Sorkin | Feb 18, 2026 | Plugins
Attack Vectors The iXML – Google XML sitemap generator plugin (versions up to and including 0.6) has a Medium-severity vulnerability (CVSS 6.1) identified as CVE-2025-14076. It is a reflected cross-site scripting (XSS) issue triggered via the iXML_email parameter....
by Ivan Sorkin | Feb 18, 2026 | Plugins
Attack Vectors Slider Future (WordPress plugin slug: slider-future) versions 1.0.5 and below are affected by a Critical vulnerability (CVSS 9.8) identified as CVE-2026-1405. This issue can be exploited without logging in, meaning an attacker can attempt to compromise...
by Ivan Sorkin | Feb 18, 2026 | Plugins
Attack Vectors Dealia – Request a quote (slug: dealia-request-a-quote) has a Medium severity vulnerability (CVSS 4.3) tracked as CVE-2026-2504. The risk comes from authenticated users who already have basic publishing-related access in WordPress—specifically users...
by Ivan Sorkin | Feb 18, 2026 | Plugins
Attack Vectors Easy Author Image (slug: easy-author-image) is affected by a Medium-severity stored cross-site scripting (XSS) vulnerability (CVSS 6.4; vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N) tracked as CVE-2026-1373. The key business-relevant point: an...