Mallory

Multiple CMS Plugin Vulnerabilities: WordPress CVEs and Joomla Novarain/Tassos Framework Flaws

Tags: internet-facing-service-vulnerability, widely-deployed-product-advisory, open-source-dependency-vulnerability
Updated March 21, 2026 at 02:23 PM. 3 sources.


Three newly described WordPress plugin vulnerabilities affect ShopLentor, Advanced AJAX Product Filters, and WP Maps.

CVE-2026-1714 (ShopLentor <= 3.3.2): the woolentor_suggest_price_action AJAX endpoint does not validate parameters such as send_to and product_title, so an unauthenticated attacker can have the victim site send mail to recipients of the attacker's choosing. The wlemail parameter is additionally subject to CRLF injection, which lets the attacker control sender details (and, as with any header injection, append further mail headers), turning the site into a relay for spam and phishing.

CVE-2026-1426 (Advanced AJAX Product Filters <= 3.1.9.6): PHP object injection through deserialization of untrusted input in shortcode_check, inside the plugin's Live Composer compatibility layer. Exploitation requires an authenticated user with Author-level access or higher and the Live Composer plugin installed and active; whether the result is file deletion, data access, or code execution depends on a usable POP chain being present in another installed plugin or theme.

CVE-2025-12062 (WP Maps <= 4.8.6): limited local file inclusion through fc_load_template, reachable by authenticated users with Subscriber-level access or higher. The include is limited to .html files, so the practical outcome is sensitive data exposure, or code execution in deployments where an attacker can first upload attacker-controlled .html content and then include it.
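The header-injection mechanism behind CVE-2026-1714, as an added Python illustration that is not the plugin's code: a vulnerable header builder that concatenates request values, beside a hardened one that rejects control characters, requires a single bare address, and takes the recipient from configuration instead of the request. The function names, the SITE_ADMIN constant, and the sample sender string are constructed for this example; the pattern applies to any mail path where wp_mail() headers are assembled from user input.

```python
import re

# Constructed sample input (not from the advisory): an address field carrying
# CRLF-injected headers, of the kind CVE-2026-1714 describes for `wlemail`.
INJECTED_SENDER = ("alice@example.com\r\n"
                   "Bcc: target1@example.net, target2@example.net\r\n"
                   "Subject: Your account")

SITE_ADMIN = "admin@example.com"  # assumed trusted recipient, read from config


def build_headers_vulnerable(sender: str, send_to: str, subject: str) -> str:
    """Illustrative vulnerable pattern (not the plugin's code): request-supplied
    values are dropped straight into the header block, so a CR LF in `sender`
    terminates the From: line and everything after it becomes new headers."""
    return f"From: {sender}\r\nTo: {send_to}\r\nSubject: {subject}\r\n"


def parse_headers(block: str) -> dict:
    """Parse a raw header block the way a mail library would: one header per
    CRLF-delimited line, header name before the first colon."""
    headers: dict = {}
    for line in block.split("\r\n"):
        if line:
            name, _, value = line.partition(":")
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


class InvalidAddress(ValueError):
    pass


_ADDR = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}$")


def validate_address(addr: str) -> str:
    """Reject CR, LF and NUL outright, then require one bare address
    (the same intent as WordPress' is_email()/sanitize_email())."""
    if any(c in addr for c in "\r\n\0"):
        raise InvalidAddress("control characters in address")
    if not _ADDR.match(addr):
        raise InvalidAddress("not a single bare e-mail address")
    return addr


def build_headers_hardened(sender: str, subject: str) -> str:
    """Hardened form: sender validated, recipient taken from configuration
    rather than from the request, subject folded onto a single line."""
    sender = validate_address(sender)
    subject = re.sub(r"[\r\n]+", " ", subject).strip()
    return f"From: {sender}\r\nTo: {SITE_ADMIN}\r\nSubject: {subject}\r\n"


if __name__ == "__main__":
    hdrs = parse_headers(build_headers_vulnerable(
        INJECTED_SENDER, "victim@example.org", "Price suggestion"))
    print("vulnerable build produced headers:", sorted(hdrs))
    try:
        build_headers_hardened(INJECTED_SENDER, "Price suggestion")
    except InvalidAddress as exc:
        print("hardened build rejected input:", exc)
```

The vulnerable build turns three inputs into five headers: everything the attacker placed after the first CR LF (here a Bcc: list and a second Subject:) is honoured by the parser. The hardened build refuses the same input before anything is assembled. Note the second half of the fix: a perfectly valid wlemail does not help if send_to is still attacker-chosen, which is why the recipient is not read from the request at all.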

Separately, Joomla sites using the Novarain/Tassos Framework (plg_system_nrframework) face critical issues that allow unauthenticated file read, file deletion, and SQL injection, which can be chained toward administrator takeover and potentially persistent remote code execution. The weaknesses stem from an AJAX handler that processes task=include without sufficient hardening: an attacker can reach internal classes that implement onAjax and abuse gadget-like behaviour in them, for example CSV loading for arbitrary file read, a remove action for path deletion, and attacker-influenced query construction for SQL injection. Because many popular Tassos extensions bundle the framework (including Convert Forms, EngageBox, Google Structured Data, Advanced Custom Fields, and Smile Pack), the exposure reaches every site running an affected release of any of them, and remediation is to apply the vendor updates for the affected releases of each installed extension.
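Request-level detection for the endpoints named in the two paragraphs above, as an added example rather than anything from the advisories or the vendors: a small inspector that flags CR/LF in the ShopLentor suggest-price parameters, traversal or stream wrappers in a WP Maps template request, serialized PHP objects in admin-ajax parameters, and Joomla com_ajax calls that carry plugin=nrframework together with task=include. Assumptions not stated on the page: WordPress AJAX requests arrive at /wp-admin/admin-ajax.php with the action name in `action`; the WP Maps action is assumed to share the name fc_load_template (its parameter name does not matter, every value is checked, and `template` in the sample is made up); Joomla routes system-plugin AJAX through index.php?option=com_ajax&plugin=<name>. The sample requests are constructed.

```python
import re
from dataclasses import dataclass
from urllib.parse import parse_qs, unquote, urlsplit


@dataclass
class Request:
    """Minimal request model: method, URL (path plus query), form-encoded body."""
    method: str
    url: str
    body: str = ""

    def path(self) -> str:
        return urlsplit(self.url).path

    def params(self) -> dict:
        """Merge query and body parameters. parse_qs decodes once; a second
        unquote() surfaces double-encoded CR/LF such as %250d%250a."""
        merged: dict = {}
        for raw in (urlsplit(self.url).query, self.body):
            for key, vals in parse_qs(raw, keep_blank_values=True).items():
                merged.setdefault(key, []).extend(unquote(v) for v in vals)
        return merged


CRLF = re.compile(r"[\r\n]")
# A serialized PHP object: O:<len>:"<class>":<n>:{ ... }
PHP_OBJECT = re.compile(r'\bO:\d+:"[\w\\]+":\d+:\{')
# Traversal and stream wrappers that an include() sink should never see
TRAVERSAL = re.compile(r"(\.\./|\.\.\\|\x00|php://|phar://|data:)", re.I)

WP_AJAX = "/wp-admin/admin-ajax.php"  # assumed WordPress AJAX entry point


def inspect(req: Request) -> list:
    """Return (reference, reason) findings for a single request."""
    findings = []
    p = req.params()
    values = [v for vals in p.values() for v in vals]
    action = p.get("action", [""])[0]

    if req.path().endswith(WP_AJAX):
        if action == "woolentor_suggest_price_action":
            if any(CRLF.search(v) for v in values):
                findings.append(("CVE-2026-1714",
                                 "CR/LF inside ShopLentor suggest-price parameters: mail header injection attempt"))
            else:
                findings.append(("CVE-2026-1714",
                                 "ShopLentor suggest-price endpoint reached; review send_to/wlemail for relay abuse"))
        if action == "fc_load_template" and any(TRAVERSAL.search(v) for v in values):
            findings.append(("CVE-2025-12062",
                             "traversal or stream wrapper in WP Maps template request"))
        if any(PHP_OBJECT.search(v) for v in values):
            findings.append(("CVE-2026-1426",
                             "serialized PHP object in admin-ajax parameter: object injection probe"))

    if (p.get("option") == ["com_ajax"] and p.get("plugin") == ["nrframework"]
            and p.get("task") == ["include"]):
        findings.append(("nrframework",
                         "Tassos framework task=include reached an internal onAjax class (unauthenticated file read/delete/SQLi chain)"))
    return findings


# Constructed sample traffic (not captured from a real site).
SAMPLES = [
    Request("POST", "/wp-admin/admin-ajax.php",
            "action=woolentor_suggest_price_action&wlemail=a%40example.com%0d%0aBcc%3Ax%40example.net"
            "&send_to=v%40example.org&product_title=Hi"),
    Request("POST", "/wp-admin/admin-ajax.php",
            "action=fc_load_template&template=..%2F..%2F..%2Fwp-config.php"),
    Request("POST", "/wp-admin/admin-ajax.php",
            "action=example_action&data=O%3A8%3A%22stdClass%22%3A1%3A%7Bs%3A1%3A%22a%22%3Bi%3A1%3B%7D"),
    Request("GET", "/index.php?option=com_ajax&plugin=nrframework&format=raw&task=include"),
    Request("POST", "/wp-admin/admin-ajax.php", "action=heartbeat&_nonce=abc123"),
]


def scan(requests: list) -> dict:
    """Map each sample index to the references it triggered."""
    return {i: [ref for ref, _ in inspect(r)] for i, r in enumerate(requests)}


if __name__ == "__main__":
    for i, r in enumerate(SAMPLES):
        for ref, why in inspect(r):
            print(f"sample {i}: {ref}: {why}")
```

Run this over WAF or reverse-proxy logs that retain POST bodies; plain access logs only show POST /wp-admin/admin-ajax.php and carry none of the parameters. A hit on the ShopLentor rule without CR/LF is not by itself malicious, since the endpoint is a legitimate product feature; the CR/LF and traversal rules are the ones worth alerting on, and given the unauthenticated reachability described above, any task=include request to nrframework deserves an alert on its own.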

Timeline

  1. Feb 18, 2026

    Advanced AJAX Product Filters object injection disclosed as CVE-2026-1426

    A PHP object injection vulnerability affecting Advanced AJAX Product Filters versions through 3.1.9.6 was disclosed. Authenticated Author-level users or higher can exploit unsafe deserialization in the shortcode_check function, with possible file deletion, data access, or code execution if a usable POP chain exists and Live Composer is active.

  2. Feb 18, 2026

    ShopLentor email relay flaw disclosed as CVE-2026-1714

    A vulnerability in ShopLentor versions through 3.3.2 was disclosed that allows unauthenticated attackers to abuse the woolentor_suggest_price_action AJAX endpoint to send arbitrary emails. The flaw can turn vulnerable sites into open email relays for spam or phishing, including sender-address manipulation via CRLF injection.

  3. Feb 17, 2026

    WP Maps LFI vulnerability disclosed as CVE-2025-12062

    A local file inclusion vulnerability affecting WP Maps plugin versions through 4.8.6 was disclosed. Authenticated users with Subscriber-level access or higher can abuse the fc_load_template function to include arbitrary .html files, potentially leading to sensitive data access or code execution.


Related Stories

High-Severity Flaws Expose WordPress JS Plugins to SQL and Object Injection


Two high-severity vulnerabilities have been disclosed in WordPress plugins using the `JS` branding, affecting sites that have not updated to fixed versions. `CVE-2026-32534` impacts JoomSky's **JS Help Desk** plugin (`js-support-ticket`) through version `3.0.3` and allows **blind SQL injection** due to improper neutralization of special elements in SQL commands. The issue is rated `CVSS 3.1 8.6` with vector `AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L`, indicating network-reachable exploitation with low attack complexity and significant confidentiality impact.

1 month ago
Multiple Critical Vulnerabilities Disclosed Across Popular Software Platforms


A series of critical vulnerabilities have been disclosed affecting a wide range of popular software platforms, including WordPress plugins, web frameworks, developer tools, and enterprise applications. Notable issues include unauthenticated remote code execution (RCE) flaws in Next.js (CVE-2025-66478), WordPress core (CVE-2025-6389), and the ACF Extended plugin (CVE-2025-13486), as well as privilege escalation and authentication bypass vulnerabilities in the WP Directory Kit plugin (CVE-2025-13390) and cPanel. Several of these vulnerabilities are reported to be under active exploitation, with proof-of-concept code available for some, increasing the urgency for immediate patching and mitigation. Other significant disclosures include a high-severity flaw in Vim for Windows (CVE-2025-66476) allowing arbitrary code execution, a critical SQL injection chain in Synology BeeStation, and a directory traversal vulnerability in cPanel that could lead to full server takeover. Additional advisories cover issues in lz4-java, Longwatch OT surveillance, Django, Elementor, Apache Struts, nopCommerce, and OpenVPN, with many rated as critical or high severity by CVSS. Organizations are strongly advised to review affected products and apply security updates promptly to mitigate the risk of exploitation.

1 month ago
Multiple Unrelated Critical Vulnerabilities Disclosed in October 2025


A series of critical and high-severity vulnerabilities affecting a diverse set of software products were publicly disclosed in October 2025. Epsilon RH by Grupo Castilla was found to have a SQL injection vulnerability (CVE-2025-41028) that allows attackers to manipulate the database by sending crafted POST requests to the 'sEstadoUsr' parameter in the '/epsilonnetws/WSAvisos.asmx' endpoint. Lanscope Endpoint Manager (CVE-2025-61932) was reported to have an improper origin verification flaw, enabling attackers to execute arbitrary code via specially crafted packets, though remote exploitation is not possible. Galaxy Software Services Vitals ESP Forum Module (CVE-2025-31342) was discovered to allow remote authenticated users to upload dangerous files, leading to arbitrary command execution. Fsas Technologies Inc.'s ETERNUS SF (CVE-2025-62577) contains incorrect default permissions, allowing low-privileged users to obtain database credentials and potentially escalate privileges to execute OS commands as an administrator. Excellent Infotek's Document Management System (CVE-2025-11948) is vulnerable to unauthenticated arbitrary file upload, enabling attackers to deploy web shells and execute code on the server. Vvveb CMS up to version 1.0.5 is susceptible to authenticated code injection via its Code Editor, allowing attackers to modify files and achieve remote code execution. The Theme Editor plugin for WordPress (CVE-2025-9890) is vulnerable to cross-site request forgery, which can be exploited to achieve remote code execution if an administrator is tricked into clicking a malicious link. The PPOM plugin for WooCommerce (CVE-2025-11391) allows unauthenticated arbitrary file uploads, posing a severe risk to affected e-commerce sites. 
The Appointments plugin for WordPress (CVE-2017-20206) and the Flickr Gallery plugin (CVE-2017-20207) both suffer from unauthenticated PHP object injection vulnerabilities, which have been actively exploited to create backdoors using the WP_Theme() class. RegistrationMagic (CVE-2017-20208) is also affected by a PHP object injection flaw, allowing attackers to fetch and install remote files. Finally, BLU-IC2 and BLU-IC4 devices (CVE-2025-11925) have an API that returns an incorrect Content-Type header, potentially enabling HTML/JavaScript injection in responses. Each of these vulnerabilities presents a significant risk, with several allowing remote code execution, privilege escalation, or the installation of persistent backdoors. The affected products span web applications, content management systems, endpoint management tools, and specialized enterprise software. Security teams are advised to review the specific advisories, apply patches or mitigations where available, and monitor for signs of exploitation, as several vulnerabilities have been reported as actively exploited in the wild. The diversity and severity of these disclosures underscore the ongoing need for rigorous vulnerability management and timely response to public advisories.

1 month ago
