High-Severity Flaws Expose WordPress JS Plugins to SQL and Object Injection
Two high-severity vulnerabilities have been disclosed in WordPress plugins carrying the JS branding, affecting sites that have not updated to the fixed versions. CVE-2026-32534 impacts JoomSky's JS Help Desk plugin (js-support-ticket) through version 3.0.3 and allows blind SQL injection due to improper neutralization of special elements used in SQL commands. The issue carries a CVSS 3.1 base score of 8.6 with the vector AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L, indicating network-reachable exploitation with low attack complexity, low privileges required, and a high confidentiality impact.
Timeline
Mar 25, 2026
CVE-2026-32534 record updated with CVSS details
The CVE record for the JS Help Desk plugin vulnerability was updated with a CVSS v3.1 vector describing a network-accessible blind SQL injection issue with high confidentiality impact. The update referenced Patchstack as the source documenting the vulnerability.
Mar 25, 2026
CVE-2026-32513 record updated with CVSS and CWE details
The CVE record for the JS Archive List plugin vulnerability was updated to add a CVSS v3.1 vector and CWE-502 classification, confirming high impact to confidentiality, integrity, and availability. The update also referenced Patchstack as the source documenting the issue.
Mar 25, 2026
Patchstack documents SQL injection in JS Help Desk plugin
Patchstack documented a blind SQL injection vulnerability in the WordPress JS Help Desk plugin (js-support-ticket) affecting versions up to and including 3.0.3. The issue was later tracked as CVE-2026-32534.
Mar 25, 2026
Patchstack documents PHP object injection in JS Archive List plugin
Patchstack documented a deserialization of untrusted data flaw in the WordPress JS Archive List plugin affecting versions through 6.1.7, allowing PHP object injection. The issue was later tracked as CVE-2026-32513.
Related Stories

Multiple CMS Plugin Vulnerabilities: WordPress CVEs and Joomla Novarain/Tassos Framework Flaws
Three newly described **WordPress plugin vulnerabilities** affect ShopLentor, Advanced AJAX Product Filters, and WP Maps. **CVE-2026-1714** allows **unauthenticated email relay abuse** in *ShopLentor* (<= `3.3.2`) via the `woolentor_suggest_price_action` AJAX endpoint due to missing validation of parameters such as `send_to` and `product_title`; the `wlemail` parameter can be abused for **CRLF injection** to control sender details, enabling spam/phishing relay through the victim site. **CVE-2026-1426** is a **PHP object injection** issue in *Advanced AJAX Product Filters* (<= `3.1.9.6`) reachable by **authenticated users (Author+)** through deserialization of untrusted input in `shortcode_check` within a Live Composer compatibility layer; impact depends on the presence of a usable **POP chain** in another installed plugin/theme and requires the *Live Composer* plugin to be installed and active. **CVE-2025-12062** affects *WP Maps* (<= `4.8.6`) and enables **authenticated (Subscriber+) limited local file inclusion** via `fc_load_template`, potentially leading to sensitive data exposure or code execution in scenarios where attacker-controlled `.html` content can be uploaded and then included.

Separately, Joomla sites using the **Novarain/Tassos Framework** (`plg_system_nrframework`) face critical issues enabling **unauthenticated file read, file deletion, and SQL injection**, which can be chained toward **administrator takeover** and potentially **persistent RCE**. The reported weaknesses stem from an AJAX handler that processes `task=include` without sufficient hardening, allowing attackers to reach internal classes implementing `onAjax` and abuse gadget-like behaviors (e.g., CSV loading for arbitrary file read, a `remove` action for path deletion, and attacker-influenced query construction for SQL injection). The risk propagates through multiple popular Tassos extensions that bundle the framework (including **Convert Forms**, **EngageBox**, **Google Structured Data**, **Advanced Custom Fields**, and **Smile Pack**), and remediation requires applying vendor updates for affected releases.
1 month ago
Critical WordPress Plugin Flaws Expose Sites to RCE and Privilege Escalation
Two high-severity vulnerabilities have been disclosed in widely deployed WordPress plugins, exposing internet-facing sites to **unauthenticated compromise**. `CVE-2026-3584` affects **Kali Forms** through version `2.4.9` and allows **remote code execution** because user-controlled input can be mapped into internal placeholder storage and later invoked via `call_user_func` in the `form_process` path. The issue is classified as `CWE-94` and carries a `CVSS 3.1` score with the vector `AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`, indicating critical impact on confidentiality, integrity, and availability. A second flaw, `CVE-2026-4038`, affects **Aimogen Pro** through version `2.7.5` and enables **unauthenticated privilege escalation** through an arbitrary function call in `aiomatic_call_ai_function_realtime` caused by a missing capability check. According to the disclosure, attackers can invoke WordPress functions such as `update_option` to change the default registration role to administrator and enable user registration, effectively creating a path to full site takeover. The vulnerability is tracked as `CWE-862` and was likewise rated with a high-impact `CVSS 3.1` vector of `AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`.
1 month ago
Code Injection Flaws Expose WordPress Snippet Plugins to Remote Code Execution
Two high-severity vulnerabilities have been disclosed in popular WordPress snippet-management plugins, exposing sites to **remote code execution** through `CWE-94` code injection flaws. `CVE-2026-25001` affects **Post Snippets** by Saad Iqbal in versions through `4.0.12`, while `CVE-2026-25366` affects **Woody ad snippets** (`insert-php`) by Themeisle in versions through `2.7.1`. Both issues were documented with Patchstack references and indicate that attackers could inject or include malicious code on vulnerable WordPress installations. The two CVEs differ in attack complexity but both carry severe impact to confidentiality, integrity, and availability. `CVE-2026-25001` is scored with `CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H`, while `CVE-2026-25366` carries `CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H`, making the Woody ad snippets flaw easier to exploit once low privileges are obtained. Organizations running either plugin should identify affected versions, prioritize updates beyond the vulnerable releases, and review WordPress environments for signs of unauthorized code execution.
1 month ago