Arbitrary File Read & SQL Injection in Avada Builder
Avada (Fusion) Builder version 3.15.1 has two vulnerabilities: an arbitrary file read (e.g. leaking wp-config.php) and an unauthenticated SQL injection.
17 May 2026
WP Mail Gateway – Missing Authorisation on Email Settings
The WP Mail Gateway plugin has a critical authorisation flaw in version 1.8 and earlier. Any authenticated user, including a Subscriber with no special permissions, can modify your site's email gateway settings. That lets an attacker redirect all outgoing mail to their own server, intercept password resets, and escalate to administrator access.
15 May 2026
W3 Total Cache Security Token Exposure (CVE-2026-5032)
W3 Total Cache is used on millions of sites and does everything from page caching to CDN integration. But today, I want to talk about a specific security flaw that highlights why "internal maintenance" features can be a liability if they aren't properly locked down.
12 May 2026
Kadence Blocks: Missing Authorisation Allows Arbitrary File Uploads
This is a bit of an older one, but it's still important to highlight. The popular Kadence Blocks plugin had a missing authorisation vulnerability in versions up to 3.6.3. This allowed authenticated users with the Contributor role to upload arbitrary files to the Media Library.
11 May 2026
Customer Reviews for WooCommerce: Verified Review Bypass
The Customer Reviews for WooCommerce plugin 5.103.0 and below has a critical weakness that allows attackers to post fake/spam reviews.
22 April 2026
Missing Authorisation in Subscriptions for WooCommerce – Anyone Can Cancel Any Subscription
Subscriptions for WooCommerce version 1.9.2 has a missing authorisation check that lets any user delete or reactivate any subscription.
11 April 2026
Unauthenticated SQL Injection in Ally
Versions of Ally (One Click Accessibility) up to and including 4.0.3 are open to an unauthenticated SQL injection vulnerability. An attacker can extract sensitive data from the database, without logging in.
10 April 2026
Unauthenticated RCE in File Uploader for WooCommerce
File Uploader for WooCommerce up to 1.0.3 exposes an unauthenticated REST endpoint that pulls an attacker-controlled file from Uploadcare into the uploads directory with any extension. Full pre-auth RCE (CVE-2025-13329, CVSS 9.8).
9 April 2026
Vendor IDOR in WCFM Frontend Manager for WooCommerce
WCFM Frontend Manager for WooCommerce is the dashboard lots of multi-vendor marketplaces sit on top of. It gives each vendor a front-end area to manage their own products, orders and content without ever touching wp-admin. Versions up to and including 6.7.25 had a set of matching authorisation bugs in that dashboard that let any logged-in vendor reach well beyond their own shop. CVE-2026-4896 covers the lot.
6 April 2026
Unauthenticated REST API Bypass in WooCommerce Order Alert Plugin
Order Notification for WooCommerce (woc-order-alert) plays audio alerts in the browser when new orders come in. It's useful if you're running a busy shop and want a heads-up without refreshing your site's admin dashboard. Before version 3.6.3 there was a serious problem. A permission bypass meant the entire WooCommerce REST API was open to unauthenticated requests. No API keys, no cookies, no login required. It was an absolute howler.
4 April 2026
Arbitrary file move in MW WP Form lets attackers take over your site
MW WP Form versions up to and including 5.1.0 have a path traversal vulnerability that lets attackers completely take over your site. It's a common pattern with this plugin when file uploads are enabled.
3 April 2026
Missing Authorisation in Product Filter for WooCommerce Lets Anyone Delete Your Filter Data
Product Filter for WooCommerce: unauthorised attackers can delete all filter configurations. Learn about CVE-2026-3138 and protect your store now.
2 April 2026