WordPress
CVE-2026-2599 : Unauthenticated PHP Object Injection → WP_HTML_Token POP Chain
A technical breakdown of CVE-2026-2599, a CVSS 9.8 Critical unauthenticated PHP Object Injection vulnerability in the "Contact Form Entries" WordPress plugin (≤ 1.4.7). The download_csv function deserializes untrusted user input without allowed_classes restrictions. When combined with WordPress 6.4.0-6.4.1, the built-in WP_HTML_Token class provides a complete all-public POP chain leading to full Remote Code Execution via two unauthenticated HTTP requests.
Wed 25 March 2026
CVE-2026-1357: Unauthenticated RCE in WPvivid Backup Plugin
A technical breakdown of CVE-2026-1357, a CVSS 9.8 critical unauthenticated remote code execution...
Fri 20 February 2026
AI-automated Attack surface, Privacy Analysis, Wordpress agent, and more.
Ostorlab's January 2025 update introduces AI-powered attack surface discovery and improves IDE pe...
Mon 20 January 2025
Deep Dive: Stored XSS Vulnerability in LiteSpeed Cache Plugin for WordPress (CVE-2024-47374)
An in-depth look at the CVE-2024-47374 vulnerability affecting LiteSpeed Cache plugin for WordPre...
Thu 10 October 2024