4 posts tagged with WordPress.
CVE-2026-39534 was a custom-MVC dispatcher in WP Directory Kit that took a method name from POST and called it. No authentication, no nonce, no model allowlist. POST a model name, get the rows back. How the dispatcher pattern hides this class of bug and a checklist to find it in any plugin that ships its own MVC.
Read more →
CVE-2026-39511 was an unauthenticated SQL injection in the WP Photo Album Plus plugin. The query went through wpdb::prepare() correctly and then through stripslashes() right after, deleting the very escapes prepare() had just added. How the anti-pattern works, the exploitable payload and a checklist to grep your own plugin source for the same shape.
Read more →
CVE-2025-4392 was an unauthenticated stored XSS in the Shared Files plugin. A sanitizer that only ran for SVGs and silently passed everything else through. How the gate made the function's name a lie, and a checklist to grep your own plugin source for the same pattern.
Read more →
A walkthrough of CVE-2025-3769, an IDOR in the LatePoint plugin that exposed customer data from about 100K WordPress sites. How I found it, the code-review pattern behind it and a checklist for auditing WordPress plugins yourself.
Read more →