News & Sicurezza

CVE ID :CVE-2026-4483 Published : April 8, 2026, 7:25 a.m. | 31 minutes ago Description :An exposed IOCTL with an insufficient access control vulnerability has been identified in the utility, MxGeneralIo, for Moxa’s industrial x86 computers. The affected utility, MxGeneralIo, exposes IOCTL methods that permit direct read and write access to MSR and system memory. A local attacker with high privileges could abuse these interfaces to perform unauthorized operations. Successful exploitation may result in privilege escalation on Windows 7 systems or cause a system crash (BSoD) on Windows 10 and 11 systems, leading to a denial-of-service condition. The vulnerability could slightly affect the confidentiality and integrity of the device, but availability might be heavily impacted. No impact to the subsequent system has been identified. Severity: 7.0 | HIGH Visit the link for more details, such as CVSS details, affected products, timeline, and more...

Critical Security Update: IBM Patches Multiple Vulnerabilities in Verify Identity and Access IBM has released a comprehensive bulletin addressing a series of vulnerabilities within its Verify Identity Access and Security Verify Access product lines. The flaws range from low-impact redirection ... Read more Published Date: Apr 08, 2026 (1 day, 3 hours ago) Vulnerabilities has been mentioned in this article. CVE-2026-1346 CVE-2026-1343 CVE-2026-1342 CVE-2026-35616 CVE-2026-4364 CVE-2026-4101 CVE-2026-2862 CVE-2026-1345 CVE-2026-5281 CVE-2026-3502 CVE-2026-33032 CVE-2025-32975

CVE ID :CVE-2026-5169 Published : April 8, 2026, 7:16 a.m. | 39 minutes ago Description :The Inquiry Form to Posts or Pages plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Form Header' field in versions up to and including 1.0. This is due to insufficient input sanitization when saving via update_option() and lack of output escaping when displaying the stored value. The vulnerability exists in two locations: (1) the plugin settings page at inq_form.php line 180 where the value is echoed into an HTML attribute without esc_attr(), and (2) the front-end shortcode output at inquery_form_to_posts_or_pages.php line 139 where the value is output in HTML content without esc_html(). This makes it possible for authenticated attackers with administrator-level access to inject arbitrary web scripts that will execute whenever a user accesses the plugin settings page or views a page containing the [inquiry_form] shortcode. Severity: 4.4 | MEDIUM Visit the link for more details, such as CVSS details, affected products, timeline, and more...

CVE ID :CVE-2026-5506 Published : April 8, 2026, 7:16 a.m. | 39 minutes ago Description :The Wavr plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `wave` shortcode in all versions up to, and including, 0.2.6. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Severity: 6.4 | MEDIUM Visit the link for more details, such as CVSS details, affected products, timeline, and more...

CVE ID :CVE-2026-5508 Published : April 8, 2026, 7:16 a.m. | 39 minutes ago Description :The WowPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `wowpress` shortcode in all versions up to, and including, 1.0.0. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Severity: 6.4 | MEDIUM Visit the link for more details, such as CVSS details, affected products, timeline, and more...

The Gerador de Certificados – DevApps plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the moveUploadedFile() function in all versions up to, and including, 1.3.6. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.

CVE ID :CVE-2026-4141 Published : April 8, 2026, 7:16 a.m. | 39 minutes ago Description :The Quran Translations plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.7. This is due to missing nonce validation in the quran_playlist_options() function that handles the plugin's settings page. The function processes POST requests to update plugin options via update_option() without any wp_nonce_field() in the form or wp_verify_nonce()/check_admin_referer() verification before processing. This makes it possible for unauthenticated attackers to modify plugin settings (toggling display options for PDF, RSS, podcast, media player links, playlist title, and playlist code) via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. Severity: 4.3 | MEDIUM Visit the link for more details, such as CVSS details, affected products, timeline, and more...

CVE ID :CVE-2026-4338 Published : April 8, 2026, 7:16 a.m. | 39 minutes ago Description :The ActivityPub WordPress plugin before 8.0.2 does not properly filter posts to be displayed, allowed unauthenticated users to access drafts/scheduled/pending posts Severity: 0.0 | NA Visit the link for more details, such as CVSS details, affected products, timeline, and more...

CVE ID :CVE-2026-4871 Published : April 8, 2026, 7:16 a.m. | 39 minutes ago Description :The Sports Club Management plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'before' and 'after' attributes of the `scm_member_data` shortcode in all versions up to, and including, 1.12.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Severity: 6.4 | MEDIUM Visit the link for more details, such as CVSS details, affected products, timeline, and more...

CVE ID :CVE-2026-5167 Published : April 8, 2026, 7:16 a.m. | 39 minutes ago Description :The Masteriyo LMS – Online Course Builder for eLearning, LMS & Education plugin for WordPress is vulnerable to Authorization Bypass Through User-Controlled Key in versions up to and including 2.1.7. This is due to insufficient webhook signature verification in the handle_webhook() function. The webhook endpoint processes unauthenticated requests and only performs signature verification if both the webhook_secret setting is configured AND the HTTP_STRIPE_SIGNATURE header is present. Since webhook_secret defaults to an empty string, the webhook processes attacker-controlled JSON payloads without any verification. This makes it possible for unauthenticated attackers to send fake Stripe webhook events with arbitrary order_id values in the metadata, mark any order as completed without payment, and gain unauthorized access to paid course content. Severity: 5.3 | MEDIUM Visit the link for more details, such as CVSS details, affected products, timeline, and more...

CVE ID :CVE-2026-3781 Published : April 8, 2026, 7:16 a.m. | 39 minutes ago Description :The Attendance Manager plugin for WordPress is vulnerable to SQL Injection via the 'attmgr_off' parameter in all versions up to, and including, 0.6.2. This is due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. Severity: 5.4 | MEDIUM Visit the link for more details, such as CVSS details, affected products, timeline, and more...

The DSGVO Google Web Fonts GDPR plugin for WordPress is vulnerable to arbitrary file upload due to missing file type validation in the `DSGVOGWPdownloadGoogleFonts()` function in all versions up to, and including, 1.1. The function is exposed via a `wp_ajax_nopriv_` hook, requiring no authentication. It fetches a user-supplied URL as a CSS file, extracts URLs from its content, and downloads those files to a publicly accessible directory without validating the file type. This makes it possible for unauthenticated attackers to upload arbitrary files including PHP webshells, leading to remote code execution. The exploit requires the site to use one of a handful of specific themes (twentyfifteen, twentyseventeen, twentysixteen, storefront, salient, or shapely).