Cybersecurity & EU Regulation

News & Security

Updates from ENISA, NVD and the main European cybersecurity sources. Everything a Technical Manager needs to know.


Vulnerability | High
CVE-2025-14541 (CVSS 7.2)

The Lucky Wheel Giveaway plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.0.22 via the conditional_tags parameter. This is due to the plugin using PHP's eval() function on user-controlled input without proper validation or sanitization. This makes it possible for authenticated attackers, with Administrator-level access and above, to execute code on the server.

NVD (NIST), 1 day ago
Vulnerability | High
CVE-2025-14541 - Lucky Wheel Giveaway <= 1.0.22 - Authenticated (Administrator+) Remote Code Execution via 'conditional_tags' Parameter

CVE ID: CVE-2025-14541
Published: Feb. 11, 2026, 2:15 a.m. | 6 hours, 8 minutes ago
Description: The Lucky Wheel Giveaway plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.0.22 via the conditional_tags parameter. This is due to the plugin using PHP's eval() function on user-controlled input without proper validation or sanitization. This makes it possible for authenticated attackers, with Administrator-level access and above, to execute code on the server.
Severity: 7.2 | HIGH

CVEfeed CVE, 1 day ago
News
GitLab Patch Alert: High-Severity Web IDE Flaw Exposes Private Repos

GitLab has released a sweeping security update for its Community (CE) and Enterprise (EE) editions, patching a high-severity vulnerability that could have allowed unauthenticated attackers to steal ac ...
Published Date: Feb 11, 2026 (12 hours, 59 minutes ago)

CVEfeed Newsroom, 1 day ago
Vulnerability | High
CVE-2025-13431 - SlimStat Analytics <= 5.3.1 - Authenticated (Subscriber+) SQL Injection via `args` Parameter

CVE ID: CVE-2025-13431
Published: Feb. 11, 2026, 2:15 a.m. | 6 hours, 8 minutes ago
Description: The SlimStat Analytics plugin for WordPress is vulnerable to time-based SQL Injection via the ‘args’ parameter in all versions up to, and including, 5.3.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Severity: 6.5 | MEDIUM

CVEfeed CVE, 1 day ago
Vulnerability | High
CVE-2026-1231 - Beaver Builder Page Builder – Drag and Drop Website Builder <= 2.10.0.5 - Authenticated (Custom+) Missing Authorization to Stored Cross-Site Scripting via Global Settings

CVE ID: CVE-2026-1231
Published: Feb. 11, 2026, 2:15 a.m. | 6 hours, 8 minutes ago
Description: The Beaver Builder Page Builder – Drag and Drop Website Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `js` Global Settings parameter in all versions up to, and including, 2.10.0.5 due to missing capability checks on save_global_settings() function and insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Custom-level access and above who have been granted beaver builder access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity: 6.4 | MEDIUM

CVEfeed CVE, 1 day ago
Vulnerability | High
CVE-2025-15524 - Gallery by FooGallery <= 3.1.9 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Gallery Metadata Exposure

CVE ID: CVE-2025-15524
Published: Feb. 11, 2026, 2:15 a.m. | 6 hours, 8 minutes ago
Description: The Gallery by FooGallery plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the ajax_get_gallery_info() function in all versions up to, and including, 3.1.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve metadata (name, image count, thumbnail URL) of private, draft, and password-protected galleries by enumerating gallery IDs.
Severity: 4.3 | MEDIUM

CVEfeed CVE, 1 day ago
Vulnerability | High
CVE-2026-1571 - Reflected XSS Vulnerability on TP-Link Archer C60

CVE ID: CVE-2026-1571
Published: Feb. 11, 2026, 1:15 a.m. | 7 hours, 8 minutes ago
Description: User-controlled input is reflected into the HTML output without proper encoding on TP-Link Archer C60 v3, allowing arbitrary JavaScript execution via a crafted URL. An attacker could run script in the device web UI context, potentially enabling credential theft, session hijacking, or unintended actions if a privileged user is targeted.
Severity: 5.3 | MEDIUM

CVEfeed CVE, 1 day ago
News
Microsoft Patch Tuesday February 2026

Microsoft’s February 2026 Patch Tuesday, released on February 9, 2026, addressed 58 vulnerabilities across Windows, Office, and other components, including six actively exploited zero-days. This update ...
Published Date: Feb 11, 2026 (11 hours, 51 minutes ago)
Vulnerabilities mentioned in this article: CVE-2026-21533, CVE-2026-21525, CVE-2026-21519, CVE-2026-21514, CVE-2026-21513, CVE-2026-21510, CVE-2026-21231, CVE-2026-1731

CVEfeed Newsroom, 1 day ago
News
Under Siege: GTIG Report Exposes North Korean Spies & Russian Drone Hacks in Defense Sector

A new report from Google Threat Intelligence Group (GTIG) paints a stark picture of the modern battlefield, where the front lines have shifted from trenches to server rooms. The defense industrial bas ...
Published Date: Feb 11, 2026 (12 hours, 8 minutes ago)
Vulnerabilities mentioned in this article: CVE-2026-24858, CVE-2026-21509, CVE-2026-20045

CVEfeed Newsroom, 1 day ago
News
“Fiber” Optic Failure: Predictable UUIDs Expose Go Web Framework to Hijacking

A critical vulnerability has been uncovered in Fiber, the high-performance web framework for Go that powers countless modern web applications. The flaw, tracked as CVE-2025-66630, carries a CVSS score ...
Published Date: Feb 11, 2026 (10 hours, 9 minutes ago)
Vulnerabilities mentioned in this article: CVE-2025-66630, CVE-2026-24858, CVE-2026-21509, CVE-2026-20045, CVE-2025-7783, CVE-2024-38513, CVE-2024-25124, CVE-2023-4001

CVEfeed Newsroom, 1 day ago
News
Sleeping with the Enemy: Dormant Backdoors Found in Ivanti EPMM

A stealthy new cyber espionage campaign is targeting Ivanti Endpoint Manager Mobile (EPMM), but unlike typical ransomware gangs that smash and grab, these attackers are planting seeds and walking away ...
Published Date: Feb 11, 2026 (10 hours, 15 minutes ago)
Vulnerabilities mentioned in this article: CVE-2026-1340, CVE-2026-1281, CVE-2026-24858, CVE-2026-21509, CVE-2026-20045, CVE-2025-21590

CVEfeed Newsroom, 1 day ago
News
Sandbox Breakout: Critical SandboxJS Flaw (CVE-2026-25881) Allows Host Takeover

A critical vulnerability has been discovered in SandboxJS, a popular library designed to safely execute untrusted JavaScript code. The flaw, tracked as CVE-2026-25881, allows malicious code to escape ...
Published Date: Feb 11, 2026 (10 hours, 20 minutes ago)

CVEfeed Newsroom, 1 day ago
