News & Security
Updates from ENISA, NVD and the main European cybersecurity sources. Everything a Technical Manager needs to know.
13937 results
CVE ID: CVE-2026-3177 | Published: April 7, 2026, 8:16 a.m. (3 hours, 39 minutes ago) | Severity: 5.3 | MEDIUM
Description: The Charitable – Donation Plugin for WordPress – Fundraising with Recurring Donations & More plugin for WordPress is vulnerable to Insufficient Verification of Data Authenticity in versions up to, and including, 1.8.9.7. This is due to missing cryptographic verification of incoming Stripe webhook events. This makes it possible for unauthenticated attackers to forge payment_intent.succeeded webhook payloads and mark pending donations as completed without a real payment.
Microsoft Warns Storm-1175 Exploits Web-Facing Assets 0-Day Flaws in Medusa Ransomware Attacks
A new ransomware campaign is putting organizations on high alert. A financially motivated threat group known as Storm-1175 has been running fast-paced attacks targeting vulnerable, internet-facing sys ...
Published: Apr 07, 2026 (21 hours, 5 minutes ago) | Vulnerabilities mentioned in this article: CVE-2026-23760, CVE-2025-10035
50,000 WordPress Sites Exposed to Critical Ninja Forms File Upload RCE Vulnerability
A critical security flaw in the popular WordPress plugin “Ninja Forms – File Upload” has left approximately 50,000 websites vulnerable to complete takeover. Tracked as CVE-2026-0740, this flaw boasts ...
Published: Apr 07, 2026 (21 hours, 19 minutes ago) | Vulnerabilities mentioned in this article: CVE-2026-0740
Cisco reports large-scale theft of login credentials via React2Shell vulnerability
Attackers have compromised hundreds of servers through the React2Shell vulnerability in order to steal all kinds of login credentials, Cisco reports in an analysis. Through the vulnerability, an unauthenticated attacker can ...
Published: Apr 07, 2026 (21 hours, 35 minutes ago) | Vulnerabilities mentioned in this article: CVE-2025-55182
CVE ID: CVE-2026-5465 | Published: April 7, 2026, 7:16 a.m. (4 hours, 39 minutes ago) | Severity: 8.8 | HIGH
Description: The Booking for Appointments and Events Calendar – Amelia plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.1.3. This is due to the `UpdateProviderCommandHandler` failing to validate changes to the `externalId` field when a Provider (Employee) user updates their own profile. The `externalId` maps directly to a WordPress user ID and is passed to `wp_set_password()` and `wp_update_user()` without authorization checks. This makes it possible for authenticated attackers, with Provider-level (Employee) access and above, to take over any WordPress account, including Administrator, by injecting an arbitrary `externalId` value when updating their own provider profile.
CVE ID: CVE-2026-1900 | Published: April 7, 2026, 7:16 a.m. (4 hours, 39 minutes ago) | Severity: 0.0 | NA
Description: The Link Whisper Free WordPress plugin before 0.9.1 has a publicly accessible REST endpoint that allows unauthenticated settings updates.
CVE ID: CVE-2026-1114 | Published: April 7, 2026, 7:16 a.m. (4 hours, 39 minutes ago) | Severity: 9.8 | CRITICAL
Description: In parisneo/lollms version 2.1.0, the application's session management is vulnerable to improper access control due to the use of a weak secret key for signing JSON Web Tokens (JWT). This vulnerability allows an attacker to perform an offline brute-force attack to recover the secret key. Once the secret key is obtained, the attacker can forge administrative tokens by modifying the JWT payload and re-signing it with the cracked secret. This enables unauthorized users to escalate privileges, impersonate the administrator, and gain access to restricted endpoints. The issue is resolved in version 2.2.0.
CVE ID: CVE-2025-15611 | Published: April 7, 2026, 7:16 a.m. (4 hours, 39 minutes ago) | Severity: 0.0 | NA
Description: The Popup Box WordPress plugin before 5.5.0 does not properly validate nonces in the add_or_edit_popupbox() function before saving popup data, allowing unauthenticated attackers to perform Cross-Site Request Forgery attacks. When an authenticated admin visits a malicious page, the attacker can create or modify popups with arbitrary JavaScript that executes in the admin panel and frontend.
CVE ID: CVE-2026-4079 | Published: April 7, 2026, 7:16 a.m. (4 hours, 39 minutes ago) | Severity: 0.0 | NA
Description: The SQL Chart Builder WordPress plugin before 2.3.8 does not properly escape user input as it is concatenated to SQL queries, making it possible for attackers to conduct SQL Injection attacks against the dynamic filter functionality.
China-Linked Storm-1175 Exploits Zero-Days to Rapidly Deploy Medusa Ransomware
A China-based threat actor known for deploying Medusa ransomware has been linked to the weaponization of a combination of zero-day and N-day vulnerabilities to orchestrate "high-velocity" attacks and ...
Published: Apr 07, 2026 (22 hours, 19 minutes ago) | Vulnerabilities mentioned in this article: CVE-2026-3055, CVE-2026-1731, CVE-2026-23760, CVE-2025-52691, CVE-2025-53521, CVE-2025-10035, CVE-2025-31161, CVE-2024-57728, CVE-2024-57727, CVE-2024-57726, CVE-2024-27199, CVE-2024-27198, CVE-2024-1709, CVE-2024-1708, CVE-2024-21887, CVE-2023-46805, CVE-2023-27351, CVE-2023-27350, CVE-2023-21529
FortiClientEMS Vulnerabilities Under Active Exploitation, Expose Systems to RCE
A newly disclosed set of vulnerabilities affecting Fortinet’s endpoint management platform has raised serious concerns among cybersecurity professionals, particularly as both flaws are already being a ...
Published: Apr 07, 2026 (22 hours, 28 minutes ago) | Vulnerabilities mentioned in this article: CVE-2026-35616, CVE-2026-21643
Page 337 of 1162