Wordfence Intelligence Weekly WordPress Vulnerability Report (March 30, 2026 to April 5, 2026)

Last week, there were 56 vulnerabilities disclosed in 50 WordPress Plugins that have been added to the Wordfence Intelligence Vulnerability Database, and there were 38 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to...

CVE-2026-35479 InvenTree Plugin Installation - Insufficient Permissions

InvenTree is an Open Source Inventory Management System. Prior to 1.2.7 and 1.3.0, any users who have staff access permissions can install plugins via the API, without requiring "superuser" account access. This level of permission requirement is out of alignment with other plugin actions such as...

CVE-2026-39322

PolarLearn (0-PRERELEASE-15 and earlier) is affected. The issue: POST /api/v1/auth/sign-in creates a valid session for banned accounts before password verification, and that session is accepted on authenticated /api routes, allowing account data access and authenticated actions as the banned user...

CVE-2026-5599

A user with API access and "manage users" permission in any venueless world is able to trigger deletion of user accounts in other worlds...

EUVD-2026-19085

A user with API access and "manage users" permission in any venueless world is able to trigger deletion of user accounts in other worlds...

CVE-2026-5599 API allows deletion of users of other instance

A user with API access and "manage users" permission in any venueless world is able to trigger deletion of user accounts in other worlds...

CVE-2026-20042 Cisco Nexus Dashboard Configuration REST API Unauthorized Access Vulnerability

A vulnerability in the configuration backup feature of Cisco Nexus Dashboard could allow an attacker who has the encryption password and access to Full or Config-only backup files to access sensitive information. This vulnerability exists because authentication details are included in the encrypt...

CVE-2025-55274

HCL Aftermarket DPC is affected by Cross-Origin Resource Sharing vulnerability. CORS misconfigurations includes the exposure of sensitive user information to attackers, unauthorized access to APIs, and possible data manipulation or leakage. If an attacker to exploit CORS misconfiguration, they...

CVE-2026-33469

Frigate is a network video recorder NVR with realtime local object detection for IP cameras. In version 0.17.0, an authenticated non-admin user can retrieve the full raw Frigate configuration through /api/config/raw. This exposes sensitive values that are intentionally redacted from /api/config,...

CVE-2026-33469 Authenticated Frigate users can read the full unredacted configuration via `/api/config/raw

Frigate is a network video recorder NVR with realtime local object detection for IP cameras. In version 0.17.0, an authenticated non-admin user can retrieve the full raw Frigate configuration through /api/config/raw. This exposes sensitive values that are intentionally redacted from /api/config,...

CVE-2026-4312

GCB/FCB Audit Software developed by DrangSoft has a Missing Authentication vulnerability, allowing unauthenticated remote attackers to directly access certain APIs to create a new administrative account...

CVE-2025-55274

HCL Aftermarket DPC is affected by Cross-Origin Resource Sharing vulnerability. CORS misconfigurations includes the exposure of sensitive user information to attackers, unauthorized access to APIs, and possible data manipulation or leakage. If an attacker to exploit CORS misconfiguration, they...

CVE-2026-20114

A vulnerability in the Lobby Ambassador web-based management API of Cisco IOS XE Software could allow an authenticated, remote attacker to elevate their privileges and access management APIs that would not normally be available for Lobby Ambassador users. This vulnerability exists because...

Protection Mechanism Failure

Overview Affected versions of this package are vulnerable to Protection Mechanism Failure through the fn process in the /wait endpoint, which embeds user-supplied input directly into executable JavaScript without enforcing the intended security policy. An attacker can execute arbitrary JavaScript...

UBUNTU-CVE-2026-23921

A low privilege Zabbix user with API access can exploit a blind SQL injection vulnerability in include/classes/api/CApiService.php to execute arbitrary SQL selects via the sortfield parameter. Although query results are not returned directly, an attacker can exfiltrate arbitrary database data...

CVE-2026-23921

A low privilege Zabbix user with API access can exploit a blind SQL injection vulnerability in include/classes/api/CApiService.php to execute arbitrary SQL selects via the sortfield parameter. Although query results are not returned directly, an attacker can exfiltrate arbitrary database data...

PT-2026-27630

Name of the Vulnerable Software and Affected Versions PinchTab versions prior to 0.8.5 Description PinchTab, a standalone HTTP server for controlling a Chrome browser with AI agents, contains a Windows-only command injection issue within the orphaned Chrome cleanup path. The issue arises because...

PT-2026-27475

Name of the Vulnerable Software and Affected Versions Zabbix versions prior to 7.4.6 Description A Zabbix user with API access can exploit a blind SQL injection in the CApiService.php file. The issue resides in the sortfield parameter, allowing an attacker to execute arbitrary SQL selects. While...

CVE-2025-10736 ReviewX – WooCommerce Product Reviews with Multi-Criteria, Reminder Emails, Google Reviews, Schema & More <= 2.2.10 - Incorrect Authorization to Unauthenticated Information Exposure and Data Manipulation

The ReviewX – WooCommerce Product Reviews with Multi-Criteria, Reminder Emails, Google Reviews, Schema & More plugin for WordPress is vulnerable to unauthorized access of data due to improper authorization checks on the userAccessibility function in all versions up to, and including, 2.2.10. This...

CVE-2026-29108 Authenticated SuiteCRM Users Can Retrieve The Password Hash of Any User

SuiteCRM is an open-source, enterprise-ready Customer Relationship Management CRM software application. Prior to versions 8.9.3, an authenticated API endpoint allows any user to retrieve detailed information about any other user, including their password hash, username, and MFA configuration. As...