WordPress ShiftUp theme <= 1.3 - PHP Object Injection vulnerability

PHP Object Injection vulnerability discovered by Denver Jackson in WordPress Theme ShiftUp versions = 1.3...

WordPress WooCommerce Product Filters plugin < 2.0.6 - PHP Object Injection vulnerability

PHP Object Injection vulnerability discovered by Phat RiO in WordPress Plugin WooCommerce Product Filters versions 2.0.6...

Exploit for Deserialization of Untrusted Data in Roundcube Webmail

CVE-2025-49113 — Roundcube Post-Auth RCE via PHP Object Deseri...

CVE-2026-3017 Smart Post Show – Post Grid, Post Carousel & Slider, and List Category Posts <= 3.0.12 - Authenticated (Administrator+) PHP Object Injection

The Smart Post Show – Post Grid, Post Carousel & Slider, and List Category Posts plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.0.12 via deserialization of untrusted input in the importshortcodes function. This makes it possible for authenticate...

CVE-2026-3017

The Smart Post Show – Post Grid, Post Carousel & Slider, and List Category Posts plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.0.12 via deserialization of untrusted input in the importshortcodes function. This makes it possible for authenticate...

WordPress Smart Post Show - Post Grid, Post Carousel & Slider, and List Category Posts plugin <= 3.0.12 - Authenticated (Administrator+) PHP Object Injection vulnerability

WordPress Smart Post Show - Post Grid, Post Carousel & Slider, and List Category Posts plugin = 3.0.12 - Authenticated Administrator+ PHP Object Injection vulnerability discovered by Vilaysone CHANTHAVONG 0xJ0cKkY - Cyberus Technologies in WordPress Plugin Post Grid, Post Carousel, & List Categor...

PT-2026-32599

The Smart Post Show – Post Grid, Post Carousel & Slider, and List Category Posts plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.0.12 via deserialization of untrusted input in the import shortcodes function. This makes it possible for authenticat...

WordPress Post Duplicator plugin <= 3.0.10 - PHP Object Injection vulnerability

PHP Object Injection vulnerability discovered by Nguyen Ba Khanh in WordPress Plugin Post Duplicator versions = 3.0.10...

WordPress Micdrop theme <= 1.3.1 - PHP Object Injection vulnerability

PHP Object Injection vulnerability discovered by Denver Jackson in WordPress Theme Micdrop versions = 1.3.1...

WordPress SingleMalt theme <= 1.5 - PHP Object Injection vulnerability

PHP Object Injection vulnerability discovered by Denver Jackson in WordPress Theme SingleMalt versions = 1.5...

WordPress Mildhill theme <= 1.5 - PHP Object Injection vulnerability

PHP Object Injection vulnerability discovered by Denver Jackson in WordPress Theme Mildhill versions = 1.5...

WordPress Santé theme <= 1.5.1 - PHP Object Injection vulnerability

PHP Object Injection vulnerability discovered by Denver Jackson in WordPress Theme Santé versions = 1.5.1...

WordPress Valiance theme <= 1.2 - PHP Object Injection vulnerability

PHP Object Injection vulnerability discovered by Denver Jackson in WordPress Theme Valiance versions = 1.2...

WordPress Playroom theme <= 1.4.1 - PHP Object Injection vulnerability

PHP Object Injection vulnerability discovered by Denver Jackson in WordPress Theme Playroom versions = 1.4.1...

WordPress Fidalgo theme <= 1.2.2 - PHP Object Injection vulnerability

PHP Object Injection vulnerability discovered by Denver Jackson in WordPress Theme Fidalgo versions = 1.2.2...

WordPress Töbel theme <= 1.8.1 - PHP Object Injection vulnerability

PHP Object Injection vulnerability discovered by Denver Jackson in WordPress Theme Töbel versions = 1.8.1...

WordPress Aperitif theme <= 1.6 - PHP Object Injection vulnerability

PHP Object Injection vulnerability discovered by Denver Jackson in WordPress Theme Aperitif versions = 1.6...

CVE-2026-3296 Everest Forms <= 3.4.3 - Unauthenticated PHP Object Injection via Form Entry Metadata

The Everest Forms plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.4.3 via deserialization of untrusted input from form entry metadata. This is due to the html-admin-page-entries-view.php file calling PHP's native unserialize on stored entry meta...

CVE-2026-3328

The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to PHP Object Injection via deserialization of the 'postcontent' of adminform posts in all versions up to, and including, 3.28.31. This is due to the use of WordPress's maybeunserialize function without class restrictions on...

CVE-2026-2626

The divi-booster WordPress plugin before 5.0.2 does not have authorization and CSRF checks in one of its fixing function, allowing unauthenticated users to modify stored divi-booster WordPress plugin before 5.0.2 options. Furthermore, due to the use of unserialize on the data, this could be furth...