Quick Playground for WordPress 1.3.1 - Unauthenticated Remote Code Execution

Exploit Title: Quick Playground for WordPress 1.3.1 - Unauthenticated Remote Code Execution Google Dork: N/A Date: 2026-05-22 Exploit Author: cardosource Vendor Homepage: https://quickplayground.com Software Link: https://downloads.wordpress.org/plugin/quick-playground.1.3.1.zip Version: \ wp...

PT-2026-44960

Name of the Vulnerable Software and Affected Versions JetBrains TeamCity versions prior to 2026.1 Description An open redirect exists within the SAML plugin. An open redirect occurs when an application takes a user-supplied URL and redirects the user to it without sufficient validation, potential...

WordPress plugin Frontend Admin by DynamiApps SQL注入漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be install...

PT-2026-44977

Name of the Vulnerable Software and Affected Versions Formie versions prior to 2.2.21 Formie versions prior to 3.1.26 Description Unauthenticated users can modify existing submissions by sending a known or guessed submission ID to the 'formie/submissions/save-submission' endpoint. Recommendations...

PT-2026-44746

The Poll Maker – Versus Polls, Anonymous Polls, Image Polls plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to and including 6.3.7. This is due to insufficient access controls on the 'ays poll get user information' AJAX action, which serializes and returns the...

📄 WordPress Prodigy Commerce 3.2.9 Local File Inclusion

WordPress Prodigy Commerce plugin versions 3.2.9 and below suffer from a local file inclusion vulnerability. Exploit Title: Prodigy Commerce 3.3.0 - Local File Inclusion Date: 23-05-2026 Exploit Author: Diamorphine Vendor Homepage: https://prodigycommerce.com/ Software Link:...

OpenClaw 安全漏洞

OpenClaw is an open-source intelligent artificial assistant developed by OpenClaw. Versions of OpenClaw prior to 2026.5.18 contained security vulnerabilities. These vulnerabilities stemmed from a range-bypass vulnerability in the Gateway chat.send route, allowing clients with restricted ranges to...

PT-2026-44962

Name of the Vulnerable Software and Affected Versions JetBrains IntelliJ IDEA versions prior to 2026.1 Description Code execution is possible through template injection within the Copyright plugin. Template injection occurs when untrusted input is embedded into a template and executed by the...

PT-2026-44894

QuickCMS is vulnerable to Cross-Site Scripting XSS through its insecure HTTP-based plugin‑fetching mechanism. A malicious attacker can perform a Man‑in‑the‑Middle MITM attack by impersonating the opensolution.org server and serving arbitrary HTML or JavaScript at the plugin list endpoint. When a...

CVE-2026-8809

The Advanced Custom Fields: Extended plugin for WordPress is vulnerable to Privilege Escalation via Validation Bypass in all versions up to and including 0.9.2.5. The vulnerability exists due to the aftervalidatesavepost function unconditionally trusting the attacker-controlled acfpostid POST...

CVE-2026-6816

An access bypass vulnerability in Drupal TFA Basic Plugins allows users with the administer users permission to view or generate recovery codes for other users. This issue affects TFA Basic Plugins: from 7.x-1.0 through 7.x-1.2...

CVE-2026-8809

Summary: CVE-2026-8809 affects the Advanced Custom Fields: Extended (ACFE) WordPress plugin up to version 0.9.2.5. The root cause is an after_validate_save_post() path that unconditionally trusts the attacker-controlled _acf_post_id POST parameter to choose a cleanup branch, bypassing authenticat...

CVE-2026-8809 Advanced Custom Fields: Extended <= 0.9.2.5 - Unauthenticated Privilege Escalation via Validation Bypass to '_acf_post_id' Parameter

The Advanced Custom Fields: Extended plugin for WordPress is vulnerable to Privilege Escalation via Validation Bypass in all versions up to and including 0.9.2.5. The vulnerability exists due to the aftervalidatesavepost function unconditionally trusting the attacker-controlled acfpostid POST...

CVE-2026-8809 Advanced Custom Fields: Extended <= 0.9.2.5 - Unauthenticated Privilege Escalation via Validation Bypass to '_acf_post_id' Parameter

The Advanced Custom Fields: Extended plugin for WordPress is vulnerable to Privilege Escalation via Validation Bypass in all versions up to and including 0.9.2.5. The vulnerability exists due to the aftervalidatesavepost function unconditionally trusting the attacker-controlled acfpostid POST...

CVE-2026-48116

AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. Prior to 1.13.0, the filesystem-search-files agent skill passes its LLM-controlled pattern parameter to ripgrep as a positional argument without a -- end-of-options separato...

CVE-2026-44848

Portainer Community Edition is a lightweight service delivery platform for containerized applications that can be used to manage Docker, Swarm, Kubernetes and ACI environments. From 2.33.0 to before 2.33.8, 2.39.2, and 2.41.0, The Docker plugin management endpoints /plugins/ were not registered...

WordPress Rank Math SEO – AI SEO Tools to Dominate SEO Rankings plugin <= 1.0.271 - Missing Authorization to Unauthenticated Homepage Settings Modification vulnerability

Missing Authorization to Unauthenticated Homepage Settings Modification vulnerability discovered by ? in WordPress Plugin Rank Math SEO versions = 1.0.271...

CVE-2026-44848

Portainer Community Edition is a lightweight service delivery platform for containerized applications that can be used to manage Docker, Swarm, Kubernetes and ACI environments. From 2.33.0 to before 2.33.8, 2.39.2, and 2.41.0, The Docker plugin management endpoints /plugins/ were not registered...

CVE-2026-44848

CVE-2026-44848 concerns Portainer Community Edition where missing authorization on the Docker plugin endpoints allowed a non-admin Portainer user with endpoint access to perform privileged Docker plugin operations directly against the Docker daemon. Affected releases include 2.33.0–2.33.7, 2.39.0...

CVE-2026-44848 Portainer: Missing authorization on Docker plugin endpoints allows host RCE

Portainer Community Edition is a lightweight service delivery platform for containerized applications that can be used to manage Docker, Swarm, Kubernetes and ACI environments. From 2.33.0 to before 2.33.8, 2.39.2, and 2.41.0, The Docker plugin management endpoints /plugins/ were not registered...