Disclosures

1 reported

2026-02-07 WordPress Backdoor (CVE-2026-6443) Unauthenticated RCE — a backdoored plugin update added a public REST endpoint that fetches a remote payload and passes it to unserialize(), giving PHP object injection and code execution. CVSS 9.8, spanning the maintainer's entire plugin library. Critical Disclosed →