Multiple CMS Plugin Vulnerabilities: WordPress CVEs and Joomla Novarain/Tassos Framework Flaws
Three newly described WordPress plugin vulnerabilities affect ShopLentor, Advanced AJAX Product Filters, and WP Maps. CVE-2026-1714 allows unauthenticated email relay abuse in ShopLentor (<= 3.3.2) via the woolentor_suggest_price_action AJAX endpoint due to missing validation of parameters such as send_to and product_title; the wlemail parameter can be abused for CRLF injection to control sender details, enabling spam/phishing relay through the victim site. CVE-2026-1426 is a PHP object injection issue in Advanced AJAX Product Filters (<= 3.1.9.6) reachable by authenticated users (Author+) through deserialization of untrusted input in shortcode_check within a Live Composer compatibility layer; impact depends on the presence of a usable POP chain in another installed plugin/theme and requires the Live Composer plugin to be installed and active. CVE-2025-12062 affects WP Maps (<= 4.8.6) and enables authenticated (Subscriber+) limited local file inclusion via fc_load_template, potentially leading to sensitive data exposure or code execution in scenarios where attacker-controlled .html content can be uploaded and then included.
Separately, Joomla sites using the Novarain/Tassos Framework (plg_system_nrframework) face critical issues enabling unauthenticated file read, file deletion, and SQL injection, which can be chained toward administrator takeover and potentially persistent RCE. The reported weaknesses stem from an AJAX handler that processes task=include without sufficient hardening, allowing attackers to reach internal classes implementing onAjax and abuse gadget-like behaviors (e.g., CSV loading for arbitrary file read, a remove action for path deletion, and attacker-influenced query construction for SQL injection). The risk propagates through multiple popular Tassos extensions that bundle the framework (including Convert Forms, EngageBox, Google Structured Data, Advanced Custom Fields, and Smile Pack), and remediation requires applying vendor updates for affected releases.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
Advanced AJAX Product Filters object injection disclosed as CVE-2026-1426
A PHP object injection vulnerability affecting Advanced AJAX Product Filters versions through 3.1.9.6 was disclosed. Authenticated Author-level users or higher can exploit unsafe deserialization in the shortcode_check function, with possible file deletion, data access, or code execution if a usable POP chain exists and Live Composer is active.
ShopLentor email relay flaw disclosed as CVE-2026-1714
A vulnerability in ShopLentor versions through 3.3.2 was disclosed that allows unauthenticated attackers to abuse the woolentor_suggest_price_action AJAX endpoint to send arbitrary emails. The flaw can turn vulnerable sites into open email relays for spam or phishing, including sender-address manipulation via CRLF injection.
WP Maps LFI vulnerability disclosed as CVE-2025-12062
A local file inclusion vulnerability affecting WP Maps plugin versions through 4.8.6 was disclosed. Authenticated users with Subscriber-level access or higher can abuse the fc_load_template function to include arbitrary .html files, potentially leading to sensitive data access or code execution.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
CVE-2026-1714 - ShopLentor <= 3.3.2 - Unauthenticated Email Relay Abuse via 'woolentor_suggest_price_action' AJAX Action
cvefeed.io
Open sourceCVE-2026-1426 - Advanced AJAX Product Filters <= 3.1.9.6 - Authenticated (Author+) PHP Object Injection via Live Composer Compatibility
cvefeed.io
Open sourceCVE-2025-12062 - WP Maps <= 4.8.6 - Authenticated (Subscriber+) Limited Local File Inclusion
cvefeed.io
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Public Exploits Surface for Unauthenticated File Inclusion Flaws in Joomla and WordPress Plugins
Researchers disclosed multiple file inclusion vulnerabilities affecting popular CMS extensions, including the **Tassos/Novarain Framework** for Joomla and the **Kubio AI Page Builder** plugin for WordPress. SSD Secure Disclosure reported flaws in the Joomla framework, while a GitHub proof-of-concept tied to `CVE-2026-21627` described an unauthenticated arbitrary PHP file inclusion issue in the `ajaxTaskInclude()` function of `plg_system_nrframework`, potentially allowing attackers to load unintended server-side files without logging in. Separately, several GitHub repositories published exploit material for `CVE-2025-2294`, an unauthenticated local file inclusion vulnerability affecting **Kubio AI Page Builder** versions `<= 2.5.1`. The repeated publication of public exploit code for both CMS ecosystems lowers the barrier to opportunistic attacks, particularly against internet-exposed Joomla and WordPress sites that have not patched or removed vulnerable components.
May 25, 2026
High-Severity Flaws Expose WordPress JS Plugins to SQL and Object Injection
Two high-severity vulnerabilities have been disclosed in WordPress plugins using the `JS` branding, affecting sites that have not updated to fixed versions. `CVE-2026-32534` impacts JoomSky's **JS Help Desk** plugin (`js-support-ticket`) through version `3.0.3` and allows **blind SQL injection** due to improper neutralization of special elements in SQL commands. The issue is rated `CVSS 3.1 8.6` with vector `AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L`, indicating network-reachable exploitation with low attack complexity and significant confidentiality impact.
Mar 25, 2026
Multiple Critical Vulnerabilities Disclosed Across Popular Software Platforms
A series of critical vulnerabilities have been disclosed affecting a wide range of popular software platforms, including WordPress plugins, web frameworks, developer tools, and enterprise applications. Notable issues include unauthenticated remote code execution (RCE) flaws in Next.js (CVE-2025-66478), WordPress core (CVE-2025-6389), and the ACF Extended plugin (CVE-2025-13486), as well as privilege escalation and authentication bypass vulnerabilities in the WP Directory Kit plugin (CVE-2025-13390) and cPanel. Several of these vulnerabilities are reported to be under active exploitation, with proof-of-concept code available for some, increasing the urgency for immediate patching and mitigation. Other significant disclosures include a high-severity flaw in Vim for Windows (CVE-2025-66476) allowing arbitrary code execution, a critical SQL injection chain in Synology BeeStation, and a directory traversal vulnerability in cPanel that could lead to full server takeover. Additional advisories cover issues in lz4-java, Longwatch OT surveillance, Django, Elementor, Apache Struts, nopCommerce, and OpenVPN, with many rated as critical or high severity by CVSS. Organizations are strongly advised to review affected products and apply security updates promptly to mitigate the risk of exploitation.
Mar 21, 2026