High-Severity Flaws Expose WordPress JS Plugins to SQL and Object Injection
Two high-severity vulnerabilities have been disclosed in WordPress plugins using the JS branding, affecting sites that have not updated to fixed versions. CVE-2026-32534 impacts JoomSky's JS Help Desk plugin (js-support-ticket) through version 3.0.3 and allows blind SQL injection due to improper neutralization of special elements in SQL commands. The issue is rated CVSS 3.1 8.6 with vector AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L, indicating network-reachable exploitation with low attack complexity and significant confidentiality impact.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
CVE-2026-32534 record updated with CVSS details
The CVE record for the JS Help Desk plugin vulnerability was updated with a CVSS v3.1 vector describing a network-accessible blind SQL injection issue with high confidentiality impact. The update referenced Patchstack as the source documenting the vulnerability.
CVE-2026-32513 record updated with CVSS and CWE details
The CVE record for the JS Archive List plugin vulnerability was updated to add a CVSS v3.1 vector and CWE-502 classification, confirming high impact to confidentiality, integrity, and availability. The update also referenced Patchstack as the source documenting the issue.
Patchstack documents SQL injection in JS Help Desk plugin
Patchstack documented a blind SQL injection vulnerability in the WordPress JS Help Desk plugin (js-support-ticket) affecting versions up to and including 3.0.3. The issue was later tracked as CVE-2026-32534.
Patchstack documents PHP object injection in JS Archive List plugin
Patchstack documented a deserialization of untrusted data flaw in the WordPress JS Archive List plugin affecting versions through 6.1.7, allowing PHP object injection. The issue was later tracked as CVE-2026-32513.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
CVE-2026-32534 - WordPress JS Help Desk plugin <= 3.0.3 - SQL Injection vulnerability
cvefeed.io
Open sourceCVE-2026-32513 - WordPress JS Archive List plugin <= 6.1.7 - PHP Object Injection vulnerability
cvefeed.io
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Multiple CMS Plugin Vulnerabilities: WordPress CVEs and Joomla Novarain/Tassos Framework Flaws
Three newly described **WordPress plugin vulnerabilities** affect ShopLentor, Advanced AJAX Product Filters, and WP Maps. **CVE-2026-1714** allows **unauthenticated email relay abuse** in *ShopLentor* (<= `3.3.2`) via the `woolentor_suggest_price_action` AJAX endpoint due to missing validation of parameters such as `send_to` and `product_title`; the `wlemail` parameter can be abused for **CRLF injection** to control sender details, enabling spam/phishing relay through the victim site. **CVE-2026-1426** is a **PHP object injection** issue in *Advanced AJAX Product Filters* (<= `3.1.9.6`) reachable by **authenticated users (Author+)** through deserialization of untrusted input in `shortcode_check` within a Live Composer compatibility layer; impact depends on the presence of a usable **POP chain** in another installed plugin/theme and requires the *Live Composer* plugin to be installed and active. **CVE-2025-12062** affects *WP Maps* (<= `4.8.6`) and enables **authenticated (Subscriber+) limited local file inclusion** via `fc_load_template`, potentially leading to sensitive data exposure or code execution in scenarios where attacker-controlled `.html` content can be uploaded and then included. Separately, Joomla sites using the **Novarain/Tassos Framework** (`plg_system_nrframework`) face critical issues enabling **unauthenticated file read, file deletion, and SQL injection**, which can be chained toward **administrator takeover** and potentially **persistent RCE**. The reported weaknesses stem from an AJAX handler that processes `task=include` without sufficient hardening, allowing attackers to reach internal classes implementing `onAjax` and abuse gadget-like behaviors (e.g., CSV loading for arbitrary file read, a `remove` action for path deletion, and attacker-influenced query construction for SQL injection). The risk propagates through multiple popular Tassos extensions that bundle the framework (including **Convert Forms**, **EngageBox**, **Google Structured Data**, **Advanced Custom Fields**, and **Smile Pack**), and remediation requires applying vendor updates for affected releases.
Mar 21, 2026
Critical WordPress Plugin Flaws Expose Sites to RCE and Privilege Escalation
Two high-severity vulnerabilities have been disclosed in widely deployed WordPress plugins, exposing internet-facing sites to **unauthenticated compromise**. `CVE-2026-3584` affects **Kali Forms** through version `2.4.9` and allows **remote code execution** because user-controlled input can be mapped into internal placeholder storage and later invoked via `call_user_func` in the `form_process` path. The issue is classified as `CWE-94` and carries a `CVSS 3.1` score with the vector `AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`, indicating critical impact on confidentiality, integrity, and availability. A second flaw, `CVE-2026-4038`, affects **Aimogen Pro** through version `2.7.5` and enables **unauthenticated privilege escalation** through an arbitrary function call in `aiomatic_call_ai_function_realtime` caused by a missing capability check. According to the disclosure, attackers can invoke WordPress functions such as `update_option` to change the default registration role to administrator and enable user registration, effectively creating a path to full site takeover. The vulnerability is tracked as `CWE-862` and was likewise rated with a high-impact `CVSS 3.1` vector of `AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`.
Mar 21, 2026
Critical WordPress Plugin Flaws Expose Sites to File Upload, SQL Injection, and Takeover
Multiple **WordPress plugins** were flagged for severe vulnerabilities that could let attackers take over sites through unauthenticated file upload, SQL injection, arbitrary file deletion, and authorization bypass. References point to issues in plugins including **WP Duplicate**, **Ninja Forms File Upload**, **Ultimate Member**, **Product Addons for WooCommerce**, **CleanTalk Spam Protect**, **Ally**, **Perfmatters**, and **Kali Forms**, alongside identifiers such as **`CVE-2024-48930`**, **`CVE-2025-13192`**, and **`CVE-2026-1104`**. Several flaws were described as allowing arbitrary plugin installation, malicious file upload, or direct database manipulation, creating a path to remote code execution and full site compromise. Wordfence reports indicate the exposure spans **hundreds of thousands of WordPress sites**, with some bugs already under **active exploitation**. The most serious cases include an unauthenticated SQL injection flaw in the **Ally** plugin affecting roughly **400,000 sites**, an arbitrary file deletion issue in **Perfmatters** affecting about **200,000 sites**, and active attacks targeting a critical flaw in **Kali Forms**. Taken together, the disclosures show a broad wave of high-impact plugin security failures that increase the risk of website defacement, malware deployment, data theft, and administrator-level compromise across the WordPress ecosystem.
May 25, 2026