Hong Kong Community Vulnerability Registry (CVE20240000)

Open Source Vulnerability Database
Plugin Name: Tune Library
Type of Vulnerability: Open-source vulnerability
CVE Number: N/A
Urgency: High
CVE Publish Date: 2026-02-10
Source URL: https://www.cve.org/CVERecord/SearchResults?query=N/A

Urgent Action Required — How to Protect Your WordPress Sites From Today’s Plugin Vulnerabilities

Author: Hong Kong Security Expert

Published: 2026-02-10

NOTE: Over the past 24 hours a large batch of WordPress plugin vulnerabilities was disclosed affecting a broad set of plugin types — booking systems, form builders, marketplace modules, import utilities and more. Site operators should treat this as an immediate operations brief: identify exposures, triage by risk, apply mitigations, and patch without delay.

Why this matters now

Multiple widely used plugins were disclosed with issues ranging from stored cross‑site scripting (XSS) and SQL injection (SQLi) to SSRF, CSRF and insecure direct object references (IDOR). Some are exploitable by unauthenticated users; others require low‑privilege authenticated accounts (subscriber/contributor). Low‑privilege flaws are frequently chained into privilege elevation and full site compromise — do not defer action based on privilege level alone.

Public disclosure leads to automated scanning and rapid exploitation by bots. The remediation window is short. Read the technical risks below, understand realistic attacker flows, and follow the prioritized mitigation checklist immediately.

Snapshot: representative vulnerability types disclosed

Representative examples of the disclosed weaknesses and their potential impact:

  • Authenticated (Subscriber+) Stored XSS via CSV import — Arbitrary JavaScript stored in the database; when admins view records it can steal sessions or perform privileged actions.
  • Unauthenticated Stored XSS in public submissions — Payloads execute in any visitor’s context, including admins who browse public pages.
  • SSRF via data‑source or callback save endpoints — Server can be induced to fetch internal resources (cloud metadata, internal APIs).
  • Sensitive Information Disclosure from flawed AJAX endpoints — Unauthenticated endpoints leaking orders, transactions or personal data.
  • Broken Access Control / IDOR — Low‑privilege or unauthenticated actors can alter orders or create refunds.
  • SQL Injection via shortcode attributes — Server‑side injection with potential database compromise.
  • CSRF to admin/settings endpoints — Remote change of site configuration if an admin visits a malicious page.
  • Unauthenticated Authorization Bypass from insecure default keys — Token checks bypassed, exposing privileged endpoints.

Observed CVSS ranges for these disclosures were between medium (~5.x) and high/critical (~8–8.5). Treat CVSS ≥ 7 as high priority, especially when combined with unauthenticated or public‑facing attack surface.
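To make the first two items concrete, here is an added example of a hypothetical WordPress CSV-import handler in its weak form and its hardened form. It is not code from this page or from any named plugin; the names example_import_csv_*, example_records and the nonce action example_csv_import are placeholders, while the WordPress functions used (current_user_can, check_admin_referer, sanitize_text_field, sanitize_textarea_field, esc_html, $wpdb->insert) are real and the code assumes it runs inside WordPress.

```php
<?php
// Added example, hypothetical plugin code; runs inside WordPress, not as stand-alone PHP.

// WEAK (shown, not hooked): reachable by any logged-in user, no nonce check,
// CSV cells stored verbatim. A cell holding "<script>...</script>" is saved as-is
// and executes for whoever later views the record, including administrators.
function example_import_csv_weak() {
    global $wpdb;
    $fh = fopen( $_FILES['csv']['tmp_name'], 'r' );
    while ( ( $row = fgetcsv( $fh ) ) !== false ) {
        // $wpdb->insert() protects against SQL injection, not against HTML in values.
        $wpdb->insert( $wpdb->prefix . 'example_records',
            array( 'title' => $row[0], 'note' => $row[1] ), array( '%s', '%s' ) );
    }
    fclose( $fh );
}

// HARDENED: capability check, nonce check (CSRF), upload validation, input sanitisation.
// The submitting form must emit the nonce with wp_nonce_field( 'example_csv_import' ).
add_action( 'admin_post_example_import_csv', 'example_import_csv_hardened' );
function example_import_csv_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {   // rejects Subscriber/Contributor
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'example_csv_import' );      // dies on a missing or invalid nonce
    if ( empty( $_FILES['csv']['tmp_name'] ) || ! is_uploaded_file( $_FILES['csv']['tmp_name'] ) ) {
        wp_die( 'No CSV uploaded', '', array( 'response' => 400 ) );
    }
    global $wpdb;
    $fh = fopen( $_FILES['csv']['tmp_name'], 'r' );
    while ( ( $row = fgetcsv( $fh ) ) !== false ) {
        $wpdb->insert( $wpdb->prefix . 'example_records', array(
            'title' => sanitize_text_field( $row[0] ?? '' ),     // strips tags, trims
            'note'  => sanitize_textarea_field( $row[1] ?? '' ), // same, keeps newlines
        ), array( '%s', '%s' ) );
    }
    fclose( $fh );
}

// Output escaping is what actually stops stored XSS on the admin list page;
// sanitising at import time is defence in depth, not a substitute for it.
function example_render_records( array $rows ) {
    foreach ( $rows as $r ) {
        // weak: echo '<td>' . $r->title . '</td>';
        echo '<tr><td>' . esc_html( $r->title ) . '</td><td>'
           . nl2br( esc_html( $r->note ) ) . '</td></tr>';
    }
}
```

When reviewing a plugin's import or submission endpoint, check for each of the four hardened-form controls and for escaping at every place the stored value is rendered.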

How attackers exploit these in the wild — realistic scenarios

Understanding attacker flows guides prioritization and detection.

  1. Stored XSS via CSV upload

    An attacker crafts a CSV with