PatchSiren

davidanderson CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

HIGH davidanderson CVE published 2026-06-11

CVE-2026-10795

The UpdraftPlus: WP Backup & Migration Plugin plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.26.4 via the UpdraftPlus_Remote_Communications_V2::wp_loaded function. This is due to insufficient validation of the remote communications message format, where signature verification can be bypassed and unchecked decryption return values collapse to a predictab [truncated]

HIGH davidanderson CVE published 2026-06-06

CVE-2026-8438

The All-In-One Security (AIOS) – Security and Firewall plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to and including 5.4.7. This is due to insufficient input sanitization in the get_rest_route() function and missing output escaping in the column_default() method of the debug log list table. When the 'Disable REST API for non-logged in users' feature (aiowps_disallow_una [truncated]

MEDIUM davidanderson CVE published 2026-05-28

CVE-2026-7660

A reflected cross-site scripting (XSS) vulnerability exists in the Easy Updates Manager WordPress plugin, affecting versions up to and including 9.0.20. The flaw resides in the pagination() function, where insufficient input sanitization and output escaping of the 'paged' parameter allow attackers to inject arbitrary web scripts. Successful exploitation requires tricking an administrator into clicking a m [truncated]