A WordPress plugin vulnerability allows authenticated users with subscriber-level access or higher to permanently delete arbitrary media attachments belonging to other users, including administrators. The issue stems from missing ownership validation on user-controlled attachment IDs in the User Registration & Membership plugin. The vulnerability was disclosed on 2026-05-28 with a CVSS 3.1 score of 5.3 (M [truncated]
The Everest Forms WordPress plugin is vulnerable to unauthorized email sending due to a missing capability check on the send_test_email() function. This allows authenticated attackers with Subscriber-level access and above to send test emails to arbitrary addresses from the server. The vulnerability affects all versions up to and including 3.4.7. The issue was disclosed on 2026-05-28 and has a CVSS 3.1 sc [truncated]
