DeadExpl0it

3 exploits Active since Nov 2025
CVE-2026-27540 NOMISEC CRITICAL SUSPICIOUS
WordPress Woocommerce Wholesale Lead Capture plugin <= 2.0.3.1 - Arbitrary File Upload vulnerability
Unrestricted Upload of File with Dangerous Type vulnerability in Rymera Web Co Pty Ltd. Woocommerce Wholesale Lead Capture woocommerce-wholesale-lead-capture allows Using Malicious Files.This issue affects Woocommerce Wholesale Lead Capture: from n/a through <= 2.0.3.1.
1 stars
CVSS 9.0
CVE-2025-12057 NOMISEC CRITICAL WORKING POC
WavePlayer WP <3.8.0 - Unauthenticated RCE
The WavePlayer WordPress plugin before 3.8.0 does not have authorization in an AJAX action as well as does not validate the file to be copied locally, allowing unauthenticated users to upload arbitrary file on the server and lead to RCE
CVSS 9.8
CVE-2026-1492 NOMISEC CRITICAL SUSPICIOUS
WordPress User Registration & Membership Plugin <=5.1.2 - Privilege Escalation
The User Registration & Membership – Custom Registration Form Builder, Custom Login Form, User Profile, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to improper privilege management in all versions up to, and including, 5.1.2. This is due to the plugin accepting a user-supplied role during membership registration without properly enforcing a server-side allowlist. This makes it possible for unauthenticated attackers to create administrator accounts by supplying a role value during membership registration.
CVSS 9.8