webshellseo8

7 exploits Active since Mar 2026
CVE-2026-48908 GITHUB CRITICAL
Joomla Extension - joomshaper.com - Remote Code Execution in SP Pagebuilder extension for Joomla < 6.6.12
A vulnerability in SP Page Builder for Joomla allows unauthenticated users to upload arbitrary files, ultimately resulting in the upload and execution of PHP code.
CVE-2026-32488 NOMISEC HIGH SUSPICIOUS
WordPress User Registration plugin <= 4.4.9 - Privilege Escalation vulnerability
Incorrect Privilege Assignment vulnerability in wpeverest User Registration user-registration allows Privilege Escalation.This issue affects User Registration: from n/a through <= 4.4.9.
CVSS 8.1
CVE-2026-53787 GITHUB CRITICAL SUSPICIOUS
Amasty Order Attributes for Magento 2 < 4.0.0 Unauthenticated Arbitrary File Upload
Amasty Order Attributes for Magento 2 before version 4.0.0 contains an unauthenticated arbitrary file upload vulnerability that allows unauthenticated attackers to write arbitrary files to the store's media directory by submitting files of any type or name to the upload endpoint without authentication, session validation, or cart context. Attackers can upload PHP files to achieve remote code execution on servers where the media directory permits PHP execution, or alternatively enable malware hosting, stored cross-site scripting via HTML or SVG uploads, and path traversal to write files outside the intended upload directory.
CVSS 9.8
CVE-2026-1555 GITHUB CRITICAL SUSPICIOUS
WebStack <= 1.2024 - Unauthenticated Arbitrary File Upload
The WebStack theme for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the io_img_upload() function in all versions up to, and including, 1.2024. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
CVSS 9.8
CVE-2026-10795 GITHUB HIGH python WORKING POC
UpdraftPlus: WP Backup & Migration Plugin <= 1.26.4 - Unauthenticated Authentication Bypass via UpdraftCentral udrpc
The UpdraftPlus: WP Backup & Migration Plugin plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.26.4 via the UpdraftPlus_Remote_Communications_V2::wp_loaded function. This is due to insufficient validation of the remote communications message format, where signature verification can be bypassed and unchecked decryption return values collapse to a predictable all-zero encryption key. This makes it possible for unauthenticated attackers to forge arbitrary RPC commands and run them as the connected administrator, such as uploading and activating a malicious plugin, which ultimately leads to remote code execution.
CVSS 8.1
CVE-2026-48907 GITHUB CRITICAL python WORKING POC
Joomla Extension - joomlacontenteditor.net - Remote Code Execution in JCE extension for Joomla < 2.9.99.5
A vulnerability in the JCE editor extension for Joomla allows the creation of new editor profiles for unauthenticated users, ultimately resulting in PHP code upload and execution.
CVSS 9.8
CVE-2026-21628 NOMISEC CRITICAL WORKING POC
File Management Feature - Unauthenticated RCE
A improperly secured file management feature allows uploads of dangerous data types for unauthenticated users, leading to remote code execution.
CVSS 9.8