// #cms
4 articles
Drupal SA-CORE-2026-004: Highly Critical SQL Injection CVE-2026-9082 — PostgreSQL Sites Must Patch Immediately
Drupal published SA-CORE-2026-004 on 20 May, disclosing CVE-2026-9082, a highly critical SQL injection vulnerability in Drupal's database abstraction API affecting sites running PostgreSQL. The flaw is zero-click and requires no authentication, and Drupal warned that working exploit code should be expected within hours of disclosure. CISA added the CVE to the Known Exploited Vulnerabilities catalogue on 22 May after confirmed exploitation.
Burst Statistics WordPress Plugin Authentication Bypass Actively Exploited for Mass Site Takeovers
Threat actors are actively exploiting an authentication bypass vulnerability in the Burst Statistics WordPress analytics plugin, allowing unauthenticated attackers to gain administrative access to any WordPress site with the plugin installed. Over 100,000 WordPress sites use Burst Statistics. Sites have been observed being defaced, backdoored, and redirected to malicious domains within hours of exploitation.
Smart Slider 3 Pro Update Infrastructure Compromised — Backdoored Plugin Pushed to 800,000 Sites
Attackers breached Nextend's update servers and distributed a fully weaponised backdoor through the official Smart Slider 3 Pro update channel, affecting WordPress and Joomla sites that auto-updated between 7–8 April 2026. The compromised version 3.5.1.35 creates rogue admin accounts, drops persistent remote access tools, and exfiltrates credentials — all delivered through the trusted plugin update mechanism.
Craft CMS CVSS 10 Code Injection CVE-2025-32432 Added to CISA KEV
CISA added CVE-2025-32432, a maximum-severity code injection vulnerability in Craft CMS, to its Known Exploited Vulnerabilities catalogue on 20 March 2026. The flaw allows unauthenticated remote attackers to execute arbitrary code on any publicly accessible Craft CMS installation. Exploitation has been ongoing since at least February 2025 and the Mimo threat actor has been actively using it to deploy cryptocurrency miners and residential proxy malware.