CVE Disclosures
This page documents seven vulnerabilities discovered through systematic security research and responsibly disclosed to vendors. The portfolio spans WordPress plugin security and Kubernetes infrastructure, including CVE-2026-3288 — a High severity (CVSS 8.8) configuration injection in ingress-nginx enabling RCE and cluster-wide Secret disclosure. Each CVE represents the complete vulnerability lifecycle: discovery, private disclosure, vendor coordination, patch development, and public documentation. All vulnerabilities have been patched — check each CVE for specific remediation versions.
External Verification
All CVE disclosures are officially registered and independently verified.
Key Concepts
- CVE: Common Vulnerabilities and Exposures. A unique identifier (CVE-YYYY-NNNNN) assigned to a publicly disclosed vulnerability so that advisories, scanners and databases all refer to the same issue.
- CVSS: Common Vulnerability Scoring System. A standardized 0-10 severity rating. The base score combines exploitability metrics (attack vector, attack complexity, privileges required, user interaction) with impact metrics (confidentiality, integrity, availability); temporal and environmental metrics can adjust it for a specific deployment. Under CVSS v3.x, 4.0-6.9 is Medium, 7.0-8.9 is High and 9.0-10.0 is Critical.
- IDOR: Insecure Direct Object Reference. The application accepts a reference to an internal object (a database ID, a filename, a user number) from the client and acts on it without checking that the caller is authorized for that particular object. Because such identifiers are usually sequential, an attacker can simply iterate them to read or modify other users' data. Being logged in is not authorization; the fix is an object-level check on every request.
- Responsible Disclosure: Privately reporting a vulnerability to the vendor before publishing it, allowing time for a patch to be developed and shipped. All CVEs here followed this process.
- WordPress Plugin Vulnerability: A security flaw in a WordPress extension. Because WordPress powers roughly 40% of all websites and a single plugin can be installed on hundreds of thousands of them, one plugin bug is often exploitable at scale, and mass scanning for vulnerable plugin versions typically follows a disclosure.
Frequently Asked Questions
How are these CVEs verified?
All CVEs are officially registered through MITRE, documented in the National Vulnerability Database (NVD), and verified through Wordfence's researcher program. External links to official sources are provided for each disclosure.
Are these vulnerabilities still exploitable?
Not on patched versions. Every vulnerability on this page has a vendor fix, and details are published only after the fix is available and users have had reasonable time to update. An installation still running an affected version remains exploitable, however, so check each CVE page for the fixed version and confirm what you are actually running.
How can I protect my WordPress site?
Keep WordPress core and all plugins updated (enable auto-updates where practical), use a Web Application Firewall (Wordfence recommended), audit installed plugins regularly, remove unused plugins rather than merely deactivating them (a deactivated plugin's files remain on disk and may still be directly reachable), and monitor security advisories for the plugins you run.
Do you do private security testing?
This research is published for educational purposes. For professional penetration testing services or private vulnerability assessments, please reach out through LinkedIn.
All Articles
CVE-2026-3288: Configuration Injection in ingress-nginx
CVSS 8.8 (High) — Configuration Injection via rewrite-target annotation in ingress-nginx. RCE and cluster-wide Secret disclosure.
CVE-2026-1208: CSRF in Friendly Functions for Welcart
CVSS 4.3 (Medium) — Cross-Site Request Forgery to Settings Update in Friendly Functions for Welcart plugin.
CVE-2025-12030: IDOR in ACF to REST API
CVSS 4.3 (Medium) — Insecure Direct Object Reference vulnerability in ACF to REST API plugin.
CVE-2025-12163: Stored XSS in OmniPress
CVSS 6.4 (Medium) — Authenticated Stored Cross-Site Scripting in OmniPress plugin.
CVE-2025-11174: Missing Auth in Document Library Lite
CVSS 5.3 (Medium) — Missing Authorization leading to Sensitive Information Exposure.
CVE-2025-11171: Missing Auth in Chartify
CVSS 5.3 (Medium) — Missing Authentication for Administrative Function in Chartify plugin.
CVE-2025-9776: SQL Injection in CatFolders
CVSS 6.5 (Medium) — Authenticated SQL Injection via CSV Import in CatFolders plugin.