The DoLeads Integrator WordPress plugin through 0.65, wp2epub WordPress plugin through 0.65 have been seen to be used to achieve RCE, once they are added adding to a blog, for example using a vulnerability where unclosed extensions from wordpress.org can be installed by unauthorized users.
Casky was already ahead
This CVE exploits attack patterns that Casky's 0matched skills already investigate — long before this vulnerability was disclosed. Claude's reasoning model maps these techniques to MITRE ATT&CK, so practitioners who ran these skills have already seen the threat behaviour in their findings.
CVE-2026-4375 represents a critical vulnerability affecting WordPress installations running the DoLeads Integrator and wp2epub plugins through version 0.65. The vulnerability stems from a weakness in WordPress plugin validation that allows unauthorized users to install unclosed extensions from wordpress.org, bypassing normal authentication controls. Once installed, these plugins can be leveraged to achieve Remote Code Execution (RCE) on the affected WordPress server. This is particularly dangerous because WordPress powers over 43% of all websites, making it an attractive target for attackers seeking to compromise web infrastructure at scale. Any organization running these vulnerable plugin versions faces immediate risk of server compromise, data theft, and lateral movement into their broader network.
While this CVE currently shows no mapped MITRE ATT&CK techniques and zero matching Casky skills in the database, practitioners using Casky.ai's Claude-powered platform should monitor for attack patterns consistent with T1190 (Exploit Public-Facing Application) and T1021 (Remote Services) when investigating WordPress environments. As security teams configure extended reasoning across Casky's 754 mapped skills, the platform would detect suspicious plugin installation activity through behavioral analysis—such as unexpected administrative actions, plugin files appearing outside normal directories, or database modifications indicating unauthorized plugin activation. Practitioners should watch for indicators of compromise including unusual wp-admin access patterns, shell file creation in wp-content directories, and outbound connections from web server processes. This vulnerability underscores the importance of maintaining strict plugin governance policies and implementing Web Application Firewall (WAF) rules to prevent unauthorized administrative operations.
Composite risk scoring from EPSS, CISA KEV, Shodan, and GreyNoise — 21 security APIs correlated into a single Casky Risk Score. Coming in Casky Pro. Join early access →
Casky has 0 skills that investigate the attack patterns behind CVE-2026-4375. Run one and get CVSS-scored findings in 3 minutes.
Run the skill that detects this →© 2026 Casky.AI, Inc. · AI Security Investigation