Security Advisory - Published 2026-07-11 - WordPress / WooCommerce

WordPress plugin batch: check accounts, uploads, checkout data, forms, and query errors

This batch is useful for site owners and agencies running WordPress, WooCommerce, Elementor add-ons, booking plugins, form plugins, or social login plugins. The urgent work is version inventory, account review, file review, and patching before cache cleanup.

Defensive scope: use this checklist only on sites you own or are approved to repair. It avoids exploit steps and keeps the review on versions, logs, users, files, and recovery decisions.

Affected CVEs in this batch

CVEProductAffectedReviewCVSS
CVE-2026-57807miniOrange OAuth Single Sign On<= 38.5.8SSO flows, password reset events, administrator accounts, and login logs9.8
CVE-2026-12761miniOrange Social Login and Register<= 7.7.0social-login callbacks, account changes, reset events, and admin users9.8
CVE-2025-6784Code Engine<= 0.3.5shortcodes, post content, administrator edits, and plugin files8.8
CVE-2026-15155Essential Addons for Elementor<= 6.6.10login/register flows, email changes, reset activity, and admin sessions8.8
CVE-2026-1359Genolve AI image AI video generationvendor advisoryplugin options, administrator changes, generated media, and access logs8.8
CVE-2026-14262Simple JWT Login<= 3.6.6JWT settings, REST login events, new sessions, and administrator roles8.8
CVE-2026-2354Swiss Toolkit For WP<= 1.4.2uploads, plugin extension files, executable files, and recent file changes8.8
CVE-2026-13756WP Grid Builder<= 2.3.3role changes, grid settings, user meta changes, and admin sessions8.8
CVE-2026-13353WP Ultimate CSV Importer<= 8.0.1CSV imports, add-on installs, administrator activity, and modified files8.8
CVE-2026-7655SureCart<= 4.2.3customer accounts, administrator users, orders, webhooks, and login history8.1
CVE-2026-15335Booking Package<= 1.7.20booking forms, database errors, customer records, and plugin logs7.5
CVE-2026-15338LA-Studio Element Kit for Elementor<= 1.6.1Elementor templates, theme files, PHP errors, and page-builder edits7.5
CVE-2026-9282W3 Total Cache<= 2.9.4manual minify settings, cache files, sensitive file access, and web logs7.5
CVE-2026-4661WP CTA - Sticky CTA Builder<= 1.7.4CTA forms, database errors, query logs, and lead data access7.5
CVE-2026-6939CorvusPay WooCommerce Payment Gateway<= 2.7.4payment callbacks, order notes, checkout fields, and WooCommerce logs7.2
CVE-2026-13378Form Vibes<= 1.5.2form submissions, Contact Form 7 fields, exported entries, and admin views7.2
CVE-2026-13114Motors Car Dealership and Classified Listings<= 1.4.108comments, user profiles, listings, and front-end scripts7.2
CVE-2026-3576Planyo Online Reservation System<= 3.0reservation settings, outbound requests, local file access, and web logs7.2
CVE-2026-1667Squirrly SEO<= 14.0.0new posts, SEO metadata, public scripts, and author activity7.2
CVE-2026-13010JoomSport<= 5.7.9sports shortcodes, database errors, event pages, and query logs6.5
CVE-2026-15073KiviCare<= 4.5.0clinic records, query errors, user roles, and appointment data6.5
CVE-2026-13262Majestic Support<= 1.1.8support tickets, search activity, database errors, and agent accounts6.5
CVE-2026-11990KiviCare<= 4.4.0patient records, payment gateways, appointment data, and access logs5.3
CVE-2026-13250Solace Extra<= 1.5.3theme options, admin actions, public endpoints, and web logs5.3
CVE-2026-12994WCFM Frontend Manager for WooCommerce<= 6.7.27vendor access, enquiry records, store settings, and WooCommerce roles5.3
CVE-2026-10628Points and Rewards for WooCommerce<= 2.10.0reward balances, order notes, customer accounts, and role checks4.3

What to check first

  • Whether any affected plugin is installed, active, bundled in a theme, or present on a staging site that shares production credentials.
  • New administrator users, role changes, password reset activity, social-login callbacks, JWT settings, and WooCommerce customer sessions.
  • Unexpected PHP files in uploads, cache, plugin folders, theme folders, import folders, or generated media directories.
  • Database errors, long requests, unusual form submissions, booking records, support tickets, checkout notes, and reward or vendor-account changes.

Safe fix path

  1. Disable the affected plugin when a fixed release is not already installed.
  2. Preserve access logs, WordPress debug logs, security-plugin logs, and a file listing before deleting suspicious files.
  3. Patch the plugin, clear only the minimum cache needed, and verify the fixed version is active on the live site.
  4. Rotate administrator passwords, application passwords, SMTP keys, payment keys, and API keys when account or checkout integrity is uncertain.

Compromise indicators

  • Admin sessions or role changes that do not match a real maintenance window.
  • New executable files under uploads, cache, import, temporary, or page-builder folders.
  • Checkout records, booking records, support tickets, or form entries changed outside normal business activity.
  • Database errors or repeated requests tied to plugin endpoints during the exposure window.

When to ask Ping7 for repair

Use Ping7 CVE Repair when a WordPress site is public, customer or checkout data may be involved, uploads contain unknown files, or you need a written clean / suspicious / compromised verdict before reopening the site.

References