Security Advisory - Published 2026-07-11 - WordPress / WooCommerce
WordPress plugin batch: check accounts, uploads, checkout data, forms, and query errors
This batch is useful for site owners and agencies running WordPress, WooCommerce, Elementor add-ons, booking plugins, form plugins, or social login plugins. The urgent work is version inventory, account review, file review, and patching before cache cleanup.
Affected CVEs in this batch
| CVE | Product | Affected | Review | CVSS |
|---|---|---|---|---|
| CVE-2026-57807 | miniOrange OAuth Single Sign On | <= 38.5.8 | SSO flows, password reset events, administrator accounts, and login logs | 9.8 |
| CVE-2026-12761 | miniOrange Social Login and Register | <= 7.7.0 | social-login callbacks, account changes, reset events, and admin users | 9.8 |
| CVE-2025-6784 | Code Engine | <= 0.3.5 | shortcodes, post content, administrator edits, and plugin files | 8.8 |
| CVE-2026-15155 | Essential Addons for Elementor | <= 6.6.10 | login/register flows, email changes, reset activity, and admin sessions | 8.8 |
| CVE-2026-1359 | Genolve AI image AI video generation | vendor advisory | plugin options, administrator changes, generated media, and access logs | 8.8 |
| CVE-2026-14262 | Simple JWT Login | <= 3.6.6 | JWT settings, REST login events, new sessions, and administrator roles | 8.8 |
| CVE-2026-2354 | Swiss Toolkit For WP | <= 1.4.2 | uploads, plugin extension files, executable files, and recent file changes | 8.8 |
| CVE-2026-13756 | WP Grid Builder | <= 2.3.3 | role changes, grid settings, user meta changes, and admin sessions | 8.8 |
| CVE-2026-13353 | WP Ultimate CSV Importer | <= 8.0.1 | CSV imports, add-on installs, administrator activity, and modified files | 8.8 |
| CVE-2026-7655 | SureCart | <= 4.2.3 | customer accounts, administrator users, orders, webhooks, and login history | 8.1 |
| CVE-2026-15335 | Booking Package | <= 1.7.20 | booking forms, database errors, customer records, and plugin logs | 7.5 |
| CVE-2026-15338 | LA-Studio Element Kit for Elementor | <= 1.6.1 | Elementor templates, theme files, PHP errors, and page-builder edits | 7.5 |
| CVE-2026-9282 | W3 Total Cache | <= 2.9.4 | manual minify settings, cache files, sensitive file access, and web logs | 7.5 |
| CVE-2026-4661 | WP CTA - Sticky CTA Builder | <= 1.7.4 | CTA forms, database errors, query logs, and lead data access | 7.5 |
| CVE-2026-6939 | CorvusPay WooCommerce Payment Gateway | <= 2.7.4 | payment callbacks, order notes, checkout fields, and WooCommerce logs | 7.2 |
| CVE-2026-13378 | Form Vibes | <= 1.5.2 | form submissions, Contact Form 7 fields, exported entries, and admin views | 7.2 |
| CVE-2026-13114 | Motors Car Dealership and Classified Listings | <= 1.4.108 | comments, user profiles, listings, and front-end scripts | 7.2 |
| CVE-2026-3576 | Planyo Online Reservation System | <= 3.0 | reservation settings, outbound requests, local file access, and web logs | 7.2 |
| CVE-2026-1667 | Squirrly SEO | <= 14.0.0 | new posts, SEO metadata, public scripts, and author activity | 7.2 |
| CVE-2026-13010 | JoomSport | <= 5.7.9 | sports shortcodes, database errors, event pages, and query logs | 6.5 |
| CVE-2026-15073 | KiviCare | <= 4.5.0 | clinic records, query errors, user roles, and appointment data | 6.5 |
| CVE-2026-13262 | Majestic Support | <= 1.1.8 | support tickets, search activity, database errors, and agent accounts | 6.5 |
| CVE-2026-11990 | KiviCare | <= 4.4.0 | patient records, payment gateways, appointment data, and access logs | 5.3 |
| CVE-2026-13250 | Solace Extra | <= 1.5.3 | theme options, admin actions, public endpoints, and web logs | 5.3 |
| CVE-2026-12994 | WCFM Frontend Manager for WooCommerce | <= 6.7.27 | vendor access, enquiry records, store settings, and WooCommerce roles | 5.3 |
| CVE-2026-10628 | Points and Rewards for WooCommerce | <= 2.10.0 | reward balances, order notes, customer accounts, and role checks | 4.3 |
What to check first
- Whether any affected plugin is installed, active, bundled in a theme, or present on a staging site that shares production credentials.
- New administrator users, role changes, password reset activity, social-login callbacks, JWT settings, and WooCommerce customer sessions.
- Unexpected PHP files in uploads, cache, plugin folders, theme folders, import folders, or generated media directories.
- Database errors, long requests, unusual form submissions, booking records, support tickets, checkout notes, and reward or vendor-account changes.
Safe fix path
- Disable the affected plugin when a fixed release is not already installed.
- Preserve access logs, WordPress debug logs, security-plugin logs, and a file listing before deleting suspicious files.
- Patch the plugin, clear only the minimum cache needed, and verify the fixed version is active on the live site.
- Rotate administrator passwords, application passwords, SMTP keys, payment keys, and API keys when account or checkout integrity is uncertain.
Compromise indicators
- Admin sessions or role changes that do not match a real maintenance window.
- New executable files under uploads, cache, import, temporary, or page-builder folders.
- Checkout records, booking records, support tickets, or form entries changed outside normal business activity.
- Database errors or repeated requests tied to plugin endpoints during the exposure window.
When to ask Ping7 for repair
Use Ping7 CVE Repair when a WordPress site is public, customer or checkout data may be involved, uploads contain unknown files, or you need a written clean / suspicious / compromised verdict before reopening the site.