Security Advisory - Published 2026-06-24 - WordPress

WordPress account takeover batch: check resets, roles, and site options

This batch covers WordPress plugins where account or privilege boundaries can fail: Invoice Generator, SignUp & SignIn, Welcome Software Publishing, and Ultimate Member. Patch or disable the affected plugin first, then check whether accounts, roles, password reset events, or WordPress options changed outside normal admin work.

Defensive scope: use these checks only on sites you own or are approved to repair. This page avoids reproduction details and focuses on inventory, evidence preservation, patching, and cleanup.

Affected plugins

CVE              Plugin                        Affected versions   Review focus      CVSS
CVE-2026-12416   Invoice Generator             <= 1.0.0            password resets   9.8
CVE-2026-12417   SignUp & SignIn               <= 1.0.0            admin users       9.8
CVE-2026-7761    Ultimate Member               <= 2.11.4           reset links       8.8
CVE-2026-4297    Welcome Software Publishing   <= 0.0.31           site options      8.8

Owner self-check

wp plugin list --fields=name,version,status | egrep 'invoice-creator|signup-signin|newscred-publishing|ultimate-member'
wp user list --fields=ID,user_login,user_email,roles,user_registered
wp option get default_role
wp option get users_can_register
find wp-content -type f -mtime -10 2>/dev/null | egrep '\.php$|\.phtml$|\.phar$|\.zip$'
grep -Rni 'password reset\|user_register\|xmlrpc\|ultimate-member\|invoice-creator\|signup-signin' wp-content/debug.log logs 2>/dev/null | tail -n 180

What to review

  • New administrators, changed emails, changed passwords, unexpected application passwords, or unfamiliar sessions.
  • Password reset activity for administrator and editor accounts during the exposure window.
  • Subscriber, contributor, or customer accounts created shortly before privilege changes.
  • WordPress options such as default role, registration settings, site URL, active plugins, and upload behavior.
  • XML-RPC access if Welcome Software Publishing is installed or was installed recently.
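As an added example (not part of this advisory and not code from any of the plugins named above), the POSIX shell helper below triages the self-check output against the review items: it lists administrator accounts registered on or after an assumed exposure-window start and flags option values that differ from what you expect. The sample CSV, the account names and the WINDOW_START date are constructed; on a real site feed it the output of `wp user list ... --format=csv` and `wp option get`.

```shell
#!/bin/sh
# Added triage helper for the owner self-check; not part of the advisory.
# Parses `wp user list --fields=ID,user_login,user_email,roles,user_registered --format=csv`
# output and compares `wp option get` values against the values you expect.

# Constructed sample of the CSV output (real data comes from your own site).
SAMPLE_USERS='ID,user_login,user_email,roles,user_registered
1,siteowner,owner@example.test,administrator,2021-03-02 10:00:00
2,editor1,editor@example.test,editor,2023-05-11 08:30:00
3,wpsupport,support@example.test,administrator,2026-06-20 02:14:09
4,guest99,guest@example.test,subscriber,2026-06-19 23:55:01'

# Start of the exposure window (assumption: the day the vulnerable plugin went live).
WINDOW_START=2026-06-14

# Print administrator accounts whose registration date is on or after $1.
# Reads the CSV on stdin. The role is matched anywhere on the line so a quoted
# multi-role value such as "administrator,editor" is still caught; the date is
# taken from the last field, which never contains a comma.
admins_since() {
  awk -F, -v since="$1" '
    NR > 1 && $0 ~ /administrator/ && substr($NF, 1, 10) >= since {
      print $1 "," $2 "," $3 "," $NF
    }'
}

# Compare one option value with the expected value. Prints a CHANGED line and
# returns 1 on mismatch, returns 0 when the value is what you expect.
check_option() {
  name=$1; expected=$2; actual=$3
  if [ "$expected" = "$actual" ]; then
    return 0
  fi
  printf 'CHANGED %s: expected "%s", got "%s"\n' "$name" "$expected" "$actual"
  return 1
}

# Run the checks against the constructed sample. On a real site replace the
# literals with the output of `wp user list ... --format=csv` and
# `wp option get default_role` / `wp option get users_can_register`.
printf '%s\n' "$SAMPLE_USERS" | admins_since "$WINDOW_START"
check_option default_role subscriber administrator || true   # constructed: flags the change
check_option users_can_register 0 0 || true                  # constructed: unchanged
```

Any account the first check prints, and any CHANGED line from the second, is evidence to preserve before cleanup: keep the raw `wp` output alongside the web and debug logs rather than only the filtered lines.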

Safe fix path

  1. Patch to a fixed release when one is available. If no fixed release is available, disable and remove the plugin from disk.
  2. Preserve web logs, WordPress debug logs, user lists, and recent file timestamps before cleanup.
  3. Force password resets for administrators and rotate hosting, SFTP, database, and integration credentials when account changes are unclear.
  4. Restore files from a clean backup only after the vulnerable plugin is patched or removed.

Repair help

Use Ping7 CVE Repair when the site has unknown users, unexpected role changes, changed options, redirects, SEO spam, or unclear password reset history.
