Security Advisory - Published 2026-06-24 - WordPress

WordPress XSS and SSRF batch: check comments, forms, 404 records, and outbound logs

This batch covers Email JavaScript Cloak, Cincopa, Kargo Takip, URL Preview, WP Meta SEO, and ARForms. Patch or disable the affected plugin, then review content that administrators open inside wp-admin and any outbound requests made by preview or tracking features.

Defensive scope: this page is for site owners and approved repair work. It avoids script samples, request examples, and instructions for testing sites you do not control.

Affected plugins

CVE             | Plugin                          | Affected   | Review         | CVSS
CVE-2026-3652   | ARForms                         | <= 7.1.3   | form entries   | 7.2
CVE-2026-10092  | Cincopa video and media plugin  | <= 1.163   | comments       | 7.2
CVE-2026-10091  | Email JavaScript Cloak          | <= 1.03    | shortcodes     | 7.2
CVE-2026-12095  | Kargo Takip                     | <= 1.2     | outbound logs  | 7.2
CVE-2026-12100  | URL Preview                     | <= 1.0     | outbound logs  | 7.2
CVE-2026-9643   | WP Meta SEO                     | <= 4.5.18  | 404 records    | 7.2

Owner self-check

# Installed versions of the six plugins (compare against the Affected column above)
wp plugin list --fields=name,version,status | grep -E 'email-javascript-cloaker|video-playlist-and-gallery-plugin|kargo-takip|link-preview|wp-meta-seo|arforms'
# Recent comments (all moderation states) and recently modified posts and pages
wp comment list --status=all --fields=comment_ID,comment_author,comment_date,comment_approved | tail -80
wp post list --post_type=post,page --post_status=publish,draft --fields=ID,post_title,post_modified | tail -80
# Plugin activity in the debug log and web-server logs
grep -REni 'wp-meta-seo|arforms|link-preview|kargo|cincopa|email-js' wp-content/debug.log logs 2>/dev/null | tail -180
# Outbound requests toward loopback, link-local metadata addresses, or wp-admin pages
grep -REni 'metadata|169\.254|localhost|127\.0\.0\.1|wp-admin/admin\.php' logs wp-content/debug.log 2>/dev/null | tail -120
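The version check behind the first command, written out as an added example that is not part of this advisory: it assumes the plugin slugs used in the grep pattern above are the installed directory names, takes the thresholds from the Affected column, and reads rows in the shape of `wp plugin list --fields=name,version,status --format=csv` (the sample rows are constructed).

```shell
# version_le A B: exit 0 when dotted version A <= B (each part compared as a
# number, like PHP's version_compare, so 1.1 is treated as older than 1.03).
version_le() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 0
    }'
}
# affected_max SLUG: print the last vulnerable version from the advisory
# table (slugs as in the self-check grep), or fail if the slug is not listed.
affected_max() {
    case "$1" in
        arforms) echo 7.1.3 ;;
        video-playlist-and-gallery-plugin) echo 1.163 ;;
        email-javascript-cloaker) echo 1.03 ;;
        kargo-takip) echo 1.2 ;;
        link-preview) echo 1.0 ;;
        wp-meta-seo) echo 4.5.18 ;;
        *) return 1 ;;
    esac
}
# is_affected SLUG VERSION: exit 0 when the plugin is listed and unpatched.
is_affected() {
    max=$(affected_max "$1") || return 1
    version_le "$2" "$max"
}
# report_affected: read name,version,status rows (as from `wp plugin list
# --fields=name,version,status --format=csv`) on stdin; print affected ones.
report_affected() {
    while IFS=, read -r name version status; do
        [ "$name" = "name" ] && continue   # skip the CSV header row
        if is_affected "$name" "$version"; then
            echo "AFFECTED $name $version ($status): patch or disable"
        fi
    done
}
# Constructed sample rows for demonstration (not from a real site).
SAMPLE='name,version,status
arforms,7.1.3,active
wp-meta-seo,4.5.19,active
link-preview,1.0,inactive
akismet,5.3,active'
printf '%s\n' "$SAMPLE" | report_affected
```

On a live site, replace the sample with `wp plugin list --fields=name,version,status --format=csv | report_affected`.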

What to review

  • Recent comments, moderation queues, and pages containing plugin shortcodes.
  • ARForms partial entries and form submissions that administrators opened during the exposure window.
  • WP Meta SEO 404 and redirect records, especially entries created by unusual URLs.
  • Outbound web requests from the WordPress host to internal services or hosting metadata addresses.
  • Administrator sessions that viewed plugin dashboards after suspicious content was stored.

Safe fix path

  1. Patch affected plugins. If a fixed release is not available, disable the plugin and remove it from disk.
  2. Moderate or remove suspicious comments, shortcode content, partial entries, and 404 records after preserving evidence.
  3. Restrict outbound requests from the WordPress host to internal networks and metadata services.
  4. Rotate administrator credentials if plugin dashboards were opened while suspicious content was present.

Repair help

Use Ping7 CVE Repair when admin pages may have loaded suspicious stored content, outbound logs show internal access, or form and SEO records are too noisy to review safely.
