Vulnerability & Patch Roundup — June 2026
2026-07-02 06:15 | Author: blog.sucuri.net

Running a website means that a single unpatched vulnerability can take it offline, damage your reputation, or force a costly cleanup. Most compromises begin with automated attacks that exploit known software flaws, usually ones that have already been reported and publicly disclosed, often with a fix available.

To keep you protected from these threats, we’ve compiled this month’s key security updates and vulnerability patches for the WordPress ecosystem.

If you’re already using the Sucuri Firewall, you’re protected: these vulnerabilities are virtually patched for all clients, meaning the firewall blocks known exploit traffic before it reaches your site. Virtual patching is a stopgap rather than a fix, so you should still apply the plugin updates listed below. If you’re not using a WAF, consider putting one in front of your site to block attacks before they reach your environment.
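A check you can run your own site through, added here as a worked example (it is not Sucuri’s code and not part of the original post). It parses the Affected Software lines in the format the entries below use, compares installed versions with the same rules as PHP’s version_compare(), which is what WordPress uses when it decides whether a plugin is out of date, and reports each CVE that still applies together with the version to update to. The ROUNDUP rows are taken from entries on this page; INVENTORY is constructed sample data, and the assumption that an installed plugin’s title matches the roundup’s plugin name (for example from `wp plugin list --fields=title,version --format=json`) is mine.

```python
"""Audit a WordPress plugin inventory against this roundup's advisories.

Added example, not Sucuri's code. ROUNDUP rows are copied from entries on this
page; INVENTORY is constructed sample input standing in for the JSON from
`wp plugin list --fields=title,version --format=json` (assumption: the plugin
title matches the name used in the roundup).
"""
import re
from dataclasses import dataclass
from typing import Optional

# ("Affected Software", CVE, "Patched Versions") exactly as the entries print them.
ROUNDUP = [
    ("Elementor Website Builder ≤ 4.1.0", "CVE-2026-49782", "4.1.1"),
    ("UpdraftPlus ≤ 1.26.4", "CVE-2026-10795", "1.26.5"),
    ("The Events Calendar 6.15.12 - 6.16.2", "CVE-2026-49772", "6.16.3"),
    ("Post Duplicator < 3.0.15", "CVE-2026-10749", "3.0.15"),
    ("Kirki 6.0.0 - 6.0.6", "CVE-2026-8206", "6.0.7"),
    ("WP Activity Log ≤ 5.6.3.1", "CVE-2026-54806", "5.6.4"),
    ("WP Activity Log ≤ 5.6.3.1", "CVE-2026-56005", "5.6.4"),
]

# Constructed inventory: patched, below an affected range, and vulnerable cases.
INVENTORY = [
    {"title": "Elementor Website Builder", "version": "4.0.9"},
    {"title": "UpdraftPlus", "version": "1.26.5"},
    {"title": "The Events Calendar", "version": "6.15.3"},
    {"title": "Post Duplicator", "version": "3.0.14"},
    {"title": "Kirki", "version": "6.0.7"},
    {"title": "WP Activity Log", "version": "5.6.3.1"},
]


@dataclass(frozen=True)
class Advisory:
    plugin: str
    cve: str
    patched: str
    max_affected: str
    max_inclusive: bool            # True for "≤ X", False for "< X"
    min_affected: Optional[str]    # lower bound of an "X - Y" range, else None


# "Name ≤ 1.2.3", "Name < 1.2.3" or "Name 1.2.0 - 1.2.3"; the name may contain digits.
_AFFECTED = re.compile(
    r"^(?P<name>.+?)\s+(?:(?P<op>≤|<=|<)\s*(?P<max>[\w.]+)"
    r"|(?P<lo>[\w.]+)\s*[-–]\s*(?P<hi>[\w.]+))$"
)


def parse_advisory(affected: str, cve: str, patched: str) -> Advisory:
    m = _AFFECTED.match(affected.strip())
    if not m:
        raise ValueError(f"unrecognised affected-software line: {affected!r}")
    if m["op"]:
        return Advisory(m["name"], cve, patched, m["max"], m["op"] != "<", None)
    return Advisory(m["name"], cve, patched, m["hi"], True, m["lo"])


# Ranks PHP's version_compare() gives non-numeric parts; numbers rank at "#" (4),
# unknown tags below "dev". Prefix matching mirrors PHP's strncmp on the table.
_SPECIAL = [("dev", 0), ("alpha", 1), ("a", 1), ("beta", 2), ("b", 2),
            ("RC", 3), ("rc", 3), ("#", 4), ("pl", 5), ("p", 5)]


def _canonical(version: str) -> list:
    """PHP's canonicalisation: non-alphanumerics become '.', and a '.' is inserted
    where a digit meets a letter, so '1.0RC1' -> ['1', '0', 'RC', '1']."""
    v = re.sub(r"[^A-Za-z0-9.]", ".", version)
    v = re.sub(r"(?<=\d)(?=[A-Za-z])|(?<=[A-Za-z])(?=\d)", ".", v)
    return [p for p in v.split(".") if p]


def _rank(part: str) -> tuple:
    if part.isdigit():
        return (4, int(part))
    for name, order in _SPECIAL:
        if part.startswith(name):
            return (order, 0)
    return (-1, 0)


def version_compare(a: str, b: str) -> int:
    """-1, 0 or 1 with the semantics of PHP's version_compare($a, $b):
    '1.0' < '1.0.0', '1.0RC1' < '1.0', '10.1.01' == '10.1.1'."""
    pa, pb = _canonical(a), _canonical(b)
    for x, y in zip(pa, pb):
        rx, ry = _rank(x), _rank(y)
        if rx != ry:
            return -1 if rx < ry else 1
    if len(pa) == len(pb):
        return 0
    # The longer version wins if its extra part is numeric or "pl"/"p",
    # and loses if it is a pre-release tag such as "RC".
    longer, sign = (pa, 1) if len(pa) > len(pb) else (pb, -1)
    extra = longer[min(len(pa), len(pb))]
    return sign if _rank(extra) >= (4, 0) else -sign


def is_affected(adv: Advisory, installed: str) -> bool:
    if adv.min_affected is not None and version_compare(installed, adv.min_affected) < 0:
        return False
    c = version_compare(installed, adv.max_affected)
    return c < 0 or (c == 0 and adv.max_inclusive)


def audit(inventory, roundup=ROUNDUP):
    """Return (plugin, installed, cve, patched) for every advisory that still applies."""
    advisories = [parse_advisory(*row) for row in roundup]
    return [
        (adv.plugin, item["version"], adv.cve, adv.patched)
        for item in inventory
        for adv in advisories
        if adv.plugin == item["title"] and is_affected(adv, item["version"])
    ]


if __name__ == "__main__":
    for plugin, installed, cve, patched in audit(INVENTORY):
        print(f"{plugin} {installed}: {cve} unpatched, update to {patched} or later")
```

Run it as a script to print the findings; covering the whole roundup is a matter of adding rows to ROUNDUP. The version comparison is the part worth getting right: a plain string comparison would rank WPForms 1.9.x above 1.10.0.5 and would miss that WP Go Maps 10.1.01 and 10.1.1 are the same release, so the check deliberately reproduces PHP’s rules rather than comparing strings.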


Plugins


Elementor Website Builder – Missing Authorization

Security Risk: Medium
Vulnerability: Missing Authorization
CVE: CVE-2026-49782
Number of Installations: 10,000,000+
Affected Software: Elementor Website Builder ≤ 4.1.0
Patched Versions: 4.1.1

Mitigation steps: Update to Elementor Website Builder version 4.1.1 or greater.


WPForms – Unauthenticated Insufficient Verification of Data Authenticity via PayPal Commerce Webhook Endpoint

Security Risk: Medium
Vulnerability: Unauthenticated Insufficient Verification of Data Authenticity via PayPal Commerce Webhook Endpoint
CVE: CVE-2026-7792
Number of Installations: 6,000,000+
Affected Software: WPForms ≤ 1.10.0.4
Patched Versions: 1.10.0.5

Mitigation steps: Update to WPForms version 1.10.0.5 or greater.


Rank Math SEO – Missing Authorization

Security Risk: Medium
Vulnerability: Missing Authorization
CVE: CVE-2026-34892
Number of Installations: 4,000,000+
Affected Software: Rank Math SEO ≤ 1.0.271
Patched Versions: 1.0.271.1

Mitigation steps: Update to Rank Math SEO version 1.0.271.1 or greater.


UpdraftPlus – Unauthenticated Authentication Bypass via UpdraftCentral udrpc

Security Risk: Critical
Vulnerability: Unauthenticated Authentication Bypass via UpdraftCentral udrpc
CVE: CVE-2026-10795
Number of Installations: 3,000,000+
Affected Software: UpdraftPlus ≤ 1.26.4
Patched Versions: 1.26.5

Mitigation steps: Update to UpdraftPlus version 1.26.5 or greater.


Really Simple Security (formerly Really Simple SSL) – Missing Authorization

Security Risk: Medium
Vulnerability: Missing Authorization
CVE: CVE-2026-48970
Number of Installations: 3,000,000+
Affected Software: Really Simple Security (formerly Really Simple SSL) ≤ 9.5.10
Patched Versions: 9.5.10.1

Mitigation steps: Update to Really Simple Security (formerly Really Simple SSL) version 9.5.10.1 or greater.


Really Simple Security (formerly Really Simple SSL) – Missing Authorization

Security Risk: Medium
Vulnerability: Missing Authorization
CVE: CVE-2026-48969
Number of Installations: 3,000,000+
Affected Software: Really Simple Security (formerly Really Simple SSL) ≤ 9.5.9
Patched Versions: 9.5.10

Mitigation steps: Update to Really Simple Security (formerly Really Simple SSL) version 9.5.10 or greater.


Essential Addons for Elementor – Missing Authorization to Unauthenticated Information Exposure via ‘load_more’ AJAX Handler

Security Risk: High
Vulnerability: Missing Authorization to Unauthenticated Information Exposure via 'load_more' AJAX Handler
CVE: CVE-2026-7665
Number of Installations: 2,000,000+
Affected Software: Essential Addons for Elementor ≤ 6.6.4
Patched Versions: 6.6.5

Mitigation steps: Update to Essential Addons for Elementor version 6.6.5 or greater.


All-In-One Security (AIOS) – Unauthenticated Stored Cross-Site Scripting via REST API Request Path

Security Risk: High
Vulnerability: Unauthenticated Stored Cross-Site Scripting via REST API Request Path
CVE: CVE-2026-8438
Number of Installations: 1,000,000+
Affected Software: All-In-One Security (AIOS) ≤ 5.4.7
Patched Versions: 5.4.8

Mitigation steps: Update to All-In-One Security (AIOS) version 5.4.8 or greater.


WPvivid – Authenticated (Admin+) Arbitrary Directory Deletion

Security Risk: Low
Vulnerability: Authenticated (Admin+) Arbitrary Directory Deletion
CVE: CVE-2025-12656
Number of Installations: 900,000+
Affected Software: WPvivid ≤ 0.9.128
Patched Versions: 0.9.129

Mitigation steps: Update to WPvivid version 0.9.129 or greater.


Smart Slider 3 – Authenticated (Administrator+) Path Traversal to Arbitrary File Read via ‘src’/‘srcset’ Attribute in HTML Export

Security Risk: Low
Vulnerability: Authenticated (Administrator+) Path Traversal to Arbitrary File Read via 'src'/'srcset' Attribute in HTML Export
CVE: CVE-2026-9197
Number of Installations: 800,000+
Affected Software: Smart Slider 3 ≤ 3.5.1.36
Patched Versions: 3.5.1.37

Mitigation steps: Update to Smart Slider 3 version 3.5.1.37 or greater.


The Events Calendar – Unauthenticated SQL Injection

Security Risk: Critical
Vulnerability: Unauthenticated SQL Injection
CVE: CVE-2026-49772
Number of Installations: 700,000+
Affected Software: The Events Calendar 6.15.12 - 6.16.2
Patched Versions: 6.16.3

Mitigation steps: Update to The Events Calendar version 6.16.3 or greater.


WooCommerce Stripe Payment Gateway – Missing Authorization to Unauthenticated Order Status Manipulation via ‘order’ Parameter

Security Risk: Medium
Vulnerability: Missing Authorization to Unauthenticated Order Status Manipulation via 'order' Parameter
CVE: CVE-2026-2381
Number of Installations: 700,000+
Affected Software: WooCommerce Stripe Payment Gateway ≤ 10.7.0
Patched Versions: 10.8.0

Mitigation steps: Update to WooCommerce Stripe Payment Gateway version 10.8.0 or greater.


Click to Chat – HoliThemes – Authenticated (Contributor+) Stored Cross-Site Scripting via ‘num’ Shortcode Parameter

Security Risk: Medium
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via 'num' Shortcode Parameter
CVE: CVE-2026-7795
Number of Installations: 700,000+
Affected Software: Click to Chat – HoliThemes ≤ 4.39
Patched Versions: 4.40

Mitigation steps: Update to Click to Chat – HoliThemes version 4.40 or greater.


MainWP Child – Missing Authorization

Security Risk: Medium
Vulnerability: Missing Authorization
CVE: CVE-2026-27366
Number of Installations: 700,000+
Affected Software: MainWP Child ≤ 6.1.1
Patched Versions: 6.1.2

Mitigation steps: Update to MainWP Child version 6.1.2 or greater.


Forminator Forms – Unauthenticated Stored Cross-Site Scripting

Security Risk: High
Vulnerability: Unauthenticated Stored Cross-Site Scripting
CVE: CVE-2026-56071
Number of Installations: 600,000+
Affected Software: Forminator Forms ≤ 1.53.1
Patched Versions: 1.53.2

Mitigation steps: Update to Forminator Forms version 1.53.2 or greater.


WP Statistics – Unauthenticated Stored Cross-Site Scripting

Security Risk: High
Vulnerability: Unauthenticated Stored Cross-Site Scripting
CVE: CVE-2026-48839
Number of Installations: 600,000+
Affected Software: WP Statistics ≤ 14.16.6
Patched Versions: 14.16.7

Mitigation steps: Update to WP Statistics version 14.16.7 or greater.


Royal Addons for Elementor – Authenticated (Contributor+) Arbitrary File Read via Data Table Widget CSV File Source

Security Risk: Medium
Vulnerability: Authenticated (Contributor+) Arbitrary File Read via Data Table Widget CSV File Source
CVE: CVE-2026-8118
Number of Installations: 600,000+
Affected Software: Royal Addons for Elementor 1.7.1058 - 1.7.1059
Patched Versions: 1.7.1060

Mitigation steps: Update to Royal Addons for Elementor version 1.7.1060 or greater.


Enable Media Replace – Authenticated (Author+) Stored Cross-Site Scripting via ‘location_dir’ Parameter

Security Risk: Medium
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via 'location_dir' Parameter
CVE: CVE-2026-5714
Number of Installations: 600,000+
Affected Software: Enable Media Replace ≤ 4.1.8
Patched Versions: 4.1.9

Mitigation steps: Update to Enable Media Replace version 4.1.9 or greater.


TablePress – Reflected Cross-Site Scripting

Security Risk: Low
Vulnerability: Reflected Cross-Site Scripting
CVE: CVE-2026-56051
Number of Installations: 600,000+
Affected Software: TablePress ≤ 3.3.1
Patched Versions: 3.3.2

Mitigation steps: Update to TablePress version 3.3.2 or greater.


Kadence Blocks – Authenticated (Contributor+) Sensitive Information Exposure via Block Editor proData Localization

Security Risk: Medium
Vulnerability: Authenticated (Contributor+) Sensitive Information Exposure via Block Editor proData Localization
CVE: CVE-2026-11357
Number of Installations: 600,000+
Affected Software: Kadence Blocks ≤ 3.7.5
Patched Versions: 3.7.6

Mitigation steps: Update to Kadence Blocks version 3.7.6 or greater.


Kirki – Unauthenticated Privilege Escalation via ‘handle_forgot_password’

Security Risk: Critical
Vulnerability: Unauthenticated Privilege Escalation via 'handle_forgot_password'
CVE: CVE-2026-8206
Number of Installations: 500,000+
Affected Software: Kirki 6.0.0 - 6.0.6
Patched Versions: 6.0.7

Mitigation steps: Update to Kirki version 6.0.7 or greater.


Page Builder by SiteOrigin – Authenticated (Contributor+) Stored Cross-Site Scripting via panels_data Parameter

Security Risk: Medium
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via panels_data Parameter
CVE: CVE-2026-13295
Number of Installations: 400,000+
Affected Software: Page Builder by SiteOrigin ≤ 2.34.3
Patched Versions: 2.34.4

Mitigation steps: Update to Page Builder by SiteOrigin version 2.34.4 or greater.


Page Builder: Pagelayer – Authenticated (Contributor+) Stored Cross-Site Scripting via Anchor Block

Security Risk: Medium
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Anchor Block
CVE: CVE-2026-3297
Number of Installations: 400,000+
Affected Software: Page Builder: Pagelayer ≤ 2.0.9
Patched Versions: 2.1.0

Mitigation steps: Update to Page Builder: Pagelayer version 2.1.0 or greater.


Page Builder: Pagelayer – Incorrect Authorization to Authenticated (Contributor+) Mail Relay Configuration via ‘contacts’

Security Risk: Medium
Vulnerability: Incorrect Authorization to Authenticated (Contributor+) Mail Relay Configuration via 'contacts'
CVE: CVE-2026-2470
Number of Installations: 400,000+
Affected Software: Page Builder: Pagelayer ≤ 2.0.9
Patched Versions: 2.1.0

Mitigation steps: Update to Page Builder: Pagelayer version 2.1.0 or greater.


WP Activity Log – Unauthenticated PHP Object Injection

Security Risk: High
Vulnerability: Unauthenticated PHP Object Injection
CVE: CVE-2026-54806
Number of Installations: 300,000+
Affected Software: WP Activity Log ≤ 5.6.3.1
Patched Versions: 5.6.4

Mitigation steps: Update to WP Activity Log version 5.6.4 or greater.


WP Activity Log – Authenticated (Subscriber+) Stored Cross-Site Scripting

Security Risk: Medium
Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
CVE: CVE-2026-56005
Number of Installations: 300,000+
Affected Software: WP Activity Log ≤ 5.6.3.1
Patched Versions: 5.6.4

Mitigation steps: Update to WP Activity Log version 5.6.4 or greater.


Ad Inserter – Reflected Cross-Site Scripting via URL Parameters in iframe Mode

Security Risk: Medium
Vulnerability: Reflected Cross-Site Scripting via URL Parameters in iframe Mode
CVE: CVE-2026-9280
Number of Installations: 300,000+
Affected Software: Ad Inserter ≤ 2.8.15
Patched Versions: 2.8.16

Mitigation steps: Update to Ad Inserter version 2.8.16 or greater.


WP Go Maps – Unauthenticated Arbitrary Record Creation

Security Risk: Medium
Vulnerability: Unauthenticated Arbitrary Record Creation
CVE: CVE-2026-12238
Number of Installations: 300,000+
Affected Software: WP Go Maps ≤ 10.1.01
Patched Versions: 10.1.02

Mitigation steps: Update to WP Go Maps version 10.1.02 or greater.


WP Go Maps – Unauthenticated Sensitive Information Disclosure via Datatables AJAX Fallback

Security Risk: Medium
Vulnerability: Unauthenticated Sensitive Information Disclosure via Datatables AJAX Fallback
CVE: CVE-2026-8385
Number of Installations: 300,000+
Affected Software: WP Go Maps ≤ 10.0.09
Patched Versions: 10.0.10

Mitigation steps: Update to WP Go Maps version 10.0.10 or greater.


Blocksy Companion – Authenticated (Editor+) Stored Cross-Site Scripting via ‘product_description’ Parameter

Security Risk: Medium
Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting via 'product_description' Parameter
CVE: CVE-2026-12430
Number of Installations: 300,000+
Affected Software: Blocksy Companion ≤ 2.1.45
Patched Versions: 2.1.46

Mitigation steps: Update to Blocksy Companion version 2.1.46 or greater.


Ultimate Member – Authenticated (Contributor+) Account Takeover via Password Reset Link Disclosure

Security Risk: High
Vulnerability: Authenticated (Contributor+) Account Takeover via Password Reset Link Disclosure
CVE: CVE-2026-7761
Number of Installations: 200,000+
Affected Software: Ultimate Member ≤ 2.11.4
Patched Versions: 2.12.0

Mitigation steps: Update to Ultimate Member version 2.12.0 or greater.


Advanced Google reCAPTCHA – Authenticated (Subscriber+) Authentication Bypass via Temporary Login Link

Security Risk: High
Vulnerability: Authenticated (Subscriber+) Authentication Bypass via Temporary Login Link
CVE: CVE-2026-5415
Number of Installations: 200,000+
Affected Software: Advanced Google reCAPTCHA ≤ 5.38
Patched Versions: 5.39

Mitigation steps: Update to Advanced Google reCAPTCHA version 5.39 or greater.


Advanced Google reCAPTCHA – Missing Authorization to Authenticated (Subscriber+) Arbitrary File Upload

Security Risk: High
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Arbitrary File Upload
CVE: CVE-2026-5411
Number of Installations: 200,000+
Affected Software: Advanced Google reCAPTCHA ≤ 5.38
Patched Versions: 5.39

Mitigation steps: Update to Advanced Google reCAPTCHA version 5.39 or greater.


Post Duplicator – Authenticated (Contributor+) PHP Object Injection

Security Risk: Medium
Vulnerability: Authenticated (Contributor+) PHP Object Injection
CVE: CVE-2026-10749
Number of Installations: 200,000+
Affected Software: Post Duplicator < 3.0.15
Patched Versions: 3.0.15

Mitigation steps: Update to Post Duplicator version 3.0.15 or greater.


CleanTalk Anti-Spam – Unauthenticated Stored Cross-Site Scripting

Security Risk: High
Vulnerability: Unauthenticated Stored Cross-Site Scripting
CVE: CVE-2026-8071
Number of Installations: 200,000+
Affected Software: CleanTalk Anti-Spam < 6.79
Patched Versions: 6.79

Mitigation steps: Update to CleanTalk Anti-Spam version 6.79 or greater.


Gutenberg Essential Blocks – Authenticated (Author+) Server-Side Request Forgery

Security Risk: Low
Vulnerability: Authenticated (Author+) Server-Side Request Forgery
CVE: CVE-2026-10586
Number of Installations: 200,000+
Affected Software: Gutenberg Essential Blocks ≤ 6.1.3
Patched Versions: 6.1.4

Mitigation steps: Update to Gutenberg Essential Blocks version 6.1.4 or greater.


MW WP Form – Unauthenticated Stored Cross-Site Scripting

Security Risk: High
Vulnerability: Unauthenticated Stored Cross-Site Scripting
CVE: CVE-2026-48871
Number of Installations: 200,000+
Affected Software: MW WP Form ≤ 5.1.3
Patched Versions: 5.1.4

Mitigation steps: Update to MW WP Form version 5.1.4 or greater.


Photo Gallery by 10Web – Authenticated (Contributor+) SQL Injection via ‘compact_album_order_by’ Shortcode Parameter

Security Risk: Medium
Vulnerability: Authenticated (Contributor+) SQL Injection via 'compact_album_order_by' Shortcode Parameter
CVE: CVE-2026-9829
Number of Installations: 200,000+
Affected Software: Photo Gallery by 10Web ≤ 1.8.41
Patched Versions: 1.8.42

Mitigation steps: Update to Photo Gallery by 10Web version 1.8.42 or greater.


Photo Gallery by 10Web – Authenticated (Contributor+) SQL Injection

Security Risk: Medium
Vulnerability: Authenticated (Contributor+) SQL Injection
CVE: CVE-2026-49771
Number of Installations: 200,000+
Affected Software: Photo Gallery by 10Web ≤ 1.8.41
Patched Versions: 1.8.42

Mitigation steps: Update to Photo Gallery by 10Web version 1.8.42 or greater.


Gutenberg Essential Blocks – Authenticated (Contributor+) Stored Cross-Site Scripting via ‘configurablePrefix’ Block Attribute

Security Risk: Medium
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via 'configurablePrefix' Block Attribute
CVE: CVE-2026-10833
Number of Installations: 200,000+
Affected Software: Gutenberg Essential Blocks ≤ 6.1.4
Patched Versions: 6.2.0

Mitigation steps: Update to Gutenberg Essential Blocks version 6.2.0 or greater.


MW WP Form – Authenticated (Editor+) Stored Cross-Site Scripting via ‘memo’ Parameter

Security Risk: Medium
Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting via 'memo' Parameter
CVE: CVE-2026-8853
Number of Installations: 200,000+
Affected Software: MW WP Form ≤ 5.1.3
Patched Versions: 5.1.4

Mitigation steps: Update to MW WP Form version 5.1.4 or greater.


Optimole – Cross-Site Request Forgery via ‘optml_replace_file’ AJAX Action

Security Risk: Low
Vulnerability: Cross-Site Request Forgery via 'optml_replace_file' AJAX Action
CVE: CVE-2026-11784
Number of Installations: 200,000+
Affected Software: Optimole ≤ 4.2.6
Patched Versions: 4.2.7

Mitigation steps: Update to Optimole version 4.2.7 or greater.


WP Migrate Lite – Cross-Site Request Forgery

Security Risk: Low
Vulnerability: Cross-Site Request Forgery
CVE: CVE-2026-49043
Number of Installations: 200,000+
Affected Software: WP Migrate Lite ≤ 2.7.8
Patched Versions: 2.7.9

Mitigation steps: Update to WP Migrate Lite version 2.7.9 or greater.


Widget Options – Authenticated (Contributor+) Remote Code Execution

Security Risk: Medium
Vulnerability: Authenticated (Contributor+) Remote Code Execution
CVE: CVE-2026-54823
Number of Installations: 100,000+
Affected Software: Widget Options ≤ 4.2.3
Patched Versions: 4.2.4

Mitigation steps: Update to Widget Options version 4.2.4 or greater.


Admin Columns – Authenticated (Contributor+) PHP Object Injection to Remote Code Execution via Custom Field Meta Value

Security Risk: High
Vulnerability: Authenticated (Contributor+) PHP Object Injection to Remote Code Execution via Custom Field Meta Value
CVE: CVE-2026-7654
Number of Installations: 100,000+
Affected Software: Admin Columns ≤ 7.0.18
Patched Versions: 7.0.19

Mitigation steps: Update to Admin Columns version 7.0.19 or greater.


LatePoint – Authenticated (Contributor+) Privilege Escalation

Security Risk: Medium
Vulnerability: Authenticated (Contributor+) Privilege Escalation
CVE: CVE-2026-49083
Number of Installations: 100,000+
Affected Software: LatePoint ≤ 5.5.1
Patched Versions: 5.5.2

Mitigation steps: Update to LatePoint version 5.5.2 or greater.


Advanced Ads – Authenticated (Contributor+) Remote Code Execution

Security Risk: Medium
Vulnerability: Authenticated (Contributor+) Remote Code Execution
CVE: CVE-2026-54816
Number of Installations: 100,000+
Affected Software: Advanced Ads ≤ 2.0.21
Patched Versions: 2.0.22

Mitigation steps: Update to Advanced Ads version 2.0.22 or greater.


LatePoint – Authenticated (Agent+) Privilege Escalation to Administrator via IDOR in OsOrdersController::create_or_update + Unauthenticated Customer-Cabinet Password Reset

Security Risk: High
Vulnerability: Authenticated (Agent+) Privilege Escalation to Administrator via IDOR in OsOrdersController::create_or_update + Unauthenticated Customer-Cabinet Password Reset
CVE: CVE-2026-8176
Number of Installations: 100,000+
Affected Software: LatePoint ≤ 5.5.1
Patched Versions: 5.5.2

Mitigation steps: Update to LatePoint version 5.5.2 or greater.


Responsive Lightbox & Gallery – Unauthenticated Stored Cross-Site Scripting

Security Risk: High
Vulnerability: Unauthenticated Stored Cross-Site Scripting
CVE: CVE-2026-56041
Number of Installations: 100,000+
Affected Software: Responsive Lightbox & Gallery ≤ 2.7.6
Patched Versions: 2.7.7

Mitigation steps: Update to Responsive Lightbox & Gallery version 2.7.7 or greater.


Pods – Unauthenticated Stored Cross-Site Scripting

Security Risk: High
Vulnerability: Unauthenticated Stored Cross-Site Scripting
CVE: CVE-2026-54191
Number of Installations: 100,000+
Affected Software: Pods ≤ 3.3.8
Patched Versions: 3.3.9

Mitigation steps: Update to Pods version 3.3.9 or greater.


Email Address Encoder – Unauthenticated Stored Cross-Site Scripting

Security Risk: High
Vulnerability: Unauthenticated Stored Cross-Site Scripting
CVE: CVE-2026-5305
Number of Installations: 100,000+
Affected Software: Email Address Encoder < 1.0.25
Patched Versions: 1.0.25

Mitigation steps: Update to Email Address Encoder version 1.0.25 or greater.


Advanced Order Export For WooCommerce – Authenticated (Customer+) Stored Cross-Site Scripting

Security Risk: High
Vulnerability: Authenticated (Customer+) Stored Cross-Site Scripting
CVE: CVE-2026-56042
Number of Installations: 100,000+
Affected Software: Advanced Order Export For WooCommerce ≤ 4.0.9
Patched Versions: 4.0.10

Mitigation steps: Update to Advanced Order Export For WooCommerce version 4.0.10 or greater.


Permalink Manager Lite – Authenticated (Contributor+) Stored Cross-Site Scripting via Post Title

Security Risk: Medium
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Post Title
CVE: CVE-2026-8494
Number of Installations: 100,000+
Affected Software: Permalink Manager Lite ≤ 2.5.3.3
Patched Versions: 2.5.3.4

Mitigation steps: Update to Permalink Manager Lite version 2.5.3.4 or greater.


Photo Gallery by FooGallery – Authenticated (Contributor+) Stored Cross-Site Scripting via ‘custom_attribute_key’ Shortcode Parameter

Security Risk: Medium
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via 'custom_attribute_key' Shortcode Parameter
CVE: CVE-2026-9134
Number of Installations: 100,000+
Affected Software: Photo Gallery by FooGallery ≤ 3.1.31
Patched Versions: 3.1.32

Mitigation steps: Update to Photo Gallery by FooGallery version 3.1.32 or greater.


Presto Player – Authenticated (Contributor+) Stored Cross-Site Scripting via ‘link_url’ Shortcode Attribute

Security Risk: Medium
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via 'link_url' Shortcode Attribute
CVE: CVE-2026-9125
Number of Installations: 100,000+
Affected Software: Presto Player ≤ 4.2.0
Patched Versions: 4.2.1

Mitigation steps: Update to Presto Player version 4.2.1 or greater.


EmbedPress – Authenticated (Contributor+) Stored Cross-Site Scripting via Block ‘url’ Attribute

Security Risk: Medium
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Block 'url' Attribute
CVE: CVE-2026-7796
Number of Installations: 100,000+
Affected Software: EmbedPress ≤ 4.5.3
Patched Versions: 4.5.4

Mitigation steps: Update to EmbedPress version 4.5.4 or greater.


Auto Image Attributes From Filename With Bulk Updater (Add Alt Text, Image Title For Image SEO) – Authenticated (Author+) Stored Cross-Site Scripting via Image Attribute

Security Risk: Medium
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via Image Attribute
CVE: CVE-2026-3722
Number of Installations: 100,000+
Affected Software: Auto Image Attributes From Filename With Bulk Updater (Add Alt Text, Image Title For Image SEO) ≤ 4.9
Patched Versions: 4.9.1

Mitigation steps: Update to Auto Image Attributes From Filename With Bulk Updater (Add Alt Text, Image Title For Image SEO) version 4.9.1 or greater.


Envira Gallery – Missing Authorization

Security Risk: Medium
Vulnerability: Missing Authorization
CVE: CVE-2026-54190
Number of Installations: 100,000+
Affected Software: Envira Gallery ≤ 1.12.5
Patched Versions: 1.12.6

Mitigation steps: Update to Envira Gallery version 1.12.6 or greater.


Schema & Structured Data for WP & AMP – Unauthenticated Arbitrary Media Upload

Security Risk: High
Vulnerability: Unauthenticated Arbitrary Media Upload
CVE: CVE-2026-9067
Number of Installations: 100,000+
Affected Software: Schema & Structured Data for WP & AMP < 1.60
Patched Versions: 1.60

Mitigation steps: Update to Schema & Structured Data for WP & AMP version 1.60 or greater.


EmbedPress – Unauthenticated Information Exposure

Security Risk: High
Vulnerability: Unauthenticated Information Exposure
CVE: CVE-2026-48872
Number of Installations: 100,000+
Affected Software: EmbedPress ≤ 4.5.2
Patched Versions: 4.5.3

Mitigation steps: Update to EmbedPress version 4.5.3 or greater.


WP All Import – Authenticated (Administrator+) SQL Injection

Security Risk: Low
Vulnerability: Authenticated (Administrator+) SQL Injection
CVE: CVE-2026-57628
Number of Installations: 100,000+
Affected Software: WP All Import ≤ 4.0.1
Patched Versions: 4.1.0

Mitigation steps: Update to WP All Import version 4.1.0 or greater.


Tutor LMS – Authenticated (Administrator+) SQL Injection via ‘data’ Parameter

Security Risk: Low
Vulnerability: Authenticated (Administrator+) SQL Injection via 'data' Parameter
CVE: CVE-2026-10736
Number of Installations: 100,000+
Affected Software: Tutor LMS ≤ 3.9.11
Patched Versions: 3.9.12

Mitigation steps: Update to Tutor LMS version 3.9.12 or greater.


Advanced Order Export For WooCommerce – Authenticated (Shop Manager+) SQL Injection via ‘sort_direction’ Parameter

Security Risk: Medium
Vulnerability: Authenticated (Shop Manager+) SQL Injection via 'sort_direction' Parameter
CVE: CVE-2026-11360
Number of Installations: 100,000+
Affected Software: Advanced Order Export For WooCommerce ≤ 4.0.10
Patched Versions: 4.1.0

Mitigation steps: Update to Advanced Order Export For WooCommerce version 4.1.0 or greater.


Ivory Search – Authenticated (Administrator+) Stored Cross-Site Scripting via ‘menu_title’ and ‘menu_magnifier_color’ Settings

Security Risk: Low
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via 'menu_title' and 'menu_magnifier_color' Settings
CVE: CVE-2026-11356
Number of Installations: 100,000+
Affected Software: Ivory Search ≤ 5.5.15
Patched Versions: 5.5.16

Mitigation steps: Update to Ivory Search version 5.5.16 or greater.


Orbit Fox – Authenticated (Administrator+) Stored Cross-Site Scripting via ‘menu-item-icon’ Parameter

Security Risk: Low
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via 'menu-item-icon' Parameter
CVE: CVE-2026-11358
Number of Installations: 100,000+
Affected Software: Orbit Fox ≤ 3.0.6
Patched Versions: 3.0.7

Mitigation steps: Update to Orbit Fox version 3.0.7 or greater.


Feeds for YouTube (YouTube video, channel, and gallery plugin) – Missing Authorization

Security Risk: Medium
Vulnerability: Missing Authorization
CVE: CVE-2026-1631
Number of Installations: 100,000+
Affected Software: Feeds for YouTube (YouTube video, channel, and gallery plugin) < 2.6.4
Patched Versions: 2.6.4

Mitigation steps: Update to Feeds for YouTube (YouTube video, channel, and gallery plugin) version 2.6.4 or greater.


LatePoint – Cross-Site Request Forgery via invoices__change_status Action

Security Risk: Low
Vulnerability: Cross-Site Request Forgery via invoices__change_status Action
CVE: CVE-2026-9719
Number of Installations: 100,000+
Affected Software: LatePoint ≤ 5.6.0
Patched Versions: 5.6.1

Mitigation steps: Update to LatePoint version 5.6.1 or greater.


JetFormBuilder – Authenticated (Subscriber+) Privilege Escalation

Security Risk: High
Vulnerability: Authenticated (Subscriber+) Privilege Escalation
CVE: CVE-2026-54196
Number of Installations: 90,000+
Affected Software: JetFormBuilder ≤ 3.6.1
Patched Versions: 3.6.1.1

Mitigation steps: Update to JetFormBuilder version 3.6.1.1 or greater.


Amelia – Authenticated (Subscriber+) Privilege Escalation

Security Risk: Low
Vulnerability: Authenticated (Subscriber+) Privilege Escalation
CVE: CVE-2026-48889
Number of Installations: 90,000+
Affected Software: Amelia ≤ 2.3
Patched Versions: 2.4

Mitigation steps: Update to Amelia version 2.4 or greater.


OttoKit – Unauthenticated PHP Object Injection

Security Risk: High
Vulnerability: Unauthenticated PHP Object Injection
CVE: CVE-2026-49781
Number of Installations: 90,000+
Affected Software: OttoKit ≤ 1.1.27
Patched Versions: 1.1.28

Mitigation steps: Update to OttoKit version 1.1.28 or greater.


JetFormBuilder – Unauthenticated Stored Cross-Site Scripting

Security Risk: High
Vulnerability: Unauthenticated Stored Cross-Site Scripting
CVE: CVE-2026-54195
Number of Installations: 90,000+
Affected Software: JetFormBuilder ≤ 3.6.0.1
Patched Versions: 3.6.1

Mitigation steps: Update to JetFormBuilder version 3.6.1 or greater.


Email Encoder – Unauthenticated Stored Cross-Site Scripting

Security Risk: High
Vulnerability: Unauthenticated Stored Cross-Site Scripting
CVE: CVE-2026-5776
Number of Installations: 90,000+
Affected Software: Email Encoder < 2.4.7
Patched Versions: 2.4.7

Mitigation steps: Update to Email Encoder version 2.4.7 or greater.


SureCart – Authenticated (Subscriber+) Stored Cross-Site Scripting

Security Risk: Medium
Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
CVE: CVE-2026-57313
Number of Installations: 90,000+
Affected Software: SureCart ≤ 4.2.2
Patched Versions: 4.2.3

Mitigation steps: Update to SureCart version 4.2.3 or greater.


Advanced Import – Authenticated (Author+) Server-Side Request Forgery via ‘demo_file’ Parameter

Security Risk: Low
Vulnerability: Authenticated (Author+) Server-Side Request Forgery via 'demo_file' Parameter
CVE: CVE-2026-4328
Number of Installations: 90,000+
Affected Software: Advanced Import ≤ 1.4.6
Patched Versions: 2.0.0

Mitigation steps: Update to Advanced Import version 2.0.0 or greater.


SureCart – Reflected Cross-Site Scripting

Security Risk: TBC
Vulnerability: Reflected Cross-Site Scripting
CVE: CVE-2026-57314
Number of Installations: 90,000+
Affected Software: SureCart ≤ 4.3.2
Patched Versions: 4.3.3

Mitigation steps: Update to SureCart version 4.3.3 or greater.


Everest Forms – Reflected Cross-Site Scripting

Security Risk: TBC
Vulnerability: Reflected Cross-Site Scripting
CVE: CVE-2026-57312
Number of Installations: 90,000+
Affected Software: Everest Forms ≤ 3.4.8
Patched Versions: 3.5.0

Mitigation steps: Update to Everest Forms version 3.5.0 or greater.


SlimStat Analytics – Unauthenticated PHP Object Injection

Security Risk: High
Vulnerability: Unauthenticated PHP Object Injection
CVE: CVE-2026-27410
Number of Installations: 80,000+
Affected Software: SlimStat Analytics < 5.4.0
Patched Versions: 5.4.0

Mitigation steps: Update to SlimStat Analytics version 5.4.0 or greater.


Customer Reviews for WooCommerce – Unauthenticated Stored Cross-Site Scripting

Security Risk: High
Vulnerability: Unauthenticated Stored Cross-Site Scripting
CVE: CVE-2026-56043
Number of Installations: 80,000+
Affected Software: Customer Reviews for WooCommerce ≤ 5.110.1
Patched Versions: 5.111.0

Mitigation steps: Update to Customer Reviews for WooCommerce version 5.111.0 or greater.


GetGenie – Unauthenticated Information Exposure

Security Risk: TBC
Vulnerability: Unauthenticated Information Exposure
CVE: CVE-2026-54197
Number of Installations: 80,000+
Affected Software: GetGenie ≤ 4.4.1
Patched Versions: 4.4.2

Mitigation steps: Update to GetGenie version 4.4.2 or greater.


wpDataTables – Unauthenticated SQL Injection

Security Risk: Critical
Vulnerability: Unauthenticated SQL Injection
CVE: CVE-2026-54825
Number of Installations: 70,000+
Affected Software: wpDataTables ≤ 7.4
Patched Versions: 7.4.1

Mitigation steps: Update to wpDataTables version 7.4.1 or greater.


wpDataTables – Unauthenticated SQL Injection

Security Risk: Critical
Vulnerability: Unauthenticated SQL Injection
CVE: CVE-2026-49080
Number of Installations: 70,000+
Affected Software: wpDataTables ≤ 7.3.6
Patched Versions: 7.4

Mitigation steps: Update to wpDataTables – WordPress Data Table, Dynamic Tables & Table Charts Plugin version 7.4 or greater.


Bookly – Unauthenticated Stored Cross-Site Scripting via ‘bookly-customer-full-name’ Cookie

Security Risk: Medium
Vulnerability: Unauthenticated Stored Cross-Site Scripting via 'bookly-customer-full-name' Cookie
CVE: CVE-2026-5513
Number of Installations: 70,000+
Affected Software: Bookly ≤ 27.2
Patched Versions: 27.3

Mitigation steps: Update to Bookly version 27.3 or greater.


Media Library Assistant – Authenticated (Contributor+) SQL Injection

Security Risk: Medium
Vulnerability: Authenticated (Contributor+) SQL Injection
CVE: CVE-2026-56012
Number of Installations: 70,000+
Affected Software: Media Library Assistant ≤ 3.35
Patched Versions: 3.36

Mitigation steps: Update to Media Library Assistant version 3.36 or greater.


SlimStat Analytics – Authenticated (Subscriber+) SQL Injection

Security Risk: Medium
Vulnerability: Authenticated (Subscriber+) SQL Injection
CVE: CVE-2026-54818
Number of Installations: 70,000+
Affected Software: SlimStat Analytics ≤ 5.4.11
Patched Versions: 5.4.12

Mitigation steps: Update to SlimStat Analytics version 5.4.12 or greater.


StatCounter – Authenticated (Contributor+) Stored Cross-Site Scripting

Security Risk: Medium
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
CVE: CVE-2026-57629
Number of Installations: 70,000+
Affected Software: StatCounter ≤ 2.1.1
Patched Versions: 2.1.2

Mitigation steps: Update to StatCounter version 2.1.2 or greater.


MaxButtons – Reflected Cross-Site Scripting via ‘view’ Parameter

Security Risk: Medium
Vulnerability: Reflected Cross-Site Scripting via 'view' Parameter
CVE: CVE-2026-13245
Number of Installations: 70,000+
Affected Software: MaxButtons ≤ 9.8.5
Patched Versions: 9.8.6

Mitigation steps: Update to MaxButtons version 9.8.6 or greater.


Media Library Assistant – Reflected Cross-Site Scripting

Security Risk: TBC
Vulnerability: Reflected Cross-Site Scripting
CVE: CVE-2026-54198
Number of Installations: 70,000+
Affected Software: Media Library Assistant ≤ 3.35
Patched Versions: 3.36

Mitigation steps: Update to Media Library Assistant version 3.36 or greater.


LearnPress – Reflected Cross-Site Scripting

Security Risk: Medium
Vulnerability: Reflected Cross-Site Scripting
CVE: CVE-2026-48865
Number of Installations: 70,000+
Affected Software: LearnPress ≤ 4.3.6
Patched Versions: 4.3.7

Mitigation steps: Update to LearnPress version 4.3.7 or greater.


LearnPress – Unauthenticated Sensitive Information Exposure via ‘c_status’ and ‘return_type’ Parameters

Security Risk: High
Vulnerability: Unauthenticated Sensitive Information Exposure via 'c_status' and 'return_type' Parameters
CVE: CVE-2026-8502
Number of Installations: 70,000+
Affected Software: LearnPress ≤ 4.3.6
Patched Versions: 4.3.7

Mitigation steps: Update to LearnPress version 4.3.7 or greater.


Database for Contact Form 7, WPforms, Elementor forms – Unauthenticated Arbitrary File Deletion via CF7 File Field POST Value

Security Risk: High
Vulnerability: Unauthenticated Arbitrary File Deletion via CF7 File Field POST Value
CVE: CVE-2026-9843
Number of Installations: 60,000+
Affected Software: Database for Contact Form 7, WPforms, Elementor forms ≤ 1.5.1
Patched Versions: 1.5.2

Mitigation steps: Update to Database for Contact Form 7, WPforms, Elementor forms version 1.5.2 or greater.


WP Maps – Authenticated (Subscriber+) Local File Inclusion

Security Risk: High
Vulnerability: Authenticated (Subscriber+) Local File Inclusion
CVE: CVE-2026-6381
Number of Installations: 60,000+
Affected Software: WP Maps < 4.9.3
Patched Versions: 4.9.3

Mitigation steps: Update to WP Maps version 4.9.3 or greater.


Appointment Booking Calendar – Unauthenticated Stored Cross-Site Scripting

Security Risk: High
Vulnerability: Unauthenticated Stored Cross-Site Scripting
CVE: CVE-2026-57317
Number of Installations: 60,000+
Affected Software: Appointment Booking Calendar ≤ 1.6.12.2
Patched Versions: 1.6.12.4

Mitigation steps: Update to Appointment Booking Calendar version 1.6.12.4 or greater.


Master Slider – Unauthenticated Stored Cross-Site Scripting

Security Risk: High
Vulnerability: Unauthenticated Stored Cross-Site Scripting
CVE: CVE-2026-56014
Number of Installations: 60,000+
Affected Software: Master Slider ≤ 3.11.2
Patched Versions: N/A

Mitigation steps: No patched version was available at the time of writing (Patched Versions: N/A). Until a fix is released, consider placing a web application firewall in front of the site to virtually patch this issue.


Drag and Drop Multiple File Upload for Contact Form 7 – Unauthenticated Stored Cross-Site Scripting

Security Risk: High
Vulnerability: Unauthenticated Stored Cross-Site Scripting
CVE: CVE-2026-49055
Number of Installations: 60,000+
Affected Software: Drag and Drop Multiple File Upload for Contact Form 7 ≤ 1.3.9.7
Patched Versions: 1.3.9.8

Mitigation steps: Update to Drag and Drop Multiple File Upload for Contact Form 7 version 1.3.9.8 or greater.


User Registration & Membership – Missing Authorization to Unauthenticated Payment Bypass

Security Risk: High
Vulnerability: Missing Authorization to Unauthenticated Payment Bypass
CVE: CVE-2026-1869
Number of Installations: 60,000+
Affected Software: User Registration & Membership ≤ 5.2.0
Patched Versions: 5.2.1

Mitigation steps: Update to User Registration & Membership version 5.2.1 or greater.


WP Maps – Authenticated (Admin+) Stored Cross-Site Scripting via ‘location_messages’ Parameter

Security Risk: Low
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting via 'location_messages' Parameter
CVE: CVE-2026-9594
Number of Installations: 60,000+
Affected Software: WP Maps ≤ 4.9.4
Patched Versions: 4.9.5

Mitigation steps: Update to WP Maps version 4.9.5 or greater.


Drag and Drop Multiple File Upload for Contact Form 7 – Authenticated (Administrator+) Stored Cross-Site Scripting via ‘drag_n_drop_text’ and ‘drag_n_drop_browse_text’ Settings

Security Risk: Low
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via 'drag_n_drop_text' and 'drag_n_drop_browse_text' Settings
CVE: CVE-2026-8991
Number of Installations: 60,000+
Affected Software: Drag and Drop Multiple File Upload for Contact Form 7 ≤ 1.3.9.7
Patched Versions: 1.3.9.8

Mitigation steps: Update to Drag and Drop Multiple File Upload for Contact Form 7 version 1.3.9.8 or greater.


Slim SEO – Missing Authorization

Security Risk: Medium
Vulnerability: Missing Authorization
CVE: CVE-2026-57429
Number of Installations: 60,000+
Affected Software: Slim SEO ≤ 4.6.2
Patched Versions: 4.7.0

Mitigation steps: Update to Slim SEO version 4.7.0 or greater.


FOX – Unauthenticated Stored Cross-Site Scripting

Security Risk: High
Vulnerability: Unauthenticated Stored Cross-Site Scripting
CVE: CVE-2026-57319
Number of Installations: 50,000+
Affected Software: FOX ≤ 1.4.8
Patched Versions: 1.4.9

Mitigation steps: Update to FOX version 1.4.9 or greater.


Blog2Social – Unauthenticated Stored Cross-Site Scripting

Security Risk: High
Vulnerability: Unauthenticated Stored Cross-Site Scripting
CVE: CVE-2026-56044
Number of Installations: 50,000+
Affected Software: Blog2Social ≤ 8.9.2
Patched Versions: 8.9.3

Mitigation steps: Update to Blog2Social version 8.9.3 or greater.


RTMKit – Authenticated (Contributor+) Missing Authorization to Arbitrary Form Submission Access via ‘entries_id’ Parameter

Security Risk: Medium
Vulnerability: Authenticated (Contributor+) Missing Authorization to Arbitrary Form Submission Access via 'entries_id' Parameter
CVE: CVE-2026-5149
Number of Installations: 50,000+
Affected Software: RTMKit ≤ 2.0.7
Patched Versions: 2.0.8

Mitigation steps: Update to RTMKit version 2.0.8 or greater.


Exclusive Addons for Elementor – Authenticated (Contributor+) Stored Cross-Site Scripting

Security Risk: Medium
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
CVE: CVE-2026-57620
Number of Installations: 50,000+
Affected Software: Exclusive Addons for Elementor ≤ 2.7.9.8
Patched Versions: 2.7.9.9

Mitigation steps: Update to Exclusive Addons for Elementor version 2.7.9.9 or greater.


Popup Box – Reflected Cross-Site Scripting

Security Risk: TBC
Vulnerability: Reflected Cross-Site Scripting
CVE: CVE-2026-54192
Number of Installations: 50,000+
Affected Software: Popup Box ≤ 6.2.9
Patched Versions: 6.3.0

Mitigation steps: Update to Popup Box version 6.3.0 or greater.


User Registration & Membership – Missing Authorization

Security Risk: Medium
Vulnerability: Missing Authorization
CVE: CVE-2026-52701
Number of Installations: 50,000+
Affected Software: User Registration & Membership ≤ 5.2.2
Patched Versions: 5.2.3

Mitigation steps: Update to User Registration & Membership version 5.2.3 or greater.


WebToffee – Unauthenticated Information Exposure

Security Risk: TBC
Vulnerability: Unauthenticated Information Exposure
CVE: CVE-2026-49056
Number of Installations: 50,000+
Affected Software: WebToffee ≤ 4.9.4
Patched Versions: 4.9.5

Mitigation steps: Update to WebToffee version 4.9.5 or greater.


Popup Box – Authenticated (Administrator+) SQL Injection

Security Risk: Low
Vulnerability: Authenticated (Administrator+) SQL Injection
CVE: CVE-2026-57631
Number of Installations: 50,000+
Affected Software: Popup Box ≤ 6.0.1
Patched Versions: 6.0.2

Mitigation steps: Update to Popup Box version 6.0.2 or greater.


Email Marketing for WooCommerce by Omnisend – Missing Authorization

Security Risk: Medium
Vulnerability: Missing Authorization
CVE: CVE-2026-57632
Number of Installations: 50,000+
Affected Software: Email Marketing for WooCommerce by Omnisend ≤ 1.19.0
Patched Versions: 1.19.1

Mitigation steps: Update to Email Marketing for WooCommerce by Omnisend version 1.19.1 or greater.


Themes


Blocksy – Authenticated (Contributor+) PHP Object Injection via Deserialization of Untrusted Data via ‘blocksy_meta’ REST API Field

Security Risk: High
Vulnerability: Authenticated (Contributor+) PHP Object Injection via Deserialization of Untrusted Data via 'blocksy_meta' REST API Field
CVE: CVE-2026-8365
Number of Installations: 300,000+
Affected Software: Blocksy ≤ 2.1.41
Patched Versions: 2.1.42

Mitigation steps: Update to Blocksy version 2.1.42 or greater.


Update your website software to reduce risk. If you cannot update to the latest version, consider using a web application firewall to patch known vulnerabilities and safeguard your site.

Source: https://blog.sucuri.net/2026/07/vulnerability-patch-roundup-june-2026.html