25 WordPress Plugin CVEs Drop in Three Days: File Deletion, SSRF, and XSS Dominate the Batch
A batch of 25 security flaws across 23 WordPress plugins was disclosed, led by a critical unauthenticated file-deletion bug in Avada Builder affecting 1 million sites.

Key findings
- 25 CVEs across 23 WordPress plugins disclosed June 19–22, 2026
- Critical unauthenticated file deletion in Avada Builder (CVE-2026-8713, CVSS 9.1) affects ~1M sites
- Three SSRF flaws found in Bit integrations, Advanced Import, and STRABL plugins
- Eight XSS bugs disclosed, including stored XSS in Transbank Webpay and BetterDocs
- Authentication bypass and privilege escalation bugs in Branda, WP Go Maps, and older plugins
- Patches available for Avada Builder, Simple File List, BetterDocs, WP Hotel Booking, and others
A batch of 25 security flaws across 23 WordPress plugins was disclosed between June 19 and 22, 2026, dominated by unauthenticated file-deletion bugs, server-side request forgery (SSRF) flaws, and a cluster of cross-site scripting (XSS) vulnerabilities that together expose millions of sites to takeover, data theft, and denial-of-service attacks.
Critical File Deletion and LFI
The most severe vulnerability in the batch is **CVE-2026-8713** in the Avada (Fusion) Builder plugin, which affects an estimated 1,000,000 active installations. The flaw, carrying a CVSS score of 9.1, allows unauthenticated attackers to delete arbitrary files on the server via insufficient path validation in the maybe_delete_files() function. Security researcher "daroo" reported the bug through the Wordfence Bug Bounty Program and received a $3,600 reward, according to the Wordfence Blog. Exploitation requires a published Avada form configured to save entries, but once triggered, an attacker can delete critical files such as wp-config.php, leading to full remote code execution. The bug was patched in version 3.15.4. Cyber Security News also reported that over 1 million sites are at risk.
Three additional file-deletion vulnerabilities were disclosed in the Simple File List plugin. **CVE-2026-11911** enables unauthenticated arbitrary file deletion via a path-traversal flaw in the eeSubFolder parameter, while **CVE-2026-11912** allows unauthenticated file modification through a missing authorization check on the simplefilelist_edit_job AJAX action. **CVE-2026-12119** is a missing-authorization bug that lets authenticated attackers (Contributor+) perform arbitrary file operations including deletion, move, folder creation, and download via the frontmanage shortcode attribute. All three affect Simple File List versions up to 6.3.7.
**CVE-2026-9843** in the Database for Contact Form 7, WPforms, Elementor forms plugin (versions ≤ 1.5.1) permits unauthenticated arbitrary file deletion via a crafted CF7 file-field POST value. Similarly, **CVE-2026-7515** in BetterDocs Pro (≤ 3.8.0) is an unauthenticated local file inclusion (LFI) vulnerability via the doc_style parameter, allowing attackers to include and execute arbitrary .php files on the server.
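The file-deletion bugs above share one root cause: a request-supplied folder or file name reaches the filesystem without being anchored to a permitted directory or gated by an authorization check. The following is an added example of the hardened pattern, not code from Avada Builder, Simple File List or any other plugin named here; the function names, the 'example-files' folder and the nonce action are assumptions.

```php
<?php
// Added example, not code from Avada Builder or Simple File List: a hardened
// AJAX delete handler whose subfolder and file name come from the request.
// Function names, the 'example-files' folder and the nonce action are assumed.

// Resolve a user-supplied subfolder/file name to an absolute path, or return
// a WP_Error if it escapes the managed base directory or is not a plain file.
function example_resolve_managed_file( string $sub_folder, string $file_name ) {
    $base = trailingslashit( wp_upload_dir()['basedir'] ) . 'example-files/';

    // Allowlist the subfolder: no '.', so '..' traversal and null bytes are out.
    if ( ! preg_match( '#\A[A-Za-z0-9_/-]*\z#', $sub_folder ) ) {
        return new WP_Error( 'bad_folder', 'Invalid subfolder.' );
    }
    $file_name = sanitize_file_name( basename( $file_name ) );
    if ( '' === $file_name ) {
        return new WP_Error( 'bad_name', 'Invalid file name.' );
    }

    // realpath() collapses symlinks; the result must still sit under the base.
    $real_base = realpath( $base );
    $real_path = realpath( $base . ltrim( $sub_folder . '/' . $file_name, '/' ) );
    if ( false === $real_base || false === $real_path
        || 0 !== strpos( $real_path, trailingslashit( $real_base ) ) ) {
        return new WP_Error( 'outside_base', 'File is outside the managed folder.' );
    }
    if ( ! is_file( $real_path ) ) {
        return new WP_Error( 'not_file', 'Not a regular file.' );
    }
    return $real_path;
}

// AJAX handler: capability check and nonce check before any filesystem access.
function example_ajax_delete_file() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'Insufficient permissions.', 403 );
    }
    check_ajax_referer( 'example_delete_file', 'nonce' );

    $sub_folder = isset( $_POST['sub_folder'] ) ? (string) wp_unslash( $_POST['sub_folder'] ) : '';
    $file_name  = isset( $_POST['file_name'] ) ? (string) wp_unslash( $_POST['file_name'] ) : '';
    $path = example_resolve_managed_file( $sub_folder, $file_name );
    if ( is_wp_error( $path ) ) {
        wp_send_json_error( $path->get_error_message(), 400 );
    }
    wp_delete_file( $path );
    wp_send_json_success();
}
// Logged-in hook only: no wp_ajax_nopriv_ registration for this action.
add_action( 'wp_ajax_example_delete_file', 'example_ajax_delete_file' );
```

The realpath() comparison is what closes the traversal case even if the allowlist regex is later loosened, and the absence of a wp_ajax_nopriv_ hook is what keeps the action away from unauthenticated callers.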
Server-Side Request Forgery (SSRF) Cluster
Three SSRF vulnerabilities were disclosed together. **CVE-2026-11989** in Bit integrations (≤ 2.8.7) allows unauthenticated attackers to make arbitrary web requests via the upload_attachment function. **CVE-2026-4328** in Advanced Import (≤ 1.4.6) requires Author+ authentication but lets attackers use wp_remote_get() to fetch user-supplied URLs without internal-network validation. **CVE-2026-3640** in the STRABL checkout plugin (≤ 4.5) registers a REST API webhook endpoint at /wp-json/strabl/webhook/order with a permission_callback of __return_true, allowing any unauthenticated request to create arbitrary webhooks.
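The three SSRF bugs combine an endpoint anyone can call with an outbound request to a caller-chosen URL. Below is an added example of a REST route that does the same job with both controls in place; it is not code from Bit integrations, Advanced Import or STRABL, and the route, option name and allowlisted host are assumptions.

```php
<?php
// Added example, not code from Bit integrations, Advanced Import or STRABL: a REST
// route that fetches a URL on the site's behalf with the two controls those flaws
// lacked, a real permission_callback and URL validation. Names are assumed.

// Hosts the integration may contact (assumed option; 'api.example.com' is a placeholder).
function example_allowed_fetch_hosts(): array {
    return (array) get_option( 'example_allowed_fetch_hosts', array( 'api.example.com' ) );
}

// Validate a user-supplied URL: http(s) only, no credentials, public address
// space (wp_http_validate_url() rejects loopback, link-local and RFC 1918
// targets and non-standard ports) and a host on the allowlist.
function example_validate_fetch_url( string $url ) {
    $url = esc_url_raw( trim( $url ), array( 'http', 'https' ) );
    if ( '' === $url || false === wp_http_validate_url( $url ) ) {
        return new WP_Error( 'unsafe_url', 'URL is not safe to fetch.', array( 'status' => 400 ) );
    }
    $host = strtolower( (string) wp_parse_url( $url, PHP_URL_HOST ) );
    if ( ! in_array( $host, example_allowed_fetch_hosts(), true ) ) {
        return new WP_Error( 'host_not_allowed', 'Host is not on the allowlist.', array( 'status' => 400 ) );
    }
    return $url;
}

function example_rest_fetch( WP_REST_Request $request ) {
    $url = example_validate_fetch_url( (string) $request->get_param( 'url' ) );
    if ( is_wp_error( $url ) ) {
        return $url;
    }
    // wp_safe_remote_get() sets reject_unsafe_urls, so redirect targets are validated too.
    $response = wp_safe_remote_get( $url, array( 'timeout' => 5, 'redirection' => 2 ) );
    if ( is_wp_error( $response ) ) {
        return $response;
    }
    return rest_ensure_response( array(
        'status' => wp_remote_retrieve_response_code( $response ),
        'body'   => wp_remote_retrieve_body( $response ),
    ) );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/fetch', array(
        'methods'             => WP_REST_Server::CREATABLE,
        'callback'            => 'example_rest_fetch',
        // Not __return_true: require a capability; cookie auth also needs the REST nonce.
        'permission_callback' => function () { return current_user_can( 'manage_options' ); },
        'args'                => array( 'url' => array( 'required' => true, 'type' => 'string' ) ),
    ) );
} );
```

The host allowlist is defence in depth on top of wp_http_validate_url(): it limits what the site will talk to even if a name later resolves to an address the built-in checks would accept.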
Cross-Site Scripting (XSS) and Information Disclosure
Eight stored and reflected XSS bugs were disclosed. **CVE-2026-6858** in Transbank Webpay (pre-1.14.0) allows unauthenticated stored XSS against administrators via unsanitized log output. Two reflected XSS flaws in Ultimate WooCommerce Auction Pro (≤ 2.4.5), **CVE-2026-4259** and **CVE-2026-4110**, target high-privilege users via the uwa_manage_auctions and uwa_auctions_bids_list parameters. **CVE-2026-12430** in Blocksy Companion (≤ 2.1.45) is a stored XSS exploitable by Editor+ users via the product_description parameter. **CVE-2026-12157** in BetterDocs (≤ 4.5.3) is a stored XSS via the blockId attribute of a Gutenberg block, requiring Contributor+ access.
**CVE-2026-10034** in WP DSGVO Tools (GDPR) (≤ 3.1.39) is a missing-authorization flaw that lets unauthenticated attackers supply an arbitrary victim email address to the subject-access-request AJAX endpoint, exposing sensitive personal data. **CVE-2026-6798** in 2Download Connector (≤ 0.1.5) exposes customer subscription data to unauthenticated users via the ToDownload_email parameter. **CVE-2026-9013** in Bogo (≤ 3.9.1) allows Subscriber+ users to extract raw post titles, content, excerpts, and passwords via a REST API endpoint.
Authentication Bypass and Privilege Escalation
**CVE-2026-11551** in Branda – White Label & Branding (≤ 3.4.29) is a critical unauthenticated privilege-escalation bug that allows account takeover by changing arbitrary user passwords without proper identity validation. **CVE-2026-12238** in WP Go Maps (≤ 10.1.01) lets unauthenticated attackers bypass authorization to create arbitrary records. Two older CVEs were also included in the batch: **CVE-2020-37255** (WordPress Time Capsule Plugin 1.21.16) and **CVE-2019-25763** (Ultimate Addons for Beaver Builder 1.2.4.1), both authentication-bypass flaws that grant administrative access to unauthenticated attackers.
Other Notable Flaws
**CVE-2026-8118** in Royal Addons for Elementor (versions 1.7.1058–1.7.1059) allows Contributor+ users to read arbitrary files via a CSV file-source flaw in the Data Table widget. **CVE-2026-9822** in WP Hotel Booking (pre-2.3.1) lets Subscriber+ users read other users' booking line items, enumerate coupons, and view pricing data through missing capability checks in AJAX handlers. **CVE-2022-50972** in WooCommerce 7.1.0 is a remote code execution vulnerability via unsanitized product-type parameter injection in class-wc-meta-box-product-images.php. **CVE-2019-25759** in the Joomla! component vBizz 1.0.7 is an SQL injection flaw.
Patch Status and Recommendations
Patches are available for the majority of the affected plugins. Avada Builder was fixed in version 3.15.4, Simple File List in 6.3.8, BetterDocs Pro in 3.8.1, BetterDocs in 4.5.4, WP Hotel Booking in 2.3.1, Transbank Webpay in 1.14.0, and WP Go Maps in 10.1.02. Administrators should update all affected plugins immediately, paying special attention to the file-deletion and SSRF bugs that require no authentication to exploit. The batch underscores the persistent risk of missing authorization checks and insufficient input validation in the WordPress ecosystem, where a single unpatched plugin can compromise an entire site.