Vypr Intelligence · AI-generated · Jun 19, 2026 · 26 CVEs

25 WordPress Plugin CVEs Drop in Two Days: Critical File Deletion, SSRF, and XSS Lead the Batch

A batch of 25 vulnerabilities across 23 WordPress plugins was disclosed June 18–19, including critical unauthenticated file deletion in Avada Builder and SSRF flaws in three plugins.

Key findings

  • 25 CVEs across 23 WordPress plugins disclosed on June 18–19, 2026
  • Critical unauthenticated file deletion in Avada Builder (CVE-2026-8713) affects ~1M sites
  • Three SSRF flaws found in Bit integrations, CF7 to Webhook, and Advanced Import
  • Stored XSS bugs present in eight plugins, most requiring Contributor+ access
  • Missing authorization flaws expose customer data in 2Download Connector and WP DSGVO Tools
  • Patches available for Avada Builder, BetterDocs, WP Hotel Booking, and others

On June 18–19, 2026, a batch of 25 distinct security flaws across 23 WordPress plugins was disclosed, spanning unauthenticated file deletion, server-side request forgery (SSRF), local file inclusion (LFI), stored and reflected cross-site scripting (XSS), missing authorization, and information exposure. The cluster, published by Wordfence and Patchstack, affects plugins with combined active installations in the millions, making it one of the larger coordinated WordPress disclosure events of the year.

Critical and High-Severity Bugs

The most severe vulnerability in the batch is **CVE-2026-8713 (CVSS 9.8), an unauthenticated arbitrary file deletion flaw in the Avada (Fusion) Builder** plugin (versions ≤ 3.15.3). Wordfence, which awarded a $3,600 bug bounty to researcher daroo, reported that exploitation requires a published Avada form configured to save entries to the database. An attacker can delete critical files such as wp-config.php, potentially leading to remote code execution. The plugin has an estimated 1,000,000 active installations, according to Wordfence.

**CVE-2026-7515 is an unauthenticated local file inclusion (LFI) vulnerability in BetterDocs Pro** (≤ 3.8.0) via the doc_style parameter, allowing attackers to include and execute arbitrary .php files on the server. **CVE-2026-6798 exposes sensitive customer subscription data in the 2Download Connector for 2DL Hosted Checkout** plugin (≤ 0.1.5) due to missing authorization checks, enabling unauthenticated access to arbitrary customer records.

Server-Side Request Forgery (SSRF) Cluster

Three plugins were found vulnerable to SSRF, allowing unauthenticated or low-privilege attackers to make web requests to internal or external resources:

  • **CVE-2026-11989 in Bit integrations** (≤ 2.8.7) — unauthenticated SSRF via the upload_attachment function.
  • **CVE-2026-11395 in CF7 to Webhook** (≤ 5.0.0) — unauthenticated SSRF via a Contact Form 7 field placeholder in the webhook URL host.
  • **CVE-2026-4328 in Advanced Import** (≤ 1.4.6) — authenticated (Author+) SSRF via the demo_file parameter.
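The CF7 to Webhook case above illustrates the general shape of plugin SSRF: a destination URL is assembled from user-supplied text and handed to the HTTP client as-is. The following is an added example, not code from any of the three plugins, showing that pattern beside a hardened dispatcher. Function names prefixed `example_` are hypothetical; the WordPress calls (`wp_parse_url`, `wp_http_validate_url`, `wp_safe_remote_post`) are core functions.

```php
<?php
// Added example (not code from Bit integrations, CF7 to Webhook or Advanced Import).

/**
 * Vulnerable pattern: form-field placeholders are substituted anywhere in the
 * URL template, so submitter text can end up in the scheme/host/port part and
 * the request is sent without validation.
 */
function example_send_webhook_unsafe( string $url_template, array $placeholders ): void {
    // $placeholders maps '{field}' => submitter-supplied text
    $url = strtr( $url_template, $placeholders );
    wp_remote_post( $url, array( 'body' => $placeholders ) );
}

/**
 * Hardened pattern: the scheme/host/port/path come only from the
 * administrator-configured URL; submitter values are URL-encoded into the
 * query string; the final URL passes wp_http_validate_url(), and the request
 * goes through wp_safe_remote_post(), which rejects loopback/private hosts
 * unless the http_request_host_is_external filter explicitly allows them.
 */
function example_send_webhook_safe( string $configured_url, array $fields ) {
    $parts = wp_parse_url( $configured_url );
    if ( empty( $parts['host'] ) || ! in_array( $parts['scheme'] ?? '', array( 'http', 'https' ), true ) ) {
        return new WP_Error( 'webhook_bad_url', 'Webhook URL must be an absolute http(s) URL.' );
    }

    // Merge submitter values into the query string only, never into the authority part.
    $query = array();
    if ( ! empty( $parts['query'] ) ) {
        parse_str( $parts['query'], $query );
    }
    foreach ( $fields as $name => $value ) {
        $query[ $name ] = (string) $value;
    }

    $url = $parts['scheme'] . '://' . $parts['host']
         . ( isset( $parts['port'] ) ? ':' . $parts['port'] : '' )
         . ( $parts['path'] ?? '/' )
         . '?' . http_build_query( $query );

    // Explicit check so the caller gets a clear error; wp_safe_remote_post()
    // repeats the same validation internally (reject_unsafe_urls => true).
    if ( false === wp_http_validate_url( $url ) ) {
        return new WP_Error( 'webhook_rejected', 'Webhook URL failed SSRF validation.' );
    }

    return wp_safe_remote_post( $url, array(
        'timeout'     => 5,
        'redirection' => 0, // a redirect would otherwise re-open the door to internal hosts
        'body'        => $fields,
    ) );
}
```

The two design points are that the authority part of the URL is never derived from request data, and that redirects are disabled, since a validated external host can still bounce the client to an internal address if redirection is followed.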

Stored and Reflected Cross-Site Scripting

Stored XSS vulnerabilities were found in multiple plugins, most requiring authenticated access at Contributor level or above:

  • **CVE-2026-12157 in BetterDocs** (≤ 4.5.3), via the blockId Gutenberg block attribute.
  • **CVE-2026-1856 in Appointment Booking Calendar** (≤ 1.4.4), via custom booking field labels.
  • **CVE-2026-2021 in Slideshow Gallery LITE** (≤ 1.8.5), via the alwaysauto shortcode attribute.
  • **CVE-2026-8039 in Fancy Testimonials** (≤ 1.0), via the author shortcode attribute.
  • **CVE-2026-12098 in PowerPress Podcasting by Blubrry** (≤ 11.16.8), via the embed episode meta field.
  • **CVE-2026-12430 in Blocksy Companion** (≤ 2.1.45), via admin settings (Editor+).
  • **CVE-2026-56009 in Bricksable for Bricks Builder** (≤ 1.6.83).
  • **CVE-2026-56007 in Ocean Product Sharing** (≤ 2.2.2).

A reflected XSS flaw, **CVE-2026-12137, affects SysBasics Customize My Account for WooCommerce** (≤ 4.3.6) via the tab parameter.
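Why Contributor-level access is enough for most of these: WordPress filters a Contributor's post content through KSES, but a shortcode attribute is plain text that the plugin itself turns into markup, so any attribute echoed without escaping lands in the page unfiltered. The block below is an added example, not code from Fancy Testimonials, Slideshow Gallery LITE or SysBasics, and the `example_` names are hypothetical; it shows a raw-echo shortcode beside an escaped one, plus an allowlisted handling of a reflected request parameter.

```php
<?php
// Added example, not code from any plugin in the batch.

// Vulnerable: the attribute is concatenated into HTML as-is.
function example_testimonial_shortcode_unsafe( $atts ) {
    $atts = shortcode_atts( array( 'author' => '' ), $atts, 'example_testimonial' );
    return '<cite class="author">' . $atts['author'] . '</cite>';
}

// Hardened: escape at output, for the context the value lands in, and map
// free text to a fixed vocabulary where the attribute is really a flag.
function example_testimonial_shortcode_safe( $atts ) {
    $atts = shortcode_atts(
        array( 'author' => '', 'always_auto' => 'false' ),
        $atts,
        'example_testimonial'
    );
    $author = esc_html( $atts['author'] );                           // HTML body context
    $auto   = ( 'true' === $atts['always_auto'] ) ? 'true' : 'false'; // not echoed text
    return sprintf( '<cite class="author" data-auto="%s">%s</cite>', esc_attr( $auto ), $author );
}
add_shortcode( 'example_testimonial', 'example_testimonial_shortcode_safe' );

// Reflected variant: a query parameter selects a tab. Resolve it against an
// allowlist of known tabs instead of echoing the parameter back.
function example_account_tab_heading_safe(): string {
    $tab    = isset( $_GET['tab'] ) ? sanitize_key( wp_unslash( $_GET['tab'] ) ) : 'dashboard';
    $labels = array( 'dashboard' => 'Dashboard', 'orders' => 'Orders' );
    $label  = $labels[ $tab ] ?? $labels['dashboard'];
    return '<h2>' . esc_html( $label ) . '</h2>';
}
```

Sanitizing on save (`sanitize_text_field`) is worth doing as well, but output escaping is the control that actually decides whether the stored value can execute, and it has to match the context: `esc_html` for element content, `esc_attr` for attribute values, `esc_url` for href/src.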

Missing Authorization and Information Exposure

Several plugins failed to enforce proper capability or ownership checks:

  • **CVE-2026-3640 in STRABL** (≤ 4.5) registers a REST API webhook endpoint with __return_true as the permission callback, allowing unauthenticated arbitrary webhook creation.
  • **CVE-2026-10034 in WP DSGVO Tools (GDPR)** (≤ 3.1.39) lets unauthenticated attackers supply an arbitrary victim email address to trigger subject-access requests, exposing personal data.
  • **CVE-2026-9822 in WP Hotel Booking** (< 2.3.1) lacks capability checks in AJAX handlers, allowing Subscriber-level users to read other users' booking data and coupons.
  • **CVE-2026-9013 in Bogo** (≤ 3.9.1) exposes raw post titles, content, excerpts, and passwords via a REST API endpoint to Subscriber+ users.
  • **CVE-2026-10779 in Classified Listing** (≤ 5.4.2) allows Subscriber+ users to modify gallery features via missing ownership checks.
  • **CVE-2026-12102 in UsersWP** (≤ 1.2.63) has an Insecure Direct Object Reference (IDOR) allowing Editor+ users to reset arbitrary user avatars and banners.
  • **CVE-2026-12111 in Appointment Booking Calendar** (≤ 1.4.01) exposes sensitive booking information to Contributor+ users due to missing ownership checks.
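The entries above fall into two sub-classes: no capability check at all (the `__return_true` permission callback) and a capability check without an ownership check (the IDOR and booking-data cases). The following added example, not code from STRABL, WP Hotel Booking or the other plugins listed, shows a REST route with a real permission callback and an AJAX handler that checks both capability and record ownership. It assumes a hypothetical `example_booking` post type that stores the customer's user ID in a `_customer_id` meta key.

```php
<?php
// Added example, not code from any plugin in the batch.

// Vulnerable registration, shown only as a comment so this file never opens it:
//   'permission_callback' => '__return_true'
// lets any visitor, logged in or not, reach the callback.

add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/webhooks', array(
        'methods'             => 'POST',
        'callback'            => 'example_create_webhook',
        // Capability check. Cookie-authenticated REST requests also need a valid
        // X-WP-Nonce header, which core enforces, so CSRF is handled there.
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
        'args' => array(
            'url' => array(
                'required'          => true,
                'validate_callback' => function ( $value ) {
                    return false !== wp_http_validate_url( $value ); // no internal targets
                },
                'sanitize_callback' => 'esc_url_raw',
            ),
        ),
    ) );
} );

function example_create_webhook( WP_REST_Request $request ) {
    $urls   = get_option( 'example_webhooks', array() );
    $urls[] = $request->get_param( 'url' );
    update_option( 'example_webhooks', $urls );
    return rest_ensure_response( array( 'count' => count( $urls ) ) );
}

// AJAX handler: nonce (CSRF), then capability OR ownership, so a Subscriber can
// read their own booking but not another customer's.
add_action( 'wp_ajax_example_get_booking', function () {
    check_ajax_referer( 'example_get_booking', 'nonce' );

    $booking_id = isset( $_POST['booking_id'] ) ? absint( $_POST['booking_id'] ) : 0;
    $booking    = get_post( $booking_id );
    if ( ! $booking || 'example_booking' !== $booking->post_type ) {
        wp_send_json_error( 'not found', 404 );
    }

    $owner_id = (int) get_post_meta( $booking_id, '_customer_id', true );
    if ( get_current_user_id() !== $owner_id && ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    wp_send_json_success( array(
        'id'     => $booking_id,
        'status' => $booking->post_status,
    ) );
} );
```

The ownership comparison is the line the IDOR entries above are missing: a capability check alone answers "may this role use the feature", not "may this user touch this record".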

File Read, CSRF, and Other Flaws

  • **CVE-2026-8118 in Royal Addons for Elementor** (1.7.1058–1.7.1059) allows authenticated (Contributor+) arbitrary file read via a CSV file source in the Data Table widget. This was introduced as a side effect of a patch for an earlier vulnerability, CVE-2026-6229.
  • **CVE-2026-7547 in Woosa** (≤ 2.0.5) allows Administrator+ arbitrary file read via path traversal in the log_file parameter.
  • **CVE-2026-11775 in User Admin Simplifier** (≤ 3.0.0) is vulnerable to Cross-Site Request Forgery (CSRF), enabling unauthenticated attackers to reset and permanently delete plugin settings.
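A file parameter such as `log_file` and an unprotected settings-reset action are both fixed with the same small set of controls: confine the resolved path to one directory, and require a nonce on anything that changes state. The block below is an added example, not code from Woosa, Royal Addons or User Admin Simplifier; the `example_` function and option names are hypothetical, and the log directory under `wp-content/uploads` is an assumption.

```php
<?php
// Added example, not code from any plugin in the batch.

// Only files directly inside this directory may be served. (Assumed location.)
function example_log_dir(): string {
    return trailingslashit( wp_upload_dir()['basedir'] ) . 'example-logs/';
}

/**
 * Resolve a user-supplied log name to a canonical path inside the log
 * directory, or return WP_Error. Rejects separators, traversal and
 * symlinks that point outside the directory.
 */
function example_resolve_log_file( string $name ) {
    if ( '' === $name || $name !== basename( $name ) ) {
        return new WP_Error( 'bad_name', 'Log name must be a bare file name.' );
    }
    if ( ! preg_match( '/^[A-Za-z0-9._-]+\.log$/', $name ) ) {
        return new WP_Error( 'bad_name', 'Only .log files may be read.' );
    }
    $base = realpath( example_log_dir() );
    $path = realpath( example_log_dir() . $name );
    // realpath() collapses ".." and follows symlinks; the result must stay under $base.
    if ( false === $base || false === $path || 0 !== strpos( $path, $base . DIRECTORY_SEPARATOR ) ) {
        return new WP_Error( 'outside_dir', 'Resolved path escapes the log directory.' );
    }
    return $path;
}

add_action( 'admin_post_example_view_log', function () {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden', 403 );
    }
    check_admin_referer( 'example_view_log' ); // dies unless _wpnonce matches
    $name = sanitize_file_name( wp_unslash( $_GET['log_file'] ?? '' ) );
    $path = example_resolve_log_file( $name );
    if ( is_wp_error( $path ) ) {
        wp_die( esc_html( $path->get_error_message() ), 400 );
    }
    header( 'Content-Type: text/plain; charset=utf-8' );
    readfile( $path );
    exit;
} );

// Settings reset: state-changing, so a capability check alone is not enough.
// Without the nonce a logged-in admin could be made to trigger it from another site.
add_action( 'admin_post_example_reset_settings', function () {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden', 403 );
    }
    check_admin_referer( 'example_reset_settings' );
    delete_option( 'example_settings' );
    wp_safe_redirect( add_query_arg( 'reset', '1', admin_url( 'options-general.php?page=example' ) ) );
    exit;
} );

// The link or form that triggers the reset must carry the matching nonce, e.g.
// wp_nonce_url( admin_url( 'admin-post.php?action=example_reset_settings' ), 'example_reset_settings' )
```

The `realpath` comparison is the part that closes the traversal case regardless of how the name was encoded, because it operates on the filesystem's view of the path rather than on the string the request supplied; the regex and `basename` checks in front of it just give clearer errors.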

Patch Status and Mitigations

At the time of disclosure, patched versions were available for several plugins: WP Hotel Booking (fixed in 2.3.1), Avada (Fusion) Builder (fixed in 3.15.4), BetterDocs (fixed in 4.5.4), BetterDocs Pro (fixed in 3.8.1), Blocksy Companion (fixed in 2.1.46), and Royal Addons for Elementor (fixed in 1.7.1060). Administrators of all affected plugins should update to the latest available versions immediately. For plugins where no patch is yet listed, users should disable the plugin or apply virtual patching via a web application firewall (WAF) until an update is released.

Bottom Line

This 25-CVE disclosure event underscores the persistent challenge of securing the WordPress plugin ecosystem, where a single missing capability check or unsanitized input can expose millions of sites to takeover, data theft, or defacement. The inclusion of critical unauthenticated file deletion and SSRF flaws — both of which can lead to remote code execution — makes this batch particularly urgent for site owners running any of the affected plugins.

AI-written article. Grounded in 26 CVE records listed below.