Vypr Intelligence · AI-generated · Jun 13, 2026 · 25 CVEs

WordPress Plugin Ecosystem: 25 CVEs Disclosed in Two-Day Wave, Three Critical

A coordinated disclosure wave of 25 WordPress plugin CVEs lands over two days, including three critical-severity bugs in Amasty Order Attributes, Hippoo WooCommerce, and JoomSport.

Key findings

  • 25 CVEs disclosed across WordPress plugins and themes in a 48-hour window
  • Three critical-severity flaws: Amasty Order Attributes (9.8), Hippoo WooCommerce (9.8), JoomSport SQLi (9.3)
  • Stored XSS is the most common bug class, affecting Bookly, GPTranslate, Pagelayer, and others
  • Two unauthenticated SSRF bugs in Fediverse Embeds plugin (CVE-2026-46697, CVE-2026-46698)
  • Older CVEs from 2022–2023 included in the batch, suggesting a coordinated disclosure cleanup
  • Patches available for all 25 CVEs; Bookly and GPTranslate updates critical for unauthenticated XSS

On June 11–13, 2026, a wave of 25 security advisories landed for the WordPress ecosystem, covering plugins and themes spanning e-commerce, page building, caching, and multimedia. The batch, disclosed primarily through Patchstack and Wordfence, includes three critical-severity flaws and a cluster of stored cross-site scripting (XSS) bugs that together affect hundreds of thousands of active installations.

Critical Flaws: File Upload, SQL Injection, and Privilege Escalation

Three CVEs in this batch carry a CVSS score of 9.0 or higher. CVE-2026-53787 (CVSS 9.8) affects Amasty Order Attributes for Magento 2 (versions before 4.0.0) and allows unauthenticated attackers to upload arbitrary files to the store's media directory — a classic path to remote code execution on a Magento storefront. CVE-2026-49060 (CVSS 9.8) targets the Hippoo Mobile App for WooCommerce (up to 1.9.4) with an incorrect privilege assignment that enables privilege escalation. Two blind SQL injection bugs round out the critical tier: CVE-2026-42647 (CVSS 9.3) in Beardev JoomSport (up to 5.7.7) and CVE-2026-39494 (CVSS 9.3) in Product Filter by WBW (up to 3.1.2) — both can leak database contents through unauthenticated or low-privilege queries.

Stored XSS Dominates the Medium-to-High Range

Stored cross-site scripting is the most common vulnerability class in this batch, appearing in at least eight advisories. CVE-2026-5513 (CVSS 7.2) in Bookly (up to 27.2) allows unauthenticated attackers to inject malicious scripts via the bookly-customer-full-name cookie. CVE-2026-9109 (CVSS 7.2) in GPTranslate (up to 2.31) stores unsanitized translation data through REST API endpoints. Other XSS bugs affect Canvas (CVE-2026-9629), Pagelayer (CVE-2026-3297), FooGallery (CVE-2026-9134), Presto Player (CVE-2026-9125), SliceWP (CVE-2026-42653), and the Store Locator plugin (CVE-2026-9061). Most require contributor-level or higher access, but the Bookly and GPTranslate flaws are exploitable by unauthenticated users, making them particularly dangerous for sites with public-facing forms or translation widgets.

SQL Injection and File Disclosure

Beyond the two critical SQLi bugs, CVE-2026-9848 (CVSS 7.5) in WP Ticket (up to 6.0.4) exposes a SQL injection vector through the WordPress search query parameter (s). The plugin hooks into posts_request without proper sanitization, allowing unauthenticated attackers to inject SQL commands. On the file-disclosure front, CVE-2026-9062 in Store Locator (fixed in 1.6.9) lets administrators read arbitrary .php files, including wp-config.php, while CVE-2026-12089 in LWS Optimize (up to 3.3.19) enables arbitrary file read by harvesting <link> tags from page HTML.

Authorization and CSRF Gaps

Several older CVEs — some dating back to 2022 and 2023 — were published in this batch, likely as part of a coordinated disclosure cleanup. CVE-2023-32959 (MetroStore), CVE-2023-25969 (Contact Form & Lead Form Elementor Builder), and CVE-2022-45813 (Advanced AJAX Product Filters) all involve missing authorization checks. CVE-2022-47150 in WooCommerce Conversion Tracking (up to 2.0.10) is a cross-site request forgery (CSRF) flaw. CVE-2026-24618 in Hash Elements (up to 1.5.4) exposes sensitive system information. CVE-2026-2470 in Pagelayer (up to 2.0.9) allows incorrect authorization via the pagelayer_save_content AJAX handler.

Fediverse Embeds: Server-Side Request Forgery (SSRF)

The Fediverse Embeds plugin (versions prior to 1.5.9) received two advisories: CVE-2026-46698 (CVSS 5.3) for an unauthenticated AJAX action that fetches attacker-supplied URLs, and CVE-2026-46697 (CVSS 7.5) for an unauthenticated REST route that proxies base64-encoded URLs without validation — both enabling server-side request forgery (SSRF) attacks.

Patch Status and Recommendations

Vendor patches are available for all 25 CVEs. Site administrators should prioritize the three critical-severity flaws — Amasty Order Attributes (update to 4.0.0+), Hippoo Mobile App for WooCommerce (update beyond 1.9.4), and the SQLi bugs in JoomSport (5.7.8+) and Product Filter by WBW (3.1.3+). The unauthenticated XSS in Bookly (27.3+) and GPTranslate (2.32+) also warrant immediate attention. For plugins without version bumps listed (e.g., Fediverse Embeds, Presto Player), updating to the latest available release is advised.

This batch underscores the ongoing challenge of securing the WordPress plugin ecosystem, where a single plugin — especially one handling e-commerce, forms, or media — can introduce critical vulnerabilities. Administrators should audit their active plugin list against the affected versions and apply patches promptly.
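To support the audit recommended above, the following is an added Python example (not part of this article or of any vendor's tooling) that compares the active plugins reported by wp-cli's JSON output against the affected version ranges stated in this article. The plugin-name keys and the sample input are constructed for illustration; real `wp plugin list` output reports slugs rather than display names, so the keys would need mapping to the slugs installed on your site.

```python
import json
import re

# Affected ranges as stated in the article: "up_to" = vulnerable through that version
# (inclusive), "before" = vulnerable on anything below the stated fix version.
# Keys are plugin names as written in the article, not wordpress.org slugs (assumption).
AFFECTED = {
    "Hippoo Mobile App for WooCommerce": ("up_to", "1.9.4", "CVE-2026-49060"),
    "JoomSport": ("up_to", "5.7.7", "CVE-2026-42647"),
    "Product Filter by WBW": ("up_to", "3.1.2", "CVE-2026-39494"),
    "Bookly": ("up_to", "27.2", "CVE-2026-5513"),
    "GPTranslate": ("up_to", "2.31", "CVE-2026-9109"),
    "WP Ticket": ("up_to", "6.0.4", "CVE-2026-9848"),
    "Store Locator": ("before", "1.6.9", "CVE-2026-9062"),
    "Fediverse Embeds": ("before", "1.5.9", "CVE-2026-46697"),
}

def parse_version(v):
    """'27.2' -> (27, 2); '1.9.4-beta1' -> (1, 9, 4). Tuples compare numerically,
    so 1.5.10 is newer than 1.5.9 (a plain string comparison would get this wrong)."""
    return tuple(int(n) for n in re.findall(r"\d+", v.split("-")[0]))

def is_affected(name, version):
    """Return the CVE id if the installed version lies in the stated affected range, else None."""
    entry = AFFECTED.get(name)
    if entry is None:
        return None
    kind, bound, cve = entry
    installed, limit = parse_version(version), parse_version(bound)
    if (kind == "up_to" and installed <= limit) or (kind == "before" and installed < limit):
        return cve
    return None

def audit(plugin_list_json):
    """Take the JSON from `wp plugin list --fields=name,version,status --format=json`
    and return [(name, version, cve)] for active plugins still on an affected version."""
    findings = []
    for p in json.loads(plugin_list_json):
        cve = is_affected(p["name"], p["version"]) if p.get("status") == "active" else None
        if cve:
            findings.append((p["name"], p["version"], cve))
    return findings

# Constructed sample input, not real wp-cli output.
SAMPLE = json.dumps([
    {"name": "Bookly", "version": "27.2", "status": "active"},
    {"name": "GPTranslate", "version": "2.32", "status": "active"},
    {"name": "Fediverse Embeds", "version": "1.5.10", "status": "active"},
    {"name": "Store Locator", "version": "1.6.8", "status": "active"},
    {"name": "WP Ticket", "version": "6.0.4", "status": "inactive"},
])
```

Feed `audit()` the real wp-cli output to get the list of active plugins that still need updating; inactive plugins are skipped here but should still be updated or removed.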

AI-written article. Grounded in 25 CVE records listed below.