25 WordPress Plugin CVEs Drop in Two Days: Critical File Deletion, SSRF, and XSS Lead the Batch
Key findings
- 25 CVEs across 23 WordPress plugins disclosed on June 18–19, 2026
- Critical unauthenticated file deletion in Avada Builder (CVE-2026-8713) affects ~1M sites
- Three SSRF flaws found in Bit integrations, CF7 to Webhook, and Advanced Import
- Stored XSS bugs present in eight plugins, most requiring Contributor+ access
- Missing authorization flaws expose customer data in 2Download Connector and WP DSGVO Tools
- Patches available for Avada Builder, BetterDocs, WP Hotel Booking, and others
On June 18–19, 2026, a batch of 25 distinct security flaws across 23 WordPress plugins was disclosed, spanning unauthenticated file deletion, server-side request forgery (SSRF), local file inclusion (LFI), stored and reflected cross-site scripting (XSS), missing authorization, and information exposure. The cluster, published by Wordfence and Patchstack, affects plugins with combined active installations in the millions, making it one of the larger coordinated WordPress disclosure events of the year.
Critical and High-Severity Bugs
The most severe vulnerability in the batch is **CVE-2026-8713 (CVSS 9.8), an unauthenticated arbitrary file deletion flaw in the Avada (Fusion) Builder** plugin (versions ≤ 3.15.3). Wordfence, which awarded a $3,600 bug bounty to researcher daroo, reported that exploitation requires a published Avada form configured to save entries to the database. An attacker can delete critical files such as wp-config.php, potentially leading to remote code execution. According to Wordfence, the plugin has an estimated 1,000,000 active installations.
**CVE-2026-7515 is an unauthenticated local file inclusion (LFI) vulnerability in BetterDocs Pro** (≤ 3.8.0) via the doc_style parameter, allowing attackers to include and execute arbitrary .php files on the server. **CVE-2026-6798 exposes sensitive customer subscription data in the 2Download Connector for 2DL Hosted Checkout** plugin (≤ 0.1.5) due to missing authorization checks, enabling unauthenticated access to arbitrary customer records.
Server-Side Request Forgery (SSRF) Cluster
Three plugins were found vulnerable to SSRF, allowing unauthenticated or low-privilege attackers to make web requests to internal or external resources:
- **CVE-2026-11989 in Bit integrations** (≤ 2.8.7) — unauthenticated SSRF via the `upload_attachment` function.
- **CVE-2026-11395 in CF7 to Webhook** (≤ 5.0.0) — unauthenticated SSRF via a Contact Form 7 field placeholder in the webhook URL host.
- **CVE-2026-4328 in Advanced Import** (≤ 1.4.6) — authenticated (Author+) SSRF via the `demo_file` parameter.
Stored and Reflected Cross-Site Scripting
Stored XSS vulnerabilities were found in multiple plugins, most requiring authenticated access at Contributor level or above:
- **CVE-2026-12157 — BetterDocs** (≤ 4.5.3), via the `blockId` Gutenberg block attribute.
- **CVE-2026-1856 — Appointment Booking Calendar** (≤ 1.4.4), via custom booking field labels.
- **CVE-2026-2021 — Slideshow Gallery LITE** (≤ 1.8.5), via the `alwaysauto` shortcode attribute.
- **CVE-2026-8039 — Fancy Testimonials** (≤ 1.0), via the `author` shortcode attribute.
- **CVE-2026-12098 — PowerPress Podcasting by Blubrry** (≤ 11.16.8), via the `embed` episode meta field.
- **CVE-2026-12430 — Blocksy Companion** (≤ 2.1.45), via admin settings (Editor+).
- **CVE-2026-56009 — Bricksable for Bricks Builder** (≤ 1.6.83).
- **CVE-2026-56007 — Ocean Product Sharing** (≤ 2.2.2).
A reflected XSS flaw, **CVE-2026-12137, affects SysBasics Customize My Account for WooCommerce** (≤ 4.3.6) via the tab parameter.
Missing Authorization and Information Exposure
Several plugins failed to enforce proper capability or ownership checks:
- **CVE-2026-3640 — STRABL** (≤ 4.5) registers a REST API webhook endpoint with `__return_true` as the permission callback, allowing unauthenticated arbitrary webhook creation.
- **CVE-2026-10034 — WP DSGVO Tools (GDPR)** (≤ 3.1.39) lets unauthenticated attackers supply an arbitrary victim email address to trigger subject-access requests, exposing personal data.
- **CVE-2026-9822 — WP Hotel Booking** (< 2.3.1) lacks capability checks in AJAX handlers, allowing Subscriber-level users to read other users' booking data and coupons.
- **CVE-2026-9013 — Bogo** (≤ 3.9.1) exposes raw post titles, content, excerpts, and passwords via a REST API endpoint to Subscriber+ users.
- **CVE-2026-10779 — Classified Listing** (≤ 5.4.2) allows Subscriber+ users to modify gallery features via missing ownership checks.
- **CVE-2026-12102 — UsersWP** (≤ 1.2.63) has an Insecure Direct Object Reference (IDOR) allowing Editor+ users to reset arbitrary user avatars and banners.
- **CVE-2026-12111 — Appointment Booking Calendar** (≤ 1.4.01) exposes sensitive booking information to Contributor+ users due to missing ownership checks.
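The STRABL bug above is a pattern that is easy to audit for in any plugin's source: a `register_rest_route()` call whose `permission_callback` is `__return_true` (or is missing entirely, which WordPress treats as a public route) makes the endpoint reachable by anyone. The script below is an added example for defensive code review, not code from the advisory or from any plugin named in it. It scans PHP source for REST route registrations and reports the ones with no real capability check, rating write-capable routes (POST/PUT/DELETE, `CREATABLE`, `EDITABLE`, `DELETABLE`) higher than read-only ones. The embedded PHP sample is constructed for the demonstration; the regex matching is a heuristic and can be confused by a closure body that contains `);`, so treat its output as a review list rather than a verdict.

```python
"""Audit PHP plugin source for REST routes whose permission_callback lets anyone in.

Added, constructed example for defensive code review; the PHP snippet below is
made up for illustration and is not taken from any plugin named in the advisory.
"""
import re
from pathlib import Path

# One register_rest_route(...) call, spanning lines, up to the first ");".
# Heuristic: a closure body containing ");" truncates the capture, which only
# causes a false positive if 'permission_callback' comes after that closure.
ROUTE_RE = re.compile(r"register_rest_route\s*\((.*?)\)\s*;", re.DOTALL)
# Values of the 'permission_callback' and 'methods' keys inside the args array.
PERM_RE = re.compile(r"""['"]permission_callback['"]\s*=>\s*([^,\n]+)""")
METHODS_RE = re.compile(r"""['"]methods['"]\s*=>\s*([^,\n]+)""")
# The first two string literals of the call are the namespace and the route.
STRINGS_RE = re.compile(r"""['"]([^'"]*)['"]""")

# Tokens that indicate the route changes state; public + writable is the bad case.
WRITE_HINTS = ("POST", "PUT", "PATCH", "DELETE", "EDITABLE",
               "CREATABLE", "DELETABLE", "ALLMETHODS")


def audit_rest_routes(source: str) -> list[dict]:
    """Return one finding per route that is served without a capability check."""
    findings = []
    for m in ROUTE_RE.finditer(source):
        args = m.group(1)
        line = source.count("\n", 0, m.start()) + 1
        strings = STRINGS_RE.findall(args)
        route = strings[0] + strings[1] if len(strings) >= 2 else "?"
        methods = METHODS_RE.search(args)
        methods_text = methods.group(1).strip() if methods else "GET (default)"
        perm = PERM_RE.search(args)
        if perm is None:
            reason = "no permission_callback: route is served to everyone"
        elif "__return_true" in perm.group(1):
            reason = "permission_callback is __return_true: route is public by design"
        else:
            continue  # some real check exists; still worth a human look
        writes = any(h in methods_text.upper() for h in WRITE_HINTS)
        findings.append({
            "line": line,
            "route": route,
            "methods": methods_text,
            "severity": "high" if writes else "info",
            "reason": reason,
        })
    return findings


def audit_plugin_dir(plugin_dir: str) -> list[dict]:
    """Walk a plugin directory and audit every .php file in it."""
    results = []
    for path in sorted(Path(plugin_dir).rglob("*.php")):
        for f in audit_rest_routes(path.read_text(errors="replace")):
            results.append({"file": str(path), **f})
    return results


# Constructed PHP with three routes: a public write route (the same mistake the
# STRABL advisory describes), a read-only public route, and a guarded route.
SAMPLE_PHP = r"""<?php
add_action( 'rest_api_init', function () {
    register_rest_route( 'demo/v1', '/webhooks', array(
        'methods'             => WP_REST_Server::CREATABLE,
        'callback'            => 'demo_create_webhook',
        'permission_callback' => '__return_true',
    ) );
    register_rest_route( 'demo/v1', '/status', array(
        'methods'  => 'GET',
        'callback' => 'demo_status',
    ) );
    register_rest_route( 'demo/v1', '/settings', array(
        'methods'             => 'POST',
        'callback'            => 'demo_save_settings',
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
    ) );
} );
"""

if __name__ == "__main__":
    for f in audit_rest_routes(SAMPLE_PHP):
        print(f"line {f['line']:>3} [{f['severity']}] {f['route']} "
              f"({f['methods']}): {f['reason']}")
```

Run it against a real install with `audit_plugin_dir("wp-content/plugins/some-plugin")`; an `info` finding on a GET route may be intentional (public read APIs exist), but a `high` finding on a route that creates or deletes data is exactly the class of bug listed in this section and should be guarded with `current_user_can()` or a nonce-backed check.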
File Read, CSRF, and Other Flaws
- **CVE-2026-8118 — Royal Addons for Elementor** (1.7.1058–1.7.1059) allows authenticated (Contributor+) arbitrary file read via a CSV file source in the Data Table widget. This was introduced as a side effect of a patch for an earlier vulnerability, CVE-2026-6229.
- **CVE-2026-7547 — Woosa** (≤ 2.0.5) allows Administrator+ arbitrary file read via path traversal in the `log_file` parameter.
- **CVE-2026-11775 — User Admin Simplifier** (≤ 3.0.0) is vulnerable to Cross-Site Request Forgery (CSRF), enabling unauthenticated attackers to reset and permanently delete plugin settings.
Patch Status and Mitigations
At the time of disclosure, patched versions were available for several plugins: WP Hotel Booking (fixed in 2.3.1), Avada (Fusion) Builder (fixed in 3.15.4), BetterDocs (fixed in 4.5.4), BetterDocs Pro (fixed in 3.8.1), Blocksy Companion (fixed in 2.1.46), and Royal Addons for Elementor (fixed in 1.7.1060). Administrators of all affected plugins should update to the latest available versions immediately. For plugins where no patch is yet listed, users should disable the plugin or apply virtual patching via a web application firewall (WAF) until an update is released.
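Turning the patch table above into a per-site check is mostly a version-comparison problem, complicated by ranges like Royal Addons' `1.7.1058–1.7.1059` (earlier builds are not affected) and by plugins with no fix listed. The script below is an added example, not a tool from Wordfence or Patchstack. It reads the JSON that WP-CLI's `wp plugin list --format=json` prints (the `name`, `status` and `version` fields are assumed here; the sample input is constructed), matches installed plugins against the affected ranges and fixed versions stated in this article, and prints the action the section recommends: update where a fix exists, otherwise deactivate or virtually patch. The plugin slugs in the table are assumptions and must be checked against the actual plugin folder names on the site.

```python
"""Triage installed WordPress plugins against the June 18-19, 2026 advisory batch.

Added example, not from the advisory's authors. Input is the JSON printed by
`wp plugin list --format=json` (a constructed sample is embedded below).
Slugs are ASSUMED and must be verified against the real plugin directories.
"""
import json
import sys


def vtuple(v: str) -> tuple:
    """'1.7.1058' -> (1, 7, 1058); non-digits are dropped so comparison stays numeric."""
    parts = []
    for p in v.split("."):
        digits = "".join(ch for ch in p if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def version_affected(installed: str, spec: tuple) -> bool:
    """spec is ('le', max), ('lt', bound) or ('between', low, high), bounds inclusive."""
    v = vtuple(installed)
    kind = spec[0]
    if kind == "le":
        return v <= vtuple(spec[1])
    if kind == "lt":
        return v < vtuple(spec[1])
    if kind == "between":
        return vtuple(spec[1]) <= v <= vtuple(spec[2])
    raise ValueError(f"unknown spec kind {kind!r}")


# (assumed slug, CVE, plugin name, affected range, fixed version or None),
# taken from the ranges and fixed versions stated in the article.
ADVISORY = [
    ("fusion-builder", "CVE-2026-8713", "Avada (Fusion) Builder", ("le", "3.15.3"), "3.15.4"),
    ("betterdocs-pro", "CVE-2026-7515", "BetterDocs Pro", ("le", "3.8.0"), "3.8.1"),
    ("betterdocs", "CVE-2026-12157", "BetterDocs", ("le", "4.5.3"), "4.5.4"),
    ("blocksy-companion", "CVE-2026-12430", "Blocksy Companion", ("le", "2.1.45"), "2.1.46"),
    ("royal-elementor-addons", "CVE-2026-8118", "Royal Addons for Elementor",
     ("between", "1.7.1058", "1.7.1059"), "1.7.1060"),
    ("wp-hotel-booking", "CVE-2026-9822", "WP Hotel Booking", ("lt", "2.3.1"), "2.3.1"),
    ("bit-integrations", "CVE-2026-11989", "Bit integrations", ("le", "2.8.7"), None),
    ("cf7-to-webhook", "CVE-2026-11395", "CF7 to Webhook", ("le", "5.0.0"), None),
]


def triage(plugin_list_json: str) -> list[dict]:
    """Match installed plugins to the advisory and return the recommended action for each hit."""
    installed = {p["name"]: p for p in json.loads(plugin_list_json)}
    report = []
    for slug, cve, name, spec, fixed in ADVISORY:
        p = installed.get(slug)
        if p is None or not version_affected(p["version"], spec):
            continue
        if fixed:
            action = f"update to {fixed}"
        elif p.get("status") == "active":
            action = "no fix listed: deactivate or apply WAF virtual patch"
        else:
            action = "no fix listed: already inactive, keep it off or delete it"
        report.append({"slug": slug, "cve": cve, "plugin": name,
                       "installed": p["version"], "action": action})
    return report


# Constructed sample of `wp plugin list --format=json` output.
SAMPLE_WP_PLUGIN_LIST = json.dumps([
    {"name": "fusion-builder", "status": "active", "update": "available", "version": "3.15.3"},
    {"name": "betterdocs", "status": "active", "update": "none", "version": "4.5.4"},
    {"name": "royal-elementor-addons", "status": "active", "update": "available", "version": "1.7.1057"},
    {"name": "wp-hotel-booking", "status": "inactive", "update": "available", "version": "2.2.9"},
    {"name": "cf7-to-webhook", "status": "active", "update": "none", "version": "4.9.2"},
    {"name": "akismet", "status": "active", "update": "none", "version": "5.3"},
])

if __name__ == "__main__":
    # Pipe real data in with: wp plugin list --format=json | python3 triage.py
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_WP_PLUGIN_LIST
    for hit in triage(data):
        print(f"{hit['cve']}: {hit['plugin']} {hit['installed']} -> {hit['action']}")
```

Note how the sample is deliberately chosen: BetterDocs 4.5.4 and Royal Addons 1.7.1057 are both reported clean, the former because it is already at the fixed version and the latter because the file-read bug was introduced by the 1.7.1058 patch and older builds never had it, while CF7 to Webhook is flagged for deactivation or virtual patching because no fixed version is listed.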
Bottom Line
This 25-CVE disclosure event underscores the persistent challenge of securing the WordPress plugin ecosystem, where a single missing capability check or unsanitized input can expose millions of sites to takeover, data theft, or defacement. The inclusion of critical unauthenticated file deletion and SSRF flaws — both of which can lead to remote code execution — makes this batch particularly urgent for site owners running any of the affected plugins.