July 11, 2026 Security Vulnerability Roundup: Seven WordPress Plugins Enable Admin Takeover — Does It Affect You?
A one-day roundup of the July 11, 2026 vulnerabilities we did not cover individually. Seven WordPress plugins let a single member or contributor account take over the admin, and a 2M-site Elementor add-on is among them. Judge relevance by whether a login is required, and see what ordinary users must act on now.
Table of contents
A one-day roundup of the July 11, 2026 vulnerabilities we did not cover individually. Seven WordPress plugins let a single member or contributor account take over the admin, and a 2M-site Elementor add-on is among them. Judge relevance by whether a login is required, and see what ordinary users must act on now.
This article rounds up, in one place, the vulnerabilities disclosed on July 11, 2026 in the global vulnerability database (NVD) and Japan's JVN that we chose not to cover as standalone breaking news. The clear theme of the day was WordPress: seven separate flaws in plugins (add-ons that extend a WordPress site) all let an attacker use a single low-privilege account — a site member or a post contributor — to impersonate an administrator. One of the affected plugins is used on more than 2 million sites. Check here whether your own site, or a product you use, is on the list.
Note that the broadly impactful, "patch now" flaws found on the same day each got their own article: the login-integration plugins "miniOrange" (CVE-2026-12761 and more / severity 9.8), which allow admin takeover with no login at all; the two popular Joomla extensions under active attack; and the "IntelliJ IDEA" developer tool flaw (CVE-2026-59792) that fires simply by opening a crafted project. Below are the rest — the "dangerous under certain conditions" flaws, ordered by how much they stood out. The previous day's list is in our July 10 security vulnerability roundup.
Today's "check now" critical items we covered individually
First, here are the higher-impact items we covered as standalone articles during the day. If you use any of them, check the fix in each article.
- ・miniOrange login-integration plugins (CVE-2026-12761 / CVE-2026-57807 / severity 9.8): admin account takeover with no login required. Affects many WordPress sites.
- ・Joomla's popular "Balbooa Forms" and "iCagenda" extensions: no-login site takeover, already seen under active attack.
- ・"IntelliJ IDEA" developer tool (CVE-2026-59792): opening a crafted project can silently run code.
- ・AI-development networking tool "9Router" (CVE-2026-55500 and more): stored API keys and tokens can be stolen wholesale.
- ・AI integration tool "mcp-server-kubernetes" (CVE-2026-61459): credentials that manage server clusters can be stolen.
- ・Trend Micro "Apex One" flaw now under active attack: updated to the latest information on this day. It is enterprise antivirus software widely used by companies in Japan.
The day's headline: seven WordPress plugins let a member account take over the admin
On July 11, seven severity-8.8 flaws in WordPress plugins (add-ons that extend a site) were disclosed together. The seven are different products, but the target is strikingly similar. In every case, a low-privilege user's single account — a site member (subscriber), or a post author/contributor — is used as a foothold to impersonate the site's administrator, or to run programs on the server. Having this many similar flaws land on the same day is unusual, and because the attack prerequisites are shared, we are flagging them together.
One prerequisite matters up front. All seven require that the attacker already holds some kind of login account on the site. That makes them different in kind from the no-login miniOrange flaw we covered separately (unauthenticated = instant kill). However, on sites that let anyone sign up as a member, or that hand author/contributor accounts to outside writers, an attacker can obtain that account legitimately. Read this with a two-layer mindset: "no-login is instant death, but login-required is no excuse to relax." Severity is out of 10.
| CVE | Plugin | What happens | Severity | Account needed | Status |
|---|---|---|---|---|---|
| CVE-2026-15155 | Essential Addons for Elementor | Admin takeover | 8.8 | Contributor+ | No exploit seen |
| CVE-2026-13353 | WP Ultimate CSV Importer | Code execution | 8.8 | Subscriber+ | No exploit seen |
| CVE-2026-13756 | WP Grid Builder | Privilege escalation | 8.8 | Subscriber+ | No exploit seen |
| CVE-2026-14262 | Simple JWT Login | Privilege escalation | 8.8 | Subscriber+ | No exploit seen |
| CVE-2026-2354 | Swiss Toolkit For WP | Dangerous file upload | 8.8 | Author+ | No exploit seen |
| CVE-2025-6784 | Code Engine | Command injection → code execution | 8.8 | Contributor+ | No exploit seen |
| CVE-2026-1359 | Genolve | Privilege escalation | 8.8 | Contributor+ | No exploit seen |
CVE-2026-15155: admin takeover in "Essential Addons for Elementor," used on 2 million sites
This is the widest-reaching of the seven. Essential Addons for Elementor is an add-on that provides extra building blocks for the site builder "Elementor," and it is a huge plugin — used on more than 2 million sites according to the official WordPress directory. The flaw (versions up to and including 6.6.10) stems from weak input checking on outgoing mail that failed to strip line-break characters (CR/LF). Abusing it, an attacker can quietly inject a hidden "Bcc" recipient into the administrator's password-reset email, so the reset link also reaches the attacker, letting them seize the admin account (a technique called email header injection). Severity is 8.8. Exploitation requires a contributor-level or higher account, and no real-world attacks have been reported yet. Given the multi-million-site scale, the impact is large; if you use it, make updating to the latest version a top priority.
The remaining six: from "member/author accounts" to admin rights or code execution
The other six take different routes but arrive at the same place: full control of the site. WP Ultimate CSV Importer (a tool to import data from CSV and Excel, up to 8.0.1, CVE-2026-13353) lets a user run malicious PHP code due to a missing capability check. WP Grid Builder (a tool for lists and filtering, up to 2.3.3, CVE-2026-13756), Simple JWT Login (login for external integrations, up to 3.6.6, CVE-2026-14262), and Genolve (an AI image/video generation add-on, up to 5.0.5, CVE-2026-1359) all miss the permission check on settings changes, so a low-privilege user can promote themselves to administrator. Swiss Toolkit For WP (a bundle of utilities, up to 1.4.6, CVE-2026-2354) has an incomplete filename-extension check that lets a dangerous file (CWE-434) be uploaded disguised as an image. Code Engine (an add-on that runs code inside posts, up to 0.3.5, CVE-2025-6784) allows arbitrary commands to run via a shortcode. All are fixed in each plugin's latest version. If you use any of them, update, or disable the plugin for now.
Takeovers that use a handy add-on as the entry point keep happening, as this day showed. Adding a plugin also enlarges a site's "attack surface," so remove any you do not use, and consider a way to continuously check the open-source components you rely on for vulnerabilities. Sites that let anyone register, or that hand posting rights to outside writers, are especially likely to fit the prerequisite for these seven — keep that in mind.
Non-WordPress items that are dangerous under conditions
The day also brought high-severity flaws outside WordPress. But each affects "people who self-host that product" or a specific region or industry, not the phones and web services ordinary consumers use directly. The numbers are high, yet these are not the kind that hit indiscriminately.
| CVE | Product | Type | Severity | Prerequisite | Status |
|---|---|---|---|---|---|
| CVE-2026-14480 | OpenPLC Runtime v3 | File write → code execution | 9.9 | Login required | No exploit seen |
| CVE-2026-20744 | Le Circuit Électrique (EV charging network) | Privilege escalation | 9.8 | No login | No exploit seen |
| CVE-2026-55879 | OpenReplay | Stored script injection | 9.3 | Login + admin viewing | No exploit seen |
| CVE-2026-44795 | Spinnaker | Unsafe deserialization → code execution | 8.8 | Login required | No exploit seen |
| CVE-2026-52747 | ModSecurity | Inspection bypass | 8.6 | Chained with another flaw | No exploit seen |
| CVE-2026-55789 | Logto | Injection into a document → privilege escalation | 8.5 | Login required | No exploit seen |
The highest number, OpenPLC Runtime v3 (CVE-2026-14480 / severity 9.9), is industrial software that controls machinery in factories and plants. A logged-in user can write arbitrary files and run programs, but the audience is limited to engineers who operate control systems — no contact point for ordinary users. Le Circuit Électrique (CVE-2026-20744 / severity 9.8) is the back-end of an EV charging network in Quebec, Canada, with no direct relevance to users in Japan. OpenReplay (CVE-2026-55879 / severity 9.3) is a self-hosted platform for recording and analyzing your own site's usage, and the attack requires an administrator to open malicious data on screen. None of these are on CISA's list of actively exploited vulnerabilities (KEV dashboard, Japanese edition), and no real-world attacks have been confirmed. Check the vendor's update information only if you operate the affected product.
Bottom line: what ordinary users must act on today
Although the severity numbers above are high, most of these vulnerabilities affect people who self-host a particular product, not the phones and web services ordinary consumers use. For everyday users, there is generally nothing you need to do right now because of this list.
It is a different story if you run a WordPress site yourself. This day lined up seven plugin-based takeovers. In particular, the no-login miniOrange flaws (severity 9.8) should be your top priority to patch. The seven summarized here do require the attacker to have a login account, but on sites where anyone can register, or where posting rights are handed to outside writers, that prerequisite is met easily. In particular, Essential Addons for Elementor (CVE-2026-15155), used on more than 2 million sites, has a wide reach; if you use it, update early. The basics — delete plugins you do not use, and grant membership or posting rights only where truly needed — are the best defense against these "account-as-foothold" takeovers.
You can track actively exploited vulnerabilities on the U.S. CISA warning list (KEV dashboard, Japanese edition). The more broadly impactful items from this day — the Joomla extension takeovers and the miniOrange case — are worth reading in their own articles. For the previous day's list, see the July 10 roundup.
Sources
- â–¸NVD - CVE-2026-15155 (Essential Addons for Elementor)
- â–¸NVD - CVE-2026-13353 (WP Ultimate CSV Importer)
- â–¸NVD - CVE-2026-13756 (WP Grid Builder)
- â–¸NVD - CVE-2026-14262 (Simple JWT Login)
- â–¸NVD - CVE-2026-2354 (Swiss Toolkit For WP)
- â–¸NVD - CVE-2025-6784 (Code Engine)
- â–¸NVD - CVE-2026-1359 (Genolve)
- â–¸NVD - CVE-2026-14480 (OpenPLC Runtime v3)
- ▸NVD - CVE-2026-20744 (Le Circuit Électrique)
- â–¸NVD - CVE-2026-55879 (OpenReplay)
- â–¸NVD - CVE-2026-44795 (Spinnaker)
- â–¸NVD - CVE-2026-52747 (ModSecurity)
- â–¸NVD - CVE-2026-55789 (Logto)

Makoto Horikawa
Backend Engineer / AWS / Django