Top/Articles/July 11, 2026 Security Vulnerability Roundup: Seven WordPress Plugins Enable Admin Takeover — Does It Affect You?
cve-digest-2026-07-11-cover-en

July 11, 2026 Security Vulnerability Roundup: Seven WordPress Plugins Enable Admin Takeover — Does It Affect You?

A one-day roundup of the July 11, 2026 vulnerabilities we did not cover individually. Seven WordPress plugins let a single member or contributor account take over the admin, and a 2M-site Elementor add-on is among them. Judge relevance by whether a login is required, and see what ordinary users must act on now.

NewsPublished July 11, 2026 Updated today
Table of contents
Key takeaways

A one-day roundup of the July 11, 2026 vulnerabilities we did not cover individually. Seven WordPress plugins let a single member or contributor account take over the admin, and a 2M-site Elementor add-on is among them. Judge relevance by whether a login is required, and see what ordinary users must act on now.

This article rounds up, in one place, the vulnerabilities disclosed on July 11, 2026 in the global vulnerability database (NVD) and Japan's JVN that we chose not to cover as standalone breaking news. The clear theme of the day was WordPress: seven separate flaws in plugins (add-ons that extend a WordPress site) all let an attacker use a single low-privilege account — a site member or a post contributor — to impersonate an administrator. One of the affected plugins is used on more than 2 million sites. Check here whether your own site, or a product you use, is on the list.

Note that the broadly impactful, "patch now" flaws found on the same day each got their own article: the login-integration plugins "miniOrange" (CVE-2026-12761 and more / severity 9.8), which allow admin takeover with no login at all; the two popular Joomla extensions under active attack; and the "IntelliJ IDEA" developer tool flaw (CVE-2026-59792) that fires simply by opening a crafted project. Below are the rest — the "dangerous under certain conditions" flaws, ordered by how much they stood out. The previous day's list is in our July 10 security vulnerability roundup.

Today's "check now" critical items we covered individually

First, here are the higher-impact items we covered as standalone articles during the day. If you use any of them, check the fix in each article.

The day's headline: seven WordPress plugins let a member account take over the admin

On July 11, seven severity-8.8 flaws in WordPress plugins (add-ons that extend a site) were disclosed together. The seven are different products, but the target is strikingly similar. In every case, a low-privilege user's single account — a site member (subscriber), or a post author/contributor — is used as a foothold to impersonate the site's administrator, or to run programs on the server. Having this many similar flaws land on the same day is unusual, and because the attack prerequisites are shared, we are flagging them together.

One prerequisite matters up front. All seven require that the attacker already holds some kind of login account on the site. That makes them different in kind from the no-login miniOrange flaw we covered separately (unauthenticated = instant kill). However, on sites that let anyone sign up as a member, or that hand author/contributor accounts to outside writers, an attacker can obtain that account legitimately. Read this with a two-layer mindset: "no-login is instant death, but login-required is no excuse to relax." Severity is out of 10.

CVEPluginWhat happensSeverityAccount neededStatus
CVE-2026-15155Essential Addons
for Elementor
Admin
takeover
8.8Contributor+No exploit seen
CVE-2026-13353WP Ultimate
CSV Importer
Code
execution
8.8Subscriber+No exploit seen
CVE-2026-13756WP Grid BuilderPrivilege
escalation
8.8Subscriber+No exploit seen
CVE-2026-14262Simple JWT LoginPrivilege
escalation
8.8Subscriber+No exploit seen
CVE-2026-2354Swiss Toolkit
For WP
Dangerous file
upload
8.8Author+No exploit seen
CVE-2025-6784Code EngineCommand injection
→ code execution
8.8Contributor+No exploit seen
CVE-2026-1359GenolvePrivilege
escalation
8.8Contributor+No exploit seen

CVE-2026-15155: admin takeover in "Essential Addons for Elementor," used on 2 million sites

This is the widest-reaching of the seven. Essential Addons for Elementor is an add-on that provides extra building blocks for the site builder "Elementor," and it is a huge plugin — used on more than 2 million sites according to the official WordPress directory. The flaw (versions up to and including 6.6.10) stems from weak input checking on outgoing mail that failed to strip line-break characters (CR/LF). Abusing it, an attacker can quietly inject a hidden "Bcc" recipient into the administrator's password-reset email, so the reset link also reaches the attacker, letting them seize the admin account (a technique called email header injection). Severity is 8.8. Exploitation requires a contributor-level or higher account, and no real-world attacks have been reported yet. Given the multi-million-site scale, the impact is large; if you use it, make updating to the latest version a top priority.

The remaining six: from "member/author accounts" to admin rights or code execution

The other six take different routes but arrive at the same place: full control of the site. WP Ultimate CSV Importer (a tool to import data from CSV and Excel, up to 8.0.1, CVE-2026-13353) lets a user run malicious PHP code due to a missing capability check. WP Grid Builder (a tool for lists and filtering, up to 2.3.3, CVE-2026-13756), Simple JWT Login (login for external integrations, up to 3.6.6, CVE-2026-14262), and Genolve (an AI image/video generation add-on, up to 5.0.5, CVE-2026-1359) all miss the permission check on settings changes, so a low-privilege user can promote themselves to administrator. Swiss Toolkit For WP (a bundle of utilities, up to 1.4.6, CVE-2026-2354) has an incomplete filename-extension check that lets a dangerous file (CWE-434) be uploaded disguised as an image. Code Engine (an add-on that runs code inside posts, up to 0.3.5, CVE-2025-6784) allows arbitrary commands to run via a shortcode. All are fixed in each plugin's latest version. If you use any of them, update, or disable the plugin for now.

Takeovers that use a handy add-on as the entry point keep happening, as this day showed. Adding a plugin also enlarges a site's "attack surface," so remove any you do not use, and consider a way to continuously check the open-source components you rely on for vulnerabilities. Sites that let anyone register, or that hand posting rights to outside writers, are especially likely to fit the prerequisite for these seven — keep that in mind.

Non-WordPress items that are dangerous under conditions

The day also brought high-severity flaws outside WordPress. But each affects "people who self-host that product" or a specific region or industry, not the phones and web services ordinary consumers use directly. The numbers are high, yet these are not the kind that hit indiscriminately.

CVEProductTypeSeverityPrerequisiteStatus
CVE-2026-14480OpenPLC
Runtime v3
File write
→ code execution
9.9Login requiredNo exploit seen
CVE-2026-20744Le Circuit Électrique
(EV charging network)
Privilege
escalation
9.8No loginNo exploit seen
CVE-2026-55879OpenReplayStored
script injection
9.3Login + admin
viewing
No exploit seen
CVE-2026-44795SpinnakerUnsafe deserialization
→ code execution
8.8Login requiredNo exploit seen
CVE-2026-52747ModSecurityInspection
bypass
8.6Chained with
another flaw
No exploit seen
CVE-2026-55789LogtoInjection into a document
→ privilege escalation
8.5Login requiredNo exploit seen

The highest number, OpenPLC Runtime v3 (CVE-2026-14480 / severity 9.9), is industrial software that controls machinery in factories and plants. A logged-in user can write arbitrary files and run programs, but the audience is limited to engineers who operate control systems — no contact point for ordinary users. Le Circuit Électrique (CVE-2026-20744 / severity 9.8) is the back-end of an EV charging network in Quebec, Canada, with no direct relevance to users in Japan. OpenReplay (CVE-2026-55879 / severity 9.3) is a self-hosted platform for recording and analyzing your own site's usage, and the attack requires an administrator to open malicious data on screen. None of these are on CISA's list of actively exploited vulnerabilities (KEV dashboard, Japanese edition), and no real-world attacks have been confirmed. Check the vendor's update information only if you operate the affected product.

Bottom line: what ordinary users must act on today

Although the severity numbers above are high, most of these vulnerabilities affect people who self-host a particular product, not the phones and web services ordinary consumers use. For everyday users, there is generally nothing you need to do right now because of this list.

It is a different story if you run a WordPress site yourself. This day lined up seven plugin-based takeovers. In particular, the no-login miniOrange flaws (severity 9.8) should be your top priority to patch. The seven summarized here do require the attacker to have a login account, but on sites where anyone can register, or where posting rights are handed to outside writers, that prerequisite is met easily. In particular, Essential Addons for Elementor (CVE-2026-15155), used on more than 2 million sites, has a wide reach; if you use it, update early. The basics — delete plugins you do not use, and grant membership or posting rights only where truly needed — are the best defense against these "account-as-foothold" takeovers.

You can track actively exploited vulnerabilities on the U.S. CISA warning list (KEV dashboard, Japanese edition). The more broadly impactful items from this day — the Joomla extension takeovers and the miniOrange case — are worth reading in their own articles. For the previous day's list, see the July 10 roundup.

Sources

avatar-m-1

Makoto Horikawa

Backend Engineer / AWS / Django