Top/Articles/28 Takeover Flaws Hit WordPress Add-ons at Once, Two of Them a Perfect 10.0 — Full Plugin List and Fixes (July 13, 2026)
wordpress-plugins-2026-07-13-critical-vulnerabilities-roundup-cover-en

28 Takeover Flaws Hit WordPress Add-ons at Once, Two of Them a Perfect 10.0 — Full Plugin List and Fixes (July 13, 2026)

On the night of July 13, 2026, 28 dangerous flaws were disclosed at once in WordPress add-ons (plugins and themes). Sixteen are rated 9.0 or higher, two of them a worst-case 10.0, and many allow site takeover or member-data theft with no login. Affected products include the booking plugins Amelia and LatePoint and the widely bundled Kirki. Check the list for what you use and see what to do now.

NewsPublished July 13, 2026 Updated today
Table of contents
Key takeaways

On the night of July 13, 2026, 28 dangerous flaws were disclosed at once in WordPress add-ons (plugins and themes). Sixteen are rated 9.0 or higher, two of them a worst-case 10.0, and many allow site takeover or member-data theft with no login. Affected products include the booking plugins Amelia and LatePoint and the widely bundled Kirki. Check the list for what you use and see what to do now.

On the evening of July 13, 2026, 28 dangerous flaws were disclosed at once in WordPress add-ons (plugins and themes). Sixteen of them are rated severity 9.0 or higher (out of 10), and two of those are a perfect, worst-case 10.0. Many can take over a site or steal member data with no login at all, and the affected list includes the well-known booking plugins "Amelia" and "LatePoint," as well as "Kirki," a foundation component bundled into many themes. Check the list in this article for anything you use on your own site.

This article organizes the 28 items registered together the same day in the global vulnerability database (NVD) by severity and by whether an attack requires a login. It is mainly for people who run a WordPress site themselves; ordinary users who only browse WordPress sites are not directly at risk. That said, sites that let anyone sign up, or that hand posting rights to outside writers, need to take note, as explained below. Non-WordPress flaws from the same day are covered in our July 13 security vulnerability roundup. A similar mass disclosure also happened in June 2026, and it recurs regularly.

What happened: 28 in one day, two of them a perfect score

All 28 are flaws in WordPress plugins or in themes that set a site's appearance. They are different products, but the attacker's goal falls into roughly four types.

  • ・Planting a dangerous file: get a file carrying a program placed on the server and take over the site (the two 10.0 items are close to this type).
  • ・Stealing member data: send commands that trick the database into handing over stored information (a technique called "SQL injection").
  • ・Unsafe data restoration: abuse the process that reconstructs saved data to trigger malicious behavior (a technique called "object injection").
  • ・Privilege escalation: upgrade a low-privilege account into an administrator.

The key question is whether an attack requires a login. No-login items are an immediate threat because anyone can abuse them right away. Login-required items look one notch lighter, but on sites that let anyone sign up, or that hand posting rights to outsiders, an attacker can obtain that account legitimately, so do not relax. Below we list the sixteen items at 9.0 or higher, then the twelve in the 8-point range. Severity is out of 10.

Top priority: the sixteen items at 9.0 or higher (most need no login)

First, the sixteen most dangerous. Twelve of the sixteen require no login, so anyone can attack once the conditions are met. If you use any of them, prioritize checking for the latest version.

CVEPlugin / ThemeWhat happensSeverityLoginStatus
CVE-2026-57719Aimogen ProDangerous file upload
→ takeover
10.0NoneNo known abuse
CVE-2026-57811Realtyna Organic IDXCode injection
→ takeover
10.0NoneNo known abuse
CVE-2026-57401SureDashUnauthorized
file read
9.9RequiredNo known abuse
CVE-2026-57710WoowBot Pro MaxDangerous file upload9.9RequiredNo known abuse
CVE-2026-57724KirkiUnsafe data restore
→ takeover
9.8NoneNo known abuse
CVE-2026-57738777 triple-seven
(theme)
Unsafe data restore9.8NoneNo known abuse
CVE-2026-57744rt18-extensionsUnsafe data restore9.8NoneNo known abuse
CVE-2026-57770Grand Photography
(theme)
Unsafe data restore9.8NoneNo known abuse
CVE-2026-57813MailOptinPrivilege escalation
(to admin)
9.8NoneNo known abuse
CVE-2026-59518DirectoristUnsafe data restore9.8NoneFixed in 8.8.3
CVE-2026-57702Amelia
(booking)
Data theft9.3NoneNo known abuse
CVE-2026-57707Simple Business
Directory Pro
Data theft9.3NoneFixed in 15.9.5
CVE-2026-57714LatePoint
(booking)
Data theft9.3NoneNo known abuse
CVE-2026-57726KirkiData theft9.3NoneNo known abuse
CVE-2026-57739AcyMailingData theft9.3NoneNo known abuse
CVE-2026-59515AI Copilot
Content Generator
Data theft9.3NoneNo known abuse

The two perfect 10.0s: full site takeover with no login

The most dangerous of the 28 are the two rated a perfect 10.0. Aimogen Pro (an AI text/image generation add-on, up to 2.8.3, CVE-2026-57719) does not adequately check file types, letting an attacker plant a dangerous file carrying a program with no login (unrestricted upload of a dangerous file type). Realtyna Organic IDX (an add-on that displays real-estate listings, up to 5.2.0, CVE-2026-57811) runs externally supplied strings directly as a program (code injection). Both let an attacker seize control of the site with no login, so if you use either plugin, consider disabling it temporarily until you can update.

No-login takeover and data theft: many well-known plugins included

The severity-9.8 group are all "unsafe data restoration" (object injection) or privilege escalation, allowing a no-login site takeover. Notably, Kirki (CVE-2026-57724 and more) is a foundation tool embedded as a component in many themes, so you may not even realize you are running it. The group also includes the directory builder Directorist (CVE-2026-59518, fixed in 8.8.3) and the email tool MailOptin (CVE-2026-57813). The severity-9.3 group are SQL injection flaws that steal member data, and they line up widely used plugins: the booking staples Amelia (CVE-2026-57702) and LatePoint (CVE-2026-57714), and the email tool AcyMailing (CVE-2026-57739). Booking and membership plugins handle names, contact details, and reservation histories, so a theft has a large impact — check for updates first.

The two 9.9s that need a login: conditional, but high severity

The severity-9.9 SureDash (an add-on for member dashboards, up to 1.8.0, CVE-2026-57401) and WoowBot Pro Max (a shopping-chat add-on, up to 14.1.7, CVE-2026-57710) require a low-privilege login to exploit. The numbers are high, but these are not out-of-the-blue remote takeovers. Still, on sites open to public sign-up, an attacker can obtain that privilege legitimately, so update promptly if affected.

The twelve items in the 8-point range (mostly login-based)

The twelve items at severity 8.5–8.8 mostly require a login to exploit. Even so, a few can be abused with no login, so check for updates the same way if you use any of them.

CVEPluginWhat happensSeverityLogin
CVE-2026-57371WPJAM BasicUnsafe data restore8.8Required
CVE-2026-57386aBlocksPrivilege escalation8.8Required
CVE-2026-57410MailerPressPrivilege escalation8.8Required
CVE-2026-57713Events ManagerUnsafe data restore8.8None
(link lure)
CVE-2026-57786WorkScout CoreCSRF auth bypass8.8None
(link lure)
CVE-2026-57389GroundhoggUnauthorized file read8.6None
CVE-2026-57709Membership for
WooCommerce
Unauthorized file read8.6None
CVE-2026-57385ViteposData theft8.5Required
CVE-2026-57787CWS SVGiconsData theft8.5Required
CVE-2026-57810Square for
WooCommerce
Data theft8.5Required
CVE-2026-57771GD Rating SystemData theft8.5Required
CVE-2026-57772WP Inventory ManagerData theft8.5Required

Among these, the CRM plugin Groundhogg (CVE-2026-57389) and the subscription plugin Membership for WooCommerce (CVE-2026-57709) can be abused with no login to read server files, so they deserve extra attention within the 8-point group. Given the data they handle, the online-shop plugins Square for WooCommerce (CVE-2026-57810) and Vitepos (CVE-2026-57385) are also best not left unpatched. Note that the same July 13 also brought non-WordPress flaws such as router-device issues, covered in our July 13 security vulnerability roundup.

Why does WordPress see mass disclosures like this over and over?

Twenty-eight in a day sounds like a lot, but "disclosed together" is not unusual for WordPress. As our June 2026 mass disclosure shows, it happens several times a month. In this writer's view, a few factors are behind it.

First, WordPress runs on more than 40% of the world's websites, and the number of plugins reaches the tens of thousands. Their makers and scale vary widely, so security quality is uneven. Second, when similar flaw types (SQL injection, object injection) line up on the same day, as here, it is because a security firm scanned many plugins side by side and published them together once fixes were ready. In other words, a mass disclosure is less "danger suddenly rose" and more evidence that auditing is working. Third, when a foundation tool like Kirki — embedded as a component into other plugins and themes — is targeted, the impact spreads at once to the many sites that use it indirectly. That structure is exactly why users get caught out by flaws in "a component they never knew they installed."

The defensive mindset is simple. Plugins and themes also widen the "surface an attacker can hit," so delete what you do not use, and enable auto-updates for what you keep. Then, regularly take stock of which components your site carries. We explain how to inventory the flaws in your open-source components in our guide to auditing open-source (supply-chain) component vulnerabilities.

Bottom line: what WordPress operators should do now

These 28 items are for people who operate a WordPress site; ordinary users who only browse are not directly at risk. Operators should do the following.

  • 1.Open "Updates" in the admin panel and update the plugins and themes in the lists above to their latest versions. Prioritize the perfect-10.0 Aimogen Pro and Realtyna Organic IDX, plus each no-login item from 9.8 down to 9.3.
  • 2.For anything you cannot update immediately, disable it temporarily. Delete plugins and themes you do not use.
  • 3.Keep public sign-up and posting rights for outsiders limited to what you actually need. For login-required flaws, this review removes the precondition for abuse.

Vulnerabilities seen under active attack can be tracked in the U.S. CISA alert list (KEV dashboard, Japanese edition). None of these 28 is on that list yet, and no real attacks have been confirmed. Still, once a flaw's details are public, attackers study them too, so the sooner you update, the safer. Non-WordPress flaws from this day are in the July 13 security vulnerability roundup, and the previous mass disclosure is in the June 2026 WordPress plugin roundup.

References

avatar-m-1

Makoto Horikawa

Backend Engineer / AWS / Django