Security Bulletin for 22 June 2026: Privilege Escalation in Vitepos, a Critical Flaw in PhpSpreadsheet, and Cross-Site Scripting in WooCommerce Auction Pro
22 June 2026 · jproxx Security
This is our daily security overview. We review the vulnerabilities published each day and pick out the ones that genuinely matter for running WordPress websites, online shops and PHP applications. Every statement in this bulletin has been checked against its underlying primary source, which is linked at the end of each section. Three reports are relevant for 22 June 2026.
CVE-2026-8157 — Privilege Escalation in the Vitepos WordPress Plugin (high)
The Vitepos WordPress plugin, a point-of-sale system for WooCommerce shops, contains a privilege escalation vulnerability in all versions before 3.4.2. An endpoint that creates new users through the plugin's REST API does not properly restrict the roles that may be assigned in the process. As a result, an already authenticated user holding a custom Vitepos role can elevate their own account to the administrator role and then take full control of the website. The National Vulnerability Database rates the flaw at a CVSS score of 8.8, which is high. Affected sites should update the plugin to version 3.4.2 or newer without delay.
Sources: National Vulnerability Database — CVE-2026-8157 · WPScan advisory
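The underlying mistake is a user-creation endpoint that accepts a role from the request without checking who is calling and which roles that caller may hand out. The following is an added example of the hardened pattern for a WordPress plugin; it is not Vitepos code, and the route name, the namespace and the role name example_pos_cashier are placeholders.

```php
<?php
// Added example: a REST endpoint that creates users without letting the caller
// pick an arbitrary role. Route, namespace and role names are constructed.

add_action('rest_api_init', function () {
    register_rest_route('example-pos/v1', '/users', [
        'methods'  => 'POST',
        'callback' => 'example_pos_create_user',
        // Never '__return_true' here: only callers who may create and promote
        // users in WordPress terms reach the callback at all.
        'permission_callback' => function () {
            return current_user_can('create_users') && current_user_can('promote_users');
        },
        'args' => [
            'username' => ['required' => true,  'sanitize_callback' => 'sanitize_user'],
            'email'    => ['required' => true,  'sanitize_callback' => 'sanitize_email'],
            'role'     => ['required' => false, 'sanitize_callback' => 'sanitize_key'],
        ],
    ]);
});

/**
 * Roles this endpoint is permitted to assign. 'administrator' is deliberately
 * absent, so even a caller who passes the capability check cannot mint admins
 * through this route. 'example_pos_cashier' is a placeholder role name.
 */
const EXAMPLE_POS_ASSIGNABLE_ROLES = ['example_pos_cashier', 'subscriber'];

function example_pos_create_user(WP_REST_Request $request)
{
    $role = $request->get_param('role') ?: 'subscriber';

    // Allowlist check: an unknown or privileged role is rejected outright,
    // never silently mapped to something else. wp_roles()->is_role() also
    // confirms the role actually exists on this site.
    if (!in_array($role, EXAMPLE_POS_ASSIGNABLE_ROLES, true) || !wp_roles()->is_role($role)) {
        return new WP_Error('rest_forbidden_role', 'Role not assignable via this endpoint.', ['status' => 403]);
    }
    if (!is_email($request->get_param('email'))) {
        return new WP_Error('rest_invalid_param', 'Invalid email address.', ['status' => 400]);
    }

    $user_id = wp_insert_user([
        'user_login' => $request->get_param('username'),
        'user_email' => $request->get_param('email'),
        'user_pass'  => wp_generate_password(24),
        'role'       => $role,
    ]);
    if (is_wp_error($user_id)) {
        return $user_id;
    }
    return rest_ensure_response(['id' => $user_id, 'role' => $role]);
}
```

Two separate controls matter here: the permission_callback decides whether the caller may create users at all, and the role allowlist decides what the endpoint will assign even to a permitted caller. A plugin that implements only the first still lets any qualifying caller request 'administrator'; a plugin that implements neither is the situation the advisory describes.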
CVE-2026-45034 — Critical Flaw in the PhpSpreadsheet Library (critical)
PhpSpreadsheet is a widely used PHP library for reading and writing spreadsheet documents and is embedded in many shop and management systems, for example to import or export Excel files. An earlier safeguard against dangerous file wrappers, added with CVE-2026-34084, can be bypassed: the check fails to recognise a path of the form phar:///… with three or more slashes as a wrapper, because in that case the underlying PHP function does not return a valid scheme name and the check is therefore skipped. On PHP 7.x, merely accessing a path through this wrapper is enough for the data stored inside the archive to be unpacked and processed automatically, which allows remote code execution. On PHP 8.x the immediate impact is reduced to a file read, and code execution is only possible in certain follow-on situations. The National Vulnerability Database classifies the vulnerability as critical with a CVSS score of 9.2. Operators should update to version 1.30.5.
Sources: National Vulnerability Database — CVE-2026-45034 · GitHub Security Advisory GHSA-87m4-826x-3crx
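The lesson of this bypass is that a wrapper check built on a URL parser inherits that parser's blind spots. Below is an added example of a guard that does not ask a parser for the scheme at all but matches the scheme syntax directly on the raw string, so that slash count and letter case make no difference. This is a hypothetical helper written for this bulletin, not PhpSpreadsheet's own validation; the class and method names and the sample paths are constructed.

```php
<?php
// Added example: wrapper rejection that does not depend on a scheme parser.
// LocalPathGuard is a hypothetical helper, not PhpSpreadsheet code.

final class LocalPathGuard
{
    /**
     * Returns true only if $path is a plain local path. Any leading
     * "<scheme>:" is treated as a stream wrapper and refused, however many
     * slashes follow it, so "phar://x", "phar:///x" and "phar:////x" are all
     * rejected even where a URL parser would report no scheme for some of them.
     */
    public static function isPlainLocalPath(string $path): bool
    {
        // NUL bytes truncate paths in C-level file APIs; refuse them outright.
        if (strpos($path, "\0") !== false) {
            return false;
        }
        // RFC 3986 scheme syntax, case-insensitive, followed by ':'.
        if (preg_match('~^([a-z][a-z0-9+.\-]*):~i', $path, $m)) {
            // A single letter before ':' is a Windows drive (C:\...), not a wrapper.
            return strlen($m[1]) === 1;
        }
        return true;
    }

    /** Resolves $path to a real, existing file or throws; never opens a wrapper. */
    public static function assertReadableFile(string $path): string
    {
        if (!self::isPlainLocalPath($path)) {
            throw new InvalidArgumentException('Stream wrappers are not accepted here.');
        }
        // realpath() does not resolve wrappers, which is a second line of defence:
        // anything that slipped through above still has to exist on disk.
        $real = realpath($path);
        if ($real === false || !is_file($real)) {
            throw new RuntimeException('File not found: ' . $path);
        }
        return $real;
    }
}

// Constructed inputs showing the decision for each shape of path.
$cases = [
    '/srv/uploads/report.xlsx'      => true,
    'C:\\uploads\\report.xlsx'      => true,   // drive letter, not a wrapper
    'phar://sample.phar/x.xlsx'     => false,
    'phar:///sample.phar/x.xlsx'    => false,  // three slashes
    'phar:////sample.phar/x.xlsx'   => false,  // four slashes
    'PHAR://sample.phar/x.xlsx'     => false,  // case variation
    "data:text/plain,abc"           => false,  // other wrappers fail the same way
];
foreach ($cases as $input => $expected) {
    assert(LocalPathGuard::isPlainLocalPath($input) === $expected);
}
```

The design choice is a deny-by-default one: rather than listing dangerous wrappers (phar, data, php and so on) or trusting a parser to name the scheme, the guard refuses every scheme it sees and only tolerates what a local filesystem path can legitimately look like. Applications that genuinely need a wrapper should open it through a separate, explicitly audited code path rather than widening this check.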
CVE-2026-4259 — Cross-Site Scripting in Ultimate WooCommerce Auction Pro (high, no fix yet)
The Ultimate WooCommerce Auction Pro plugin, which adds auction features to WooCommerce shops, outputs a request parameter without escaping it in all versions up to and including 2.4.5. This results in a reflected cross-site scripting vulnerability that lets an attacker run malicious script in a victim’s browser as soon as the victim follows a crafted link. It is particularly sensitive because the attack can be aimed specifically at highly privileged users such as administrators. At the time of publication, no fixed version is available according to WPScan. Until an update is released, operators should deactivate the plugin when it is not in use, restrict access, and filter suspicious requests through a web application firewall. The National Vulnerability Database rates the vulnerability at a CVSS score of 7.1, which is high.
Sources: National Vulnerability Database — CVE-2026-4259 · WPScan advisory
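For readers maintaining their own WordPress code, the following added example shows the shape of the defect described above next to its fix: a request parameter echoed into page markup as-is, and the same output escaped for the HTML context it lands in. This is illustrative code written for this bulletin, not the plugin's source; the shortcode name and the parameter name auction_filter are constructed.

```php
<?php
// Added example (not the plugin's code): reflected XSS and its fix in a
// WordPress shortcode. Shortcode and parameter names are constructed.

// Vulnerable shape: the raw query parameter is concatenated into HTML, so any
// markup in the URL is rendered by the browser.
function example_auction_filter_vulnerable(): string
{
    $term = isset($_GET['auction_filter']) ? wp_unslash($_GET['auction_filter']) : '';
    return '<p>Showing auctions for: ' . $term . '</p>'
         . '<input type="text" name="auction_filter" value="' . $term . '">';
}

// Hardened shape: sanitise on input, then escape on output using the function
// that matches each context (text node vs. attribute value).
function example_auction_filter_fixed(): string
{
    $term = isset($_GET['auction_filter'])
        ? sanitize_text_field(wp_unslash($_GET['auction_filter']))
        : '';
    return '<p>Showing auctions for: ' . esc_html($term) . '</p>'
         . '<input type="text" name="auction_filter" value="' . esc_attr($term) . '">';
}

// Only the hardened version is registered; the vulnerable one exists purely
// to show the difference side by side.
add_shortcode('example_auction_filter', 'example_auction_filter_fixed');

// Constructed input: a value that closes the attribute and injects a tag.
// With the fix, '"' becomes '&quot;' and '<' becomes '&lt;', so the browser
// shows the characters instead of interpreting them.
$_GET['auction_filter'] = '"><b>x</b>';
assert(strpos(example_auction_filter_vulnerable(), '<b>x</b>') !== false);
assert(strpos(example_auction_filter_fixed(), '<b>x</b>') === false);
assert(strpos(example_auction_filter_fixed(), '&lt;b&gt;x&lt;/b&gt;') !== false);
```

The escaping function has to match the output context: esc_html() for text between tags, esc_attr() inside a quoted attribute, esc_url() for href or src values. Sanitising the input alone is not sufficient, because sanitize_text_field() is meant to normalise data for storage and does not encode the characters that are significant in HTML.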
Not sure whether you’re affected? Get in touch.
This bulletin is provided for security awareness. The official notices from the respective vendors and the sources linked above always take precedence.