
Security Bulletin for 1 July 2026: Critical Unauthenticated Privilege Escalation in PrivateContent, File Deletion in Business Directory, an SQL Injection in BookingPress and Cross-Site Scripting in Enable Media Replace

1 July 2026 · jproxx Security

This is our daily security roundup, in which we review the published vulnerabilities and pick out those that genuinely matter for operating WordPress websites, online shops and PHP applications. Every statement in this bulletin has been checked against its underlying primary source, which is linked at the end of each section. For 1 July 2026 we highlight four vulnerabilities disclosed today: two critical flaws that can be exploited without a login, plus two further flaws in widely used plugins for which a corrected version is already available.

CVE-2026-57692 — Unauthenticated Privilege Escalation in PrivateContent (critical)

PrivateContent, which hides content behind a protected members’ or access area, contains a critical privilege escalation vulnerability in all versions up to and including 9.9.2 that can be exploited without a login. Because privileges are assigned incorrectly, an attacker without a valid account can obtain higher rights within the installation than they are entitled to. The rating assigned by the issuing authority Patchstack and carried over by the National Vulnerability Database is 9.8, classifying the flaw as critical; it is assigned to weakness class CWE-266 (incorrect privilege assignment). At the time of writing no official fix is available; operators who use the plugin should therefore deactivate and remove it immediately until a corrected version is released.

Sources: Patchstack — PrivateContent CVE-2026-57692 · National Vulnerability Database — CVE-2026-57692

CVE-2026-6070 — Unauthenticated File Deletion in the Business Directory Plugin (critical)

The Business Directory Plugin, which manages directory and listing entries in WordPress, contains a critical vulnerability in all versions up to and including 4.0.1 that can be exploited without a login and allows arbitrary files to be deleted. The cause is inadequate validation of the file path in the routine responsible for removing uploaded files: through path manipulation (path traversal) an attacker can steer the deletion outside the intended directory and remove files elsewhere — for example the central configuration file wp-config.php, whose removal can pave the way to a full takeover of the site. The National Vulnerability Database assigns a CVSS score of 9.1, classifies the flaw as critical and assigns it to weakness class CWE-73 (external control of file name or path). At the time of writing no corrected version is listed; operators should deactivate the plugin immediately until a fix is available.
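As an added illustration of the defensive pattern that closes this class of bug (this is not code from the Business Directory plugin, and the function names, the `file` request field and the nonce action are assumptions), the following WordPress handler deletes an uploaded file only after the caller-supplied name has been resolved against the uploads directory and proven to stay inside it:

```php
<?php
// Added example for this bulletin, not code from the Business Directory plugin:
// a hardened "delete uploaded file" handler for a WordPress plugin. The function
// names (jp_example_*), the 'file' request field and the nonce action are assumptions.

/**
 * Resolve a caller-supplied relative file name against the uploads directory.
 * Returns the absolute path only when the canonical target is a regular file
 * inside that directory; ".." segments, absolute paths and symlinks that point
 * elsewhere all yield null, so nothing outside uploads can be reached.
 */
function jp_example_resolve_upload_path( $relative ) {
    $uploads = wp_upload_dir();
    $base    = realpath( $uploads['basedir'] );
    if ( false === $base ) {
        return null;
    }

    // Cheap syntactic rejection first: traversal segments and absolute paths.
    $name = wp_normalize_path( (string) $relative );
    if ( '' === $name || false !== strpos( $name, '..' ) || '/' === substr( $name, 0, 1 ) ) {
        return null;
    }

    // realpath() canonicalises the joined path and follows symlinks, so the
    // containment comparison below is made on the real filesystem location.
    $target = realpath( $base . DIRECTORY_SEPARATOR . $name );
    if ( false === $target || ! is_file( $target ) ) {
        return null;
    }

    // The canonical target must start with the canonical base plus a separator;
    // the separator stops "/var/www/uploads-other" matching "/var/www/uploads".
    $prefix = rtrim( $base, '/\\' ) . DIRECTORY_SEPARATOR;
    if ( 0 !== strncmp( $target, $prefix, strlen( $prefix ) ) ) {
        return null;
    }
    return $target;
}

/**
 * AJAX handler: registered on wp_ajax_* only (never wp_ajax_nopriv_*), so
 * anonymous callers are refused; then nonce and capability are checked, and
 * only a path that passed the containment check is deleted.
 */
function jp_example_delete_upload() {
    check_ajax_referer( 'jp_example_delete', 'nonce' );
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $relative = isset( $_POST['file'] ) && is_string( $_POST['file'] )
        ? wp_unslash( $_POST['file'] )
        : '';
    $path = jp_example_resolve_upload_path( $relative );
    if ( null === $path ) {
        wp_send_json_error( 'invalid file', 400 );
    }
    wp_delete_file( $path );
    wp_send_json_success( array( 'deleted' => basename( $path ) ) );
}
add_action( 'wp_ajax_jp_example_delete_upload', 'jp_example_delete_upload' );
```

The containment check works on the canonical path returned by `realpath()`, not on the string the caller sent, which is what makes it robust against encoded or symlinked detours; a production plugin would additionally confirm that the requesting user owns the listing the file belongs to.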

Sources: National Vulnerability Database — CVE-2026-6070 · CVE Record — CVE-2026-6070

CVE-2026-11823 — Unauthenticated SQL Injection in BookingPress (high)

The BookingPress Appointment Booking Pro plugin by Repute Infosystems contains an SQL injection vulnerability in all versions up to and including 5.7.1 that can be exploited without a login. The value supplied via the store_service_date parameter is incorporated into a database query without adequate protection, allowing an attacker to inject their own SQL statements and, in the worst case, read out the database contents — including user accounts and password hashes. The National Vulnerability Database assigns a CVSS score of 7.5, classifies the flaw as high and assigns it to weakness class CWE-89 (SQL injection). The vulnerability is fixed in version 5.7.2, to which operators should update without delay.
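To make the defect class concrete, here is an added example (not BookingPress code; the table name, the slot query and the `jp_example_*` names are assumptions, only the `store_service_date` parameter name comes from the advisory) showing a date-driven query built by string concatenation beside the same query built with `$wpdb->prepare()` after input validation:

```php
<?php
// Added example for this bulletin, not BookingPress code. The table name and
// jp_example_* names are assumptions; store_service_date is the parameter
// named in the advisory.

/**
 * UNSAFE (illustrative only): the request value is spliced into the SQL text,
 * so whatever the caller sends is interpreted as part of the statement.
 */
function jp_example_slots_unsafe( $date ) {
    global $wpdb;
    $table = $wpdb->prefix . 'jp_example_slots';
    $sql   = "SELECT slot_time FROM {$table} WHERE slot_date = '{$date}'";
    return (array) $wpdb->get_col( $sql );
}

/**
 * SAFE: reject anything that is not a real calendar date, then bind the value
 * with prepare(), which escapes it and keeps it a data value, never SQL text.
 */
function jp_example_slots_safe( $date ) {
    global $wpdb;
    // '!' resets unspecified fields; the round-trip comparison also rejects
    // overflowing dates such as 2026-02-30, which would otherwise roll over.
    $parsed = DateTime::createFromFormat( '!Y-m-d', (string) $date );
    if ( false === $parsed || $parsed->format( 'Y-m-d' ) !== $date ) {
        return array();
    }
    $table = $wpdb->prefix . 'jp_example_slots';
    $sql   = $wpdb->prepare(
        "SELECT slot_time FROM {$table} WHERE slot_date = %s",
        $date
    );
    return (array) $wpdb->get_col( $sql );
}

/** Public (no-login) AJAX endpoint reading store_service_date from the request. */
function jp_example_slots_endpoint() {
    $raw = isset( $_POST['store_service_date'] ) && is_string( $_POST['store_service_date'] )
        ? sanitize_text_field( wp_unslash( $_POST['store_service_date'] ) )
        : '';
    wp_send_json_success( jp_example_slots_safe( $raw ) );
}
// Unauthenticated endpoints are exactly where parameter binding is non-negotiable.
add_action( 'wp_ajax_nopriv_jp_example_slots', 'jp_example_slots_endpoint' );
add_action( 'wp_ajax_jp_example_slots', 'jp_example_slots_endpoint' );
```

Note that `sanitize_text_field()` alone is not an SQL defence; the protection comes from the strict date validation and from `prepare()` placing the value through a bound placeholder.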

Sources: National Vulnerability Database — CVE-2026-11823 · Wordfence — BookingPress CVE-2026-11823

CVE-2026-57722 — Cross-Site Scripting in Enable Media Replace (medium)

The widely used Enable Media Replace plugin, which lets you swap out already-uploaded media files while keeping the existing file address, contains a cross-site scripting flaw in all versions up to and including 4.2.1. Exploitation requires a logged-in account with at least the Editor role plus user interaction; such a user can plant malicious code that is subsequently executed in the browsers of other users. Because the Editor role already carries extensive rights, the flaw weighs most heavily on multi-author sites where not every editor can be fully trusted. The rating assigned by the issuing authority Patchstack is 5.9, classifying the flaw as medium; it is assigned to weakness class CWE-79 (cross-site scripting). The vulnerability is fixed in version 4.2.2, to which operators should update.
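The generic defence against this kind of stored cross-site scripting is sanitising an editor-supplied value on the way in and escaping it for its output context on the way out. The following added example (not code from Enable Media Replace; the meta key, the request fields and the `jp_example_*` names are assumptions) shows both halves for a hypothetical replacement file name:

```php
<?php
// Added example for this bulletin, not code from Enable Media Replace. The meta
// key, request fields and jp_example_* names are assumptions.

/** Save the replacement file name supplied by a logged-in editor. */
function jp_example_save_replacement_name() {
    check_admin_referer( 'jp_example_replace', 'nonce' );
    $attachment_id = isset( $_POST['attachment_id'] ) ? absint( $_POST['attachment_id'] ) : 0;
    // Check edit_post on the specific attachment rather than a blanket role test.
    if ( ! $attachment_id || ! current_user_can( 'edit_post', $attachment_id ) ) {
        wp_die( 'forbidden', '', array( 'response' => 403 ) );
    }
    $raw = isset( $_POST['new_name'] ) && is_string( $_POST['new_name'] )
        ? wp_unslash( $_POST['new_name'] )
        : '';
    // sanitize_file_name() removes characters that have no place in a file
    // name, including < > " ' and path separators.
    $name = sanitize_file_name( $raw );
    update_post_meta( $attachment_id, '_jp_example_new_name', $name );
}

/**
 * Render one admin-table row. Storage is not trusted at output time: each
 * dynamic value is escaped for exactly the context it lands in, so a value
 * that slipped past input sanitising still cannot run as script.
 */
function jp_example_media_row( $attachment_id ) {
    $name = (string) get_post_meta( $attachment_id, '_jp_example_new_name', true );
    $url  = (string) wp_get_attachment_url( $attachment_id );

    $html  = '<tr>';
    // HTML text node: esc_html() entity-encodes < > & " '.
    $html .= '<td>' . esc_html( $name ) . '</td>';
    // Attribute values: esc_url() for href/src, esc_attr() for everything else.
    // Script reads the name from data-name instead of an inline handler, which
    // avoids a JavaScript context altogether.
    $html .= '<td><a href="' . esc_url( $url ) . '" data-name="' . esc_attr( $name ) . '">'
           . esc_html__( 'Open', 'jp-example' ) . '</a></td>';
    $html .= '</tr>';
    return $html;
}
```

On a single-site WordPress install the Editor role holds the `unfiltered_html` capability, so HTML in post content written by editors is intentionally left alone; the escaping above matters for plugin-generated screens, such as admin listings, that other users view and that an editor is not meant to control.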

Sources: Patchstack — Enable Media Replace CVE-2026-57722 · National Vulnerability Database — CVE-2026-57722

This advisory is provided for security awareness. The official notices from the respective vendor and the sources linked above always take precedence.