Security Bulletin for 3 July 2026: Unauthenticated Stored Cross-Site Scripting in wpDiscuz, File Read in AR for WooCommerce and Cross-Site Scripting in NEX-Forms
3 July 2026 · jproxx Security
This is our daily security roundup, in which we review the published vulnerabilities and pick out those that genuinely matter for operating WordPress websites, online shops and PHP applications. Every statement in this bulletin has been checked against its underlying primary source, which is linked at the end of each section. 3 July 2026 is a comparatively quiet day: the reports consist mostly of stored cross-site scripting, with no critical flaws among them. We highlight the three most impactful — all exploitable without a login.
CVE-2026-9148 — Unauthenticated Stored Cross-Site Scripting in wpDiscuz (high)
The Comments – wpDiscuz plugin, one of the most widely used comment systems for WordPress,
contains a login-free stored cross-site scripting flaw in all versions up to and including
7.6.56. The website field supplied by a guest comment is not adequately sanitized when the
comment author is determined (getCommentAuthor), so an attacker without any account can
plant malicious code via a plain comment. That code is then executed in the browsers of other
users as soon as they open the affected page or the comment moderation area — which can lead
to the takeover of a moderator or administrator session. The National Vulnerability Database
assigns a CVSS score of 7.2, classifies the flaw as high and assigns it to weakness class
CWE-79 (cross-site scripting). The vulnerability is fixed in version 7.6.57, to which
operators should update without delay.
Sources: National Vulnerability Database — CVE-2026-9148 · CVE Record — CVE-2026-9148
CVE-2026-14352 — Unauthenticated File Read in AR for WooCommerce (high)
The AR for WooCommerce plugin by webandprint contains a path traversal vulnerability in all
versions up to and including 8.40 that can be exploited without a login. Via the file
parameter a file path is not adequately constrained, so an attacker can read arbitrary files
from the server — including sensitive configuration files from which, for example, database
credentials can be obtained. The National Vulnerability Database assigns a CVSS score of 7.5,
classifies the flaw as high and assigns it to weakness class CWE-22 (improper limitation of a
pathname to a restricted directory). The vulnerability is fixed in version 8.41, to which
operators should update without delay.
Sources: National Vulnerability Database — CVE-2026-14352 · Wordfence — AR for WooCommerce CVE-2026-14352
CVE-2026-13040 — Unauthenticated Stored Cross-Site Scripting in NEX-Forms (high)
The NEX-Forms – Ultimate Forms Plugin contains a login-free stored cross-site scripting flaw
in all versions up to and including 9.2.2. The cause is inadequate sanitization of the value
supplied via the real_val__ parameter, so an attacker without a login can plant malicious
code that is later executed in the browsers of other users — in particular in the admin area
when reviewing form submissions. The National Vulnerability Database assigns a CVSS score of
7.2, classifies the flaw as high and assigns it to weakness class CWE-79 (cross-site
scripting). At the time of writing no corrected version is listed; operators should update the
plugin to the latest available version and, while no fix is available, deactivate it.
Sources: National Vulnerability Database — CVE-2026-13040 · Wordfence — NEX-Forms CVE-2026-13040
Not sure whether you’re affected? Get in touch.
This advisory is provided for security awareness. The official notices from the respective vendor and the sources linked above always take precedence.