Skip to content
jproxx
← Back to the blog

Security Bulletin for 3 July 2026: Unauthenticated Stored Cross-Site Scripting in wpDiscuz, File Read in AR for WooCommerce and Cross-Site Scripting in NEX-Forms

3 July 2026 · jproxx Security

This is our daily security roundup, in which we review the published vulnerabilities and pick out those that genuinely matter for operating WordPress websites, online shops and PHP applications. Every statement in this bulletin has been checked against its underlying primary source, which is linked at the end of each section. 3 July 2026 is a comparatively quiet day: the reports consist mostly of stored cross-site scripting, with no critical flaws among them. We highlight the three most impactful — all exploitable without a login.

CVE-2026-9148 — Unauthenticated Stored Cross-Site Scripting in wpDiscuz (high)

The Comments – wpDiscuz plugin, one of the most widely used comment systems for WordPress, contains a login-free stored cross-site scripting flaw in all versions up to and including 7.6.56. The website field supplied by a guest comment is not adequately sanitized when the comment author is determined (getCommentAuthor), so an attacker without any account can plant malicious code via a plain comment. That code is then executed in the browsers of other users as soon as they open the affected page or the comment moderation area — which can lead to the takeover of a moderator or administrator session. The National Vulnerability Database assigns a CVSS score of 7.2, classifies the flaw as high and assigns it to weakness class CWE-79 (cross-site scripting). The vulnerability is fixed in version 7.6.57, to which operators should update without delay.

Sources: National Vulnerability Database — CVE-2026-9148 · CVE Record — CVE-2026-9148

CVE-2026-14352 — Unauthenticated File Read in AR for WooCommerce (high)

The AR for WooCommerce plugin by webandprint contains a path traversal vulnerability in all versions up to and including 8.40 that can be exploited without a login. Via the file parameter a file path is not adequately constrained, so an attacker can read arbitrary files from the server — including sensitive configuration files from which, for example, database credentials can be obtained. The National Vulnerability Database assigns a CVSS score of 7.5, classifies the flaw as high and assigns it to weakness class CWE-22 (improper limitation of a pathname to a restricted directory). The vulnerability is fixed in version 8.41, to which operators should update without delay.

Sources: National Vulnerability Database — CVE-2026-14352 · Wordfence — AR for WooCommerce CVE-2026-14352

CVE-2026-13040 — Unauthenticated Stored Cross-Site Scripting in NEX-Forms (high)

The NEX-Forms – Ultimate Forms Plugin contains a login-free stored cross-site scripting flaw in all versions up to and including 9.2.2. The cause is inadequate sanitization of the value supplied via the real_val__ parameter, so an attacker without a login can plant malicious code that is later executed in the browsers of other users — in particular in the admin area when reviewing form submissions. The National Vulnerability Database assigns a CVSS score of 7.2, classifies the flaw as high and assigns it to weakness class CWE-79 (cross-site scripting). At the time of writing no corrected version is listed; operators should update the plugin to the latest available version and, while no fix is available, deactivate it.

Sources: National Vulnerability Database — CVE-2026-13040 · Wordfence — NEX-Forms CVE-2026-13040

Not sure whether you’re affected? Get in touch.


This advisory is provided for security awareness. The official notices from the respective vendor and the sources linked above always take precedence.