
Security Bulletin for 4 July 2026: Privilege Escalation in HestiaCP, Heap Overflow in PHP Core, Stored Cross-Site Scripting in Ultimate Member and PII Tampering in LatePoint

4 July 2026 · jproxx Security

This is our daily security roundup, in which we review the published vulnerabilities and pick out those that genuinely matter for operating WordPress websites, online shops and PHP applications. Every statement in this bulletin has been checked against its underlying primary source, which is linked at the end of each section. 4 July 2026 brings two reports from the hosting infrastructure — a privilege escalation in the HestiaCP control panel and a security release of PHP core — alongside two widely deployed WordPress extensions.

CVE-2026-12196 — Privilege Escalation to Server Takeover in HestiaCP (high)

The cron jobs feature of the open-source hosting control panel HestiaCP contains a broken access control check. The test for whether an action is reserved for the administrator compares the session context against a variable that is undefined in the script and therefore evaluates to an empty string — the administrative condition never holds and the restriction has no effect. The same endpoint also lacks CSRF token validation. A low-privileged panel user can therefore create a privileged cron job that invokes HestiaCP management scripts via passwordless sudo — for example to reset the administrator account’s password. A low-privileged account thus turns into full control of the panel and the underlying server within a minute, amounting to remote code execution. The National Vulnerability Database assigns a CVSS score of 8.3 (CVSS 4.0), classifies the flaw as high and assigns it to weakness class CWE-287 (improper authentication). The flaw is fixed by the corrective commit from pull request #5440; operators should update to a HestiaCP version that includes this fix.

Sources: National Vulnerability Database — CVE-2026-12196 · HestiaCP — Pull Request #5440
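The bug class described above as a constructed PHP illustration (added here, not HestiaCP's own code): a guard that compares against a variable that is never assigned, next to a guard built on a defined constant, a strict comparison and a CSRF token check. The session and request shapes are assumptions.

```php
<?php
declare(strict_types=1);

// Constructed illustration of the bug class, not HestiaCP's own code.
// Assumed shapes: $session = ['user' => 'bob', 'context' => 'user' or 'admin'],
//                 $post    = ['token' => '...', 'cmd' => '...'].

// VULNERABLE shape: the restriction for non-administrators is meant to apply whenever the
// session context matches $restricted_context, but that variable is never assigned. PHP
// reads it as null (with an E_WARNING, silenced here by @), the loose comparison
// 'user' == null is false, and so the restriction is skipped for every real session.
function cron_restriction_applies_vuln(array $session): bool
{
    return $session['context'] == @$restricted_context; // undefined variable
}

const ADMIN_CONTEXT = 'admin';

// FIXED shape: decide on a defined constant with a strict comparison, and refuse any request
// whose CSRF token does not match the token bound to the session.
function cron_request_allowed_fixed(array $session, array $post, string $sessionToken, bool $privileged): bool
{
    if (!isset($post['token']) || !hash_equals($sessionToken, (string) $post['token'])) {
        return false; // token missing or wrong: treat as a forged cross-site request
    }
    if ($privileged && $session['context'] !== ADMIN_CONTEXT) {
        return false; // jobs that reach privileged helpers are for administrators only
    }
    return true;
}

// Constructed low-privilege session and request.
$session = ['user' => 'bob', 'context' => 'user'];
var_dump(cron_restriction_applies_vuln($session));                                // restriction silently skipped
var_dump(cron_request_allowed_fixed($session, ['token' => 'abc'], 'abc', true));   // privileged job, plain user
var_dump(cron_request_allowed_fixed($session, ['token' => 'abc'], 'abc', false));  // ordinary job, valid token
var_dump(cron_request_allowed_fixed($session, ['token' => 'xyz'], 'abc', false));  // ordinary job, bad token
```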

CVE-2026-14355 — Heap Overflow in PHP Core During AES Key Wrapping (medium)

PHP core has closed a heap-based buffer overflow in the openssl_encrypt() function with the security releases 8.2.32, 8.3.32, 8.4.23 and 8.5.8. For the key-wrapping-with-padding schemes (AES-WRAP-PAD), the ext/openssl extension sizes the output buffer solely from the length of the plaintext. The scheme, however, rounds the input up to the next multiple of eight bytes and prepends a further eight bytes, so the actual ciphertext is longer than the reserved memory — OpenSSL writes past its end and corrupts adjacent management structures of the PHP memory manager. The National Vulnerability Database assigns a CVSS score of 5.6, classifies the flaw as medium and assigns it to weakness class CWE-122 (heap-based buffer overflow). An attacker who can influence the length and content of the wrapped data can thereby crash the PHP process; attack complexity is high, and only applications that actually use this rarely employed mode are affected. Operators should update to the corrected PHP versions listed above.

Sources: PHP — Security Advisory GHSA-7jrw-539f-x6vr · National Vulnerability Database — CVE-2026-14355
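The length arithmetic behind the overflow, as an added example (not code from PHP's ext/openssl): how many bytes key wrap with padding really produces versus a buffer sized from the plaintext alone, plus a check of a PHP version string against the fixed releases named above. The undersized buffer is modelled as exactly the plaintext length, which is an assumption.

```php
<?php
declare(strict_types=1);

// Added example, not code from PHP's ext/openssl. Length arithmetic for AES key wrap with
// padding as the advisory describes it: the input is rounded up to a multiple of eight
// bytes and eight further bytes are prepended.

// Bytes the wrapped output really occupies.
function aes_wrap_pad_output_len(int $plaintextLen): int
{
    if ($plaintextLen < 1) {
        throw new InvalidArgumentException('key wrap with padding needs at least one byte');
    }
    $rounded = intdiv($plaintextLen + 7, 8) * 8; // next multiple of eight
    return $rounded + 8;                         // plus the prepended block
}

// Bytes the defective code reserved: modelled here as the plaintext length itself.
function undersized_buffer_len(int $plaintextLen): int
{
    return $plaintextLen;
}

// How far the write would reach past the reserved buffer: between 8 and 15 bytes,
// since rounding adds 0..7 and the leading block adds 8.
function overflow_bytes(int $plaintextLen): int
{
    return aes_wrap_pad_output_len($plaintextLen) - undersized_buffer_len($plaintextLen);
}

// Is a given PHP version at or beyond the fixed release of its branch? Branches the
// advisory does not name (for example an end-of-life 8.1) are reported as unpatched.
function php_has_wrap_pad_fix(string $version): bool
{
    $fixed = ['8.2' => '8.2.32', '8.3' => '8.3.32', '8.4' => '8.4.23', '8.5' => '8.5.8'];
    $parts = explode('.', $version);
    $branch = ($parts[0] ?? '') . '.' . ($parts[1] ?? '');
    return isset($fixed[$branch]) && version_compare($version, $fixed[$branch], '>=');
}

// Constructed plaintext lengths, including the one-byte case that overruns a one-byte buffer by fifteen.
foreach ([1, 8, 9, 16, 100] as $n) {
    printf("plaintext %3d B -> output %3d B, reserved %3d B, overrun %2d B\n",
        $n, aes_wrap_pad_output_len($n), undersized_buffer_len($n), overflow_bytes($n));
}
printf("this interpreter is PHP %s: %s\n", PHP_VERSION,
    php_has_wrap_pad_fix(PHP_VERSION) ? 'at or past the fixed release' : 'below the fixed release');
```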

CVE-2026-8489 — Stored Cross-Site Scripting in Ultimate Member (medium)

The widely deployed membership plugin Ultimate Member, in use on more than 200,000 websites, contains a stored cross-site scripting flaw in all versions up to and including 2.11.4. The value of the “about me” profile field (about_me) is stored without adequate sanitization and rendered without escaping, so a payload planted there persists in the profile. Any logged-in user from the lowest role (Subscriber) upward can embed a JavaScript fragment in their own profile that is then executed in the browser of every visitor or administrator who opens the affected profile page — up to the theft of a session. Because Ultimate Member sites commonly allow open self-registration, the Subscriber prerequisite is often trivial to obtain in practice. The National Vulnerability Database assigns a CVSS score of 6.4, classifies the flaw as medium and assigns it to weakness class CWE-79 (cross-site scripting). The vulnerability is fixed in version 2.12.0, to which operators should update without delay.

Sources: National Vulnerability Database — CVE-2026-8489 · Ultimate Member — plugin directory
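The store-without-sanitizing, render-without-escaping pattern and its fix, as an added example in plain PHP (not Ultimate Member's code), with the WordPress equivalents named in comments and an audit helper for values already in the database. The input shape of the audit helper and the meta key name are assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not Ultimate Member's code. The pattern: a free-text profile field is stored
// as submitted and printed into the profile page as raw HTML. Plain PHP is used; the WordPress
// equivalents are named in comments.

// VULNERABLE: the stored value is concatenated straight into markup. Anything in it that parses
// as HTML becomes part of the page and runs in the browser of everyone who views the profile.
function render_about_me_vuln(string $stored): string
{
    return '<p class="um-about">' . $stored . '</p>';
}

// FIXED, on save: normalise and drop markup the field never needs (WordPress:
// sanitize_textarea_field(), or wp_kses() with a small allow-list if formatting is wanted).
// Input filtering is a second layer, not a replacement for escaping on output.
function sanitize_about_me(string $submitted): string
{
    return trim(strip_tags($submitted));
}

// FIXED, on output: escape for the HTML context whatever is stored, so the page is also safe
// for values saved before the fix (WordPress: esc_html()).
function render_about_me_fixed(string $stored): string
{
    $safe = htmlspecialchars($stored, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<p class="um-about">' . nl2br($safe) . '</p>';
}

// Audit heuristic for data already in the database: flag stored values that contain tags or
// inline event handlers, for manual review. Assumed input shape: [user_id => about_me text],
// as one would pull it from the user meta table (the meta key name is an assumption).
function find_markup_in_about_me(array $rows): array
{
    $hits = [];
    foreach ($rows as $userId => $text) {
        if ($text !== strip_tags($text) || preg_match('/\bon[a-z]+\s*=/i', $text) === 1) {
            $hits[] = $userId;
        }
    }
    return $hits;
}

// Constructed sample values: one ordinary bio, one carrying a harmless script marker.
$rows = [7 => 'Hi, I like hiking & photography.', 42 => '<script>/* constructed marker */</script> nice profile'];
echo render_about_me_vuln($rows[42]), "\n";
echo render_about_me_fixed(sanitize_about_me($rows[42])), "\n";
print_r(find_markup_in_about_me($rows));
```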

CVE-2026-11398 — Unauthenticated Tampering with Customer Data in LatePoint (medium)

The booking plugin LatePoint, running on more than 100,000 websites, contains a missing authorization check in all versions up to and including 5.6.1 — effective, however, only when guest bookings are enabled. The customer step of the booking form (process_step_customer) resolves an existing customer record from the submitted email address and overwrites its first name, last name, phone number and notes without verifying that the requester is authorized to make that change. Because the step sits on the login-free booking path, an attacker who knows a valid customer email can falsify the stored personal data of arbitrary customers — including those linked to an administrator profile. No data is read and no outage results; the affected property is the integrity of the customer data, which makes the matter relevant under data protection law. The National Vulnerability Database assigns a CVSS score of 5.3, classifies the flaw as medium and assigns it to weakness class CWE-862 (missing authorization). The vulnerability is fixed in version 5.6.2, to which operators should update without delay.

Sources: National Vulnerability Database — CVE-2026-11398 · CVE Record — CVE-2026-11398
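The missing ownership check described above and one reasonable way to close it, as an added example (not LatePoint's code and not necessarily the vendor's fix): the overwrite step with and without verifying that the requester is the customer the record belongs to. The record shape and the field list are assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not LatePoint's code. Assumed record shape:
// ['id', 'email', 'first_name', 'last_name', 'phone', 'notes', 'wp_user_id' => int|null].
// $record is the existing customer that the booking step resolved from the submitted email.
const EDITABLE_FIELDS = ['first_name', 'last_name', 'phone', 'notes'];

// VULNERABLE shape: the resolved record's personal fields are overwritten with whatever
// the form sent, without establishing who sent it.
function update_customer_vuln(array &$record, array $submitted): void
{
    foreach (EDITABLE_FIELDS as $f) {
        $record[$f] = $submitted[$f] ?? $record[$f];
    }
}

// HARDENED shape (one reasonable fix, not necessarily the vendor's): an existing record is
// changed only by a request authenticated as its linked WordPress user. A guest whose email
// matches an existing record is refused, so a record linked to an administrator cannot be
// rewritten from the login-free path; the form can then ask the visitor to log in instead.
function update_customer_fixed(array &$record, array $submitted, ?int $authWpUserId): bool
{
    if ($authWpUserId === null || $record['wp_user_id'] !== $authWpUserId) {
        return false; // requester not proven to own this record: leave it untouched
    }
    foreach (EDITABLE_FIELDS as $f) {
        $record[$f] = $submitted[$f] ?? $record[$f];
    }
    return true;
}

// Constructed data: the customer record linked to the WordPress administrator (user id 1)
// and a guest submission carrying that email address.
$admin = ['id' => 1, 'email' => 'admin@example.test', 'first_name' => 'Ada', 'last_name' => 'Admin',
          'phone' => '+1 555 0100', 'notes' => '', 'wp_user_id' => 1];
$guestForm = ['email' => 'admin@example.test', 'first_name' => 'Mallory', 'last_name' => 'Admin',
              'phone' => '+1 555 0199', 'notes' => 'call this number instead'];

$v = $admin; update_customer_vuln($v, $guestForm);
$h = $admin; $changed = update_customer_fixed($h, $guestForm, null); // guest: no WP user
$o = $admin; $owner = update_customer_fixed($o, $guestForm, 1);      // the owner, logged in
printf("vulnerable: %s / %s\n", $v['first_name'], $v['phone']);
printf("hardened, guest: %s, record keeps %s / %s\n", $changed ? 'updated' : 'refused', $h['first_name'], $h['phone']);
printf("hardened, owner: %s\n", $owner ? 'updated' : 'refused');
```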



This advisory is provided for security awareness. The official notices from the respective vendor and the sources linked above always take precedence.