Security Bulletin for 4 July 2026: Privilege Escalation in HestiaCP, Heap Overflow in PHP Core, Stored Cross-Site Scripting in Ultimate Member and PII Tampering in LatePoint
4 July 2026 · jproxx Security
This is our daily security roundup, in which we review the published vulnerabilities and pick out those that genuinely matter for operating WordPress websites, online shops and PHP applications. Every statement in this bulletin has been checked against its underlying primary source, which is linked at the end of each section. 4 July 2026 brings two reports from the hosting infrastructure — a privilege escalation in the HestiaCP control panel and a security release of PHP core — alongside two widely deployed WordPress extensions.
CVE-2026-12196 — Privilege Escalation to Server Takeover in HestiaCP (high)
The cron jobs feature of the open-source hosting control panel HestiaCP contains a broken
access control check. The test for whether an action is reserved for the administrator compares
the session context against a variable that is undefined in the script and therefore evaluates
to an empty string — the administrative condition never holds and the restriction has no
effect. The same endpoint also lacks CSRF token validation. A low-privileged panel user can
therefore create a privileged cron job that invokes HestiaCP management scripts via passwordless
sudo — for example to reset the administrator account’s password. A low-privileged account
thus turns into full control of the panel and the underlying server within a minute, amounting
to remote code execution. The National Vulnerability Database assigns a CVSS score of 8.3
(CVSS 4.0), classifies the flaw as high and assigns it to weakness class CWE-287 (improper
authentication). The flaw is fixed by the corrective commit from pull request #5440; operators
should update to a HestiaCP version that includes this fix.
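The two defects described above, as an added model of the bug class rather than HestiaCP's own code: every identifier here (the session keys, `$restricted_context`, the guard names) is hypothetical.

```php
<?php
// Added model of the access-control bug class described above; hypothetical names,
// not HestiaCP's code.

// Vulnerable shape: $restricted_context is never assigned in this script, so it reads
// as null/"" and can never equal a real session value. The deny branch is dead code
// and every panel user reaches the privileged action.
function guard_cron_action_vulnerable(array $session): bool
{
    if (($session['userContext'] ?? '') === ($restricted_context ?? '')) {
        return false;          // meant to stop non-admins; never taken
    }
    return true;               // privileged action allowed for everyone
}

// Hardened shape: compare against a defined constant, fail closed, and verify a
// session-bound CSRF token before any state-changing request.
const ADMIN_CONTEXT = 'admin';

function guard_cron_action_hardened(array $session, array $post): bool
{
    if (($session['userContext'] ?? '') !== ADMIN_CONTEXT) {
        return false;          // not an administrator
    }
    $expected = (string) ($session['csrf_token'] ?? '');
    $given    = (string) ($post['token'] ?? '');
    if ($expected === '' || !hash_equals($expected, $given)) {
        return false;          // missing or forged token
    }
    return true;
}

// Constructed request: a low-privileged panel user posting without a token.
$lowPrivSession = ['userContext' => 'user', 'csrf_token' => bin2hex(random_bytes(16))];
$postWithoutToken = ['token' => ''];
var_dump(guard_cron_action_vulnerable($lowPrivSession));
var_dump(guard_cron_action_hardened($lowPrivSession, $postWithoutToken));
```

Running it shows the vulnerable guard admitting the low-privileged session while the hardened guard rejects it on both the role and the token check.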
Sources: National Vulnerability Database — CVE-2026-12196 · HestiaCP — Pull Request #5440
CVE-2026-14355 — Heap Overflow in PHP Core During AES Key Wrapping (medium)
PHP core has closed a heap-based buffer overflow in the openssl_encrypt() function with the
security releases 8.2.32, 8.3.32, 8.4.23 and 8.5.8. For the key-wrapping-with-padding schemes
(AES-WRAP-PAD), the ext/openssl extension sizes the output buffer solely from the length of
the plaintext. The scheme, however, rounds the input up to the next multiple of eight bytes and
prepends a further eight bytes, so the actual ciphertext is longer than the reserved memory —
OpenSSL writes past its end and corrupts adjacent management structures of the PHP memory
manager. The National Vulnerability Database assigns a CVSS score of 5.6, classifies the flaw
as medium and assigns it to weakness class CWE-122 (heap-based buffer overflow). An attacker
who can influence the length and content of the wrapped data can thereby crash the PHP process;
attack complexity is high, and only applications that actually use this rarely employed mode are
affected. Operators should update to the corrected PHP versions listed above.
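An added helper for operators, not part of PHP or the advisory: it computes how long an AES-WRAP-PAD ciphertext really is (the rounding and the eight prepended bytes described above), how far the plaintext-length-only buffer falls short, and whether the running interpreter is at or above the fixed release for its branch; the `wrap-pad` substring test for cipher names is a heuristic, since exact cipher names vary by OpenSSL build.

```php
<?php
// Added helper, not part of PHP or the advisory: sizes an AES-WRAP-PAD ciphertext
// and checks the running interpreter against the fixed releases listed above.

// Key wrap with padding rounds the input up to a multiple of eight bytes and
// prepends a further eight bytes.
function wrap_pad_output_len(int $plaintextLen): int
{
    $padded = intdiv($plaintextLen + 7, 8) * 8;
    return $padded + 8;
}

// Bytes by which a buffer sized only from the plaintext length falls short.
function wrap_pad_shortfall(int $plaintextLen): int
{
    return wrap_pad_output_len($plaintextLen) - $plaintextLen;
}

// Minimum patched release per branch, taken from the advisory.
const PHP_FIXED_VERSIONS = [
    '8.2' => '8.2.32', '8.3' => '8.3.32', '8.4' => '8.4.23', '8.5' => '8.5.8',
];

// true = fixed, false = vulnerable, null = branch not covered by the advisory.
function php_fixed_for_cve_2026_14355(string $version): ?bool
{
    $branch = implode('.', array_slice(explode('.', $version), 0, 2));
    if (!isset(PHP_FIXED_VERSIONS[$branch])) {
        return null;
    }
    return version_compare($version, PHP_FIXED_VERSIONS[$branch], '>=');
}

// Heuristic: only code that selects a wrap-pad cipher is exposed at all.
function uses_wrap_pad_cipher(string $cipher): bool
{
    return stripos($cipher, 'wrap-pad') !== false;
}

// Constructed plaintext lengths to illustrate the sizing error.
foreach ([1, 8, 9, 100] as $n) {
    printf("plaintext %3d bytes -> ciphertext %3d bytes, naive buffer short by %2d\n",
        $n, wrap_pad_output_len($n), wrap_pad_shortfall($n));
}
var_dump(php_fixed_for_cve_2026_14355(PHP_VERSION));
```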
Sources: PHP — Security Advisory GHSA-7jrw-539f-x6vr · National Vulnerability Database — CVE-2026-14355
CVE-2026-8489 — Stored Cross-Site Scripting in Ultimate Member (medium)
The widely deployed membership plugin Ultimate Member, in use on more than 200,000 websites,
contains a stored cross-site scripting flaw in all versions up to and including 2.11.4. The
value of the “about me” profile field (about_me) is stored without adequate sanitization and
rendered without escaping, so a payload planted there persists in the profile. Any logged-in
user from the lowest role (Subscriber) upward can embed a JavaScript fragment in their own
profile that is then executed in the browser of every visitor or administrator who opens the
affected profile page — up to the theft of a session. Because Ultimate Member sites commonly
allow open self-registration, the Subscriber prerequisite is often trivial to obtain in
practice. The National Vulnerability Database assigns a CVSS score of 6.4, classifies the flaw
as medium and assigns it to weakness class CWE-79 (cross-site scripting). The vulnerability is
fixed in version 2.12.0, to which operators should update without delay.
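The save/render pattern behind a stored XSS of this kind, as an added illustration that is not Ultimate Member's code: the unsafe pair sits beside a hardened pair, followed by an audit over already stored values. It assumes a loaded WordPress environment; the meta key `about_me` is taken from the advisory, while the helper names and the choice of `wp_kses_post()` as the allowlist are assumptions.

```php
<?php
// Added illustration, not Ultimate Member's code. Assumes WordPress is loaded;
// 'about_me' is the field named in the advisory, helper names are hypothetical.

// Vulnerable: raw input stored, raw value echoed -> persistent script execution.
function save_about_me_vulnerable(int $userId, string $raw): void
{
    update_user_meta($userId, 'about_me', $raw);
}
function render_about_me_vulnerable(int $userId): string
{
    return '<div class="about">' . get_user_meta($userId, 'about_me', true) . '</div>';
}

// Hardened: allow only a safe HTML subset on save, and filter again on output so a
// value written through any other path (import, REST, older version) is inert.
function save_about_me_hardened(int $userId, string $raw): void
{
    update_user_meta($userId, 'about_me', wp_kses_post(wp_unslash($raw)));
}
function render_about_me_hardened(int $userId): string
{
    $value = (string) get_user_meta($userId, 'about_me', true);
    return '<div class="about">' . wp_kses_post($value) . '</div>';
}

// Audit: after updating, flag stored values that still carry active content
// (the fix stops new payloads but does not rewrite what was saved earlier).
function audit_about_me_fields(): array
{
    $suspicious = [];
    $pattern = '/<\s*(script|iframe|object|embed|svg)\b|\bon[a-z]+\s*=|javascript:/i';
    foreach (get_users(['fields' => ['ID', 'user_login']]) as $user) {
        $value = (string) get_user_meta($user->ID, 'about_me', true);
        if ($value !== '' && preg_match($pattern, $value)) {
            $suspicious[$user->user_login] = $value;
        }
    }
    return $suspicious;
}

// Constructed check of the hardened renderer on a value that slipped through before.
$sample = '<b>Hi</b><script>alert(1)</script><a href="x" onclick="y()">link</a>';
var_dump(wp_kses_post($sample));
```

The audit returns the affected logins keyed to their raw stored value so they can be reviewed and re-saved through the hardened path.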
Sources: National Vulnerability Database — CVE-2026-8489 · Ultimate Member — plugin directory
CVE-2026-11398 — Unauthenticated Tampering with Customer Data in LatePoint (medium)
The booking plugin LatePoint, running on more than 100,000 websites, contains a missing
authorization check in all versions up to and including 5.6.1 — effective, however, only when
guest bookings are enabled. The customer step of the booking form (process_step_customer)
resolves an existing customer record from the submitted email address and overwrites its first
name, last name, phone number and notes without verifying that the requester is authorized to
make that change. Because the step sits on the login-free booking path, an attacker who knows a
valid customer email can falsify the stored personal data of arbitrary customers — including
those linked to an administrator profile. No data is read and no outage results; the affected
property is the integrity of the customer data, which makes the matter relevant under data
protection law. The National Vulnerability Database assigns a CVSS score of 5.3, classifies the
flaw as medium and assigns it to weakness class CWE-862 (missing authorization). The
vulnerability is fixed in version 5.6.2, to which operators should update without delay.
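The missing-authorization pattern described above, as an added model rather than LatePoint's code: `process_step_customer` is the step named in the advisory, while the function suffixes, field names, the in-memory `$customers` store and the request shape are hypothetical.

```php
<?php
// Added model of the missing-authorization pattern; process_step_customer is the step
// named in the advisory, everything else (names, in-memory store) is hypothetical.

function submitted_fields(array $post): array
{
    return [
        'first_name' => trim($post['first_name'] ?? ''),
        'last_name'  => trim($post['last_name']  ?? ''),
        'phone'      => trim($post['phone']      ?? ''),
        'notes'      => trim($post['notes']      ?? ''),
    ];
}

// Vulnerable: whoever submits a known email rewrites that customer's stored PII.
function process_step_customer_vulnerable(array $post, array &$customers): void
{
    $email = strtolower(trim($post['email'] ?? ''));
    $customers[$email] = array_merge($customers[$email] ?? [], submitted_fields($post));
}

// Hardened: an existing record changes only for its authenticated owner; a guest
// booking that names a known email is attached to the record without altering it.
function process_step_customer_hardened(array $post, array &$customers, ?string $loggedInEmail): ?array
{
    $email = strtolower(trim($post['email'] ?? ''));
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;                                   // reject malformed input
    }
    if (!isset($customers[$email])) {
        $customers[$email] = submitted_fields($post);  // genuinely new guest
    } elseif ($loggedInEmail !== null && hash_equals(strtolower($loggedInEmail), $email)) {
        $customers[$email] = array_merge($customers[$email], submitted_fields($post));
    }
    // else: guest re-using an existing email -> stored PII left untouched
    return $customers[$email];
}

// Constructed data: a guest booking that reuses an existing customer's email.
$customers = ['ada@example.test' => ['first_name' => 'Ada', 'last_name' => 'L', 'phone' => '1', 'notes' => '']];
$guestPost = ['email' => 'ada@example.test', 'first_name' => 'Other', 'last_name' => 'Name', 'phone' => '0', 'notes' => 'changed'];
$copy = $customers;
process_step_customer_vulnerable($guestPost, $copy);
process_step_customer_hardened($guestPost, $customers, null);
var_dump($copy['ada@example.test']['first_name'], $customers['ada@example.test']['first_name']);
```

The two dumped names differ: the vulnerable step has replaced the stored first name, the hardened step has kept it.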
Sources: National Vulnerability Database — CVE-2026-11398 · CVE Record — CVE-2026-11398
Not sure whether you’re affected? Get in touch.
This advisory is provided for security awareness. The official notices from the respective vendor and the sources linked above always take precedence.