Security Bulletin for 6 July 2026: Command Injection in File Manager Plugins, File Upload in FileOrganizer, Privilege Escalation in Admin and Site Enhancements and Cross-Site Scripting in Simple Membership
6 July 2026 · jproxx Security
This is our daily security roundup, in which we review the published vulnerabilities and pick out those that genuinely matter for operating WordPress websites, online shops and PHP applications. Every statement in this bulletin has been checked against its underlying primary source, which is linked at the end of each section. 6 July 2026 is a considerably more productive day for WordPress: we pick out four high-to-critical flaws in widely used plugins for file management, admin enhancement and membership management.
CVE-2026-6382 — Command Injection in Several File Manager Plugins (critical)
Several file-management plugins with a combined install base in the millions — FileOrganizer,
Advanced File Manager, File Manager Pro and File Manager — contain an OS command injection flaw.
During image-processing operations the plugins assemble a command line for the ImageMagick tool
convert without adequately escaping a user-influenced parameter, so additional operating-system
commands can be injected via special characters. The vulnerable path is only reached, however,
when the ImageMagick command-line program is present on the server while the PHP extensions
imagick and GD are absent — only then does PHP fall back to invoking convert. An authenticated
user with file-manager access can thereby run arbitrary commands with the web server’s
privileges, extending as far as full takeover of the server. The National Vulnerability Database
assigns a CVSS score of 9.1, classifies the flaw as critical and assigns it to weakness class
CWE-78 (OS command injection). The vulnerability is fixed in FileOrganizer 1.1.9, Advanced File
Manager 5.4.12, File Manager Pro 2.1.1 and File Manager 8.0.4, to which operators should update
without delay.
Sources: National Vulnerability Database — CVE-2026-6382
CVE-2026-11962 — File Upload With Code Execution in FileOrganizer (high)
The FileOrganizer plugin additionally contains an unrestricted file upload flaw in all versions before 1.2.0. The original fix for an earlier flaw (CVE-2024-7985) applied file-type validation only to the primary upload path of the file-management handler; several other file operations of the same handler still write files without checking type or extension. An authenticated user with file-manager access — a role that can sit well below administrator and, with paid add-ons, is open to further roles — can thereby place a PHP file into a web-accessible directory and have it executed, leading to remote code execution and full compromise of the site. The National Vulnerability Database assigns a CVSS score of 8.8, classifies the flaw as high and assigns it to weakness class CWE-434 (unrestricted upload of dangerous file types). The vulnerability is fixed in version 1.2.0, which also covers the command injection described above; FileOrganizer operators should update to 1.2.0 immediately.
Sources: National Vulnerability Database — CVE-2026-11962
CVE-2026-12083 — Unauthenticated Privilege Escalation in Admin and Site Enhancements (high)
The Admin and Site Enhancements (ASE) plugin and its Pro variant, in use on roughly 90,000 to 100,000 websites, contain an unauthenticated privilege escalation in versions 7.6.3 up to and including 8.8.3. The role-restoration handler, part of the “View Admin as Role” feature, accepts a request without any check of authentication, authorization or security token. Because the feature persists an account’s original role when it is temporarily downgraded, an unauthenticated request to this handler can trigger the restoration of a previously demoted administrator account and return full administrator privileges to it. The precondition is that such a demoted administrator account already exists on the site; this is an incomplete fix of earlier flaws (CVE-2024-43333 and CVE-2025-24648) that closed only one of the demotion paths. The National Vulnerability Database assigns a CVSS score of 8.1, classifies the flaw as high and assigns it to weakness class CWE-269 (improper privilege management). The vulnerability is fixed in version 8.8.4, to which operators should update without delay.
Sources: National Vulnerability Database — CVE-2026-12083 · CVE Record — CVE-2026-12083
CVE-2026-11855 — Unauthenticated Cross-Site Scripting in Simple Membership (high)
The Simple Membership plugin, running on more than 40,000 websites, contains a login-free stored cross-site scripting flaw via the Stripe webhook in all versions before 4.7.5. The Stripe webhook handler validates the signature of an incoming request only when a signing secret is configured — and that field is empty by default. With no secret set, the endpoint accepts forged webhook requests, and a value from the webhook payload is written into an admin-area notice without escaping. An attacker sends a crafted webhook request without a login; as soon as a logged-in administrator opens the resulting notice, the injected JavaScript runs in their session — enabling, for example, the creation of further administrator accounts or takeover of the site. The National Vulnerability Database assigns a CVSS score of 8.8, classifies the flaw as high and assigns it to weakness class CWE-79 (cross-site scripting). The vulnerability is fixed in version 4.7.5, to which operators should update without delay.
Sources: National Vulnerability Database — CVE-2026-11855 · CVE Record — CVE-2026-11855
Not sure whether you’re affected? Get in touch.
This advisory is provided for security awareness. The official notices from the respective vendor and the sources linked above always take precedence.