Skip to content
jproxx
← Back to the blog

Security Bulletin for 8 July 2026: Login-Free Plugin Installation in WP Learn Manager, Payment Bypass in LatePoint, Account Takeover in Eventer and SQL Injection in My Calendar

8 July 2026 · jproxx Security

This is our daily security roundup, in which we review the published vulnerabilities and pick out those that genuinely matter for operating WordPress websites, online shops and PHP applications. Every statement in this bulletin has been checked against its underlying primary source, which is linked at the end of each section. 8 July 2026 brings a whole series of serious plugin flaws. We pick out four that are exploitable with no privileges or only low ones — three of which have no fix available yet.

CVE-2026-12153 — Login-Free Plugin Installation in WP Learn Manager (critical)

The WP Learn Manager learning-management plugin contains a missing authorization check in all versions up to and including 1.1.8. The routine that downloads, installs and activates plugins from the WordPress.org repository does not verify the caller’s privileges, so the action is reachable by any request — including an unauthenticated one. An attacker without any account can thereby make the site install and activate arbitrary plugins; by activating a plugin that itself carries a known exploitable flaw, the chain can be carried on to code execution and full takeover of the site. The National Vulnerability Database assigns a CVSS score of 9.8, classifies the flaw as critical and assigns it to weakness class CWE-862 (missing authorization). At the time of writing no corrected version is listed; operators should take the plugin out of service while no fix is available.

Sources: National Vulnerability Database — CVE-2026-12153

CVE-2026-5356 — Unauthenticated Payment Bypass in LatePoint (high)

The LatePoint booking plugin, running on more than 100,000 websites, contains a login-free payment bypass in its Stripe Connect integration in all versions up to and including 5.4.0. When confirming that a booking has been paid, the plugin trusts a client-supplied identifier of the payment operation (PaymentIntent) and only checks that this operation carries the “succeeded” status — not whether the charged amount matches the booking price or whether the operation belongs to the current transaction at all. An attacker can therefore resubmit the identifier of an earlier, successful payment for a lower amount; the site then treats the booking as paid without collecting the correct amount. The National Vulnerability Database assigns a CVSS score of 7.5, classifies the flaw as high and assigns it to weakness class CWE-862 (missing authorization). At the time of writing no corrected version is listed; operators using LatePoint with Stripe Connect should follow the vendor’s notices and, until a fix is available, reconcile bookings against actual payment receipts.

Sources: National Vulnerability Database — CVE-2026-5356

CVE-2026-9701 and CVE-2026-9700 — Account Takeover in Eventer (critical)

In the Eventer event and booking plugin, two flaws in all versions up to and including 4.4.2 interlock to allow takeover of arbitrary accounts. First, the plugin’s own password-reset flow stores the reset code in cleartext in the database (wp_usermeta) rather than encrypting it (CVE-2026-9701, CWE-289) — anyone able to read that entry obtains a usable reset code. Second, a login-free time-based blind SQL injection via the code parameter (CVE-2026-9700, CWE-89) allows exactly that reading of arbitrary database contents. An attacker without an account can thereby read the cleartext code of any account — including an administrator’s — and then set a new password via the reset function, enabling full takeover of the site (according to the National Vulnerability Database the flow only works under PHP 7.4 and earlier). The National Vulnerability Database assigns the reset flaw a CVSS score of 9.8 (critical) and the SQL injection a score of 7.5 (high). At the time of writing no corrected version is listed; operators should take the plugin out of service while no fix is available.

Sources: National Vulnerability Database — CVE-2026-9701 · National Vulnerability Database — CVE-2026-9700

CVE-2026-6854 — Unauthenticated SQL Injection in My Calendar (high)

The My Calendar – Accessible Event Manager plugin, in use on more than 20,000 websites, contains a login-free time-based blind SQL injection in all versions up to and including 3.7.8. Attacker- controlled input flows into a database query without adequate escaping and without a prepared statement; because the plugin returns no direct output, the reading is time-based, injecting targeted delays and inferring the data character by character. An attacker without an account can thereby read arbitrary data from the WordPress database, including user records, password hashes and session-related material. The National Vulnerability Database assigns a CVSS score of 7.5, classifies the flaw as high and assigns it to weakness class CWE-89 (SQL injection). The vulnerability is fixed in version 3.7.9, to which operators should update without delay.

Sources: National Vulnerability Database — CVE-2026-6854 · My Calendar — plugin directory

Not sure whether you’re affected? Get in touch.


This advisory is provided for security awareness. The official notices from the respective vendor and the sources linked above always take precedence.