Skip to content
jproxx
← Back to the blog

Security Bulletin for 9 July 2026: Authentication Bypass in miniOrange OTP, File Upload in Blocksy Companion Pro, Plugin Installation via CSRF in Divi Torque and Account Takeover in Divi Form Builder

9 July 2026 · jproxx Security

This is our daily security roundup, in which we review the published vulnerabilities and pick out those that genuinely matter for operating WordPress websites, online shops and PHP applications. Every statement in this bulletin has been checked against its underlying primary source, which is linked at the end of each section. 9 July 2026 brings a large number of plugin flaws. We pick out four particularly impactful ones — a fix is already available for all of them.

CVE-2026-14245 — Authentication Bypass in miniOrange OTP (critical)

Of all things, the miniOrange OTP Login, Verification and SMS Notifications login and verification plugin contains a login-free authentication bypass in all versions up to and including 5.5.1. The handler for password resets via Ultimate Member does not check server-side whether the OTP step was actually completed: it trusts a security token that the plugin also serves to unauthenticated visitors, and it accepts an attacker-chosen username from the username_b parameter. Because neither the one-time password nor the target identity is bound to a verified challenge, the flow can be triggered for any account. An attacker without an account can thereby generate a valid reset link for an arbitrary user — including an administrator — set a new password and take over the account and thus the entire site. The flaw is only exploitable when the Ultimate Member password-reset add-on is active and not configured for phone-only reset. The National Vulnerability Database assigns a CVSS score of 9.8, classifies the flaw as critical and assigns it to weakness class CWE-862 (missing authorization). The vulnerability is fixed in version 5.5.2, to which operators should update without delay.

Sources: National Vulnerability Database — CVE-2026-14245 · miniOrange OTP — plugin directory

CVE-2026-15158 — File Upload With Code Execution in Blocksy Companion Pro (critical)

The paid Blocksy Companion Pro extension plugin contains a login-free file upload flaw in all versions up to and including 2.1.46. The custom-fonts add-on decides whether an uploaded file is permitted merely by checking whether the filename contains the strings “.woff2” or “.ttf”, instead of determining the actual extension. Because this is only a substring check, a name with a double extension such as shell.woff2.php passes the font check while the real extension remains .php — and the file is stored. An attacker can thereby place an executable PHP file without a login, then request it and execute arbitrary code, leading to full takeover of the site and server. The vulnerable path is only reachable when the Pro plugin runs with the fonts module and the WooCommerce “Advanced Reviews” extension enabled; the free base version, Blocksy Companion (more than 200,000 installations), is not affected. The National Vulnerability Database assigns a CVSS score of 9.8, classifies the flaw as critical and assigns it to weakness class CWE-434 (unrestricted upload of dangerous file types). The vulnerability is fixed in version 2.1.47, to which operators should update without delay.

Sources: National Vulnerability Database — CVE-2026-15158

CVE-2026-4275 — Plugin Installation via CSRF in Divi Torque Lite (high)

The Divi Torque Lite extension plugin for the Divi Builder contains a cross-site request forgery (CSRF) flaw in all versions up to and including 4.2.3. The plugin registers its endpoints for installing and activating plugins with a permission check that always returns “true” (__return_true), so the endpoints perform neither a capability check nor any protection against forged requests. An attacker can therefore prepare a request that a logged-in administrator’s browser will send along with their session cookie as soon as they open a crafted page. In this way an arbitrary plugin from the WordPress.org repository can be installed and activated — and via a plugin of the attacker’s choice their own PHP code can be run directly, which amounts to full takeover of the site. The National Vulnerability Database assigns a CVSS score of 8.8, classifies the flaw as high and assigns it to weakness class CWE-352 (cross-site request forgery). The vulnerability is fixed in version 4.2.4, to which operators should update without delay.

Sources: National Vulnerability Database — CVE-2026-4275 · Divi Torque — plugin directory

CVE-2026-5523 — Account Takeover in Divi Form Builder (high)

The Divi Form Builder plugin contains a missing ownership check in its user-registration flow in all versions up to and including 5.1.8. The account-update routine (update_user()) accepts a caller-supplied target user ID from the form data instead of restricting the change to the current session’s own account; the enclosing check merely establishes whether any user is logged in at all, not whether that user is allowed to modify the referenced account. Because the target account is selected by a user-controlled key, the request can name any existing account — including an administrator’s. A logged-in user with only subscriber-level privileges can thereby overwrite the email address and password of any other account; resetting an administrator’s credentials hands the attacker a full administrator login, which amounts to complete takeover of the site. The National Vulnerability Database assigns a CVSS score of 8.8, classifies the flaw as high and assigns it to weakness class CWE-639 (authorization bypass through a user-controlled key). The vulnerability is fixed in version 5.1.9, to which operators should update without delay.

Sources: National Vulnerability Database — CVE-2026-5523

Not sure whether you’re affected? Get in touch.


This advisory is provided for security awareness. The official notices from the respective vendor and the sources linked above always take precedence.