Skip to content
jproxx
← Back to the blog

Security Bulletin for 10 July 2026: File Upload in Super Forms, Authentication Bypass in miniOrange Social Login, SQL Injection in Ultimate Member and Payment Manipulation in SureForms

10 July 2026 · jproxx Security

This is our daily security roundup, in which we review the published vulnerabilities and pick out those that genuinely matter for operating WordPress websites, online shops and PHP applications. Every statement in this bulletin has been checked against its underlying primary source, which is linked at the end of each section. 10 July 2026 again brings numerous plugin flaws. We pick out four — two critical flaws exploitable without a login, plus two more in plugins with over 200,000 installations each.

CVE-2026-14894 — File Upload With Code Execution in Super Forms (critical)

The Super Forms – Drag & Drop Form Builder plugin contains a login-free file upload flaw in all versions up to and including 6.3.313. The form-submission handler reachable by unauthenticated users checks neither file type and extension nor the caller’s privileges. Its only hurdle is a session-based security token — but any unauthenticated visitor can have that token, together with a session cookie, issued to themselves via a separate, likewise open endpoint, so it does not constitute a real access barrier. With two requests — one to obtain the token, one to submit a form with an attached PHP file — an attacker can write an executable file into the site’s upload directory, then request it and execute arbitrary code. This means full takeover of the site and the underlying hosting account. The National Vulnerability Database assigns a CVSS score of 9.8, classifies the flaw as critical and assigns it to weakness class CWE-434 (unrestricted upload of dangerous file types). At the time of writing no corrected version is listed; operators should take the plugin out of service while no fix is available.

Sources: National Vulnerability Database — CVE-2026-14894

CVE-2026-12761 — Authentication Bypass in miniOrange Social Login (critical)

The miniOrange Social Login and Register plugin contains a login-free authentication bypass in all versions up to and including 7.7.0. The affected part is the profile-completion step, in which a user signed in via a social service is asked to confirm a one-time password before an account is created or linked. This check is not adequately enforced, so an unauthenticated request can pass the one-time-password hurdle without a valid code and drive the flow to log in as an arbitrary existing account — including an administrator. An attacker without any prior privileges thereby gains full access to the admin area, which amounts to complete takeover of the site. The National Vulnerability Database assigns a CVSS score of 9.8 and thus classifies the flaw as critical. The vulnerability is fixed in version 7.8.0, to which operators should update without delay.

Sources: National Vulnerability Database — CVE-2026-12761 · WPScan — miniOrange Social Login

CVE-2026-15290 — Unauthenticated SQL Injection in Ultimate Member (high)

The widely used Ultimate Member membership plugin, in use on more than 200,000 websites, contains a login-free blind SQL injection in all versions up to and including 2.10.1. The member directory’s search feature folds the input passed via the search parameter into a SQL query without escaping it or routing it through a prepared statement. An attacker without an account can thereby inject additional SQL commands and read arbitrary data from the WordPress database — user records, password hashes and session-related material. Notably, this is a follow-up to an only partially fixed earlier flaw (CVE-2025-0308): the fix in version 2.9.2 closed the entry path only partly, so it remained exploitable up to and including 2.10.1. The National Vulnerability Database assigns a CVSS score of 7.5, classifies the flaw as high and assigns it to weakness class CWE-89 (SQL injection). The fix was pushed after version 2.10.1; since a specific corrected version number is not yet listed, operators should update to the latest available version without delay.

Sources: National Vulnerability Database — CVE-2026-15290

CVE-2026-15288 — Unauthenticated Payment Manipulation in SureForms (high)

The SureForms – Drag and Drop Form Builder plugin, running on more than 200,000 websites, contains a login-free manipulation of the payment amount in all versions up to and including 2.2.1. The handlers that create Stripe payments read the amount to be charged directly from the data submitted with the form and do not reconcile it against the form’s server-side configured price. Because these endpoints are reachable without a login, an attacker can substitute an arbitrary — for example near-zero — amount from which the Stripe payment is then built, and so complete a paid submission without correct payment. The National Vulnerability Database assigns a CVSS score of 7.5, classifies the flaw as high and assigns it to weakness class CWE-20 (improper input validation). The vulnerability is fixed in version 2.2.2, which reconciles the amount server-side against the form configuration; operators should update without delay.

Sources: National Vulnerability Database — CVE-2026-15288

Not sure whether you’re affected? Get in touch.


This advisory is provided for security awareness. The official notices from the respective vendor and the sources linked above always take precedence.