Security Bulletin for 11 July 2026: File Read in W3 Total Cache, Account Takeover in Essential Addons for Elementor, Payment-Key Leak in Cost Calculator Builder and File Upload in RSFiles!
11 July 2026 · jproxx Security
This is our daily security roundup, in which we review the published vulnerabilities and pick out those that genuinely matter for operating WordPress websites, online shops and PHP applications. Every statement in this bulletin has been checked against its underlying primary source, which is linked at the end of each section. 11 July 2026 again brings numerous plugin flaws. We pick out four — among them two of the most widely used WordPress plugins of all, and, for the PHP side, a Joomla flaw rated at the maximum score.
CVE-2026-9282 — Unauthenticated File Read in W3 Total Cache (high)
The extremely widely deployed W3 Total Cache caching plugin, in use on more than 1,000,000
websites, contains a login-free file read via path traversal in all versions up to and including
2.9.4. In the plugin’s minify component, with manual minify mode enabled, a filename can be crafted
so that the internal path restriction is bypassed and the file-read logic processes an
attacker-determined path. An attacker without an account can thereby read arbitrary files from the
server — such as the central configuration file wp-config.php with database credentials and secret
keys, from which further attacks can be built. The National Vulnerability Database assigns a CVSS
score of 7.5, classifies the flaw as high and assigns it to weakness class CWE-22 (improper
limitation of a pathname). At the time of writing no corrected version is listed; operators should
disable manual minify mode while no fix is available and follow the vendor’s notices.
Sources: National Vulnerability Database — CVE-2026-9282 · Wordfence — W3 Total Cache
CVE-2026-15155 — Account Takeover in Essential Addons for Elementor (high)
The very widely deployed Essential Addons for Elementor extension plugin, running on more than 2,000,000 websites, contains a route to account takeover via an email header injection in all versions up to and including 6.6.10. The email logic of the login and registration widget enforces its restriction of allowed values only in the browser editor, not server-side, and does not strip line breaks from the supplied value. This makes it possible to inject an additional header — for example a blind-copy recipient (Bcc) — into an administrator’s outgoing password-reset email. A logged-in user with mere Contributor privileges can thereby divert a copy of the valid reset link to an address of their own, set a new administrator password with it and take full control of the site. The National Vulnerability Database assigns a CVSS score of 8.8, classifies the flaw as high and assigns it to weakness class CWE-640 (weak password recovery mechanism). The vulnerability is fixed in version 6.6.11, to which operators should update without delay.
Sources: National Vulnerability Database — CVE-2026-15155 · Essential Addons for Elementor — plugin directory
CVE-2026-10865 — Payment-Key Leak in Cost Calculator Builder (medium)
The Cost Calculator Builder plugin, in use on more than 30,000 websites, contains an exposure of
confidential data in all versions up to and including 4.0.11. When a payment provider’s “use in all
calculators” option is enabled, the plugin writes the configured credentials in cleartext into the
source of every page that embeds a calculator — including the Stripe secret key, the Razorpay secret
key and the PayPal client_secret. Because no authorization check applies, these keys are simply
readable via the page source by any unauthenticated visitor. Anyone who reads them can impersonate
the merchant against the payment services and take over their payment account — that is, initiate
charges, issue refunds and view transaction and customer data. Although the National Vulnerability
Database rates the flaw as medium with a CVSS score of 5.3 and assigns it to weakness class CWE-200
(exposure of sensitive information), the actual impact is considerable given the payment keys
involved. The vulnerability is fixed in version 4.0.12; operators should update without delay and
subsequently reissue the affected payment keys with the respective provider.
Sources: National Vulnerability Database — CVE-2026-10865 · Cost Calculator Builder — plugin directory
CVE-2026-57827 — File Upload With Code Execution in RSFiles! (critical)
The RSFiles! Joomla extension contains a login-free file upload in versions 1.0 up to and including 1.17.11. The frontend upload handler accepts files without a login and without a security token, and the routine that writes the file into the publicly reachable downloads directory does not check the file type. Because the security check and the actual file write reside in separate code paths and only one of them is guarded, the write path can be reached unguarded. An attacker can thereby upload an executable file — for example a PHP script — then request it directly and execute arbitrary code, leading to full takeover of the Joomla site and the underlying hosting account. The National Vulnerability Database assigns the maximum score of 10.0 (CVSS 4.0), classifies the flaw as critical and assigns it to weakness class CWE-434 (unrestricted upload of dangerous file types). The vulnerability is fixed in version 1.17.12, to which operators should update without delay.
Sources: National Vulnerability Database — CVE-2026-57827
Not sure whether you’re affected? Get in touch.
This advisory is provided for security awareness. The official notices from the respective vendor and the sources linked above always take precedence.