Security Bulletin for 12 July 2026: Code Execution in WP Ultimate CSV Importer, File Inclusion in LA-Studio Element Kit, Cross-Site Scripting in Motors and Email Manipulation in NEX-Forms
12 July 2026 · jproxx Security
This is our daily security roundup, in which we review the published vulnerabilities and pick out those that genuinely matter for operating WordPress websites, online shops and PHP applications. Every statement in this bulletin has been checked against its underlying primary source, which is linked at the end of each section. Over the weekend, publications are quieter for our audience; the entries genuinely reported on 12 July mostly concern small, little-used projects. We therefore pick out the four most consequential WordPress plugin flaws of the past few days — a fix is already available for all of them.
CVE-2026-13353 — Code Execution in WP Ultimate CSV Importer (high)
The WP Ultimate CSV Importer plugin contains a route to code execution by a logged-in user with the
lowest privileges in all versions up to and including 8.0.1. The plugin registers several AJAX
actions (install_addon, saveMappedFields, StartImport) without a capability check, and the
security token intended for the admin area is readable by any logged-in user who can open an admin
page. A user with the lowest role (Subscriber) can thereby install the bundled WooCommerce import
add-on, then persist attacker-defined PHP expressions via the MappedFields parameter and have them
executed on the next import via the internal meta-value routine using eval(). This runs arbitrary
PHP on the server, leading to full takeover of the site and hosting account. The National
Vulnerability Database assigns a CVSS score of 8.8, classifies the flaw as high and assigns it to
weakness class CWE-94 (improper control of code generation). The vulnerability is fixed in version
8.0.2, to which operators should update without delay.
Sources: National Vulnerability Database — CVE-2026-13353 · WP Ultimate CSV Importer — plugin directory
CVE-2026-15338 — Local File Inclusion in LA-Studio Element Kit (high)
The LA-Studio Element Kit for Elementor extension plugin, in use on more than 10,000 websites,
contains a local file inclusion in all versions up to and including 1.6.1. The template-loading
routine builds an include path from a user-supplied template “type” and passes it through a function
that merely unifies directory separators but neither resolves nor rejects ”../” sequences. The
intended extension check is ineffective because the calling code appends the .php extension
itself — so a traversal value without an extension passes the check. A logged-in user with mere
Contributor privileges can thereby make the plugin include and execute any .php file already on
the server; if the attacker can also drop a file of their own, this can be escalated to remote code
execution. The National Vulnerability Database assigns a CVSS score of 7.5, classifies the flaw as
high and assigns it to weakness class CWE-98 (improper control of a filename in an include
statement); attack complexity is rated high. The vulnerability is fixed in version 1.6.2, to which
operators should update without delay.
Sources: National Vulnerability Database — CVE-2026-15338 · CVE Record — CVE-2026-15338
CVE-2026-13114 — Unauthenticated Cross-Site Scripting in Motors (high)
The widely used Motors – Car Dealership & Classified Listings plugin contains a login-free stored cross-site scripting flaw in all versions up to and including 1.4.112. Two user-controlled fields — the comment content and the profile bio field — are neither sanitized on input nor escaped on output, so arbitrary HTML and JavaScript can be persisted. Because submitting requires no login, an attacker without an account can plant a payload that is then executed in the browser of anyone who views the affected page, including a logged-in administrator. Because the scope is changed, the code can act beyond the plugin’s own context: from theft of a session and actions in the victim’s name to redirection to attacker-controlled sites. The National Vulnerability Database assigns a CVSS score of 7.2, classifies the flaw as high and assigns it to weakness class CWE-79 (cross-site scripting). The vulnerability is fixed in version 1.4.113, to which operators should update without delay.
Sources: National Vulnerability Database — CVE-2026-13114 · Wordfence — Motors
CVE-2026-9017 — Unauthenticated Email Manipulation in NEX-Forms (medium)
The NEX-Forms – Ultimate Forms Plugin contains a login-free missing authorization check in all
versions up to and including 9.2.2. The AJAX action nf_send_nf_email is registered without a
capability or ownership check and is therefore reachable by unauthenticated requests as well. An
attacker can thereby overwrite the stored email addresses of any saved form entry — including
someone else’s — and then trigger a send with those attacker-chosen values. This makes it possible to
redirect notifications to attacker-controlled addresses or to abuse the plugin’s send routine to
dispatch attacker-defined messages. The National Vulnerability Database assigns a CVSS score of 5.3,
classifies the flaw as medium and assigns it to weakness class CWE-862 (missing authorization). The
vulnerability is fixed in version 9.2.3, to which operators should update without delay.
Sources: National Vulnerability Database — CVE-2026-9017
Not sure whether you’re affected? Get in touch.
This advisory is provided for security awareness. The official notices from the respective vendor and the sources linked above always take precedence.