Skip to content
jproxx
← Back to the blog

Security Bulletin for 12 July 2026: Code Execution in WP Ultimate CSV Importer, File Inclusion in LA-Studio Element Kit, Cross-Site Scripting in Motors and Email Manipulation in NEX-Forms

12 July 2026 · jproxx Security

This is our daily security roundup, in which we review the published vulnerabilities and pick out those that genuinely matter for operating WordPress websites, online shops and PHP applications. Every statement in this bulletin has been checked against its underlying primary source, which is linked at the end of each section. Over the weekend, publications are quieter for our audience; the entries genuinely reported on 12 July mostly concern small, little-used projects. We therefore pick out the four most consequential WordPress plugin flaws of the past few days — a fix is already available for all of them.

CVE-2026-13353 — Code Execution in WP Ultimate CSV Importer (high)

The WP Ultimate CSV Importer plugin contains a route to code execution by a logged-in user with the lowest privileges in all versions up to and including 8.0.1. The plugin registers several AJAX actions (install_addon, saveMappedFields, StartImport) without a capability check, and the security token intended for the admin area is readable by any logged-in user who can open an admin page. A user with the lowest role (Subscriber) can thereby install the bundled WooCommerce import add-on, then persist attacker-defined PHP expressions via the MappedFields parameter and have them executed on the next import via the internal meta-value routine using eval(). This runs arbitrary PHP on the server, leading to full takeover of the site and hosting account. The National Vulnerability Database assigns a CVSS score of 8.8, classifies the flaw as high and assigns it to weakness class CWE-94 (improper control of code generation). The vulnerability is fixed in version 8.0.2, to which operators should update without delay.

Sources: National Vulnerability Database — CVE-2026-13353 · WP Ultimate CSV Importer — plugin directory

CVE-2026-15338 — Local File Inclusion in LA-Studio Element Kit (high)

The LA-Studio Element Kit for Elementor extension plugin, in use on more than 10,000 websites, contains a local file inclusion in all versions up to and including 1.6.1. The template-loading routine builds an include path from a user-supplied template “type” and passes it through a function that merely unifies directory separators but neither resolves nor rejects ”../” sequences. The intended extension check is ineffective because the calling code appends the .php extension itself — so a traversal value without an extension passes the check. A logged-in user with mere Contributor privileges can thereby make the plugin include and execute any .php file already on the server; if the attacker can also drop a file of their own, this can be escalated to remote code execution. The National Vulnerability Database assigns a CVSS score of 7.5, classifies the flaw as high and assigns it to weakness class CWE-98 (improper control of a filename in an include statement); attack complexity is rated high. The vulnerability is fixed in version 1.6.2, to which operators should update without delay.

Sources: National Vulnerability Database — CVE-2026-15338 · CVE Record — CVE-2026-15338

CVE-2026-13114 — Unauthenticated Cross-Site Scripting in Motors (high)

The widely used Motors – Car Dealership & Classified Listings plugin contains a login-free stored cross-site scripting flaw in all versions up to and including 1.4.112. Two user-controlled fields — the comment content and the profile bio field — are neither sanitized on input nor escaped on output, so arbitrary HTML and JavaScript can be persisted. Because submitting requires no login, an attacker without an account can plant a payload that is then executed in the browser of anyone who views the affected page, including a logged-in administrator. Because the scope is changed, the code can act beyond the plugin’s own context: from theft of a session and actions in the victim’s name to redirection to attacker-controlled sites. The National Vulnerability Database assigns a CVSS score of 7.2, classifies the flaw as high and assigns it to weakness class CWE-79 (cross-site scripting). The vulnerability is fixed in version 1.4.113, to which operators should update without delay.

Sources: National Vulnerability Database — CVE-2026-13114 · Wordfence — Motors

CVE-2026-9017 — Unauthenticated Email Manipulation in NEX-Forms (medium)

The NEX-Forms – Ultimate Forms Plugin contains a login-free missing authorization check in all versions up to and including 9.2.2. The AJAX action nf_send_nf_email is registered without a capability or ownership check and is therefore reachable by unauthenticated requests as well. An attacker can thereby overwrite the stored email addresses of any saved form entry — including someone else’s — and then trigger a send with those attacker-chosen values. This makes it possible to redirect notifications to attacker-controlled addresses or to abuse the plugin’s send routine to dispatch attacker-defined messages. The National Vulnerability Database assigns a CVSS score of 5.3, classifies the flaw as medium and assigns it to weakness class CWE-862 (missing authorization). The vulnerability is fixed in version 9.2.3, to which operators should update without delay.

Sources: National Vulnerability Database — CVE-2026-9017

Not sure whether you’re affected? Get in touch.


This advisory is provided for security awareness. The official notices from the respective vendor and the sources linked above always take precedence.