Security Bulletin for 14 July 2026: Critical RCE in Newsletters, Stored XSS in News Kit Addons and WP Customer Area
14 July 2026 · jproxx Security
This is our daily security roundup, in which we review the published vulnerabilities and pick out those that genuinely matter for operating WordPress websites, online shops and PHP applications. Every statement in this bulletin has been checked against its underlying primary source, which is linked at the end of each section. July 14 brought a disproportionately large number of WordPress-related entries into the National Vulnerability Database in a single day — including a critical RCE and two Stored XSS entries that both stem from the same underlying weakness category (insufficient input validation).
CVE-2026-12583 — PHP Object Injection in Newsletters Leading to Remote Code Execution (high)
The Newsletters plugin by Tribulant Software contains an unauthenticated deserialization of
unsanitized user input in all versions before 4.15. The plugin reads data from public forms
and passes it to a PHP deserialization routine without sufficient validation. An attacker can
submit a malicious serialized PHP object through a public form that, via a property-oriented
programming chain bundled with the Newsletters plugin, is redirected into arbitrary file
operations and ultimately into execution of arbitrary PHP code on the web server. The attack
requires neither authentication nor user interaction — a network-reachable attacker can
exploit the flaw entirely remotely. The National Vulnerability Database assigns a CVSS score
of 8.1 (vector AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H), classifies the flaw as high and
assigns it to weakness class CWE-502 (Deserialization of Untrusted Data). A corrected
version is available from version 4.15 onwards; operators should update the plugin to 4.15
or higher without delay. Until a patch is applied, the public form functionality of the
plugin should be disabled or restricted via an access rule.
Sources: National Vulnerability Database — CVE-2026-12583 · GitHub Advisory — GHSA-cxqr-jhpf-63mm
CVE-2026-11390 — Stored XSS in News Kit Addons for Elementor (medium)
The Elementor add-on News Kit Addons for Elementor contains a Stored Cross-Site-Scripting
vulnerability in all versions up to and including 1.4.6 in the “Site Logo Title” and “Single
Author Box” widgets. The insufficient sanitization and escaping of user inputs in these
widgets allows an authenticated attacker with Contributor privileges or higher to inject
arbitrary JavaScript code into WordPress pages by crafting manipulated
elementor_ajax AJAX requests that bypass the client-side SELECT control restrictions. The
stored payload executes in the browser of every visitor who views the affected page. The
National Vulnerability Database assigns a CVSS score of 6.4 (vector
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N), classifies the flaw as medium and assigns it to
weakness class CWE-79 (Stored XSS). No corrected version was named as of writing; operators
should update the plugin to a newer version once available and restrict Contributor access
to trusted users only.
Sources: National Vulnerability Database — CVE-2026-11390 · CVE Record — CVE-2026-11390
CVE-2026-7640 — Stored XSS in WP Customer Area (medium)
The WP Customer Area plugin also contains a Stored Cross-Site-Scripting vulnerability in all
versions up to and including 8.3.5. The type attribute parameter of the
customer-area-protected-content shortcode is not sufficiently sanitized or escaped, enabling
an authenticated attacker with Contributor privileges or higher to embed JavaScript code into
protected customer-area pages. Unlike CVE-2026-11390, this vulnerability does not require
intercepting and modifying AJAX requests — the malicious value can be entered directly through
the normal shortcode attribute. The National Vulnerability Database assigns a CVSS score of
6.4 (vector AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N), classifies the flaw as medium and
assigns it to weakness class CWE-79 (Stored XSS). A corrected version is available from
version 8.3.6 onwards; operators should update the plugin without delay and restrict
Contributor access to trusted users only.
Sources: National Vulnerability Database — CVE-2026-7640 · CVE Record — CVE-2026-7640
Not sure whether you’re affected? Get in touch.
This advisory is provided for security awareness. The official notices from the respective vendor and the sources linked above always take precedence.