Skip to content
jproxx
← Back to the blog

Security Bulletin for 14 July 2026: Critical RCE in Newsletters, Stored XSS in News Kit Addons and WP Customer Area

14 July 2026 · jproxx Security

This is our daily security roundup, in which we review the published vulnerabilities and pick out those that genuinely matter for operating WordPress websites, online shops and PHP applications. Every statement in this bulletin has been checked against its underlying primary source, which is linked at the end of each section. July 14 brought a disproportionately large number of WordPress-related entries into the National Vulnerability Database in a single day — including a critical RCE and two Stored XSS entries that both stem from the same underlying weakness category (insufficient input validation).

CVE-2026-12583 — PHP Object Injection in Newsletters Leading to Remote Code Execution (high)

The Newsletters plugin by Tribulant Software contains an unauthenticated deserialization of unsanitized user input in all versions before 4.15. The plugin reads data from public forms and passes it to a PHP deserialization routine without sufficient validation. An attacker can submit a malicious serialized PHP object through a public form that, via a property-oriented programming chain bundled with the Newsletters plugin, is redirected into arbitrary file operations and ultimately into execution of arbitrary PHP code on the web server. The attack requires neither authentication nor user interaction — a network-reachable attacker can exploit the flaw entirely remotely. The National Vulnerability Database assigns a CVSS score of 8.1 (vector AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H), classifies the flaw as high and assigns it to weakness class CWE-502 (Deserialization of Untrusted Data). A corrected version is available from version 4.15 onwards; operators should update the plugin to 4.15 or higher without delay. Until a patch is applied, the public form functionality of the plugin should be disabled or restricted via an access rule.

Sources: National Vulnerability Database — CVE-2026-12583 · GitHub Advisory — GHSA-cxqr-jhpf-63mm

CVE-2026-11390 — Stored XSS in News Kit Addons for Elementor (medium)

The Elementor add-on News Kit Addons for Elementor contains a Stored Cross-Site-Scripting vulnerability in all versions up to and including 1.4.6 in the “Site Logo Title” and “Single Author Box” widgets. The insufficient sanitization and escaping of user inputs in these widgets allows an authenticated attacker with Contributor privileges or higher to inject arbitrary JavaScript code into WordPress pages by crafting manipulated elementor_ajax AJAX requests that bypass the client-side SELECT control restrictions. The stored payload executes in the browser of every visitor who views the affected page. The National Vulnerability Database assigns a CVSS score of 6.4 (vector AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N), classifies the flaw as medium and assigns it to weakness class CWE-79 (Stored XSS). No corrected version was named as of writing; operators should update the plugin to a newer version once available and restrict Contributor access to trusted users only.

Sources: National Vulnerability Database — CVE-2026-11390 · CVE Record — CVE-2026-11390

CVE-2026-7640 — Stored XSS in WP Customer Area (medium)

The WP Customer Area plugin also contains a Stored Cross-Site-Scripting vulnerability in all versions up to and including 8.3.5. The type attribute parameter of the customer-area-protected-content shortcode is not sufficiently sanitized or escaped, enabling an authenticated attacker with Contributor privileges or higher to embed JavaScript code into protected customer-area pages. Unlike CVE-2026-11390, this vulnerability does not require intercepting and modifying AJAX requests — the malicious value can be entered directly through the normal shortcode attribute. The National Vulnerability Database assigns a CVSS score of 6.4 (vector AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N), classifies the flaw as medium and assigns it to weakness class CWE-79 (Stored XSS). A corrected version is available from version 8.3.6 onwards; operators should update the plugin without delay and restrict Contributor access to trusted users only.

Sources: National Vulnerability Database — CVE-2026-7640 · CVE Record — CVE-2026-7640

Not sure whether you’re affected? Get in touch.


This advisory is provided for security awareness. The official notices from the respective vendor and the sources linked above always take precedence.