Skip to content
jproxx
← Back to the blog

Security Bulletin — July 17, 2026: Two Critical Unauthenticated Takeover Flaws in Bricksforge and AI Copilot — Plus Privilege Escalation and Shop Payment Fraud

17 July 2026 · jproxx Security

This is our daily security overview, in which we review the published vulnerabilities and highlight those that are actually relevant for the operation of WordPress websites, online shops, and PHP applications. Every statement in this bulletin has been verified against the underlying primary source and linked at the end of the respective section. July 17 stood out for an unusually dense run of new entries in the National Vulnerability Database — from which we have selected the four that weigh most heavily for our audience. At the top sit two critical flaws, each exploitable without any authentication to fully take over a website: one in the builder companion Bricksforge, one in the AI assistant AI Copilot. Alongside them are a privilege escalation in a widely deployed registration and membership plugin and a forged payment callback in the PhonePe gateway for WooCommerce. For all four cases a corrected version is already available — so the most urgent action of the day is simply installing the updates. There was no new Shopware advisory and no new PHP core vulnerability on this day.

CVE-2026-14956 — Unauthenticated Admin Takeover in Bricksforge (critical)

The plugin Bricksforge, a popular extension for the Bricks theme builder, exhibits a serious vulnerability in its Pro Forms module across all versions up to and including 3.1.8.6. The user-registration action does not adequately validate the fieldIds parameter submitted by the form. Because attacker-supplied field identifiers are taken into the trusted list of permitted form fields without checking, additional fields can be slipped into the registration request — among them the field for the WordPress user role. In practice this means: an attacker without any account submits a crafted registration request to a publicly reachable Pro Forms element configured for user registration and, in doing so, creates a new account directly with administrator privileges. This grants full control of the WordPress instance. The only prerequisite for exploitation is that such a publicly accessible registration form with the User Registration action exists on the site. The National Vulnerability Database assigns a CVSS score of 9.8 (vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), rates the flaw as critical, and classifies it under the vulnerability class CWE-269 (Improper Privilege Management). The vendor fixed the issue in version 3.1.8.7; operators should update to that or a later version without delay. Until the update is installed, it is advisable to disable affected public registration forms.

Sources: National Vulnerability Database — CVE-2026-14956 · CVE Threat Intelligence — CVE-2026-14956

CVE-2026-9810 — Authentication Bypass in the AI Copilot Plugin (critical)

The WordPress plugin AI Copilot contains a serious weakness in its OAuth integration across all versions before 1.5.4. The plugin issues access tokens through a publicly reachable OAuth flow but then never binds the issued token to a specific WordPress user identity. The code that validates incoming tokens accepts any structurally valid token as a fully privileged administrator session instead of mapping it to the account that actually authenticated. As a result, no per-user authorization check takes place before the administrator-scoped Model Context Protocol (MCP) tools the plugin exposes are invoked. An attacker who merely walks through the public OAuth flow thus obtains a token the plugin treats as an administrator session and can drive the exposed MCP tools with administrator privileges — including creating arbitrary users and escalating roles. The upshot is a full site takeover, with confidentiality, integrity, and availability all affected. The National Vulnerability Database assigns a CVSS score of 9.8 (vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), rates the vulnerability as critical, and classifies it under CWE-269. The vendor closed the flaw in version 1.5.4; an update to that or a later version is strongly advised.

Sources: National Vulnerability Database — CVE-2026-9810 · INCIBE-CERT — CVE-2026-9810

CVE-2026-11961 — Privilege Escalation in User Registration & Membership (high)

The plugin User Registration & Membership by WPEverest — deployed, according to the vendor’s listing, on a six-figure number of installations — processes the membership tier chosen by the visitor during registration without verifying server-side that the tier is one the form actually offers. Because the chosen tier maps directly to a WordPress role and is trusted from client input, an attacker can register while specifying any published tier — including one bound to a high-privilege role such as administrator, provided such a tier exists on the site. The underlying cause is a missing allowlist check of the tier or role parameter in the unauthenticated registration flow (CWE-269, Improper Privilege Management). Where a published tier coupled to a privileged role exists on the site, the attacker gains that role directly and with it full control — from installing plugins and themes through executing code to accessing all data. The National Vulnerability Database assigns a CVSS score of 8.1 (vector AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) and rates the vulnerability as high; the elevated attack complexity (AC:H) reflects the precondition that a suitably privileged tier must be published. The vendor fixed the issue in version 5.2.3; an update should be installed promptly.

Sources: National Vulnerability Database — CVE-2026-11961

CVE-2026-11575 — Forged Payment Callback in the PhonePe Gateway for WooCommerce (high)

The payment plugin PhonePe Payment Solutions for WooCommerce validates incoming payment notifications by computing a signature over the request body using a shared secret. On sites configured through the plugin’s current setup flow, however, that signing secret is stored empty. As a result, the supposedly expected signature collapses to an unkeyed hash of the request body — a value any external party can compute without knowing any secret. The callback endpoint consequently accepts forged notifications, because in effect no keyed verification of authenticity remains. An unauthenticated attacker can therefore craft a fabricated “payment successful” callback and send it to the shop, which the plugin accepts as genuine — whereupon WooCommerce marks an unpaid order as paid and completed. This enables the fulfillment of goods or services without any real payment, i.e. direct financial fraud against the shop operator. The National Vulnerability Database assigns a CVSS score of 7.5 (vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N), rates the vulnerability as high, and classifies it under CWE-862 (Missing Authorization). The vendor corrected the check in version 3.1.0; shop operators should update promptly and, after the update, confirm that the integration’s signing secret is properly configured.

Sources: National Vulnerability Database — CVE-2026-11575 · INCIBE-CERT — CVE-2026-11575

Unsure whether you are affected? Get in touch.


This notice serves security-awareness purposes. The official advisories of the respective vendor and the primary sources linked above are always authoritative.