Security Bulletin — July 17, 2026: Two Critical Unauthenticated Takeover Flaws in Bricksforge and AI Copilot — Plus Privilege Escalation and Shop Payment Fraud
17 July 2026 · jproxx Security
This is our daily security overview, in which we review the published vulnerabilities and highlight those that are actually relevant for the operation of WordPress websites, online shops, and PHP applications. Every statement in this bulletin has been verified against the underlying primary source and linked at the end of the respective section. July 17 stood out for an unusually dense run of new entries in the National Vulnerability Database — from which we have selected the four that weigh most heavily for our audience. At the top sit two critical flaws, each exploitable without any authentication to fully take over a website: one in the builder companion Bricksforge, one in the AI assistant AI Copilot. Alongside them are a privilege escalation in a widely deployed registration and membership plugin and a forged payment callback in the PhonePe gateway for WooCommerce. For all four cases a corrected version is already available — so the most urgent action of the day is simply installing the updates. There was no new Shopware advisory and no new PHP core vulnerability on this day.
CVE-2026-14956 — Unauthenticated Admin Takeover in Bricksforge (critical)
The plugin Bricksforge, a popular extension for the Bricks theme builder, exhibits a
serious vulnerability in its Pro Forms module across all versions up to and including
3.1.8.6. The user-registration action does not adequately validate the fieldIds
parameter submitted by the form. Because attacker-supplied field identifiers are taken
into the trusted list of permitted form fields without checking, additional fields can be
slipped into the registration request — among them the field for the WordPress user role.
In practice this means: an attacker without any account submits a crafted registration
request to a publicly reachable Pro Forms element configured for user registration and,
in doing so, creates a new account directly with administrator privileges. This grants
full control of the WordPress instance. The only prerequisite for exploitation is that
such a publicly accessible registration form with the User Registration action exists on
the site. The National Vulnerability Database assigns a CVSS score of 9.8
(vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), rates the flaw as critical, and classifies
it under the vulnerability class CWE-269 (Improper Privilege Management). The vendor fixed
the issue in version 3.1.8.7; operators should update to that or a later version without
delay. Until the update is installed, it is advisable to disable affected public
registration forms.
Sources: National Vulnerability Database — CVE-2026-14956 · CVE Threat Intelligence — CVE-2026-14956
CVE-2026-9810 — Authentication Bypass in the AI Copilot Plugin (critical)
The WordPress plugin AI Copilot contains a serious weakness in its OAuth integration
across all versions before 1.5.4. The plugin issues access tokens through a publicly
reachable OAuth flow but then never binds the issued token to a specific WordPress user
identity. The code that validates incoming tokens accepts any structurally valid token as
a fully privileged administrator session instead of mapping it to the account that
actually authenticated. As a result, no per-user authorization check takes place before
the administrator-scoped Model Context Protocol (MCP) tools the plugin exposes are invoked.
An attacker who merely walks through the public OAuth flow thus obtains a token the plugin
treats as an administrator session and can drive the exposed MCP tools with administrator
privileges — including creating arbitrary users and escalating roles. The upshot is a full
site takeover, with confidentiality, integrity, and availability all affected. The National
Vulnerability Database assigns a CVSS score of 9.8
(vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), rates the vulnerability as critical, and
classifies it under CWE-269. The vendor closed the flaw in version 1.5.4; an update to that
or a later version is strongly advised.
Sources: National Vulnerability Database — CVE-2026-9810 · INCIBE-CERT — CVE-2026-9810
CVE-2026-11961 — Privilege Escalation in User Registration & Membership (high)
The plugin User Registration & Membership by WPEverest — deployed, according to the
vendor’s listing, on a six-figure number of installations — processes the membership tier
chosen by the visitor during registration without verifying server-side that the tier is
one the form actually offers. Because the chosen tier maps directly to a WordPress role and
is trusted from client input, an attacker can register while specifying any published tier
— including one bound to a high-privilege role such as administrator, provided such a tier
exists on the site. The underlying cause is a missing allowlist check of the tier or role
parameter in the unauthenticated registration flow (CWE-269, Improper Privilege Management).
Where a published tier coupled to a privileged role exists on the site, the attacker gains
that role directly and with it full control — from installing plugins and themes through
executing code to accessing all data. The National Vulnerability Database assigns a CVSS
score of 8.1 (vector AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) and rates the vulnerability as
high; the elevated attack complexity (AC:H) reflects the precondition that a suitably
privileged tier must be published. The vendor fixed the issue in version 5.2.3; an update
should be installed promptly.
Sources: National Vulnerability Database — CVE-2026-11961
CVE-2026-11575 — Forged Payment Callback in the PhonePe Gateway for WooCommerce (high)
The payment plugin PhonePe Payment Solutions for WooCommerce validates incoming payment
notifications by computing a signature over the request body using a shared secret. On
sites configured through the plugin’s current setup flow, however, that signing secret is
stored empty. As a result, the supposedly expected signature collapses to an unkeyed hash
of the request body — a value any external party can compute without knowing any secret.
The callback endpoint consequently accepts forged notifications, because in effect no keyed
verification of authenticity remains. An unauthenticated attacker can therefore craft a
fabricated “payment successful” callback and send it to the shop, which the plugin accepts
as genuine — whereupon WooCommerce marks an unpaid order as paid and completed. This enables
the fulfillment of goods or services without any real payment, i.e. direct financial fraud
against the shop operator. The National Vulnerability Database assigns a CVSS score of 7.5
(vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N), rates the vulnerability as high, and
classifies it under CWE-862 (Missing Authorization). The vendor corrected the check in
version 3.1.0; shop operators should update promptly and, after the update, confirm that
the integration’s signing secret is properly configured.
Sources: National Vulnerability Database — CVE-2026-11575 · INCIBE-CERT — CVE-2026-11575
Unsure whether you are affected? Get in touch.
This notice serves security-awareness purposes. The official advisories of the respective vendor and the primary sources linked above are always authoritative.