WordPress (Multi-Plugin) Vulnerability Rollup (2026-06-25)
Four CVEs landed in the 2026-06-25 plugin rollup, including a privilege escalation (CVE-2026-8157, CVSS 8.8) and an account-takeover chain in Ultimate Member affecting up to 200,000 installations.

CVE Breakdown
CVE-2026-8157 targets Vitepos with a privilege escalation to WordPress administrator, rated 8.8. The vector is viable on any instance where external user registration is open or where third-party roles exist. Patching closes the gap; access control reduces the blast radius until the patch lands.
CVE-2026-4259 covers Ultimate WooCommerce Auction Pro at CVSS 7.1, classified as reflected XSS. Reflected XSS requires a victim to follow a crafted link; mitigation depends on input sanitization at the application layer and Content Security Policy headers at the web server.
CVE-2026-6858 hits Transbank Webpay at CVSS 7.1, stored XSS with no authentication required at the injection stage. Stored payloads execute on every page render that surfaces the affected field, making this the highest-probability vector for automated exploitation in the batch.
Ultimate Member: The 200k-Site Chain
The Ultimate Member disclosure carries an 8.8 rating and affects all versions up to and including 2.11.4. Three logic flaws chain into account takeover:
1. Directory validation accepts attacker-controlled post IDs, redirecting member-directory rendering to attacker-supplied content.
2. Protected metadata restrictions are bypassable through the same request flow.
3. Field-name validation on user card rendering fails, exposing internal fields including live password reset URLs.
An attacker holding contributor-level access can request these reset links for any account in the directory, including administrators. Reset links function as short-lived login credentials; disclosure equals full account compromise.
Patched in 2.12.0 with stricter directory and field validation.
Minimum Verification on Every Site
1. `wp plugin list --allow-root` — confirm running versions: Vitepos (latest), Ultimate WooCommerce Auction Pro (latest), Transbank Webpay (latest), Ultimate Member ≥ 2.12.0.
2. Audit user roles. Open contributor or author registration widens the Ultimate Member exploit window; prioritize that patch.
3. Scan Transbank Webpay transaction logs and order notes for injected markup in user-supplied fields.
4. Confirm CSP headers on the web server. `Content-Security-Policy: default-src 'self'` is the minimum baseline.
5. Review password reset issuance logs for anomalous token requests against Ultimate Member directory endpoints.
Baseline post-patch: zero Vitepos admin-role grants from non-admin sessions, no exposed reset URLs in directory response payloads, no stored payloads in Transbank Webpay fields, CSP headers present on all front-end routes.
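The version check in step 1 above, as an added shell example that is not part of the rollup or any plugin vendor's code: it parses the CSV form of `wp plugin list`, flags Ultimate Member below 2.12.0, and flags a pending update on the other three plugins (the page gives no fixed version for them, so "latest" is taken as WP-CLI reporting no update). The plugin slugs are assumed and the sample CSV is constructed; feed real output by replacing SAMPLE_PLUGINS.

```shell
#!/bin/sh
# Added example, not from the rollup: check `wp plugin list` output against the
# verification list. Slugs are assumed; SAMPLE_PLUGINS is a constructed sample of
#   wp plugin list --fields=name,version,update --format=csv --allow-root
SAMPLE_PLUGINS='name,version,update
ultimate-member,2.11.4,available
vitepos,1.0.0,available
example-plugin,1.4.2,none'
# version_ge A B: succeed when dotted numeric version A is at least B
version_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, ".")
    k = (n > m) ? n : m
    for (i = 1; i <= k; i++) {
      p = (i <= n) ? x[i] + 0 : 0; q = (i <= m) ? y[i] + 0 : 0
      if (p > q) exit 0; if (p < q) exit 1
    }
    exit 0
  }'
}
# plugin_field CSV SLUG COL: print column COL of SLUG's row (empty when absent)
plugin_field() {
  printf '%s\n' "$1" | awk -F, -v s="$2" -v c="$3" 'NR > 1 && $1 == s { print $c }'
}
# check_min CSV SLUG MIN: fail only when SLUG is installed below MIN
check_min() {
  v=$(plugin_field "$1" "$2" 2)
  [ -n "$v" ] || { echo "INFO  $2 not installed"; return 0; }
  if version_ge "$v" "$3"; then echo "OK    $2 $v (>= $3)"; return 0; fi
  echo "ALERT $2 $v is below patched release $3"; return 1
}
# check_latest CSV SLUG: fail when WP-CLI reports a pending update for SLUG
check_latest() {
  u=$(plugin_field "$1" "$2" 3)
  [ -n "$u" ] || { echo "INFO  $2 not installed"; return 0; }
  [ "$u" = "none" ] && { echo "OK    $2 at latest release"; return 0; }
  echo "ALERT $2 has an update pending ($u)"; return 1
}
# run_checks CSV: Ultimate Member against 2.12.0, the other three against "latest"
run_checks() {
  rc=0
  check_min "$1" ultimate-member 2.12.0 || rc=1
  for s in vitepos ultimate-woocommerce-auction-pro transbank-webpay; do
    check_latest "$1" "$s" || rc=1
  done
  return $rc
}
run_checks "$SAMPLE_PLUGINS" || echo "FAIL: patch before closing the ticket"
```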