Security Advisory - Published 2026-06-11 - WordPress
WordPress plugin CVEs: admin takeover, SQL injection, and backup RPC checks
This batch is mainly for WordPress site owners and agencies. The urgent checks are Doctreat Core registrations, the Newsletters subscriber parameter, and UpdraftPlus sites that were connected to UpdraftCentral. The XSS items matter too, but the first three can turn into account takeover or database exposure if they are left unpatched.
What to check first
| CVE | Plugin | Affected versions | Why it matters |
|---|---|---|---|
| CVE-2025-6254 | Doctreat Core | Up to 1.6.8 | Unauthenticated registration may create administrator-level accounts. |
| CVE-2026-3018 | Newsletters | Up to 4.13 | Unauthenticated SQL injection can expose database content. |
| CVE-2026-10795 | UpdraftPlus | Up to 1.26.4 | Authentication bypass affects sites previously connected to UpdraftCentral. |
| CVE-2026-49069 | WPZOOM Portfolio | Up to 1.4.21 | Reflected XSS. Patch and review editor/admin sessions. |
| CVE-2023-33999 | WP Mail Log | Up to 1.0.2 | DOM-based XSS in a mail-log plugin can expose admin session context. |
10-minute self-check
Find installed versions
```shell
wp plugin list --fields=name,version,status | grep -E 'doctreat|newsletters|updraftplus|wpzoom|wp-mail-log'
find wp-content/plugins -maxdepth 2 -iname '*.php' -print | grep -E 'doctreat|newsletters|updraft|wpzoom|mail-log'
```
If WP-CLI is not available, check the WordPress admin plugin screen and confirm the plugin folder names on disk. A disabled plugin can still matter if the vulnerable code remains reachable through old files or custom includes.
Review administrator accounts
```shell
wp user list --role=administrator --fields=ID,user_login,user_email,user_registered
wp user list --fields=ID,user_login,user_email,roles,user_registered | sort
```
For Doctreat Core and UpdraftPlus, the first sign may be a new admin account, a changed email address, or an unexpected login around the disclosure window. Check real staff names against the list before deleting anything.
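The two command groups above are easy to run but tedious to read by eye across many sites. The following Python script is an added example (not part of this advisory and not code from any of the plugin vendors) that takes the CSV output of the same two WP-CLI commands (`--format=csv` is a standard WP-CLI output option), compares each installed version against the "Up to" ceilings in the table, and lists administrator accounts registered after a date you choose. The plugin slug patterns and the sample CSV are assumptions and constructed data; confirm the real folder names in `wp-content/plugins` before trusting a match.

```python
"""Added triage helper for this advisory: version check and recent-admin check.

Feed it the CSV output of:
  wp plugin list --fields=name,version,status --format=csv
  wp user list --fields=ID,user_login,user_email,roles,user_registered --format=csv
"""
import csv
import io
import re
from datetime import datetime

# Ceilings from the advisory table ("Up to X" means X and every lower version
# is affected). The slug regexes are assumptions about folder names: adjust
# them to what you actually see on disk.
AFFECTED = {
    "CVE-2025-6254":  (r"doctreat", "1.6.8"),
    "CVE-2026-3018":  (r"^newsletters", "4.13"),
    "CVE-2026-10795": (r"updraftplus", "1.26.4"),
    "CVE-2026-49069": (r"wpzoom", "1.4.21"),
    "CVE-2023-33999": (r"mail-log", "1.0.2"),
}


def parse_version(v):
    """Turn '1.26.4', '4.13' or '1.6.8-beta' into a zero-padded tuple so that
    4.13 and 4.13.0 compare equal and suffixes do not break the comparison."""
    m = re.match(r"\d+(\.\d+)*", v.strip())
    parts = [int(p) for p in m.group(0).split(".")] if m else [0]
    while len(parts) < 4:
        parts.append(0)
    return tuple(parts)


def flag_vulnerable_plugins(plugin_csv):
    """Return [(cve, name, version, status)] for every installed plugin whose
    version is at or below the advisory ceiling. Inactive plugins are reported
    too, because old files can still be reachable through custom includes."""
    hits = []
    for row in csv.DictReader(io.StringIO(plugin_csv)):
        for cve, (pattern, ceiling) in AFFECTED.items():
            if re.search(pattern, row["name"], re.I) and \
                    parse_version(row["version"]) <= parse_version(ceiling):
                hits.append((cve, row["name"], row["version"], row["status"]))
    return hits


def flag_recent_admins(user_csv, since):
    """Return logins of administrator accounts registered on or after `since`
    (YYYY-MM-DD). WP-CLI prints multiple roles comma-separated, so split them.
    These are accounts to verify against the staff list, not accounts to delete."""
    cutoff = datetime.strptime(since, "%Y-%m-%d")
    found = []
    for row in csv.DictReader(io.StringIO(user_csv)):
        if "administrator" not in row["roles"].split(","):
            continue
        registered = datetime.strptime(row["user_registered"], "%Y-%m-%d %H:%M:%S")
        if registered >= cutoff:
            found.append(row["user_login"])
    return found


# Constructed sample output, not from a real site.
SAMPLE_PLUGINS = """name,version,status
doctreat-core,1.6.8,active
newsletters,4.13.1,active
updraftplus,1.26.4,inactive
wpzoom-portfolio,1.4.22,active
wp-mail-log,1.0.2,active
"""

SAMPLE_USERS = """ID,user_login,user_email,roles,user_registered
1,owner,owner@example.com,administrator,2021-03-02 10:00:00
7,clinic_editor,editor@example.com,editor,2024-01-15 09:30:00
42,temp_admin,temp@example.net,administrator,2026-06-09 03:14:07
"""

if __name__ == "__main__":
    for cve, name, version, status in flag_vulnerable_plugins(SAMPLE_PLUGINS):
        print(f"{cve}: {name} {version} ({status}) is at or below the affected ceiling")
    for login in flag_recent_admins(SAMPLE_USERS, "2026-06-01"):
        print(f"administrator '{login}' was registered after the cutoff; verify with staff")
```

On the constructed sample the script flags doctreat-core, the inactive updraftplus copy and wp-mail-log, leaves the patched newsletters and WPZOOM builds alone, and names `temp_admin` as an administrator created after the chosen date. Pipe real output in with `wp plugin list --fields=name,version,status --format=csv > plugins.csv` and pass the file contents to the functions; the date cutoff should sit a little before the earliest disclosure you care about, since a takeover can precede public release.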
Check plugin-specific risk areas
- Doctreat Core: review recent registrations, role changes, and any "subscriber" or "doctor" account that suddenly gained administrator capability.
- Newsletters: check access logs around subscriber actions and database error logs around suspicious slow queries.
- UpdraftPlus: confirm whether the site was connected to UpdraftCentral, then review backup, restore, plugin upload, and remote communication logs.
- WPZOOM Portfolio / WP Mail Log: patch, clear cached admin pages, and review whether admin users opened untrusted links while logged in.
Safe fix path
- Back up the database and files before changing production plugins.
- Update the affected plugin or remove it if no fixed build is available.
- Force password resets for admins after any account-takeover signal.
- Rotate application passwords, backup-service tokens, and UpdraftCentral connections if UpdraftPlus was exposed.
- Review admin users, recently installed plugins, theme files, and uploads for persistence.
- Keep firewall rules and logs, but do not rely on a WAF as the only fix.
When this becomes a repair job
Ask for Ping7 CVE Repair if you find an unknown admin, unexpected plugin activation, database errors tied to Newsletters, or UpdraftPlus remote actions you cannot explain. Ping7 repair work is limited to sites you own or client-approved environments.