Security Advisory - Published 2026-06-11 - WordPress

WordPress plugin CVEs: admin takeover, SQL injection, and backup RPC checks

This batch is mainly for WordPress site owners and agencies. The urgent checks are Doctreat Core registrations, the Newsletters subscriber parameter, and UpdraftPlus sites that were connected to UpdraftCentral. The XSS items matter too, but the first three can turn into account takeover or database exposure if they are left unpatched.

Defensive scope: this page covers plugin inventory, version checks, admin-account review, database exposure indicators, and cleanup. It does not include request samples, bypass strings, or instructions for testing sites you do not own.

What to check first

CVE             | Plugin           | Affected versions | Why it matters
----------------|------------------|-------------------|----------------
CVE-2025-6254   | Doctreat Core    | Up to 1.6.8       | Unauthenticated registration may create administrator-level accounts.
CVE-2026-3018   | Newsletters      | Up to 4.13        | Unauthenticated SQL injection can expose database content.
CVE-2026-10795  | UpdraftPlus      | Up to 1.26.4      | Authentication bypass affects sites previously connected to UpdraftCentral.
CVE-2026-49069  | WPZOOM Portfolio | Up to 1.4.21      | Reflected XSS. Patch and review editor/admin sessions.
CVE-2023-33999  | WP Mail Log      | Up to 1.0.2       | DOM-based XSS in a mail-log plugin can expose admin session context.

10-minute self-check

Find installed versions

wp plugin list --fields=name,version,status | egrep 'doctreat|newsletters|updraftplus|wpzoom|wp-mail-log'

find wp-content/plugins -maxdepth 2 -iname '*.php' -print | egrep 'doctreat|newsletters|updraft|wpzoom|mail-log'

If WP-CLI is not available, check the WordPress admin plugin screen and confirm the plugin folder names on disk. A disabled plugin can still matter if the vulnerable code remains reachable through old files or custom includes.
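The following script is an added example, not part of this advisory: it compares the versions that WP-CLI reports (wp plugin list --format=csv) against the "affected up to" ceilings in the table above using natural version ordering, so a 1.6.10 build is not mistaken for a vulnerable 1.6.8. The plugin slugs and the sample CSV rows are assumptions, not values taken from a real site.

```shell
#!/usr/bin/env bash
# Added example (not from the advisory): flag plugins at or below the
# advisory's "affected up to" ceiling. Plugin slugs below are assumed.
# Slug -> highest affected version, taken from the table above.
affected_ceiling() {
  case "$1" in
    doctreat-core)    echo "1.6.8"  ;;   # CVE-2025-6254
    newsletters)      echo "4.13"   ;;   # CVE-2026-3018
    updraftplus)      echo "1.26.4" ;;   # CVE-2026-10795
    wpzoom-portfolio) echo "1.4.21" ;;   # CVE-2026-49069
    wp-mail-log)      echo "1.0.2"  ;;   # CVE-2023-33999
    *)                return 1 ;;        # not in this advisory
  esac
}
# version_le A B: succeeds when A <= B in natural version order (sort -V), so
# 1.6.10 counts as newer than 1.6.8 where a plain string compare would not.
version_le() {
  [ "$1" = "$2" ] && return 0
  [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$1" ]
}

# check_plugin SLUG VERSION: prints one status line; exit 0 only when affected.
check_plugin() {
  local slug="$1" ver="$2" ceiling
  ceiling=$(affected_ceiling "$slug") || { echo "UNLISTED $slug $ver"; return 2; }
  if version_le "$ver" "$ceiling"; then
    echo "AFFECTED $slug $ver (<= $ceiling)"
  else
    echo "PATCHED $slug $ver (> $ceiling)"; return 1
  fi
}

# scan_plugin_list: reads "name,version,status" CSV rows on stdin, as printed by
# `wp plugin list --fields=name,version,status --format=csv`; echoes affected rows.
scan_plugin_list() {
  local found=1 name ver status line
  while IFS=, read -r name ver status; do
    [ "$name" = "name" ] && continue           # skip the CSV header row
    if line=$(check_plugin "$name" "$ver"); then echo "$line"; found=0; fi
  done
  return $found
}

# Constructed sample (not from a real site) so the script runs stand-alone.
SAMPLE_PLUGIN_LIST='name,version,status
doctreat-core,1.6.8,active
newsletters,4.14,active
updraftplus,1.26.4,inactive
akismet,5.3,active'
printf '%s\n' "$SAMPLE_PLUGIN_LIST" | scan_plugin_list
```

On a real site, pipe the output of wp plugin list --fields=name,version,status --format=csv into scan_plugin_list instead of the sample; an inactive plugin is still reported, matching the note above that disabled code can remain reachable.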

Review administrator accounts

wp user list --role=administrator --fields=ID,user_login,user_email,user_registered
wp user list --fields=ID,user_login,user_email,roles,user_registered | sort

For Doctreat Core and UpdraftPlus, the first sign may be a new admin account, a changed email address, or an unexpected login around the disclosure window. Check real staff names against the list before deleting anything.

Check plugin-specific risk areas

  • Doctreat Core: review recent registrations, role changes, and any "subscriber" or "doctor" account that suddenly gained administrator capability.
  • Newsletters: check access logs around subscriber actions and database error logs around suspicious slow queries.
  • UpdraftPlus: confirm whether the site was connected to UpdraftCentral, then review backup, restore, plugin upload, and remote communication logs.
  • WPZOOM Portfolio / WP Mail Log: patch, clear cached admin pages, and review whether admin users opened untrusted links while logged in.

Safe fix path

  1. Back up the database and files before changing production plugins.
  2. Update the affected plugin or remove it if no fixed build is available.
  3. Force password resets for admins after any account-takeover signal.
  4. Rotate application passwords, backup-service tokens, and UpdraftCentral connections if UpdraftPlus was exposed.
  5. Review admin users, recently installed plugins, theme files, and uploads for persistence.
  6. Keep firewall rules and logs, but do not rely on a WAF as the only fix.

When this becomes a repair job

Ask for Ping7 CVE Repair if you find an unknown admin, unexpected plugin activation, database errors tied to Newsletters, or UpdraftPlus remote actions you cannot explain. Ping7 repair work is limited to sites you own or client-approved environments.

References