Radar window: July 11, 2026, 04:20-06:30 UTC. NVD published another high-severity WordPress plugin batch after the prior Fix I.T. Phill July 11 plugin update. This one matters for sites using login/JWT flows, ecommerce customer accounts, booking forms, upload helpers, reservation plugins, and form-entry databases.
CISA KEV did not change during this pass. The active change came from NVD records sourced through Wordfence, plus current WordPress.org plugin metadata for fixed or current releases.
New High-Priority Plugin Checks
| Plugin | CVE | Affected versions | Current safe action |
|---|---|---|---|
| Simple JWT Login | CVE-2026-14262 | Through 3.6.6 | Update to 3.6.7 or later. Review administrator sessions, user accounts, and any sites with public registration or API login workflows. |
| SureCart | CVE-2026-7655 | Through 4.2.3 | Update to the current 4.4.x release. Review customer-linked administrator accounts and recent account email changes. |
| Swiss Toolkit For WP | CVE-2026-2354 | Through 1.4.6 | If present, disable the risky upload-related feature or remove the plugin until a trusted fixed package is confirmed. |
| Booking Package | CVE-2026-15335 | Through 1.7.20 | Update to 1.7.21 or later. Review booking form activity and database-sensitive workflows. |
| Planyo Online Reservation System | CVE-2026-3576 | Through 3.0 | Update to 3.1 or later. Review reservation integrations and server file-exposure risk. |
| Form Vibes | CVE-2026-13378 | Through 1.5.2 | Update to 1.5.3 or later. Review submitted form entries and cached public pages. |
Why This Batch Matters
This is not one isolated plugin warning. The batch touches several common site-owner workflows: login tokens, ecommerce customer records, booking forms, upload helpers, reservation integrations, and saved form submissions. Those are exactly the plugin categories that show up on small business WordPress sites and agency-managed customer sites.
The highest-priority checks are Simple JWT Login and SureCart because both involve account or privilege risk. Swiss Toolkit For WP also deserves quick attention because the risk class involves uploads when a related feature is enabled. Booking Package, Planyo, and Form Vibes are still high-priority because they touch public-facing forms, reservation flows, and stored site output.
Backup-First Admin Checklist
- Take a current backup before touching login, ecommerce, booking, upload, or form database plugins.
- Search the plugin inventory for Simple JWT Login, SureCart, Swiss Toolkit For WP, Booking Package, Planyo Online Reservation System, and Form Vibes.
- Update affected plugins to the fixed/current versions listed above, or disable the plugin if a fixed release is not clearly available.
- Review administrator users, recent email changes, recent password resets, active sessions, and new privileged accounts.
- Review booking and reservation submissions, ecommerce customer records, saved form entries, and unexpected public content.
- Clear page cache, CDN cache, object cache, and plugin-generated cache after patching.
- Retest login, checkout, booking, reservation, upload, and contact-form workflows after the update.
Hosting Fleet Notes
For cPanel, Plesk, aaPanel, and managed WordPress fleets, treat this as a plugin-inventory sweep. The useful first question is not whether every customer is affected. It is whether any account has the plugin installed below the fixed version, especially on sites with public registration, ecommerce, bookings, or form submissions.
If a site cannot be updated immediately, put the risk into maintenance notes: what plugin is installed, what version is present, what feature is exposed, what temporary restriction is in place, and who approved the delay.
What Not To Do
Do not test these issues against production sites. Do not paste public proof steps into tickets. Keep the work defensive: inventory, backup, patch, disable where needed, review accounts and content, clear caches, and verify customer-facing workflows.
Sources
- NVD: CVE-2026-14262
- WordPress.org: Simple JWT Login
- NVD: CVE-2026-7655
- WordPress.org: SureCart
- NVD: CVE-2026-2354
- WordPress.org: Swiss Toolkit For WP
- NVD: CVE-2026-15335
- WordPress.org: Booking Package
- NVD: CVE-2026-3576
- WordPress.org: Planyo Online Reservation System
- NVD: CVE-2026-13378
- WordPress.org: Form Vibes
- CISA Known Exploited Vulnerabilities catalog JSON
