Radar window: July 10-11, 2026. The earlier July 10 WordPress CVE radar already covered the first critical plugin batch, including Instant Appointment. This update covers later NVD and Wordfence-backed records that were not already matched by an existing Fix I.T. Phill post.
The main action item is simple: check for these plugins before the next normal maintenance window. Two of the items below can matter even when the attacker only has a low-privilege WordPress account, and the rest are still high-priority cleanup for membership, import/export, SEO, and classified-listing sites.
Highest Priority Checks
| Plugin | CVE | Affected versions | Current safe action |
|---|---|---|---|
| WP Grid Builder | CVE-2026-13756 | Through 2.3.3 | Update to 2.3.4 or later. Review user roles after the update. |
| WP Ultimate CSV Importer | CVE-2026-13353 | Through 8.0.1 | Update to 8.1 or later. Review recent import jobs and unexpected file or content changes. |
| GEO Plugin by Squirrly SEO | CVE-2026-1667 | Through 14.0.0 | Update to 14.1.0 or later. Review newly created posts and pages. |
| Motors – Car Dealership and Classified Listings Plugin | CVE-2026-13114 | Through 1.4.112 | Update to 1.4.113 or later. Review comments, profile fields, listing pages, and cached output. |
Why WP Grid Builder Leads This Update
WP Grid Builder is the most important item in this pass because the NVD record rates CVE-2026-13756 as high severity and describes a subscriber-level privilege escalation risk. The vendor changelog says version 2.3.4 fixed the CVE and also fixed several other security classes in the same release.
If you run WP Grid Builder on a site with customer accounts, memberships, WooCommerce accounts, contributors, subscribers, or any public registration path, do not wait for a monthly plugin sweep. Update it, confirm the fixed version, and review administrator accounts and recent role changes.
Hosting Admin Checklist
- Take a backup first, especially before updating import/export, listing, SEO, and grid-builder plugins.
- Search the plugin inventory for WP Grid Builder, WP Ultimate CSV Importer, Squirrly SEO, and Motors.
- If one is present and below the fixed version listed above, update it or disable it until the owner approves the update.
- Review administrator users, recent role changes, unexpected posts or pages, suspicious import activity, and recent media uploads.
- Clear page cache, CDN cache, object cache, and any plugin-generated static cache after patching.
- Retest the front-end flows the plugin controls: grids, imports, SEO panels, listing pages, search filters, forms, and logged-in account pages.
- If this is a managed hosting fleet, tag affected accounts and send a short customer note that the work was a WordPress plugin security update, not a site redesign.
What Not To Do
Do not test these vulnerabilities against production sites. Do not copy public proof steps into customer tickets. The useful defensive work is version inventory, backup, patching, role review, content review, cache purge, and customer communication.
Duplicate Coverage Note
Instant Appointment CVE-2026-15282 and miniOrange Social Login CVE-2026-12761 were already handled in prior Fix I.T. Phill coverage. This article is intentionally focused on the later uncovered WordPress plugin records so the site does not publish the same warning twice.
