Tyche Security Scan – Week of June 12, 2026
The latest Tyche security scan identified several critical and high-severity CVEs relevant to WordPress sites (including thecoolest.info running Newsup v5.4.3) and the underlying infrastructure stack (PHP, MySQL/MariaDB, Apache/Nginx).
CRITICAL – WordPress Plugins & Themes
- CVE-2026-9067 (CVSS 9.1) – Schema & Structured Data for WP & AMP plugin before v1.60 lacks capability checks on AJAX file-upload handlers, allowing unauthenticated arbitrary file upload and potential remote code execution. Action: Update to v1.60+ immediately.
- CVE-2026-3326 (CVSS 8.6) – Xstore WordPress theme before v9.7.3 – SQL injection via an unescaped parameter in an AJAX action. This is theme-level, similar in attack surface to Newsup. Action: Verify Newsup theme patches; apply any available updates.
- CVE-2026-45247 (KEV – Actively Exploited) – Mirasvit Full Page Cache Warmer – deserialization of untrusted data enabling unauthenticated remote code execution. Added to CISA KEV on 2026-06-03. Action: Audit installed plugins and remove any unused cache warmer plugins.
- CVE-2025-6254 (CVSS 9.8) – Doctreat Core plugin up to v1.6.8 – privilege escalation via a doctreat_ action. Action: Confirm not in use; if present, update immediately.
- CVE-2026-3018 (CVSS 7.5) – Newsletters plugin – time-based SQL injection via the wpmlsubscriber_id parameter. Action: Update to latest version.
- CVE-2026-8071 (CVSS 8.8) – Anti-Spam by CleanTalk plugin before v6.79 – improper sanitization in a custom shortcode allows injection. Action: Update to v6.79+.
- CVE-2026-10795 (CVSS 8.1) – UpdraftPlus: WP Backup & Migration Plugin up to v1.26.4 – authentication bypass. Action: Update to latest version.
CRITICAL – Infrastructure (PHP / MariaDB / Apache)
- CVE-2026-49261 (CVSS 10.0) – MariaDB server (10.6.1–10.6.26, 10.11.1–10.11.17, 11.4.1–11.4.11, 11.8.x). Highest possible severity. Action: Verify MariaDB version with hosting provider; request upgrade if in affected range.
- CVE-2026-45062 (CVSS 8.1) – FrankenPHP 1.11.2 to 1.12.3 – misuse of golang.org/x/net in the splitPos() function in CGI mode. Action: If using FrankenPHP, upgrade to v1.12.3+.
- CVE-2026-46643 / CVE-2026-46683 – Snappy PHP library (thumbnail/PDF generation) – command injection and SSRF involving escapeshellarg handling. Action: Update Snappy to v1.7.1+ if in use.
- CVE-2026-47342 / CVE-2026-50223 – Apache OFBiz – privilege escalation and code injection for authenticated users. Action: Confirm not in use on the server.
- CVE-2026-10721 – Concrete CMS before v9.5.2 – PHP Object Injection via unserialize() calls in Permission, Cache, and Search components. Action: Update Concrete CMS if in use.
CISA KEV – Actively Exploited (Infrastructure)
- CVE-2026-10520 – Ivanti Sentry (formerly MobileIron) – OS command injection. Added to KEV 2026-06-11.
- CVE-2026-42271 – BerriAI LiteLLM – command injection for any authenticated user. Added 2026-06-08.
- CVE-2026-50751 – Check Point Security Gateway – IKEv1 authentication bypass. Added 2026-06-08.
- CVE-2026-45247 – Mirasvit Full Page Cache Warmer – deserialization, unauthenticated. Added 2026-06-03.
Recommended Actions
- Immediate: Audit all WordPress plugins. Update Schema & Structured Data for WP & AMP, Anti-Spam by CleanTalk, Newsletters, and any cache/security plugins.
- Verify Newsup theme v5.4.3 has no unpatched SQL injection or XSS issues. Contact the theme developer for recent patches.
- Check MariaDB version with your hosting provider – CVE-2026-49261 is CVSS 10.0 and affects common MySQL-fork versions.
- Review PHP libraries – ensure Snappy, guzzlehttp/psr7 (update to 2.10.2+), and FPDI are up to date.
- Confirm file permissions on wp-content/uploads/ and wp-content/plugins/ – several CVEs enable arbitrary file upload.
Scan source: Tyche Scanner – NVD and CISA KEV feeds. Findings filtered for relevance to thecoolest.info, Newsup v5.4.3 theme, WordPress core, PHP, MySQL/MariaDB, Apache/Nginx, OpenSSL, and WordPress plugins.
