Security Advisory - Published 2026-06-15 - WordPress

WordPress June 15 CVEs: invoices, headless auth, LMS roles, payments, backups, and old media plugins

This batch deserves more than a plugin update click. It includes active ecommerce components, headless WordPress authentication, LMS role handling, payment data, and old plugins that can expose files or backup archives on forgotten sites.

Defensive scope: this checklist is for owned WordPress sites and client-approved environments. It does not include exploit payloads, request samples, unauthorized scanning, or attack-chain instructions.

Affected software to inventory

| CVE | Component | Affected version | Owner check |
|---|---|---|---|
| CVE-2026-52704 | WooCommerce PDF Invoice Builder | Through 2.0.8 | Disable or update, then review invoice templates, generated files, and admin changes. |
| CVE-2026-49062 | Faust.Js | Through 1.8.7 | Patch headless WordPress auth and review password recovery emails, reset tokens, and sessions. |
| CVE-2026-49111 | Masteriyo - LMS | Through 2.2.0 | Review student, instructor, course manager, and administrator role changes. |
| CVE-2026-49064 | GetPaid | Through 2.8.49 | Patch, clear caches, and review invoice, customer, and payment data exposure. |
| CVE-2016-20071 | 404 Redirection Manager | 1.0 | Remove the legacy plugin and review redirect records and database errors. |
| CVE-2016-20076 | Simple-Backup | 2.7.11 | Remove the plugin and review backup files, deleted files, and web access logs. |
| CVE-2016-20081 | HB Audio Gallery Lite | 1.0.0 | Remove the plugin and inspect media download activity for file reads outside the gallery. |
| CVE-2018-25437 | CherryFramework Themes | 3.1.4 | Remove exposed theme backups and review archive downloads. |
| CVE-2016-20078 | IMDb Profile Widget | 1.0.8 | Remove the plugin and review local file inclusion indicators. |
| CVE-2016-20080 | Brandfolder | Through 3.0 | Remove the plugin and check for unexpected includes, file reads, and PHP file changes. |

Site check

wp plugin list --fields=name,version,status | egrep 'woo-pdf-invoice-builder|faustwp|learning-management-system|invoicing|404-redirection-manager|simple-backup|hb-audio-gallery-lite|imdb-widget|brandfolder'
wp theme list --fields=name,version,status | egrep 'cherry|cherryframework'
find wp-content -maxdepth 3 -type d | egrep 'woo-pdf-invoice-builder|faustwp|learning-management-system|invoicing|404-redirection-manager|simple-backup|hb-audio-gallery-lite|imdb-widget|brandfolder|cherry'
find wp-content -type f -mtime -3 | egrep '\.php$|\.zip$|backup|invoice|cache'
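The same inventory as reusable POSIX shell functions, added here as an example and not part of the advisory. It assumes `find` and `grep -E` are available and that the plugin and theme folder names match the slugs used in the commands above (the slug list, and the 3-day window, are the advisory's; the function names are this example's). Because it walks `wp-content` directly rather than asking WordPress, it also reports folders of plugins that are disabled but still on disk.

```shell
#!/bin/sh
# Added example, not the advisory's own tooling.
# Usage: . ./inventory.sh; site_is_clean /var/www/site/wp-content 3
# Slugs come from the advisory's check commands; 'cherry' covers the theme.
AFFECTED_PATTERN='woo-pdf-invoice-builder|faustwp|learning-management-system|invoicing|404-redirection-manager|simple-backup|hb-audio-gallery-lite|imdb-widget|brandfolder|cherry'

# Print every top-level plugin or theme directory whose name starts with an
# affected slug. A disabled plugin still has a folder, so it is still listed.
list_affected_dirs() {
    wp_content="$1"
    find "$wp_content/plugins" "$wp_content/themes" -mindepth 1 -maxdepth 1 -type d 2>/dev/null \
        | grep -E "/($AFFECTED_PATTERN)[^/]*$" | sort
}

# Print files modified in the last N days (default 3) that are code or archives:
# any PHP file under wp-content, plus zip/backup/invoice/cache artefacts.
recent_suspect_files() {
    wp_content="$1"
    days="${2:-3}"
    find "$wp_content" -type f -mtime "-$days" 2>/dev/null \
        | grep -E '\.php$|\.zip$|backup|invoice|cache' | sort
}

# Exit status 0 when no affected folder remains and nothing suspect changed
# recently; 1 otherwise. Suitable for a cron job that emails on failure.
site_is_clean() {
    wp_content="$1"
    days="${2:-3}"
    [ -z "$(list_affected_dirs "$wp_content")" ] \
        && [ -z "$(recent_suspect_files "$wp_content" "$days")" ]
}
```

Run `list_affected_dirs` first and record the output with the version numbers from `wp plugin list` before deleting anything; `site_is_clean` is the check to repeat after the fix path below has been completed.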

If WP-CLI is not installed, use WordPress admin > Plugins and Appearance > Themes. Write down the exact version before removing anything. Disabled folders still matter when old code remains in `wp-content` or is loaded by custom includes.

What clean looks like

  • No affected plugin or theme folder remains, or the component is on a patched vendor release.
  • No unknown administrator, LMS instructor, course manager, shop manager, or payment staff account was added after disclosure.
  • No unexpected password recovery emails, reset tokens, or headless auth sessions appear around the incident window.
  • No public invoice, backup, media, or theme archive path appears in web access logs outside normal staff activity.
  • No newly modified PHP file appears under uploads, cache, plugin, mu-plugin, or theme directories.
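One way to check the second bullet mechanically, added here as an example rather than the advisory's own procedure: feed the CSV that WP-CLI prints for `wp user list --fields=user_login,user_registered,roles --format=csv` through an awk filter that prints privileged accounts registered on or after the disclosure date. `administrator` and `shop_manager` are core and WooCommerce role slugs; the LMS and payment role slugs in the pattern are assumed placeholders, and the sample rows are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the advisory. Role slugs other than
# 'administrator' and 'shop_manager' are assumed; adjust to what
# `wp role list` shows on the site.
PRIVILEGED_ROLES='administrator|shop_manager|instructor|course_manager|payment_staff'

# Constructed sample of `wp user list ... --format=csv` output for testing.
SAMPLE_USERS='user_login,user_registered,roles
alice,2023-01-10 09:12:44,administrator
bob,2026-06-16 02:11:03,administrator
carol,2026-06-17 13:40:00,"subscriber,student"
dave,2026-06-18 08:05:51,shop_manager
erin,2025-11-02 16:20:30,instructor'

# Read CSV on stdin; print the login of every user whose registration date
# (YYYY-MM-DD prefix) is on or after $1 and whose roles match PRIVILEGED_ROLES.
# The roles column may be quoted and contain commas, so it is taken as
# "everything after the second comma" with quotes stripped.
new_privileged_users() {
    since="$1"
    awk -F, -v since="$since" -v roles_re="$PRIVILEGED_ROLES" '
        NR == 1 { next }                                   # skip header row
        {
            login = $1
            registered = substr($2, 1, 10)
            rest = $0
            sub(/^[^,]*,[^,]*,/, "", rest)                 # drop login,date,
            gsub(/"/, "", rest)                            # unquote role list
            if (registered >= since && rest ~ roles_re) print login
        }'
}

# Live usage on a site (requires WP-CLI); the disclosure date is the argument.
check_site_users() {
    wp user list --fields=user_login,user_registered,roles --format=csv \
        | new_privileged_users "$1"
}
```

Run `printf '%s\n' "$SAMPLE_USERS" | new_privileged_users 2026-06-15` to see the filter flag `bob` and `dave`; on a real site, `check_site_users 2026-06-15` prints the accounts to verify against the change log before deciding whether credential rotation under the fix path is needed.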

Fix path

  1. Back up files and database before changing WordPress components.
  2. Patch supported plugins. Remove abandoned plugins and themes instead of leaving disabled folders behind.
  3. Clear page cache, object cache, and CDN cache for invoice, payment, LMS, login, and media pages.
  4. Review users, application passwords, REST API keys, payment webhooks, and LMS/course roles.
  5. Rotate database, admin, payment, and API credentials if file reads, backup downloads, or unknown users appear.
  6. Keep logs and changed-file lists for the repair report.

When to request repair help

Use Ping7 CVE Repair when the site has unknown users, suspicious password resets, exposed invoices, backup archive downloads, unexpected PHP files, payment data concerns, or a plugin folder you cannot safely remove. Ping7 handles defensive patching, cleanup, compromise review, and a written repair handoff for owned systems.

References