Security Advisory - Published 2026-06-15 - WordPress
WordPress June 15 CVEs: invoices, headless auth, LMS roles, payments, backups, and old media plugins
This batch deserves more than a plugin update click. It includes active ecommerce components, headless WordPress authentication, LMS role handling, payment data, and old plugins that can expose files or backup archives on forgotten sites.
Affected software to inventory
| CVE | Component | Affected version | Owner check |
|---|---|---|---|
| CVE-2026-52704 | WooCommerce PDF Invoice Builder | Through 2.0.8 | Disable or update, then review invoice templates, generated files, and admin changes. |
| CVE-2026-49062 | Faust.Js | Through 1.8.7 | Patch headless WordPress auth and review password recovery emails, reset tokens, and sessions. |
| CVE-2026-49111 | Masteriyo - LMS | Through 2.2.0 | Review student, instructor, course manager, and administrator role changes. |
| CVE-2026-49064 | GetPaid | Through 2.8.49 | Patch, clear caches, and review invoice, customer, and payment data exposure. |
| CVE-2016-20071 | 404 Redirection Manager | 1.0 | Remove the legacy plugin and review redirect records and database errors. |
| CVE-2016-20076 | Simple-Backup | 2.7.11 | Remove the plugin and review backup files, deleted files, and web access logs. |
| CVE-2016-20081 | HB Audio Gallery Lite | 1.0.0 | Remove the plugin and inspect media download activity for file reads outside the gallery. |
| CVE-2018-25437 | CherryFramework Themes | 3.1.4 | Remove exposed theme backups and review archive downloads. |
| CVE-2016-20078 | IMDb Profile Widget | 1.0.8 | Remove the plugin and review local file inclusion indicators. |
| CVE-2016-20080 | Brandfolder | Through 3.0 | Remove the plugin and check for unexpected includes, file reads, and PHP file changes. |
Site check
```sh
wp plugin list --fields=name,version,status | grep -E 'woo-pdf-invoice-builder|faustwp|learning-management-system|invoicing|404-redirection-manager|simple-backup|hb-audio-gallery-lite|imdb-widget|brandfolder'
wp theme list --fields=name,version,status | grep -E 'cherry|cherryframework'
find wp-content -maxdepth 3 -type d | grep -E 'woo-pdf-invoice-builder|faustwp|learning-management-system|invoicing|404-redirection-manager|simple-backup|hb-audio-gallery-lite|imdb-widget|brandfolder|cherry'
find wp-content -type f -mtime -3 | grep -E '\.php$|\.zip$|backup|invoice|cache'
```
If WP-CLI is not installed, use WordPress admin > Plugins and Appearance > Themes. Write down the exact version before removing anything. Disabled folders still matter when old code remains in `wp-content` or is loaded by custom includes.
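As an added example that is not part of this advisory, the following POSIX shell script turns the inventory step into a verdict per plugin: it reads the CSV that `wp plugin list --format=csv` prints and flags each plugin from the table above whose installed version is still inside the affected range, or that should be removed outright. The plugin slugs are the ones from the grep pattern in the site check; the sample CSV is constructed, not from a real site.

```shell
# Slugs are the ones in the advisory's own grep pattern; "*" marks an
# abandoned plugin to remove at any version.
AFFECTED='woo-pdf-invoice-builder 2.0.8
faustwp 1.8.7
learning-management-system 2.2.0
invoicing 2.8.49
404-redirection-manager *
simple-backup *
hb-audio-gallery-lite *
imdb-widget *
brandfolder *'

# version_le A B: succeeds when dotted version A <= B (numeric per component;
# missing components count as 0, a suffix such as "-beta" is ignored).
version_le() {
    a="$1." b="$2."
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; a="${a#*.}"
        y="${b%%.*}"; b="${b#*.}"
        x="${x%%[!0-9]*}"; y="${y%%[!0-9]*}"
        [ "${x:-0}" -lt "${y:-0}" ] && return 0
        [ "${x:-0}" -gt "${y:-0}" ] && return 1
    done
    return 0
}

# check_plugins CSV: input is `wp plugin list --fields=name,version,status
# --format=csv` output; prints "slug version VERDICT reason" per listed plugin.
check_plugins() {
    printf '%s\n' "$1" | tail -n +2 | while IFS=, read -r name version status; do
        ceiling=$(printf '%s\n' "$AFFECTED" | awk -v n="$name" '$1 == n { print $2 }')
        [ -z "$ceiling" ] && continue
        if [ "$ceiling" = "*" ]; then
            echo "$name $version REMOVE abandoned plugin, any version"
        elif version_le "$version" "$ceiling"; then
            echo "$name $version PATCH affected through $ceiling"
        else
            echo "$name $version OK patched release"
        fi
    done
}

# Constructed sample of `wp plugin list` CSV output, not a real site.
SAMPLE='name,version,status
woo-pdf-invoice-builder,2.0.8,active
faustwp,1.9.0,active
invoicing,2.8.49,inactive
simple-backup,2.7.11,inactive
akismet,5.3,active'
check_plugins "$SAMPLE"   # live site: check_plugins "$(wp plugin list --fields=name,version,status --format=csv)"
```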
What clean looks like
- No affected plugin or theme folder remains, or the component is on a patched vendor release.
- No unknown administrator, LMS instructor, course manager, shop manager, or payment staff account was added after disclosure.
- No unexpected password recovery emails, reset tokens, or headless auth sessions appear around the incident window.
- No public invoice, backup, media, or theme archive path appears in web access logs outside normal staff activity.
- No newly modified PHP file appears under uploads, cache, plugin, mu-plugin, or theme directories.
Fix path
- Back up files and database before changing WordPress components.
- Patch supported plugins. Remove abandoned plugins and themes instead of leaving disabled folders behind.
- Clear page cache, object cache, and CDN cache for invoice, payment, LMS, login, and media pages.
- Review users, application passwords, REST API keys, payment webhooks, and LMS/course roles.
- Rotate database, admin, payment, and API credentials if file reads, backup downloads, or unknown users appear.
- Keep logs and changed-file lists for the repair report.
When to request repair help
Use Ping7 CVE Repair when the site has unknown users, suspicious password resets, exposed invoices, backup archive downloads, unexpected PHP files, payment data concerns, or a plugin folder you cannot safely remove. Ping7 handles defensive patching, cleanup, compromise review, and a written repair handoff for owned systems.
References
- GitHub Advisory: CVE-2026-52704 WooCommerce PDF Invoice Builder
- GitHub Advisory: CVE-2026-49062 Faust.Js
- GitHub Advisory: CVE-2026-49111 Masteriyo - LMS
- GitHub Advisory: CVE-2026-49064 GetPaid
- GitHub Advisory: CVE-2016-20071 404 Redirection Manager
- GitHub Advisory: CVE-2016-20076 Simple-Backup
- GitHub Advisory: CVE-2016-20081 HB Audio Gallery Lite
- GitHub Advisory: CVE-2018-25437 CherryFramework Themes
- GitHub Advisory: CVE-2016-20078 IMDb Profile Widget
- NVD: CVE-2016-20080 Brandfolder
- Acunetix: Brandfolder local/remote file inclusion