Security Advisory - Published 2026-06-16 - WordPress Access / Data Batch
WordPress June 16 access and data exposure CVEs: check versions, accounts, and business records
This batch covers WordPress plugins where unauthenticated access, weak account checks, IDOR, or data exposure can affect bookings, orders, forms, payments, support tickets, and member records.
Affected plugins
| CVE | Plugin | Affected | Issue | CVSS |
|---|---|---|---|---|
| CVE-2026-49065 | Hippoo Mobile App for WooCommerce | <= 1.9.5 | Broken access control | 8.2 |
| CVE-2026-42411 | CloudSecure WP Security | <= 1.4.7 | Broken authentication | 8.1 |
| CVE-2026-48970 | Really Simple SSL | <= 9.5.10 | Broken authentication | 8.1 |
| CVE-2026-52695 | ABC Crypto Checkout | <= 1.8.2 | Sensitive data exposure | 7.5 |
| CVE-2026-52692 | Affiliates Manager | <= 2.9.50 | Sensitive data exposure | 7.5 |
| CVE-2026-40789 | Amelia | <= 2.2 | Sensitive data exposure | 7.5 |
| CVE-2026-39533 | AWP Classifieds | <= 4.4.4 | Broken access control | 7.5 |
| CVE-2026-39480 | Backup Migration | <= 2.1.1 | Sensitive data exposure | 7.5 |
| CVE-2026-40774 | Booking Package | <= 1.7.06 | Broken access control | 7.5 |
| CVE-2026-42667 | Bookly | <= 27.4 | Sensitive data exposure | 7.5 |
| CVE-2026-49066 | Conekta Payment Gateway | <= 6.0.0 | Sensitive data exposure | 7.5 |
| CVE-2026-48835 | Contact Form by WPForms | <= 1.10.0.4 | Broken access control | 7.5 |
| CVE-2026-49068 | Coupon Affiliates | <= 7.8.1 | Sensitive data exposure | 7.5 |
| CVE-2026-39513 | Easy Appointments | <= 3.12.21 | Broken access control | 7.5 |
| CVE-2026-39503 | Easy Digital Downloads | <= 3.6.5 | Broken access control | 7.5 |
| CVE-2026-42668 | Email Marketing for WooCommerce by Omnisend | <= 1.18.0 | Broken authentication | 7.5 |
| CVE-2026-48872 | EmbedPress | <= 4.5.2 | Sensitive data exposure | 7.5 |
| CVE-2026-34898 | Event Tickets Manager for WooCommerce | <= 1.5.3 | Broken access control | 7.5 |
| CVE-2026-34891 | IDPay Payment Gateway for WooCommerce | <= 2.2.5 | Sensitive data exposure | 7.5 |
| CVE-2026-39490 | JupiterX Core | <= 4.14.1 | Broken access control | 7.5 |
| CVE-2026-49070 | Knit Pay | <= 9.4.0.0 | Broken access control | 7.5 |
| CVE-2026-39524 | Masteriyo - LMS | <= 2.1.5 | Broken access control | 7.5 |
| CVE-2026-48873 | Montonio for WooCommerce | <= 10.1.2 | Broken access control | 7.5 |
| CVE-2025-59133 | Projectopia | <= 5.1.25.2 | IDOR | 7.5 |
| CVE-2026-40741 | Redsys for WooCommerce Light | <= 7.0.0 | Broken access control | 7.5 |
| CVE-2026-40781 | ReviewX | <= 2.3.6 | Broken authentication | 7.5 |
| CVE-2026-42666 | Salon booking system | <= 10.30.25 | Broken access control | 7.5 |
| CVE-2026-52694 | Signature Add-On for WooCommerce | <= 2.0 | Sensitive data exposure | 7.5 |
| CVE-2026-34886 | Simple Membership | <= 4.7.1 | Broken access control | 7.5 |
| CVE-2026-48868 | Simple Shopping Cart | <= 5.2.9 | IDOR | 7.5 |
| CVE-2026-42384 | Simply Schedule Appointments | < 1.6.11.2 | Sensitive data exposure | 7.5 |
| CVE-2026-49110 | Upsell Order Bump Offer for WooCommerce | <= 3.1.4 | Broken authentication | 7.5 |
| CVE-2026-25425 | User Registration | <= 5.1.2 | Broken access control | 7.5 |
| CVE-2026-52699 | VikRentCar | <= 1.4.5 | IDOR | 7.5 |
| CVE-2026-49056 | WooCommerce PDF Invoices, Packing Slips, Delivery Notes and Shipping Labels | <= 4.9.4 | Sensitive data exposure | 7.5 |
| CVE-2026-52711 | WooCommerce POS | <= 1.8.14 | Broken access control | 7.5 |
| CVE-2026-39534 | WP Directory Kit | <= 1.5.0 | Broken access control | 7.5 |
| CVE-2026-40776 | WP Event Solution | <= 4.1.8 | Broken access control | 7.5 |
| CVE-2025-68045 | WP Event Solution | <= 4.1.12 | Broken access control | 7.5 |
| CVE-2026-49078 | WP Travel Engine | <= 6.7.10 | Other vulnerability | 7.5 |
| CVE-2026-48883 | WPC Product Bundles for WooCommerce | <= 8.5.3 | Broken access control | 7.5 |
| CVE-2026-45441 | WpEvently | <= 5.3.3 | Other vulnerability | 7.5 |
| CVE-2026-40767 | wpForo Forum | < 3.0.2 | Broken access control | 7.5 |
| CVE-2026-27089 | WpTravelly | <= 2.1.7 | Bypass vulnerability | 7.5 |
| CVE-2026-49082 | Chatway Live Chat | <= 1.4.8 | Sensitive data exposure | 7.4 |
| CVE-2026-40775 | Royal MCP | <= 1.4.2 | Broken access control | 7.3 |
| CVE-2026-40785 | AutomatorWP | <= 5.6.7 | Broken authentication | 7.1 |
| CVE-2026-40788 | ChatBot | <= 7.9.7 | Broken access control | 7.1 |
| CVE-2026-39518 | EventPrime | <= 4.3.0.0 | IDOR | 7.1 |
| CVE-2026-39450 | FunnelKit Automations | <= 3.7.3 | Broken authentication | 7.1 |
| CVE-2026-40809 | Metro Magazine | <= 1.4.1 | Broken access control | 6.5 |
| CVE-2026-49775 | Welcart e-Commerce | <= 2.11.28 | Broken access control | 6.5 |
| CVE-2026-2381 | WooCommerce Stripe Payment Gateway | <= 10.3.1 | Broken access control | 6.5 |
Owner check
- Confirm plugin versions and whether the affected plugin handles payments, bookings, forms, users, files, or customer records.
- Review new users, password resets, account role changes, orders, bookings, invoices, exports, and support records after 2026-06-16.
- Rotate payment, CRM, email, webhook, and API credentials if unauthorized access cannot be ruled out.
- Keep logs and screenshots for the repair record before deleting suspicious records.
```
wp plugin list --fields=name,version,status
wp user list --fields=ID,user_login,user_email,roles,registered
grep -R "login\|password\|export\|download\|order\|booking\|invoice\|webhook" wp-content/debug.log 2>/dev/null
```
Clean result
- No listed plugin remains at or below the affected version.
- No unknown account, password reset, role change, order, booking, or export appears in the disclosure window.
- Payment and CRM integrations show expected webhook traffic only.
- Any exposed record type has been reviewed against backups, logs, and application history.
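The first clean-result criterion can be checked mechanically. The sketch below is an added example, not part of the original advisory: it compares `wp plugin list` JSON output against a subset of the table and honours the table's two operators (`<` and `<=`). The plugin slugs and the sample input are assumptions to confirm against your own site.

```python
import json
import re

# Subset of the advisory table: bounds and operators are copied from it. The slugs
# (the "name" column of `wp plugin list`) are assumptions; confirm them on your site.
ADVISORY = {
    "really-simple-ssl": ("CVE-2026-48970", "<=", "9.5.10"),
    "wpforms-lite": ("CVE-2026-48835", "<=", "1.10.0.4"),
    "easy-digital-downloads": ("CVE-2026-39503", "<=", "3.6.5"),
    "wpforo": ("CVE-2026-40767", "<", "3.0.2"),
}


def version_key(version):
    """Dotted version -> integer tuple; non-numeric suffixes are ignored."""
    found = (re.match(r"\d+", part) for part in version.split("."))
    parts = [int(m.group()) for m in found if m]
    while parts and parts[-1] == 0:  # so "2.2" and "2.2.0" compare equal
        parts.pop()
    return tuple(parts)


def is_affected(installed, op, bound):
    """Apply the table's operator: '<' excludes the bound, '<=' includes it."""
    a, b = version_key(installed), version_key(bound)
    return a < b if op == "<" else a <= b


def find_affected(plugin_list_json):
    """Return (slug, version, status, cve) for each listed plugin still in range."""
    hits = []
    for p in json.loads(plugin_list_json):
        entry = ADVISORY.get(p["name"])
        if entry and is_affected(p["version"], entry[1], entry[2]):
            hits.append((p["name"], p["version"], p["status"], entry[0]))
    return hits


# Constructed sample of `wp plugin list --fields=name,version,status --format=json`.
SAMPLE = json.dumps([
    {"name": "really-simple-ssl", "version": "9.5.10", "status": "active"},
    {"name": "wpforms-lite", "version": "1.10.0.5", "status": "active"},
    {"name": "wpforo", "version": "3.0.2", "status": "active"},
    {"name": "easy-digital-downloads", "version": "3.6", "status": "inactive"},
])

if __name__ == "__main__":
    for slug, version, status, cve in find_affected(SAMPLE):
        print(f"{slug} {version} ({status}) is in the affected range for {cve}")
```

Inactive plugins are reported together with their status so the owner can decide whether a version still present on disk counts as remaining.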
When to request repair
Use Ping7 CVE Repair when the affected plugin touches customer data, payment data, bookings, memberships, or support tickets and the access logs do not give a clean answer.