Security Advisory - Published 2026-06-16 - WordPress Access / Data Batch

WordPress June 16 access and data exposure CVEs: check versions, accounts, and business records

This batch covers WordPress plugins where unauthenticated access, weak account checks, IDOR, or data exposure can affect bookings, orders, forms, payments, support tickets, and member records.

Defensive scope: this page is for owned sites and client-approved repair work. It does not provide instructions for probing third-party sites.

Affected plugins

CVE | Plugin | Affected | Issue | CVSS
CVE-2026-49065 | Hippoo Mobile App for WooCommerce | <= 1.9.5 | Broken access control | 8.2
CVE-2026-42411 | CloudSecure WP Security | <= 1.4.7 | Broken authentication | 8.1
CVE-2026-48970 | Really Simple SSL | <= 9.5.10 | Broken authentication | 8.1
CVE-2026-52695 | ABC Crypto Checkout | <= 1.8.2 | Sensitive data exposure | 7.5
CVE-2026-52692 | Affiliates Manager | <= 2.9.50 | Sensitive data exposure | 7.5
CVE-2026-40789 | Amelia | <= 2.2 | Sensitive data exposure | 7.5
CVE-2026-39533 | AWP Classifieds | <= 4.4.4 | Broken access control | 7.5
CVE-2026-39480 | Backup Migration | <= 2.1.1 | Sensitive data exposure | 7.5
CVE-2026-40774 | Booking Package | <= 1.7.06 | Broken access control | 7.5
CVE-2026-42667 | Bookly | <= 27.4 | Sensitive data exposure | 7.5
CVE-2026-49066 | Conekta Payment Gateway | <= 6.0.0 | Sensitive data exposure | 7.5
CVE-2026-48835 | Contact Form by WPForms | <= 1.10.0.4 | Broken access control | 7.5
CVE-2026-49068 | Coupon Affiliates | <= 7.8.1 | Sensitive data exposure | 7.5
CVE-2026-39513 | Easy Appointments | <= 3.12.21 | Broken access control | 7.5
CVE-2026-39503 | Easy Digital Downloads | <= 3.6.5 | Broken access control | 7.5
CVE-2026-42668 | Email Marketing for WooCommerce by Omnisend | <= 1.18.0 | Broken authentication | 7.5
CVE-2026-48872 | EmbedPress | <= 4.5.2 | Sensitive data exposure | 7.5
CVE-2026-34898 | Event Tickets Manager for WooCommerce | <= 1.5.3 | Broken access control | 7.5
CVE-2026-34891 | IDPay Payment Gateway for WooCommerce | <= 2.2.5 | Sensitive data exposure | 7.5
CVE-2026-39490 | JupiterX Core | <= 4.14.1 | Broken access control | 7.5
CVE-2026-49070 | Knit Pay | <= 9.4.0.0 | Broken access control | 7.5
CVE-2026-39524 | Masteriyo - LMS | <= 2.1.5 | Broken access control | 7.5
CVE-2026-48873 | Montonio for WooCommerce | <= 10.1.2 | Broken access control | 7.5
CVE-2025-59133 | Projectopia | <= 5.1.25.2 | IDOR | 7.5
CVE-2026-40741 | Redsys for WooCommerce Light | <= 7.0.0 | Broken access control | 7.5
CVE-2026-40781 | ReviewX | <= 2.3.6 | Broken authentication | 7.5
CVE-2026-42666 | Salon booking system | <= 10.30.25 | Broken access control | 7.5
CVE-2026-52694 | Signature Add-On for WooCommerce | <= 2.0 | Sensitive data exposure | 7.5
CVE-2026-34886 | Simple Membership | <= 4.7.1 | Broken access control | 7.5
CVE-2026-48868 | Simple Shopping Cart | <= 5.2.9 | IDOR | 7.5
CVE-2026-42384 | Simply Schedule Appointments | < 1.6.11.2 | Sensitive data exposure | 7.5
CVE-2026-49110 | Upsell Order Bump Offer for WooCommerce | <= 3.1.4 | Broken authentication | 7.5
CVE-2026-25425 | User Registration | <= 5.1.2 | Broken access control | 7.5
CVE-2026-52699 | VikRentCar | <= 1.4.5 | IDOR | 7.5
CVE-2026-49056 | WooCommerce PDF Invoices, Packing Slips, Delivery Notes and Shipping Labels | <= 4.9.4 | Sensitive data exposure | 7.5
CVE-2026-52711 | WooCommerce POS | <= 1.8.14 | Broken access control | 7.5
CVE-2026-39534 | WP Directory Kit | <= 1.5.0 | Broken access control | 7.5
CVE-2026-40776 | WP Event Solution | <= 4.1.8 | Broken access control | 7.5
CVE-2025-68045 | WP Event Solution | <= 4.1.12 | Broken access control | 7.5
CVE-2026-49078 | WP Travel Engine | <= 6.7.10 | Other vulnerability | 7.5
CVE-2026-48883 | WPC Product Bundles for WooCommerce | <= 8.5.3 | Broken access control | 7.5
CVE-2026-45441 | WpEvently | <= 5.3.3 | Other vulnerability | 7.5
CVE-2026-40767 | wpForo Forum | < 3.0.2 | Broken access control | 7.5
CVE-2026-27089 | WpTravelly | <= 2.1.7 | Bypass vulnerability | 7.5
CVE-2026-49082 | Chatway Live Chat | <= 1.4.8 | Sensitive data exposure | 7.4
CVE-2026-40775 | Royal MCP | <= 1.4.2 | Broken access control | 7.3
CVE-2026-40785 | AutomatorWP | <= 5.6.7 | Broken authentication | 7.1
CVE-2026-40788 | ChatBot | <= 7.9.7 | Broken access control | 7.1
CVE-2026-39518 | EventPrime | <= 4.3.0.0 | IDOR | 7.1
CVE-2026-39450 | FunnelKit Automations | <= 3.7.3 | Broken authentication | 7.1
CVE-2026-40809 | Metro Magazine | <= 1.4.1 | Broken access control | 6.5
CVE-2026-49775 | Welcart e-Commerce | <= 2.11.28 | Broken access control | 6.5
CVE-2026-2381 | WooCommerce Stripe Payment Gateway | <= 10.3.1 | Broken access control | 6.5

Owner check

  • Confirm plugin versions and whether the affected plugin handles payments, bookings, forms, users, files, or customer records.
  • Review new users, password resets, account role changes, orders, bookings, invoices, exports, and support records after 2026-06-16.
  • Rotate payment, CRM, email, webhook, and API credentials if unauthorized access cannot be ruled out.
  • Keep logs and screenshots for the repair record before deleting suspicious records.
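
# Installed plugins and versions, to compare against the affected table
wp plugin list --fields=name,version,status
# Accounts with roles and registration dates, to review against the disclosure date
wp user list --fields=ID,user_login,user_email,roles,registered
# Keyword search of the WordPress debug log, if one exists
grep -R "login\|password\|export\|download\|order\|booking\|invoice\|webhook" wp-content/debug.log 2>/dev/null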
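
The version check in the first bullet can be automated. The script below is an added example, not part of the original advisory: it compares `wp plugin list --fields=name,version,status --format=csv` output against a few rows of the affected table, honouring both `<=` and `<` limits. The plugin slugs and the sample CSV are assumptions to confirm against your own install.

```python
import csv
import io
import re

# Version limits copied from the advisory table. The slugs (the `name` column
# of `wp plugin list`) are assumptions: confirm each against your own install.
AFFECTED = {
    "really-simple-ssl": [("CVE-2026-48970", "<=", "9.5.10")],
    "wpforo": [("CVE-2026-40767", "<", "3.0.2")],
    "wpforms-lite": [("CVE-2026-48835", "<=", "1.10.0.4")],
    "embedpress": [("CVE-2026-48872", "<=", "4.5.2")],
    # Two table rows name the same plugin with different limits.
    "wp-event-solution": [("CVE-2026-40776", "<=", "4.1.8"),
                          ("CVE-2025-68045", "<=", "4.1.12")],
}


def version_key(version, width=6):
    """'1.7.06' -> (1, 7, 6, 0, 0, 0). Numeric parts only; -beta etc. is not interpreted."""
    parts = [int(p) for p in re.findall(r"\d+", version)][:width]
    return tuple(parts + [0] * (width - len(parts)))


def is_affected(installed, op, limit):
    a, b = version_key(installed), version_key(limit)
    return a <= b if op == "<=" else a < b


def find_affected(csv_text):
    """Return (slug, version, status, cve) for every installed plugin in range."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        for cve, op, limit in AFFECTED.get(row["name"], []):
            if is_affected(row["version"], op, limit):
                hits.append((row["name"], row["version"], row["status"], cve))
    return hits


# Constructed sample of: wp plugin list --fields=name,version,status --format=csv
SAMPLE = """name,version,status
really-simple-ssl,9.5.10,active
wpforo,3.0.2,active
wp-event-solution,4.1.10,inactive
wpforms-lite,1.10.0.5,active
embedpress,4.5.2.0,active
"""

if __name__ == "__main__":
    for slug, version, status, cve in find_affected(SAMPLE):
        print(f"{cve}: {slug} {version} ({status}) is in the affected range")
```

Extend `AFFECTED` with the remaining table rows for the plugins you actually run; a plugin listed under two CVEs is reported once per matching limit.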

Clean result

  • No listed plugin remains at or below the affected version.
  • No unknown account, password reset, role change, order, booking, or export appears in the disclosure window.
  • Payment and CRM integrations show expected webhook traffic only.
  • Any exposed record type has been reviewed against backups, logs, and application history.

When to request repair

Use Ping7 CVE Repair when the affected plugin touches customer data, payment data, bookings, memberships, or support tickets and the access logs do not give a clean answer.
