Security Advisory - Published 2026-06-16 - WordPress File / Privilege Batch
WordPress June 16 file and privilege CVEs: review users, roles, uploads, and backups
This batch covers plugin issues that can affect roles, file access, generated files, downloads, deleted content, or unsafe object handling. Patch the plugin and check whether the site changed during the exposure window.
Affected plugins
| CVE | Plugin | Affected | Issue | CVSS |
|---|---|---|---|---|
| CVE-2026-42687 | EventPrime | <= 4.3.2.1 | PHP object injection | 8.1 |
| CVE-2026-39587 | WP BASE Booking | <= 5.9.0 | Privilege escalation | 8.1 |
| CVE-2026-8442 | WP Review Slider Pro | <= 12.6.8 | Arbitrary file deletion | 8.1 |
| CVE-2026-40727 | Groundhogg | <= 4.4 | Arbitrary file deletion | 7.7 |
| CVE-2026-40779 | Link Library | <= 7.8.8 | Arbitrary file deletion | 7.7 |
| CVE-2026-49083 | LatePoint | <= 5.5.1 | Privilege escalation | 7.5 |
| CVE-2026-49112 | Shared Files | <= 1.7.64 | Path traversal | 7.5 |
| CVE-2026-49061 | WPC Product Options for WooCommerce | <= 3.2.1 | Arbitrary file download | 7.5 |
| CVE-2026-49063 | Listdom | <= 5.5.0 | Privilege escalation | 7.3 |
| CVE-2026-39499 | Advanced Product Fields for WooCommerce | <= 1.6.19 | PHP object injection | 7.2 |
| CVE-2026-27407 | AI Engine | <= 3.4.9 | Privilege escalation | 7.2 |
| CVE-2026-39434 | CTX Feed | <= 6.6.26 | PHP object injection | 7.2 |
| CVE-2026-39481 | Modula Image Gallery | <= 2.14.18 | PHP object injection | 7.2 |
| CVE-2026-39471 | ShortPixel Image Optimizer | <= 6.4.3 | PHP object injection | 7.2 |
| CVE-2026-39470 | WooCommerce Cart Abandonment Recovery | < 2.1.0 | Privilege escalation | 7.2 |
| CVE-2026-39472 | WooCommerce PDF Invoices & Packing Slips | < 5.9.0 | PHP object injection | 7.2 |
| CVE-2026-39498 | YayMail | <= 4.3.3 | PHP object injection | 7.2 |
| CVE-2026-9187 | Abandoned Contact Form 7 | <= 2.2 | Arbitrary file deletion | 5.3 |
Owner check
- List plugin versions and account roles before making cleanup changes.
- Review administrator, editor, shop manager, customer, subscriber, and custom-role changes after 2026-06-16.
- Inspect uploads, backups, exports, cache directories, and plugin folders for new or missing files.
- Rotate credentials tied to exposed downloads, invoices, exports, support tickets, or booking records if suspicious access cannot be ruled out.
wp plugin list --fields=name,version,status
wp user list --fields=ID,user_login,user_email,roles,registered
find wp-content -type f -mtime -7 | grep -E '\.php$|\.phtml$|\.phar$|backup|export|invoice|ticket'
find wp-content -type f -mtime -7 | sort
Clean result
- No affected plugin remains below the fixed vendor version.
- No unexpected role changes or new privileged users appear after the disclosure window.
- No unknown PHP-like file, backup, export, or deleted business record remains unexplained.
- Relevant payment, booking, support, and customer records match expected activity.
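One way to automate the first two clean-result checks, as an added example that is not part of this advisory or of any vendor tooling: it reads the CSV that `wp plugin list --fields=title,version --format=csv` and `wp user list --fields=ID,user_login,user_email,roles,registered --format=csv` emit, applies the bounds from the table above with numeric version comparison (so an installed 4.3.10 is not mistaken for being below 4.3.2.1, and `<` is treated differently from `<=`), and lists privileged accounts registered on or after the disclosure date. The CSV samples are constructed, the `title` match assumes the plugin's displayed title equals the name used in the table (verify against your own output), and the privileged-role set is an assumption to adjust for your site.

```python
"""Offline triage helper for the 2026-06-16 WordPress batch (added example)."""
import csv
import io
import re
from datetime import datetime

DISCLOSURE = datetime(2026, 6, 16)

# Affected bounds copied from the advisory table: (title, operator, version).
AFFECTED = [
    ("EventPrime", "<=", "4.3.2.1"),
    ("WP BASE Booking", "<=", "5.9.0"),
    ("WP Review Slider Pro", "<=", "12.6.8"),
    ("Groundhogg", "<=", "4.4"),
    ("Link Library", "<=", "7.8.8"),
    ("LatePoint", "<=", "5.5.1"),
    ("Shared Files", "<=", "1.7.64"),
    ("WPC Product Options for WooCommerce", "<=", "3.2.1"),
    ("Listdom", "<=", "5.5.0"),
    ("Advanced Product Fields for WooCommerce", "<=", "1.6.19"),
    ("AI Engine", "<=", "3.4.9"),
    ("CTX Feed", "<=", "6.6.26"),
    ("Modula Image Gallery", "<=", "2.14.18"),
    ("ShortPixel Image Optimizer", "<=", "6.4.3"),
    ("WooCommerce Cart Abandonment Recovery", "<", "2.1.0"),
    ("WooCommerce PDF Invoices & Packing Slips", "<", "5.9.0"),
    ("YayMail", "<=", "4.3.3"),
    ("Abandoned Contact Form 7", "<=", "2.2"),
]

# Assumption: which roles count as privileged on this site; extend with custom roles.
PRIVILEGED_ROLES = {"administrator", "editor", "shop_manager"}


def version_tuple(v):
    """Numeric components so that 4.3.10 sorts above 4.3.2.1 (string compare would not)."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def is_affected(installed, op, bound):
    """True when the installed version falls inside the advisory's affected range."""
    a, b = version_tuple(installed), version_tuple(bound)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))  # pad so 4.4 and 4.4.0 compare equal
    b += (0,) * (width - len(b))
    return a <= b if op == "<=" else a < b


def affected_plugins(plugin_csv):
    """Return [(title, installed, bound)] for plugins still inside an affected range."""
    hits = []
    for row in csv.DictReader(io.StringIO(plugin_csv)):
        for title, op, bound in AFFECTED:
            if row["title"].strip().lower() == title.lower() and is_affected(row["version"], op, bound):
                hits.append((title, row["version"], f"{op} {bound}"))
    return hits


def suspicious_users(user_csv, since=DISCLOSURE):
    """Accounts holding a privileged role that were registered on or after the disclosure date."""
    out = []
    for row in csv.DictReader(io.StringIO(user_csv)):
        roles = set(row["roles"].split(","))  # wp-cli joins multiple roles with commas
        registered = datetime.strptime(row["registered"], "%Y-%m-%d %H:%M:%S")
        if roles & PRIVILEGED_ROLES and registered >= since:
            out.append((row["user_login"], sorted(roles & PRIVILEGED_ROLES)))
    return out


# Constructed sample output, not from a real site.
PLUGIN_CSV = """title,version
EventPrime,4.3.2.1
Modula Image Gallery,2.14.19
WooCommerce PDF Invoices & Packing Slips,5.9.0
Groundhogg,4.4
"""

USER_CSV = """ID,user_login,user_email,roles,registered
1,owner,owner@example.com,administrator,2021-03-02 10:00:00
57,svc-backup,svc@example.com,"administrator,subscriber",2026-06-17 03:14:08
58,jane,jane@example.com,customer,2026-06-18 09:00:00
"""

if __name__ == "__main__":
    for title, installed, bound in affected_plugins(PLUGIN_CSV):
        print(f"STILL AFFECTED: {title} {installed} (affected {bound})")
    for login, roles in suspicious_users(USER_CSV):
        print(f"REVIEW ACCOUNT: {login} roles={roles} registered after disclosure")
```

Run it against real output by replacing the two sample strings with the files produced by the wp-cli commands; an empty result for both functions corresponds to the first two clean-result conditions, while the file and business-record checks still need the `find` commands and a manual review.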
When to request repair
Use Ping7 CVE Repair if file history is unclear, backups or exports were exposed, account roles changed, or a plugin cannot be updated without breaking production.