Security Advisory - Published 2026-06-16 - WordPress File / Privilege Batch

WordPress June 16 file and privilege CVEs: review users, roles, uploads, and backups

This batch covers plugin issues that can change user roles, expose or delete files, affect generated files and downloads, or allow unsafe object handling (PHP object injection). Patch the plugin, then check whether the site changed during the exposure window.

Defensive scope: use this checklist only for sites you own or support. The checks below avoid exploit strings and third-party testing.

Affected plugins

CVE             Plugin                                    Affected    Issue                    CVSS
CVE-2026-42687  EventPrime                                <= 4.3.2.1  PHP object injection     8.1
CVE-2026-39587  WP BASE Booking                           <= 5.9.0    Privilege escalation     8.1
CVE-2026-8442   WP Review Slider Pro                      <= 12.6.8   Arbitrary file deletion  8.1
CVE-2026-40727  Groundhogg                                <= 4.4      Arbitrary file deletion  7.7
CVE-2026-40779  Link Library                              <= 7.8.8    Arbitrary file deletion  7.7
CVE-2026-49083  LatePoint                                 <= 5.5.1    Privilege escalation     7.5
CVE-2026-49112  Shared Files                              <= 1.7.64   Path traversal           7.5
CVE-2026-49061  WPC Product Options for WooCommerce       <= 3.2.1    Arbitrary file download  7.5
CVE-2026-49063  Listdom                                   <= 5.5.0    Privilege escalation     7.3
CVE-2026-39499  Advanced Product Fields for WooCommerce   <= 1.6.19   PHP object injection     7.2
CVE-2026-27407  AI Engine                                 <= 3.4.9    Privilege escalation     7.2
CVE-2026-39434  CTX Feed                                  <= 6.6.26   PHP object injection     7.2
CVE-2026-39481  Modula Image Gallery                      <= 2.14.18  PHP object injection     7.2
CVE-2026-39471  ShortPixel Image Optimizer                <= 6.4.3    PHP object injection     7.2
CVE-2026-39470  WooCommerce Cart Abandonment Recovery     < 2.1.0     Privilege escalation     7.2
CVE-2026-39472  WooCommerce PDF Invoices & Packing Slips  < 5.9.0     PHP object injection     7.2
CVE-2026-39498  YayMail                                   <= 4.3.3    PHP object injection     7.2
CVE-2026-9187   Abandoned Contact Form 7                  <= 2.2      Arbitrary file deletion  5.3

Owner check

  • List plugin versions and account roles before making cleanup changes.
  • Review administrator, editor, shop manager, customer, subscriber, and custom-role changes after 2026-06-16.
  • Inspect uploads, backups, exports, cache directories, and plugin folders for new or missing files.
  • Rotate credentials tied to exposed downloads, invoices, exports, support tickets, or booking records if suspicious access cannot be ruled out.

# Inventory plugins and accounts before changing anything
wp plugin list --fields=name,version,status
wp user list --fields=ID,user_login,user_email,roles,registered
# Recently changed files; widen -mtime so it reaches back to the start of the exposure window
find wp-content -type f -mtime -7 | grep -E '\.php$|\.phtml$|\.phar$|backup|export|invoice|ticket'
find wp-content -type f -mtime -7 | sort
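The plugin inventory above still leaves you comparing each version against the table by hand. The script below is an added example (not part of the advisory or of any plugin's own tooling) that does that comparison: it carries the advisory's affected-version ceilings, implements a dotted-version compare in plain sh, and flags any installed plugin inside an affected range. It assumes the titles printed by `wp plugin list --fields=title,version --format=csv` match the names in the table and contain no commas; the plugin list at the bottom is a constructed sample in that shape.

```shell
#!/bin/sh
# Added example, not part of the advisory: triage installed plugin versions
# against the advisory's affected-version ceilings.
# Assumption: titles from `wp plugin list --fields=title,version --format=csv`
# match the advisory names and contain no commas.

# Affected table copied from the advisory: title|operator|ceiling|CVE
AFFECTED='EventPrime|<=|4.3.2.1|CVE-2026-42687
WP BASE Booking|<=|5.9.0|CVE-2026-39587
WP Review Slider Pro|<=|12.6.8|CVE-2026-8442
Groundhogg|<=|4.4|CVE-2026-40727
Link Library|<=|7.8.8|CVE-2026-40779
LatePoint|<=|5.5.1|CVE-2026-49083
Shared Files|<=|1.7.64|CVE-2026-49112
WPC Product Options for WooCommerce|<=|3.2.1|CVE-2026-49061
Listdom|<=|5.5.0|CVE-2026-49063
Advanced Product Fields for WooCommerce|<=|1.6.19|CVE-2026-39499
AI Engine|<=|3.4.9|CVE-2026-27407
CTX Feed|<=|6.6.26|CVE-2026-39434
Modula Image Gallery|<=|2.14.18|CVE-2026-39481
ShortPixel Image Optimizer|<=|6.4.3|CVE-2026-39471
WooCommerce Cart Abandonment Recovery|<|2.1.0|CVE-2026-39470
WooCommerce PDF Invoices & Packing Slips|<|5.9.0|CVE-2026-39472
YayMail|<=|4.3.3|CVE-2026-39498
Abandoned Contact Form 7|<=|2.2|CVE-2026-9187'

# version_cmp A B: print -1, 0 or 1 for A<B, A=B, A>B on dotted numeric
# versions. Missing trailing components count as 0 (5.9 equals 5.9.0) and
# non-digit characters in a component are ignored (1.0-beta reads as 1.0).
version_cmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=$(printf '%s' "${a%%.*}" | tr -cd '0-9')
        bi=$(printf '%s' "${b%%.*}" | tr -cd '0-9')
        ai="${ai:-0}"; bi="${bi:-0}"
        if [ "$ai" -lt "$bi" ]; then echo -1; return 0; fi
        if [ "$ai" -gt "$bi" ]; then echo 1; return 0; fi
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
    done
    echo 0
}

# is_affected TITLE VERSION: print the CVE when the installed version falls
# inside the affected range, print nothing otherwise.
is_affected() {
    title="$1"; installed="$2"
    printf '%s\n' "$AFFECTED" | while IFS='|' read -r name op ceiling cve; do
        [ "$name" = "$title" ] || continue
        c=$(version_cmp "$installed" "$ceiling")
        # "<=" matches compare results -1 and 0; "<" matches only -1
        case "$op$c" in
            '<=-1'|'<=0'|'<-1') printf '%s\n' "$cve" ;;
        esac
    done
}

# check_plugin_list: read "title,version" CSV (header first) on stdin and
# print "CVE title version" for every plugin still inside an affected range.
check_plugin_list() {
    read -r _header
    while IFS=, read -r title version; do
        [ -n "$title" ] || continue
        cve=$(is_affected "$title" "$version")
        if [ -n "$cve" ]; then
            printf '%s %s %s\n' "$cve" "$title" "$version"
        fi
    done
}

# Constructed sample in the shape of `wp plugin list --fields=title,version --format=csv`
SAMPLE_PLUGIN_LIST='title,version
EventPrime,4.3.2.1
Groundhogg,4.5
WooCommerce Cart Abandonment Recovery,2.1.0
YayMail,4.3.3
Hello Dolly,1.7.2'

# Live use: wp plugin list --fields=title,version --format=csv | check_plugin_list
printf '%s\n' "$SAMPLE_PLUGIN_LIST" | check_plugin_list
```

Run against the sample, only EventPrime 4.3.2.1 and YayMail 4.3.3 are reported: Groundhogg 4.5 is above its 4.4 ceiling, and Cart Abandonment Recovery 2.1.0 is the fixed version itself, which the strict `<` in the table excludes. A plugin that is not in the table prints nothing, so an empty result means no listed plugin remains in an affected version, which is the first item under "Clean result".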

Clean result

  • No affected plugin remains below the fixed vendor version.
  • No unexpected role changes or new privileged users appear after the disclosure window.
  • No unknown PHP-like file, backup, export, or deleted business record remains unexplained.
  • Relevant payment, booking, support, and customer records match expected activity.
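The `find -mtime` checks in the owner check only surface files that still exist. Several CVEs in this batch are arbitrary file deletions, and a deleted backup or export leaves nothing for `find` to list. The script below is an added example (not part of the advisory or of any plugin's own tooling) of the baseline approach that makes "no missing file remains unexplained" verifiable: it writes a checksum manifest of a wp-content tree and diffs two manifests into added, modified and removed paths. The directory tree it builds and mutates is constructed for the demonstration; it assumes paths contain no whitespace, since sha256sum output is split on it.

```shell
#!/bin/sh
# Added example, not part of the advisory: keep a checksum manifest of
# wp-content and diff two manifests to list added, modified and removed
# files. A file removed by an arbitrary-file-deletion bug never shows up in
# `find -mtime`; a baseline manifest taken before the exposure window does.
# Assumption: no whitespace in paths (sha256sum/awk split on it).

# macOS ships shasum rather than sha256sum; the output format is the same.
command -v sha256sum >/dev/null 2>&1 || sha256sum() { shasum -a 256 "$@"; }

# make_manifest DIR: print "<sha256>  ./relative/path" lines, sorted by path
make_manifest() {
    (cd "$1" && find . -type f -print | sort | while IFS= read -r f; do
        sha256sum "$f"
    done)
}

# diff_manifests OLD NEW: one line per change, "added|modified|removed <path>"
diff_manifests() {
    awk 'FILENAME == ARGV[1] { old[$2] = $1; next }
         { new[$2] = $1 }
         END {
             for (p in old) if (!(p in new)) print "removed " p
             for (p in new) {
                 if (!(p in old))           print "added " p
                 else if (old[p] != new[p]) print "modified " p
             }
         }' "$1" "$2" | sort
}

# demo: build a constructed wp-content tree, snapshot it, apply the three
# kinds of change the owner check asks about, and print the resulting diff.
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/uploads/2026/06" "$work/backups"
    printf 'image-v1' > "$work/uploads/2026/06/photo.jpg"
    printf 'db-dump'  > "$work/backups/site-2026-06-15.sql"
    make_manifest "$work" > "$work.baseline"

    printf 'x' > "$work/uploads/2026/06/cache.php"          # new PHP-like file in uploads
    rm "$work/backups/site-2026-06-15.sql"                  # backup gone
    printf 'image-v2' > "$work/uploads/2026/06/photo.jpg"   # existing file rewritten

    make_manifest "$work" > "$work.current"
    diff_manifests "$work.baseline" "$work.current"
    rm -rf "$work" "$work.baseline" "$work.current"
}

# Live use: make_manifest /path/to/wp-content > wp-content.$(date +%F).manifest
# on a known-good day, then diff_manifests <baseline> <current> during review.
demo
```

The demo prints one `added` line for the PHP file that appeared under uploads, one `modified` line for the rewritten image, and one `removed` line for the backup. Store the baseline manifest outside the web root; a manifest that lives inside wp-content is itself a file the vulnerable plugin could delete.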

When to request repair

Use Ping7 CVE Repair if file history is unclear, backups or exports were exposed, account roles changed, or a plugin cannot be updated without breaking production.
