Security Advisory - Published 2026-06-16 - WordPress Patchstack Batch
WordPress June 16 Patchstack CVEs: patch the plugin first, then check users, files, and logs
This batch adds 40 high and critical WordPress plugin CVEs from the latest Ping7 monitor run. The affected plugins include ecommerce, forms, maps, forums, galleries, redirects, user management, booking, travel, and automation integrations.
Fast triage
- Search the plugin list for the product names below, including disabled folders left under `wp-content/plugins`.
- Patch supported plugins. Remove abandoned or unused plugins instead of leaving old code in place.
- For SQL injection: preserve web and database logs, then review unusual requests and database errors.
- For PHP object injection or RCE: review recently changed files, cron jobs, new users, and plugin settings.
- For file upload, path traversal, or file deletion: inspect uploads, backups, media paths, and access logs before cleanup.
Affected plugins
| CVE | Plugin | Affected versions | Issue | CVSS |
|---|---|---|---|---|
| CVE-2026-48836 | Easy Invoice | <= 2.1.19 | Remote code execution | 10.0 |
| CVE-2026-40772 | GeekyBot | <= 1.2.2 | Arbitrary file upload | 10.0 |
| CVE-2026-49766 | WP User Manager | <= 2.9.16 | Arbitrary file deletion | 9.9 |
| CVE-2026-39591 | WP-BusinessDirectory | <= 4.0.0 | Arbitrary file upload | 9.9 |
| CVE-2026-27053 | Broadcast Live Video | < 7.1.3 | PHP object injection | 9.8 |
| CVE-2026-39583 | Datalogics Ecommerce Delivery | <= 2.6.62 | Privilege escalation | 9.8 |
| CVE-2026-49768 | Happyforms | <= 1.26.13 | PHP object injection | 9.8 |
| CVE-2026-34901 | iControlWP | <= 5.5.3 | Privilege escalation | 9.8 |
| CVE-2026-9691 | Integration for ActiveCampaign and Contact Form 7, WPForms, Elementor, Ninja Forms | <= 1.1.1 | PHP object injection | 9.8 |
| CVE-2026-49106 | Integration for Contact Form 7 and Constant Contact | <= 1.1.6 | PHP object injection | 9.8 |
| CVE-2026-49763 | Integration for Contact Form 7 HubSpot | <= 1.3.7 | PHP object injection | 9.8 |
| CVE-2026-49104 | Integration for Keap/Infusionsoft and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms | <= 1.2.1 | PHP object injection | 9.8 |
| CVE-2026-49765 | Integration for Mailchimp and Contact Form 7, WPForms, Elementor, Ninja Forms | <= 1.1.8 | PHP object injection | 9.8 |
| CVE-2026-49109 | Integration for Salesforce and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms | <= 1.4.3 | PHP object injection | 9.8 |
| CVE-2026-49781 | OttoKit | <= 1.1.27 | PHP object injection | 9.8 |
| CVE-2026-49764 | RegistrationMagic | <= 6.0.8.6 | Broken authentication | 9.8 |
| CVE-2026-49085 | WP Insightly for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms | <= 1.1.4 | PHP object injection | 9.8 |
| CVE-2026-49770 | WP Travel Engine | <= 6.7.12 | PHP object injection | 9.8 |
| CVE-2026-49105 | WP Zendesk for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms | <= 1.1.4 | PHP object injection | 9.8 |
| CVE-2026-49769 | wpForo Forum | <= 3.1.0 | PHP object injection | 9.8 |
| CVE-2026-52703 | FastDup | <= 2.7.2 | Path traversal | 9.6 |
| CVE-2026-49067 | Advanced 301 and 302 Redirect | <= 1.6.9 | SQL injection | 9.3 |
| CVE-2026-40771 | Contest Gallery | <= 28.1.6 | SQL injection | 9.3 |
| CVE-2026-52693 | eCommerce Product Catalog | <= 3.5.5 | SQL injection | 9.3 |
| CVE-2026-39441 | Feed KuantoKusta for WooCommerce Free | <= 5.3 | SQL injection | 9.3 |
| CVE-2026-39502 | Form Maker by 10Web | <= 1.15.38 | SQL injection | 9.3 |
| CVE-2026-42381 | Funnel Builder by FunnelKit | <= 3.15.0.1 | SQL injection | 9.3 |
| CVE-2026-42639 | GD Rating System | <= 3.6.2 | SQL injection | 9.3 |
| CVE-2026-39519 | GeekyBot | <= 1.2.0 | SQL injection | 9.3 |
| CVE-2026-39512 | GeoDirectory | <= 2.8.152 | SQL injection | 9.3 |
| CVE-2026-49776 | GPTranslate | <= 2.32.6 | SQL injection | 9.3 |
| CVE-2026-48886 | JS Help Desk | <= 3.0.9 | SQL injection | 9.3 |
| CVE-2026-42386 | Order Delivery Date for WooCommerce | <= 4.5.1 | SQL injection | 9.3 |
| CVE-2026-45439 | Realtyna Organic IDX | <= 5.1.0 | SQL injection | 9.3 |
| CVE-2026-39493 | Simply Schedule Appointments | <= 1.6.9.27 | SQL injection | 9.3 |
| CVE-2026-39530 | SpeakOut! Email Petitions | <= 4.6.5 | SQL injection | 9.3 |
| CVE-2026-42665 | WP Data Access | <= 5.5.70 | SQL injection | 9.3 |
| CVE-2026-39492 | WP Maps | <= 4.9.1 | SQL injection | 9.3 |
| CVE-2026-39511 | WP Photo Album Plus | <= 9.1.08.001 | SQL injection | 9.3 |
| CVE-2026-40798 | wpForo Forum | <= 3.0.4 | SQL injection | 9.3 |
Owner self-check
```sh
# Installed plugins with version and status (disabled plugins are listed too)
wp plugin list --fields=name,version,status
# PHP-like or archive files changed in the last 7 days under the plugin tree
find wp-content/plugins -maxdepth 2 -type f -mtime -7 | grep -E '\.php$|\.zip$|\.phar$|\.phtml$'
# Same for uploads, plus names that suggest dumped data (backups, invoices, exports)
find wp-content/uploads -type f -mtime -7 | grep -E '\.php$|\.phtml$|\.phar$|\.zip$|backup|invoice|export'
# Debug-log lines that point at injection, deserialization, permission or file-handling errors
grep -R -E 'CVE-2026|sql|fatal|unserialize|permission|upload|download' wp-content/debug.log 2>/dev/null
```
On managed hosting, use the file manager and WordPress admin pages if shell access is unavailable. Record plugin versions and timestamps before deleting files, because the repair report needs the sequence of events.
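As an added example that is not part of the advisory or of the Ping7 tooling, the following POSIX shell script feeds the `wp plugin list` output from the self-check through the version bounds in the table above and flags every installed copy, active or not, that is still inside an affected range. The plugin folder names in its table are assumed (map product names to the folders actually present under `wp-content/plugins` before using it), and it relies on GNU `sort -V` for version ordering.

```shell
#!/bin/sh
# Added example, not part of the advisory: compare installed plugin versions
# with the affected ranges from the table above.
# Assumes GNU coreutils (sort -V) and rows from
# `wp plugin list --fields=name,version,status` on stdin.

# Constructed subset of the table: folder-name, operator, bound.
# Folder names are ASSUMED; where a plugin appears twice in the table,
# keep the higher bound so both CVEs are covered.
AFFECTED="happyforms <= 1.26.13
wpforo <= 3.1.0
broadcast-live-video < 7.1.3
geodirectory <= 2.8.152
wp-travel-engine <= 6.7.12"

# version_le A B: true when A sorts at or before B in version order.
version_le() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# is_affected FOLDER VERSION: prints affected, ok, or unknown (not in table).
is_affected() {
    entry=$(printf '%s\n' "$AFFECTED" | awk -v s="$1" '$1 == s { print $2, $3; exit }')
    if [ -z "$entry" ]; then echo unknown; return 0; fi
    op=${entry% *}; bound=${entry#* }
    # "< bound" excludes the bound itself, "<= bound" includes it
    if [ "$op" = "<" ] && [ "$2" = "$bound" ]; then echo ok; return 0; fi
    if version_le "$2" "$bound"; then echo affected; else echo ok; fi
}

# scan_plugins: reads "name version status" rows on stdin, prints a verdict
# per row, and returns 1 if any installed plugin is affected. Inactive
# plugins are reported too: disabled code under wp-content/plugins still counts.
scan_plugins() {
    found=0
    while read -r name version status; do
        if [ "$name" = "name" ]; then continue; fi   # header row from wp-cli
        verdict=$(is_affected "$name" "$version")
        printf '%s %s %s %s\n' "$name" "$version" "$status" "$verdict"
        if [ "$verdict" = "affected" ]; then found=1; fi
    done
    return $found
}

# Usage: wp plugin list --fields=name,version,status | scan_plugins
```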
Clean result
- No affected plugin remains below the fixed vendor version.
- No unknown administrator, shop manager, editor, subscriber, or integration account was added after the disclosure window.
- No new PHP-like file appears in uploads, cache, plugin, theme, mu-plugin, or backup directories.
- No unexplained order, invoice, form, booking, user, redirect, or forum changes appear in logs.
- Payment, CRM, email-marketing, and form integration keys are rotated if suspicious access cannot be ruled out.
When to use Ping7 repair
Use Ping7 CVE Repair when the affected plugin is present, the site has payment or form data, the plugin cannot be updated safely, logs are noisy, or unknown files/users appear. Send the domain, plugin version, hosting type, and the first suspicious timestamp.