Security Advisory - Published 2026-06-16 - WordPress Patchstack Batch

WordPress June 16 Patchstack CVEs: patch the plugin first, then check users, files, and logs

This batch adds 40 high and critical WordPress plugin CVEs from the latest Ping7 monitor run. The affected plugins include ecommerce, forms, maps, forums, galleries, redirects, user management, booking, travel, and automation integrations.

Defensive scope: this page is for owned WordPress sites and client-approved repair work. It does not include exploit payloads, request samples, unauthorized scanning steps, or attack-chain instructions.

Fast triage

  • Search the plugin list for the product names below, including disabled folders left under `wp-content/plugins`.
  • Patch supported plugins. Remove abandoned or unused plugins instead of leaving old code in place.
  • For SQL injection: preserve web and database logs, then review unusual requests and database errors.
  • For PHP object injection or RCE: review recently changed files, cron jobs, new users, and plugin settings.
  • For file upload, path traversal, or file deletion: inspect uploads, backups, media paths, and access logs before cleanup.

Affected plugins

CVE | Plugin | Affected versions | Issue | CVSS
CVE-2026-48836 | Easy Invoice | <= 2.1.19 | Remote code execution | 10.0
CVE-2026-40772 | GeekyBot | <= 1.2.2 | Arbitrary file upload | 10.0
CVE-2026-49766 | WP User Manager | <= 2.9.16 | Arbitrary file deletion | 9.9
CVE-2026-39591 | WP-BusinessDirectory | <= 4.0.0 | Arbitrary file upload | 9.9
CVE-2026-27053 | Broadcast Live Video | < 7.1.3 | PHP object injection | 9.8
CVE-2026-39583 | Datalogics Ecommerce Delivery | <= 2.6.62 | Privilege escalation | 9.8
CVE-2026-49768 | Happyforms | <= 1.26.13 | PHP object injection | 9.8
CVE-2026-34901 | iControlWP | <= 5.5.3 | Privilege escalation | 9.8
CVE-2026-9691 | Integration for ActiveCampaign and Contact Form 7, WPForms, Elementor, Ninja Forms | <= 1.1.1 | PHP object injection | 9.8
CVE-2026-49106 | Integration for Contact Form 7 and Constant Contact | <= 1.1.6 | PHP object injection | 9.8
CVE-2026-49763 | Integration for Contact Form 7 HubSpot | <= 1.3.7 | PHP object injection | 9.8
CVE-2026-49104 | Integration for Keap/Infusionsoft and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms | <= 1.2.1 | PHP object injection | 9.8
CVE-2026-49765 | Integration for Mailchimp and Contact Form 7, WPForms, Elementor, Ninja Forms | <= 1.1.8 | PHP object injection | 9.8
CVE-2026-49109 | Integration for Salesforce and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms | <= 1.4.3 | PHP object injection | 9.8
CVE-2026-49781 | OttoKit | <= 1.1.27 | PHP object injection | 9.8
CVE-2026-49764 | RegistrationMagic | <= 6.0.8.6 | Broken authentication | 9.8
CVE-2026-49085 | WP Insightly for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms | <= 1.1.4 | PHP object injection | 9.8
CVE-2026-49770 | WP Travel Engine | <= 6.7.12 | PHP object injection | 9.8
CVE-2026-49105 | WP Zendesk for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms | <= 1.1.4 | PHP object injection | 9.8
CVE-2026-49769 | wpForo Forum | <= 3.1.0 | PHP object injection | 9.8
CVE-2026-52703 | FastDup | <= 2.7.2 | Path traversal | 9.6
CVE-2026-49067 | Advanced 301 and 302 Redirect | <= 1.6.9 | SQL injection | 9.3
CVE-2026-40771 | Contest Gallery | <= 28.1.6 | SQL injection | 9.3
CVE-2026-52693 | eCommerce Product Catalog | <= 3.5.5 | SQL injection | 9.3
CVE-2026-39441 | Feed KuantoKusta for WooCommerce Free | <= 5.3 | SQL injection | 9.3
CVE-2026-39502 | Form Maker by 10Web | <= 1.15.38 | SQL injection | 9.3
CVE-2026-42381 | Funnel Builder by FunnelKit | <= 3.15.0.1 | SQL injection | 9.3
CVE-2026-42639 | GD Rating System | <= 3.6.2 | SQL injection | 9.3
CVE-2026-39519 | GeekyBot | <= 1.2.0 | SQL injection | 9.3
CVE-2026-39512 | GeoDirectory | <= 2.8.152 | SQL injection | 9.3
CVE-2026-49776 | GPTranslate | <= 2.32.6 | SQL injection | 9.3
CVE-2026-48886 | JS Help Desk | <= 3.0.9 | SQL injection | 9.3
CVE-2026-42386 | Order Delivery Date for WooCommerce | <= 4.5.1 | SQL injection | 9.3
CVE-2026-45439 | Realtyna Organic IDX | <= 5.1.0 | SQL injection | 9.3
CVE-2026-39493 | Simply Schedule Appointments | <= 1.6.9.27 | SQL injection | 9.3
CVE-2026-39530 | SpeakOut! Email Petitions | <= 4.6.5 | SQL injection | 9.3
CVE-2026-42665 | WP Data Access | <= 5.5.70 | SQL injection | 9.3
CVE-2026-39492 | WP Maps | <= 4.9.1 | SQL injection | 9.3
CVE-2026-39511 | WP Photo Album Plus | <= 9.1.08.001 | SQL injection | 9.3
CVE-2026-40798 | wpForo Forum | <= 3.0.4 | SQL injection | 9.3

Owner self-check

# Installed plugins with version and active/inactive status (disabled folders are still listed)
wp plugin list --fields=name,version,status
# PHP-like files and archives changed in the last 7 days under plugins (raise or drop -maxdepth to look deeper)
find wp-content/plugins -maxdepth 2 -type f -mtime -7 | grep -E '\.(php|zip|phar|phtml)$'
# Same check for uploads, plus names that suggest exported or backed-up data
find wp-content/uploads -type f -mtime -7 | grep -E '\.(php|phtml|phar|zip)$|backup|invoice|export'
# debug.log only exists when WP_DEBUG_LOG is enabled; the redirect keeps a missing file from aborting the check
grep -R -E 'CVE-2026|sql|fatal|unserialize|permission|upload|download' wp-content/debug.log 2>/dev/null

On managed hosting, use the file manager and WordPress admin pages if shell access is unavailable. Record plugin versions and timestamps before deleting files, because the repair report needs the sequence of events.
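The first two triage steps (find the product in the plugin list, including disabled copies, and decide whether the installed version falls under the advisory) are easy to get wrong by comparing versions as strings. The script below is an added example, not Ping7 or Patchstack tooling: it reads the JSON form of `wp plugin list --fields=name,status,version --format=json`, maps plugin slugs to the advisory's display names, and compares versions numerically, honouring the difference between `<=` and `<` in the table. The slug-to-name mapping and the sample wp-cli output are constructed assumptions; confirm each slug against the folder name under `wp-content/plugins` on the real site.

```python
"""Match `wp plugin list` output against the advisory table.

Added example (not the advisory's or the vendor's code). Slugs in SLUG_TO_NAME
are assumptions and must be checked against the plugin folders on the site.
"""
import json
import re

# Subset of the advisory rows above: (CVE, plugin display name, constraint, issue, CVSS).
ADVISORY = [
    ("CVE-2026-48836", "Easy Invoice", "<= 2.1.19", "Remote code execution", 10.0),
    ("CVE-2026-27053", "Broadcast Live Video", "< 7.1.3", "PHP object injection", 9.8),
    ("CVE-2026-49766", "WP User Manager", "<= 2.9.16", "Arbitrary file deletion", 9.9),
    ("CVE-2026-49769", "wpForo Forum", "<= 3.1.0", "PHP object injection", 9.8),
    ("CVE-2026-40798", "wpForo Forum", "<= 3.0.4", "SQL injection", 9.3),
]

# Assumed wp-cli slug -> advisory display name. Verify against wp-content/plugins.
SLUG_TO_NAME = {
    "easy-invoice": "Easy Invoice",
    "broadcast-live-video": "Broadcast Live Video",
    "wp-user-manager": "WP User Manager",
    "wpforo": "wpForo Forum",
}


def parse_version(v):
    """'9.1.08.001' -> (9, 1, 8, 1): numeric parts so '2.10.0' sorts after '2.9.16'."""
    parts = []
    for piece in re.split(r"[.\-]", v.strip()):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def _pad(a, b):
    """Right-pad the shorter tuple with zeros so (3, 1) compares equal to (3, 1, 0)."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)), b + (0,) * (n - len(b))


def is_affected(installed, constraint):
    """constraint is '<= X' or '< X', exactly as written in the advisory table."""
    op, bound = constraint.split(None, 1)
    a, b = _pad(parse_version(installed), parse_version(bound))
    if op == "<=":
        return a <= b
    if op == "<":
        return a < b
    raise ValueError("unsupported constraint: " + constraint)


def triage(wp_plugin_list_json):
    """One finding per (installed plugin, CVE) whose version falls under the advisory.

    Inactive plugins are reported too: a disabled folder under wp-content/plugins
    is still code on disk, which is why the fast-triage list says to check them.
    """
    findings = []
    for plugin in json.loads(wp_plugin_list_json):
        name = SLUG_TO_NAME.get(plugin["name"])
        if name is None:
            continue
        for cve, adv_name, constraint, issue, cvss in ADVISORY:
            if adv_name == name and is_affected(plugin["version"], constraint):
                findings.append({
                    "slug": plugin["name"], "version": plugin["version"],
                    "status": plugin["status"], "cve": cve,
                    "issue": issue, "cvss": cvss,
                })
    return sorted(findings, key=lambda f: -f["cvss"])


# Constructed sample of `wp plugin list --fields=name,status,version --format=json`.
SAMPLE_WP_OUTPUT = json.dumps([
    {"name": "akismet", "status": "active", "version": "5.3"},
    {"name": "easy-invoice", "status": "inactive", "version": "2.1.19"},
    {"name": "broadcast-live-video", "status": "active", "version": "7.1.3"},
    {"name": "wp-user-manager", "status": "active", "version": "2.10.0"},
    {"name": "wpforo", "status": "active", "version": "3.0.9"},
])

if __name__ == "__main__":
    for f in triage(SAMPLE_WP_OUTPUT):
        print(f"{f['cve']}  {f['slug']} {f['version']} ({f['status']}): {f['issue']}, CVSS {f['cvss']}")
```

In the constructed sample, the disabled Easy Invoice copy is still flagged, Broadcast Live Video 7.1.3 is not (the table says `< 7.1.3`), WP User Manager 2.10.0 is correctly treated as newer than 2.9.16, and wpForo 3.0.9 matches only the `<= 3.1.0` row.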

Clean result

  • No affected plugin remains below the fixed vendor version.
  • No unknown administrator, shop manager, editor, subscriber, or integration account was added after the disclosure window.
  • No new PHP-like file appears in uploads, cache, plugin, theme, mu-plugin, or backup directories.
  • No unexplained order, invoice, form, booking, user, redirect, or forum changes appear in logs.
  • Payment, CRM, email-marketing, and form integration keys are rotated if suspicious access cannot be ruled out.
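The "no new PHP-like file" check above is usually run with `find` and `grep`, which only see the final extension. The script below is an added example, not part of the advisory or any vendor tool, and it widens that check in three ways a responder wants: it flags double extensions such as `photo.php.jpg`, it flags `.htaccess` and `.user.ini` files inside the uploads tree (both change how the web server handles the files around them), and it keeps the same seven-day modification window and name hints (`backup`, `invoice`, `export`) as the commands above. The sample directory tree it scans is constructed in a temporary directory.

```python
"""Scan an uploads/cache/backup tree for PHP-like, archive and server-control files.

Added example, not the advisory's own tooling. The sample tree is constructed
in a temporary directory so the script runs offline.
"""
import os
import shutil
import tempfile
import time

PHP_LIKE = {".php", ".phtml", ".phar", ".php3", ".php4", ".php5", ".php7", ".phps", ".pht", ".inc"}
ARCHIVE = {".zip"}
NAME_HINTS = ("backup", "invoice", "export")
CONTROL_FILES = {".htaccess", ".user.ini"}  # can alter PHP handling for the directory


def classify(filename):
    """Return a review reason for a file name, or None if it looks harmless."""
    lower = filename.lower()
    if lower in CONTROL_FILES:
        return "server-control file"
    parts = lower.split(".")
    exts = ["." + p for p in parts[1:]]  # every suffix: 'a.php.jpg' -> ['.php', '.jpg']
    if exts and exts[-1] in PHP_LIKE:
        return "php-like extension"
    if any(e in PHP_LIKE for e in exts[:-1]):
        return "php-like inner extension"
    if exts and exts[-1] in ARCHIVE:
        return "archive in uploads"
    if any(h in lower for h in NAME_HINTS):
        return "name suggests exported data"
    return None


def scan(root, max_age_days=7, now=None):
    """List (relative path, reason) for flagged files modified within the window."""
    now = time.time() if now is None else now
    cutoff = now - max_age_days * 86400
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            reason = classify(fn)
            if reason is None:
                continue
            full = os.path.join(dirpath, fn)
            if os.stat(full).st_mtime < cutoff:
                continue  # older than the window; still worth a look, but not "new"
            hits.append((os.path.relpath(full, root), reason))
    return sorted(hits)


def build_sample_tree():
    """Constructed uploads tree for the demo; returns its path (caller removes it)."""
    root = tempfile.mkdtemp(prefix="wp-uploads-")
    now = time.time()
    files = {
        "2026/06/photo.jpg": now,                 # normal media, not flagged
        "2026/06/photo.php.jpg": now,             # double extension
        "2026/06/unknown.php": now,               # PHP file where none belongs
        "2026/06/.htaccess": now,                 # server-control file in uploads
        "2026/06/orders-export.csv": now,         # exported data left in a public path
        "2025/01/old.php": now - 30 * 86400,      # outside the 7-day window
    }
    for rel, mtime in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("sample\n")
        os.utime(path, (mtime, mtime))
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    try:
        for rel, reason in scan(sample_root):
            print(f"{reason:28s} {rel}")
    finally:
        shutil.rmtree(sample_root)
```

Point `scan()` at `wp-content/uploads`, the cache directory, and any backup folder the host exposes; the old file outside the window is deliberately skipped so the output matches the `-mtime -7` commands, and a wider window is one argument away.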

When to use Ping7 repair

Use Ping7 CVE Repair when the affected plugin is present, the site has payment or form data, the plugin cannot be updated safely, logs are noisy, or unknown files/users appear. Send the domain, plugin version, hosting type, and the first suspicious timestamp.

References