Security Advisory - Published 2026-06-16 - WordPress Patchstack Late Batch

WordPress late June 16 Patchstack CVEs: check plugin versions before reviewing users, files, and logs

This batch covers 18 additional WordPress plugin CVEs from the 2026-06-15 23:46 UTC monitor run. The affected plugins include booking, LMS, podcasting, ecommerce, helpdesk, forms, membership, sliders, anti-malware, and multivendor marketplace components.

Defensive scope: use this checklist only for sites you own or support. It does not include exploit payloads, request samples, or instructions for testing third-party sites.

Affected plugins

CVE | Plugin | Affected | Issue | CVSS
--- | --- | --- | --- | ---
CVE-2026-39465 | Responsive Slider by MetaSlider | <= 3.106.0 | Remote code execution | 9.1
CVE-2026-48881 | TrueBooker | <= 1.1.9 | Broken access control | 9.1
CVE-2026-48889 | Amelia | <= 2.3 | Privilege escalation | 8.8
CVE-2026-39478 | Anti-Malware Security and Brute-Force Firewall | <= 4.23.87 | PHP object injection | 8.8
CVE-2026-39579 | B Blocks | <= 2.0.31 | Privilege escalation | 8.8
CVE-2026-49780 | Dokan | <= 5.0.2 | Privilege escalation | 8.8
CVE-2026-39532 | Events Calendar for GeoDirectory | <= 2.3.25 | PHP object injection | 8.8
CVE-2026-39474 | Post Duplicator | <= 3.0.10 | PHP object injection | 8.8
CVE-2026-42661 | WP Customer Area | <= 8.3.4 | Path traversal | 8.8
CVE-2026-40769 | Contact Form Extender for Divi | <= 1.0.6 | Arbitrary file deletion | 8.6
CVE-2026-48964 | ELEX WordPress HelpDesk & Customer Ticketing System | <= 3.3.6 | SQL injection | 8.5
CVE-2026-48874 | GamiPress | <= 7.8.7 | SQL injection | 8.5
CVE-2026-40766 | MasterStudy LMS | <= 3.7.25 | SQL injection | 8.5
CVE-2026-24637 | PowerPress Podcasting | <= 11.15.10 | SQL injection | 8.5
CVE-2026-52697 | Taskbuilder | <= 5.0.7 | SQL injection | 8.5
CVE-2026-52700 | WCMultiShipping | <= 3.0.2 | SQL injection | 8.5
CVE-2026-48882 | WP Time Slots Booking Form | <= 1.2.50 | SQL injection | 8.5
CVE-2026-42664 | AI Product Search for WooCommerce - Motive Commerce Search | <= 1.38.2 | Broken access control | 8.2

Fast owner check

  • Confirm whether any listed plugin exists under wp-content/plugins, including disabled folders.
  • Update supported plugins. Remove abandoned plugins and keep a backup copy only outside the web root.
  • For RCE or PHP object injection entries, review changed PHP files, cron jobs, new users, and plugin settings.
  • For SQL injection entries, preserve web and database logs before cleanup.
  • For broken access control, privilege escalation, file deletion, or path traversal, check account history and recent file activity.

```sh
# Installed plugins with version and status; compare versions against the table above.
wp plugin list --fields=name,version,status

# PHP-like or archive files changed in the last 7 days inside plugin directories.
find wp-content/plugins -maxdepth 2 -type f -mtime -7 | grep -E '\.php$|\.zip$|\.phar$|\.phtml$'

# Same sweep over uploads, where executable files should never appear.
find wp-content/uploads -type f -mtime -7 | grep -E '\.php$|\.phtml$|\.phar$|\.zip$|backup|export'

# Error-log hints (case-insensitive so "PHP Fatal error" is matched too); debug.log exists only if WP_DEBUG_LOG is on.
grep -R -E -i 'fatal|permission|upload|delete|download|sql' wp-content/debug.log 2>/dev/null
```

Clean result

  • No affected plugin remains at or below the affected version shown above.
  • No unexpected administrator, shop manager, editor, customer, contributor, or subscriber account was added after 2026-06-15.
  • No new PHP-like file appears in uploads, cache, plugin, theme, mu-plugin, or backup directories.
  • No unexplained bookings, orders, tickets, lessons, podcast entries, marketplace changes, or redirects appear in logs.

When to request repair

Use Ping7 CVE Repair when an affected plugin is present, the site handles orders, bookings, forms, courses, or customer data, or the file/log review shows unknown users, changed PHP files, missing media, or suspicious database errors.

References