Security Advisory - Published 2026-06-16 - WordPress Patchstack Late Batch
WordPress late June 16 Patchstack CVEs: check plugin versions before reviewing users, files, and logs
This batch covers 18 additional WordPress plugin CVEs from the 2026-06-15 23:46 UTC monitor run. The affected plugins include booking, LMS, podcasting, ecommerce, helpdesk, forms, membership, sliders, anti-malware, and multivendor marketplace components.
Affected plugins
| CVE | Plugin | Affected versions | Issue | CVSS |
|---|---|---|---|---|
| CVE-2026-39465 | Responsive Slider by MetaSlider | <= 3.106.0 | Remote code execution | 9.1 |
| CVE-2026-48881 | TrueBooker | <= 1.1.9 | Broken access control | 9.1 |
| CVE-2026-48889 | Amelia | <= 2.3 | Privilege escalation | 8.8 |
| CVE-2026-39478 | Anti-Malware Security and Brute-Force Firewall | <= 4.23.87 | PHP object injection | 8.8 |
| CVE-2026-39579 | B Blocks | <= 2.0.31 | Privilege escalation | 8.8 |
| CVE-2026-49780 | Dokan | <= 5.0.2 | Privilege escalation | 8.8 |
| CVE-2026-39532 | Events Calendar for GeoDirectory | <= 2.3.25 | PHP object injection | 8.8 |
| CVE-2026-39474 | Post Duplicator | <= 3.0.10 | PHP object injection | 8.8 |
| CVE-2026-42661 | WP Customer Area | <= 8.3.4 | Path traversal | 8.8 |
| CVE-2026-40769 | Contact Form Extender for Divi | <= 1.0.6 | Arbitrary file deletion | 8.6 |
| CVE-2026-48964 | ELEX WordPress HelpDesk & Customer Ticketing System | <= 3.3.6 | SQL injection | 8.5 |
| CVE-2026-48874 | GamiPress | <= 7.8.7 | SQL injection | 8.5 |
| CVE-2026-40766 | MasterStudy LMS | <= 3.7.25 | SQL injection | 8.5 |
| CVE-2026-24637 | PowerPress Podcasting | <= 11.15.10 | SQL injection | 8.5 |
| CVE-2026-52697 | Taskbuilder | <= 5.0.7 | SQL injection | 8.5 |
| CVE-2026-52700 | WCMultiShipping | <= 3.0.2 | SQL injection | 8.5 |
| CVE-2026-48882 | WP Time Slots Booking Form | <= 1.2.50 | SQL injection | 8.5 |
| CVE-2026-42664 | AI Product Search for WooCommerce - Motive Commerce Search | <= 1.38.2 | Broken access control | 8.2 |
Fast owner check
- Confirm whether any listed plugin exists under wp-content/plugins, including disabled or renamed folders that WordPress no longer lists as plugins.
- Update supported plugins. Remove abandoned plugins and keep a backup copy only outside the web root.
- For RCE or PHP object injection entries, review changed PHP files, WP-Cron events and the system crontab, new users, and plugin settings.
- For SQL injection entries, preserve web and database logs before cleanup.
- For broken access control, privilege escalation, file deletion, or path traversal, check account history and recent file activity.
wp plugin list --fields=name,version,status
find wp-content/plugins -type f -mtime -7 | grep -E '\.php$|\.zip$|\.phar$|\.phtml$'
find wp-content/uploads -type f -mtime -7 | grep -E '\.php$|\.phtml$|\.phar$|\.zip$|backup|export'
grep -R "fatal\|permission\|upload\|delete\|download\|sql" wp-content/debug.log 2>/dev/null
These commands are a first pass, not proof of a clean site. The find filters only see files touched in the last seven days with lowercase extensions, and modification times can be reset by an attacker, so when in doubt compare a plugin directory against a fresh copy of the same version from wordpress.org. wp plugin list shows only plugins WordPress recognizes, so also read the directory listing for leftover folders. wp-content/debug.log exists only when WP_DEBUG_LOG is enabled; otherwise check the web server error log.
Clean result
- No affected plugin remains at or below the affected version shown above.
- No unexpected administrator, shop manager, editor, customer, contributor, or subscriber account was added after 2026-06-15.
- No new PHP-like file appears in uploads, cache, plugin, theme, mu-plugin, or backup directories.
- No unexplained bookings, orders, tickets, lessons, podcast entries, marketplace changes, or redirects appear in logs.
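The plugin-version, new-user and file checks from the fast owner check and the clean-result list above, as one added Python example that is not code from the advisory or from Patchstack. It assumes wp-cli CSV output (`wp plugin list --fields=name,version,status --format=csv` and `wp user list --fields=ID,user_login,roles,user_registered --format=csv`), runs on constructed samples rather than a live site, and maps a handful of the table's display names to assumed wordpress.org slugs that must be verified before use. What it adds over the commands on the page is numeric version comparison (3.99.2 is below the 3.106.0 ceiling although string sorting says otherwise), keeping inactive plugins in scope, and catching PHP-like extensions in any case or position in the file name.

```python
"""Triage helpers for the 2026-06-16 Patchstack late batch (added example,
not code from the advisory or Patchstack). Works on wp-cli CSV output; the
samples below are constructed, and the slug mapping is an assumption."""
import csv
import io
import re
from datetime import datetime

# Ceilings from the advisory table: installed <= ceiling means affected.
# Slugs are assumed; verify each against wordpress.org before relying on them.
AFFECTED = {
    "ml-slider": "3.106.0",   # Responsive Slider by MetaSlider, CVE-2026-39465
    "gotmls": "4.23.87",      # Anti-Malware Security and Brute-Force Firewall
    "dokan-lite": "5.0.2",    # Dokan
    "post-duplicator": "3.0.10",
    "gamipress": "7.8.7",
    "powerpress": "11.15.10",
    "ameliabooking": "2.3",   # Amelia
}

def parse_version(v):
    """'3.106.0' -> (3, 106, 0). Numeric comparison matters: as strings,
    '3.99.2' sorts after '3.106.0', which would wrongly clear the site."""
    out = []
    for piece in v.strip().split("."):
        m = re.match(r"\d+", piece)
        out.append(int(m.group()) if m else 0)
    return tuple(out)

def is_affected(installed, ceiling):
    a, b = parse_version(installed), parse_version(ceiling)
    n = max(len(a), len(b))  # pad so 2.3 compares equal to 2.3.0
    return a + (0,) * (n - len(a)) <= b + (0,) * (n - len(b))

def affected_plugins(plugin_csv):
    """[(slug, version, status)] for listed plugins at or below the ceiling.
    Inactive plugins are kept: their files are still on disk."""
    hits = []
    for row in csv.DictReader(io.StringIO(plugin_csv)):
        ceiling = AFFECTED.get(row["name"])
        if ceiling and is_affected(row["version"], ceiling):
            hits.append((row["name"], row["version"], row["status"]))
    return hits

def users_registered_since(user_csv, cutoff="2026-06-15"):
    """(login, roles) for accounts registered on or after the cutoff date,
    whatever the role: the advisory lists subscriber and customer too."""
    since = datetime.strptime(cutoff, "%Y-%m-%d")
    found = []
    for row in csv.DictReader(io.StringIO(user_csv)):
        reg = datetime.strptime(row["user_registered"], "%Y-%m-%d %H:%M:%S")
        if reg >= since:
            found.append((row["user_login"], row["roles"]))
    return found

# PHP-like extension anywhere in the name, any case: catches shell.PHP and
# shell.php.jpg (double extension), which a lowercase suffix match misses.
PHP_LIKE = re.compile(r"\.(php\d?|phtml|phar|phps)(\.|$)", re.IGNORECASE)
ARCHIVE = re.compile(r"\.zip$|backup|export", re.IGNORECASE)

def suspicious_files(paths):
    """[(path, reason)] for paths that deserve a manual look."""
    flagged = []
    for p in paths:
        name = p.rsplit("/", 1)[-1]
        if PHP_LIKE.search(name):
            flagged.append((p, "php-like"))
        elif ARCHIVE.search(name):
            flagged.append((p, "archive/backup"))
    return flagged

# Constructed samples standing in for real wp-cli output and a find listing.
SAMPLE_PLUGINS = """name,version,status
ml-slider,3.99.2,active
gamipress,7.8.8,active
dokan-lite,5.0.2,inactive
akismet,5.3,active
"""
SAMPLE_USERS = """ID,user_login,roles,user_registered
1,owner,administrator,2023-01-10 08:00:00
57,svc_backup,administrator,2026-06-16 03:12:44
58,jdoe,customer,2026-06-15 22:10:09
"""
SAMPLE_FILES = ["wp-content/uploads/2026/06/photo.jpg",
                "wp-content/uploads/2026/06/cache.PHP",
                "wp-content/uploads/2026/06/image.php.jpg",
                "wp-content/uploads/export-2026.zip"]

if __name__ == "__main__":
    for hit in affected_plugins(SAMPLE_PLUGINS):
        print("affected plugin:", hit)
    for user in users_registered_since(SAMPLE_USERS):
        print("recent user:", user)
    for item in suspicious_files(SAMPLE_FILES):
        print("review file:", item)
```

On a real site, replace the samples with the output of the two wp-cli commands and a `find wp-content -type f` listing. A flagged plugin means patch or remove first; a flagged user or file means preserve logs before touching anything, as the checklist above says.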
When to request repair
Use Ping7 CVE Repair when an affected plugin is present, the site handles orders, bookings, forms, courses, or customer data, or the file/log review shows unknown users, changed PHP files, missing media, or suspicious database errors.