Security Advisory - Published 2026-06-16 - WordPress RCE / SQL Batch
WordPress June 16 RCE, SQL, and deserialization CVEs: patch first, preserve logs before cleanup
This batch covers WordPress plugin CVEs where database access, generated files, or unsafe data handling can turn a normal plugin issue into a site incident. Check the plugin version, take a backup, patch or disable the plugin, then review recent files and logs.
Affected plugins
| CVE | Plugin | Affected | Issue | CVSS |
|---|---|---|---|---|
| CVE-2026-49774 | RD Station | <= 5.6.0 | Remote code execution | 9.9 |
| CVE-2026-52715 | GEO my WordPress | <= 4.5.5 | SQL injection | 9.3 |
| CVE-2026-39574 | InPost Gallery | <= 2.1.4.6 | SQL injection | 9.3 |
| CVE-2026-49772 | The Events Calendar | 6.15.12 - 6.16.2 | SQL injection | 9.3 |
| CVE-2026-6933 | Premmerce Dev Tools | <= 2.0 | Remote code execution | 8.8 |
| CVE-2026-8443 | WP Review Slider Pro | <= 12.6.8 | SQL injection | 8.8 |
| CVE-2026-8444 | WP Review Slider Pro | <= 12.6.8 | SQL injection | 8.8 |
| CVE-2026-39581 | WP Sessions Time Monitoring Full Automatic | <= 1.1.4 | SQL injection | 8.5 |
| CVE-2026-27333 | Paid Videochat Turnkey Site | <= 7.3.23 | Deserialization | 8.1 |
| CVE-2026-52712 | Attendance Manager | <= 0.6.2 | SQL injection | 7.6 |
| CVE-2026-40762 | WPGraphQL | < 2.11.1 | SQL injection | 7.5 |
Owner check
- Confirm whether any affected plugin is installed, active, or left disabled under `wp-content/plugins`.
- Patch supported plugins. Remove unused plugins from the web root instead of leaving old code disabled.
- Preserve web server, PHP, WordPress debug, and database logs before deleting files.
- Review new administrator users, cron jobs, changed plugin files, and unexpected database errors after 2026-06-16.
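```bash
# Installed plugins with version and status (active or inactive)
wp plugin list --fields=name,version,status
# Plugin files changed in the last 7 days
find wp-content/plugins -maxdepth 3 -type f -mtime -7 | grep -E '\.php$|\.phtml$|\.phar$|\.zip$'
# Recent executable-looking files, backups or exports under uploads
find wp-content/uploads -type f -mtime -7 | grep -E '\.php$|\.phtml$|\.phar$|backup|export'
# Errors worth reviewing in the WordPress debug log (case-insensitive)
grep -iE 'fatal|database error|permission|plugin|sql' wp-content/debug.log 2>/dev/null
```

Clean result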
- No listed plugin remains at or below the affected version.
- No new PHP-like files appear in uploads, cache, plugin, theme, or mu-plugin directories.
- No unknown administrator, editor, shop manager, or subscriber account appears in the disclosure window.
- No unexplained database errors, export activity, or changed plugin settings remain unresolved.
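
One way to check the first clean-result item against the Affected column, as an added example that is not part of the advisory: the ranges are copied from the table above, while the plugin slugs, function names and sample CSV are assumptions made for illustration. It relies on `sort -V` for version ordering.

```bash
# Added example. Ranges are from the advisory table; slugs are assumptions.

# ver_le A B: true when A <= B in version order (uses sort -V).
# Trailing zero components are not normalized: "2.0.0" sorts after "2.0".
ver_le() {
  [ "$1" = "$2" ] ||
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$1" ]
}

# in_range VERSION SPEC: SPEC is "<= X", "< X" or "LOW - HIGH" (inclusive),
# the three forms that appear in the Affected column.
in_range() {
  local v=$1 spec=$2
  case $spec in
    "<= "*)  ver_le "$v" "${spec#"<= "}" ;;
    "< "*)   [ "$v" != "${spec#"< "}" ] && ver_le "$v" "${spec#"< "}" ;;
    *" - "*) ver_le "${spec%% - *}" "$v" && ver_le "$v" "${spec##* - }" ;;
    *)       return 2 ;;
  esac
}

# Slug -> affected range. Confirm each slug against your own plugin list.
affected_spec() {
  case $1 in
    the-events-calendar) echo "6.15.12 - 6.16.2" ;;
    wp-graphql)          echo "< 2.11.1" ;;
    inpost-gallery)      echo "<= 2.1.4.6" ;;
    *)                   return 1 ;;
  esac
}

# Reads name,version,status CSV on stdin; prints plugins still in range,
# including inactive ones, since disabled code still sits in the web root.
check_plugins() {
  local name version status spec
  while IFS=, read -r name version status; do
    spec=$(affected_spec "$name") || continue
    in_range "$version" "$spec" &&
      echo "AFFECTED $name $version ($status) matches '$spec'"
  done
  return 0
}

# Constructed sample input, not taken from a real site.
sample_csv() {
  printf '%s\n' name,version,status the-events-calendar,6.16.2,active \
    wp-graphql,2.11.1,active inpost-gallery,2.1.4.6,inactive akismet,5.3,active
}

sample_csv | check_plugins
```

On a real site, replace the sample with `wp plugin list --fields=name,version,status --format=csv | check_plugins` and extend `affected_spec` with the remaining rows of the table once their slugs are confirmed.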
When to request repair
Use Ping7 CVE Repair when an affected plugin is present, the site stores customer data, logs are missing, or file changes and database activity cannot be explained.