Security Advisory - Published 2026-06-16 - WordPress RCE / SQL Batch

WordPress June 16 RCE, SQL, and deserialization CVEs: patch first, preserve logs before cleanup

This batch covers WordPress plugin CVEs where database access, generated files, or unsafe data handling can turn a normal plugin issue into a site incident. Check the plugin version, take a backup, patch or disable the plugin, then review recent files and logs.

Defensive scope: this page is for owned WordPress sites and approved repair work. It does not include request samples or unauthorized testing steps.

Affected plugins

| CVE | Plugin | Affected versions | Issue | CVSS |
|---|---|---|---|---|
| CVE-2026-49774 | RD Station | <= 5.6.0 | Remote code execution | 9.9 |
| CVE-2026-52715 | GEO my WordPress | <= 4.5.5 | SQL injection | 9.3 |
| CVE-2026-39574 | InPost Gallery | <= 2.1.4.6 | SQL injection | 9.3 |
| CVE-2026-49772 | The Events Calendar | 6.15.12 - 6.16.2 | SQL injection | 9.3 |
| CVE-2026-6933 | Premmerce Dev Tools | <= 2.0 | Remote code execution | 8.8 |
| CVE-2026-8443 | WP Review Slider Pro | <= 12.6.8 | SQL injection | 8.8 |
| CVE-2026-8444 | WP Review Slider Pro | <= 12.6.8 | SQL injection | 8.8 |
| CVE-2026-39581 | WP Sessions Time Monitoring Full Automatic | <= 1.1.4 | SQL injection | 8.5 |
| CVE-2026-27333 | Paid Videochat Turnkey Site | <= 7.3.23 | Deserialization | 8.1 |
| CVE-2026-52712 | Attendance Manager | <= 0.6.2 | SQL injection | 7.6 |
| CVE-2026-40762 | WPGraphQL | < 2.11.1 | SQL injection | 7.5 |

Owner check

  • Confirm whether any affected plugin is installed, active, or left disabled under wp-content/plugins.
  • Patch supported plugins. Remove unused plugins from the web root instead of leaving old code disabled.
  • Preserve web server, PHP, WordPress debug, and database logs before deleting files.
  • Review new administrator users, cron jobs, changed plugin files, and unexpected database errors after 2026-06-16.
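
```sh
# Run from the WordPress root. List every plugin with its version and status.
wp plugin list --fields=name,version,status
# Executable or archive files changed in plugin directories in the last 7 days.
find wp-content/plugins -maxdepth 3 -type f -mtime -7 | grep -E '\.php$|\.phtml$|\.phar$|\.zip$'
# PHP-like files, backups, or exports written to uploads in the last 7 days.
find wp-content/uploads -type f -mtime -7 | grep -E '\.php$|\.phtml$|\.phar$|backup|export'
# Case-insensitive so "PHP Fatal error" and "WordPress database error" match.
grep -iE 'fatal|database error|permission|plugin|sql' wp-content/debug.log 2>/dev/null
```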
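
One way to automate the version check in the first bullet, as an added example that is not part of the advisory: it compares `wp plugin list` CSV output against three rows of the table using version ordering rather than string comparison, and reports inactive plugins too. The plugin slugs are assumptions (confirm them against your own `wp plugin list` output), the sample input is constructed, and `sort -V` (GNU coreutils) is assumed to be available.

```sh
#!/bin/sh
# Added example (not from the advisory): flag plugins inside an affected range.
# Versions come from the advisory table; the three slugs are assumptions.
# Rule: slug|op|low|high   op: le (<= high), lt (< high), range (low..high)
RULES='the-events-calendar|range|6.15.12|6.16.2
wp-graphql|lt||2.11.1
geo-my-wp|le||4.5.5'

# ver_le A B: succeeds when A <= B in version order (needs sort -V).
ver_le() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# affected SLUG VERSION: succeeds when VERSION is inside the rule for SLUG.
affected() {
    rule=$(printf '%s\n' "$RULES" | grep "^$1|") || return 1
    IFS='|' read -r slug op low high <<EOF
$rule
EOF
    case $op in
        le)    ver_le "$2" "$high" ;;
        lt)    [ "$2" != "$high" ] && ver_le "$2" "$high" ;;
        range) ver_le "$low" "$2" && ver_le "$2" "$high" ;;
        *)     return 1 ;;
    esac
}

# check_csv: read "name,version,status" CSV on stdin and print one line per
# affected plugin. Inactive plugins are reported too: the code is still on disk.
check_csv() {
    while IFS=, read -r name version status; do
        [ "$name" = "name" ] && continue   # skip the CSV header row
        if affected "$name" "$version"; then
            echo "AFFECTED $name $version ($status)"
        fi
    done
}

# Constructed sample input, not output from a real site.
check_csv <<'EOF'
name,version,status
the-events-calendar,6.16.0,active
wp-graphql,2.9.3,inactive
geo-my-wp,4.5.6,active
EOF
```

On a real site, feed it with `wp plugin list --fields=name,version,status --format=csv | check_csv` and add the remaining table rows to `RULES` using the slugs that command reports.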

Clean result

  • No listed plugin remains at or below the affected version.
  • No new PHP-like files appear in uploads, cache, plugin, theme, or mu-plugin directories.
  • No unknown administrator, editor, shop manager, or subscriber account appears in the disclosure window.
  • No unexplained database errors, export activity, or changed plugin settings remain unresolved.

When to request repair

Use Ping7 CVE Repair when an affected plugin is present, the site stores customer data, logs are missing, or file changes and database activity cannot be explained.
