Security Advisory - Published 2026-06-16 - WordPress XSS Batch
WordPress June 16 XSS CVEs: patch the plugin and review content, redirects, and admin sessions
This batch covers WordPress plugin XSS CVEs in forms, widgets, ecommerce add-ons, booking tools, automation plugins, and SEO utilities. The owner check is simple: patch, then review whether content or administrator sessions changed during the exposure window.
Affected plugins
| CVE | Plugin | Affected | Issue | CVSS |
|---|---|---|---|---|
| CVE-2026-42650 | AutomatorWP | <= 5.6.7 | Cross-site scripting | 7.2 |
| CVE-2026-42775 | AutomatorWP | <= 5.7.2 | Cross-site scripting | 7.1 |
| CVE-2026-39435 | CformsII | <= 15.1.3 | Cross-site scripting | 7.1 |
| CVE-2026-42658 | Classified Listing | <= 5.3.8 | Cross-site scripting | 7.1 |
| CVE-2026-39449 | Contact Form to Any API | <= 3.0.3 | Cross-site scripting | 7.1 |
| CVE-2026-40770 | Coupon Affiliates | <= 7.5.3 | Cross-site scripting | 7.1 |
| CVE-2026-49055 | Drag and Drop Multiple File Upload - Contact Form 7 | <= 1.3.9.7 | Cross-site scripting | 7.1 |
| CVE-2025-68872 | Eli's WordCents AdSense Widget with Analytics | <= 1.3.03.27 | Cross-site scripting | 7.1 |
| CVE-2026-42686 | EventPrime | <= 4.3.2.1 | Cross-site scripting | 7.1 |
| CVE-2026-42649 | Favicon Rotator | <= 1.2.11 | Cross-site scripting | 7.1 |
| CVE-2026-48966 | Funnel Builder by FunnelKit | <= 3.15.0.2 | Cross-site scripting | 7.1 |
| CVE-2026-34900 | GiveWP | <= 4.14.2 | Cross-site scripting | 7.1 |
| CVE-2026-48885 | HollerBox | <= 2.3.10.1 | Cross-site scripting | 7.1 |
| CVE-2025-68840 | iRobots.txt SEO | <= 1.1.2 | Cross-site scripting | 7.1 |
| CVE-2026-39463 | ManageWP Worker | <= 4.9.31 | Cross-site scripting | 7.1 |
| CVE-2026-54198 | Media Library Assistant | <= 3.35 | Cross-site scripting | 7.1 |
| CVE-2026-39437 | Min Max Step Quantity Limits Manager for WooCommerce | <= 5.2.2 | Cross-site scripting | 7.1 |
| CVE-2026-48871 | MW WP Form | <= 5.1.3 | Cross-site scripting | 7.1 |
| CVE-2026-40732 | Notification for Telegram | <= 3.5 | Cross-site scripting | 7.1 |
| CVE-2025-68851 | Okay Toolkit | <= 2.3 | Cross-site scripting | 7.1 |
| CVE-2026-39514 | Paid Member Subscriptions | <= 2.17.3 | Cross-site scripting | 7.1 |
| CVE-2026-54191 | Pods | <= 3.3.8 | Cross-site scripting | 7.1 |
| CVE-2026-48838 | Post SMTP | <= 3.6.2 | Cross-site scripting | 7.1 |
| CVE-2026-45437 | Product Filter Widget for Elementor | <= 1.0.6 | Cross-site scripting | 7.1 |
| CVE-2026-40787 | Quiz And Survey Master | <= 11.0.0 | Cross-site scripting | 7.1 |
| CVE-2026-48867 | Quiz And Survey Master | <= 11.1.2 | Cross-site scripting | 7.1 |
| CVE-2026-23970 | Redirection for Contact Form 7 | <= 3.2.8 | Cross-site scripting | 7.1 |
| CVE-2026-52702 | SEO Redirection | <= 9.17 | Cross-site scripting | 7.1 |
| CVE-2026-39447 | Simply Schedule Appointments | <= 1.6.10.6 | Cross-site scripting | 7.1 |
| CVE-2026-39507 | Social Slider Feed | <= 2.3.2 | Cross-site scripting | 7.1 |
| CVE-2026-48876 | Stop Spammers | <= 2026.3 | Cross-site scripting | 7.1 |
| CVE-2026-34902 | WooCommerce Product Table Lite | <= 4.6.3 | Cross-site scripting | 7.1 |
| CVE-2026-40791 | WP Time Slots Booking Form | <= 1.2.46 | Cross-site scripting | 7.1 |
Owner check
- Patch or disable the affected plugin, then clear application and CDN caches.
- Review posts, pages, widgets, forms, popups, shortcodes, redirects, and plugin settings changed after 2026-06-16.
- Check administrator sessions, recently changed passwords, and new users before assuming the issue was harmless.
- For ecommerce or membership sites, review checkout pages, account pages, coupons, and email templates.
WP-CLI commands that give the inventory for this review (installed plugin versions, recently modified content, and the user list):
wp plugin list --fields=name,version,status
wp post list --post_type=post,page --post_status=publish,draft --fields=ID,post_title,post_modified
wp user list --fields=ID,user_login,user_email,roles,registered
Clean result
- No listed plugin remains at or below the affected version.
- No unexpected script, iframe, redirect, shortcode, popup, widget, or form change appears in the disclosure window.
- No unknown administrator session or account change appears after patching.
- CDN and page caches have been purged after the fixed plugin version is live.
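As an added example (not part of this advisory and not Ping7 or WordPress tooling), the following Python script turns the WP-CLI commands in the owner check into the two mechanical parts of the clean result: no plugin from the batch is still at or below its affected version, and a list of posts and pages modified on or after 2026-06-16 that still need a manual look. It reads the `--format=csv` output of `wp plugin list` and `wp post list`. The plugin slugs in the AFFECTED map are assumptions: WP-CLI prints slugs, not the display names used in the table above, so confirm each slug against the site before trusting the result. The CSV samples at the bottom are constructed.

```python
"""Triage helpers for the WordPress XSS batch.

Feed this the CSV output of:
    wp plugin list --fields=name,version,status --format=csv
    wp post list --post_type=post,page --post_status=publish,draft \
        --fields=ID,post_title,post_modified --format=csv
"""
import csv
import io
from datetime import datetime

# Disclosure date from the advisory; content modified on or after it is reviewed.
DISCLOSURE_DATE = datetime(2026, 6, 16)

# slug -> (CVE, highest affected version).  CVEs and versions come from the
# advisory table; the slugs are ASSUMPTIONS (WP-CLI prints the slug, not the
# display name) and must be confirmed before use.  Where a plugin has two rows
# (AutomatorWP), the higher ceiling covers both CVEs.
AFFECTED = {
    "automatorwp": ("CVE-2026-42775", "5.7.2"),
    "give": ("CVE-2026-34900", "4.14.2"),
    "pods": ("CVE-2026-54191", "3.3.8"),
    "post-smtp": ("CVE-2026-48838", "3.6.2"),
}


def version_tuple(v):
    """Split '1.3.03.27' into (1, 3, 3, 27); non-numeric components count as 0."""
    parts = []
    for p in v.strip().split("."):
        digits = "".join(ch for ch in p if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_affected(installed, ceiling):
    """True when installed <= ceiling; shorter tuples are zero-padded so 5.7 == 5.7.0."""
    a, b = version_tuple(installed), version_tuple(ceiling)
    n = max(len(a), len(b))
    a += (0,) * (n - len(a))
    b += (0,) * (n - len(b))
    return a <= b


def vulnerable_plugins(plugin_csv):
    """Return [(slug, version, status, cve)] for plugins still at or below the ceiling.

    Inactive plugins are reported too: the clean-result criterion is that no
    listed plugin remains at an affected version, whether or not it is active.
    """
    hits = []
    for row in csv.DictReader(io.StringIO(plugin_csv)):
        entry = AFFECTED.get(row["name"])
        if entry and is_affected(row["version"], entry[1]):
            hits.append((row["name"], row["version"], row["status"], entry[0]))
    return hits


def posts_modified_since(post_csv, since=DISCLOSURE_DATE):
    """Return [(ID, title)] for rows whose post_modified is on or after `since`."""
    out = []
    for row in csv.DictReader(io.StringIO(post_csv)):
        modified = datetime.strptime(row["post_modified"], "%Y-%m-%d %H:%M:%S")
        if modified >= since:
            out.append((int(row["ID"]), row["post_title"]))
    return out


# Constructed sample output, standing in for the real WP-CLI CSV.
SAMPLE_PLUGINS = """name,version,status
automatorwp,5.7.2,active
give,4.14.3,active
pods,3.3.8,inactive
post-smtp,3.7.0,active
hello,1.7.2,inactive
"""

SAMPLE_POSTS = """ID,post_title,post_modified
12,About us,2026-05-30 09:14:02
57,"Summer sale, limited",2026-06-16 00:00:00
61,Checkout,2026-06-18 15:42:10
"""

if __name__ == "__main__":
    for slug, ver, status, cve in vulnerable_plugins(SAMPLE_PLUGINS):
        print(f"STILL AFFECTED: {slug} {ver} ({status}) {cve}")
    for pid, title in posts_modified_since(SAMPLE_POSTS):
        print(f"REVIEW: post {pid} '{title}' modified in disclosure window")
```

On a real site, replace the samples with `subprocess.run(["wp", ...], capture_output=True, text=True).stdout`. The date check only narrows the manual review; it does not judge whether a change is malicious, so every listed post still needs a look for injected script, iframe, redirect or shortcode content as the clean-result list describes.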
When to request repair
Use Ping7 CVE Repair if the site has unexplained redirects, injected content, suspicious admin sessions, checkout changes, or cached pages that still show old content after patching.