Security Advisory - Published 2026-06-16 - WordPress XSS Batch

WordPress June 16 XSS CVEs: patch the plugin and review content, redirects, and admin sessions

This batch covers WordPress plugin XSS CVEs in forms, widgets, ecommerce add-ons, booking tools, automation plugins, and SEO utilities. The owner check is simple: patch, then review whether content or administrator sessions changed during the exposure window.

Defensive scope: this checklist is for owned WordPress sites. It does not include exploit strings or browser-side attack walkthroughs.

Affected plugins

CVE            Plugin                                                  Affected        Issue                 CVSS
CVE-2026-42650 AutomatorWP <= 5.6.7 Cross-site scripting 7.2
CVE-2026-42775 AutomatorWP <= 5.7.2 Cross-site scripting 7.1
CVE-2026-39435 CformsII <= 15.1.3 Cross-site scripting 7.1
CVE-2026-42658 Classified Listing <= 5.3.8 Cross-site scripting 7.1
CVE-2026-39449 Contact Form to Any API <= 3.0.3 Cross-site scripting 7.1
CVE-2026-40770 Coupon Affiliates <= 7.5.3 Cross-site scripting 7.1
CVE-2026-49055 Drag and Drop Multiple File Upload - Contact Form 7 <= 1.3.9.7 Cross-site scripting 7.1
CVE-2025-68872 Eli's WordCents AdSense Widget with Analytics <= 1.3.03.27 Cross-site scripting 7.1
CVE-2026-42686 EventPrime <= 4.3.2.1 Cross-site scripting 7.1
CVE-2026-42649 Favicon Rotator <= 1.2.11 Cross-site scripting 7.1
CVE-2026-48966 Funnel Builder by FunnelKit <= 3.15.0.2 Cross-site scripting 7.1
CVE-2026-34900 GiveWP <= 4.14.2 Cross-site scripting 7.1
CVE-2026-48885 HollerBox <= 2.3.10.1 Cross-site scripting 7.1
CVE-2025-68840 iRobots.txt SEO <= 1.1.2 Cross-site scripting 7.1
CVE-2026-39463 ManageWP Worker <= 4.9.31 Cross-site scripting 7.1
CVE-2026-54198 Media Library Assistant <= 3.35 Cross-site scripting 7.1
CVE-2026-39437 Min Max Step Quantity Limits Manager for WooCommerce <= 5.2.2 Cross-site scripting 7.1
CVE-2026-48871 MW WP Form <= 5.1.3 Cross-site scripting 7.1
CVE-2026-40732 Notification for Telegram <= 3.5 Cross-site scripting 7.1
CVE-2025-68851 Okay Toolkit <= 2.3 Cross-site scripting 7.1
CVE-2026-39514 Paid Member Subscriptions <= 2.17.3 Cross-site scripting 7.1
CVE-2026-54191 Pods <= 3.3.8 Cross-site scripting 7.1
CVE-2026-48838 Post SMTP <= 3.6.2 Cross-site scripting 7.1
CVE-2026-45437 Product Filter Widget for Elementor <= 1.0.6 Cross-site scripting 7.1
CVE-2026-40787 Quiz And Survey Master <= 11.0.0 Cross-site scripting 7.1
CVE-2026-48867 Quiz And Survey Master <= 11.1.2 Cross-site scripting 7.1
CVE-2026-23970 Redirection for Contact Form 7 <= 3.2.8 Cross-site scripting 7.1
CVE-2026-52702 SEO Redirection <= 9.17 Cross-site scripting 7.1
CVE-2026-39447 Simply Schedule Appointments <= 1.6.10.6 Cross-site scripting 7.1
CVE-2026-39507 Social Slider Feed <= 2.3.2 Cross-site scripting 7.1
CVE-2026-48876 Stop Spammers <= 2026.3 Cross-site scripting 7.1
CVE-2026-34902 WooCommerce Product Table Lite <= 4.6.3 Cross-site scripting 7.1
CVE-2026-40791 WP Time Slots Booking Form <= 1.2.46 Cross-site scripting 7.1

Owner check

  • Patch or disable the affected plugin, then clear application and CDN caches.
  • Review posts, pages, widgets, forms, popups, shortcodes, redirects, and plugin settings changed after 2026-06-16.
  • Check administrator sessions, recently changed passwords, and new users before assuming the issue was harmless.
  • For ecommerce or membership sites, review checkout pages, account pages, coupons, and email templates.

wp plugin list --fields=name,version,status
wp post list --post_type=post,page --post_status=publish,draft --fields=ID,post_title,post_modified --orderby=post_modified --order=desc
wp user list --fields=ID,user_login,user_email,roles,user_registered
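The two review steps above (plugin still at an affected version, content modified after the disclosure date) as an added shell example; it is not part of this advisory. It assumes wp-cli and GNU sort, and the plugin slugs in the affected list are assumed placeholders for the table's display names.

```sh
#!/bin/sh
# Added example: triage helpers around the wp-cli commands in the checklist.
# Assumes GNU sort (-V) and wp-cli for live use. Plugin slugs below are
# ASSUMED placeholders for the table's display names; take real slugs from
# `wp plugin list` before relying on the mapping.

# Maximum affected version per plugin slug (subset of the table, CSV).
affected_versions() {
  printf '%s\n' \
    'give,4.14.2' \
    'pods,3.3.8' \
    'stop-spammers,2026.3'
}

# True (exit 0) when version $1 sorts at or below version $2.
version_le() {
  [ "$1" = "$2" ] && return 0
  lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)
  [ "$lowest" = "$1" ]
}

# stdin: "name,version" lines, e.g.
#   wp plugin list --fields=name,version --format=csv | tail -n +2 | check_installed
# Prints one line per plugin still at or below its affected version.
check_installed() {
  while IFS=, read -r name version || [ -n "$name" ]; do
    max=$(affected_versions | awk -F, -v n="$name" '$1 == n { print $2 }')
    [ -n "$max" ] || continue
    if version_le "$version" "$max"; then
      printf 'AFFECTED %s %s (fixed releases are above %s)\n' "$name" "$version" "$max"
    fi
  done
}

# stdin: wp-cli CSV whose LAST column is post_modified, e.g.
#   wp post list --post_type=post,page --post_status=publish,draft \
#     --fields=ID,post_title,post_modified --format=csv | modified_since 2026-06-16
# Prints data rows modified on or after the date. Using $NF keeps titles that
# contain commas from shifting the column; "YYYY-MM-DD HH:MM:SS" compares lexically.
modified_since() {
  awk -F, -v since="$1" 'NR > 1 && $NF >= since { print }'
}

# Constructed sample run (two plugins still exposed, one already updated).
printf 'give,4.14.2\npods,3.4.0\nstop-spammers,2026.3\n' | check_installed
```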

Clean result

  • No listed plugin remains at or below the affected version.
  • No unexpected script, iframe, redirect, shortcode, popup, widget, or form change appears in the disclosure window.
  • No unknown administrator session or account change appears after patching.
  • CDN and page caches have been purged after the fixed plugin version is live.

When to request repair

Use Ping7 CVE Repair if the site has unexplained redirects, injected content, suspicious admin sessions, checkout changes, or cached pages that still show old content after patching.

References