Security Advisory - Published 2026-06-18 - WordPress Access Control

WordPress access and privilege CVEs: review users, roles, and sessions

This batch covers privilege escalation, broken authentication, broken access control, and CSRF-to-account-impact reports. The fastest useful check is the installed component version plus account history, not probing the site from outside.

Defensive scope: use this page only for owned WordPress sites and approved repair work. The checks stay at versions, roles, sessions, settings, and logs.

Affected components

CVE             Component                          Affected   Issue                        CVSS
CVE-2026-49058  LoginPress Pro                     <= 6.2.2   Privilege escalation         9.8
CVE-2026-54807  Registration Form for WooCommerce  <= 1.0.9   Privilege escalation         9.8
CVE-2026-54803  SMS Alert Order Notifications      <= 3.9.4   Privilege escalation         9.8
CVE-2026-27395  Support Board                      < 3.8.9    Privilege escalation         9.8
CVE-2025-69179  Support Ticket Management System   <= 1.9     Privilege escalation         9.8
CVE-2026-49767  wpForo Forum                       <= 3.1.0   Broken authentication        9.8
CVE-2026-24611  MetForm Pro                        <= 3.9.1   Broken access control        9.1
CVE-2026-12165  Contest Gallery                    <= 30.0.2  Privilege escalation         8.8
CVE-2026-54805  Falang multilanguage               <= 1.4.2   Privilege escalation         8.8
CVE-2025-69138  Genemy                             <= 1.6.6   Privilege escalation         8.8
CVE-2026-42629  PowerPack Pro for Elementor        < 2.13.0   Broken authentication        8.8
CVE-2025-59563  Sonaar                             <= 4.27.4  Privilege escalation         8.8
CVE-2026-22342  WordPress Dating Theme             <= 11.2.0  Cross-site request forgery   8.8

Owner self-check

wp user list --fields=ID,user_login,user_email,roles,registered   # every account, its roles, and when it was created
wp plugin list --fields=name,version,status                        # compare versions against the table above
wp theme list --fields=name,version,status
find wp-content -type f -mtime -7 | grep -E '\.(php|phtml|phar|zip)$'   # executable or archive files written in the last 7 days

Check new users, changed roles, password resets, application passwords, plugin settings, orders, bookings, support tickets, and form submissions after June 17, 2026.
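The two checks above can be automated against the JSON output of the same WP-CLI commands. The script below is an added example, not part of the advisory or any vendor tool: it compares installed plugin and theme titles against the version ranges in the table (assuming the `title` field from `wp plugin list --format=json` matches the component names used here, which you should verify on your site) and flags elevated-role accounts registered after June 17, 2026. The sample rows are constructed.

```python
from datetime import datetime

# Affected ranges copied from the advisory table above: (operator, limit version).
AFFECTED = {
    "LoginPress Pro": ("<=", "6.2.2"), "Registration Form for WooCommerce": ("<=", "1.0.9"),
    "SMS Alert Order Notifications": ("<=", "3.9.4"), "Support Board": ("<", "3.8.9"),
    "Support Ticket Management System": ("<=", "1.9"), "wpForo Forum": ("<=", "3.1.0"),
    "MetForm Pro": ("<=", "3.9.1"), "Contest Gallery": ("<=", "30.0.2"),
    "Falang multilanguage": ("<=", "1.4.2"), "Genemy": ("<=", "1.6.6"),
    "PowerPack Pro for Elementor": ("<", "2.13.0"), "Sonaar": ("<=", "4.27.4"),
    "WordPress Dating Theme": ("<=", "11.2.0"),
}
CUTOFF = datetime(2026, 6, 17)  # advisory: review account changes after this date
ELEVATED = {"administrator", "editor", "shop_manager"}

def vtuple(v):
    """'1.9' -> (1, 9, 0); a non-numeric part such as '2-beta' is dropped."""
    parts = [int(p) for p in v.split(".")[:3] if p.isdigit()]
    return tuple(parts + [0] * (3 - len(parts)))

def is_affected(title, version):
    """True when an installed component sits inside its advisory range."""
    if title not in AFFECTED:
        return False
    op, limit = AFFECTED[title]
    return vtuple(version) <= vtuple(limit) if op == "<=" else vtuple(version) < vtuple(limit)

def vulnerable_components(rows):
    """rows: `wp plugin list --fields=title,version --format=json` (same for themes)."""
    return sorted(r["title"] for r in rows if is_affected(r["title"], r["version"]))

def suspicious_users(rows):
    """rows: `wp user list --fields=user_login,roles,registered --format=json`.
    Returns elevated-role accounts registered after the cutoff."""
    hits = []
    for r in rows:
        registered = datetime.strptime(r["registered"], "%Y-%m-%d %H:%M:%S")
        if registered > CUTOFF and set(r["roles"].split(",")) & ELEVATED:
            hits.append(r["user_login"])
    return hits

# Constructed sample rows, not real site data.
SAMPLE_PLUGINS = [{"title": "LoginPress Pro", "version": "6.2.2"},
                  {"title": "Support Board", "version": "3.8.9"},
                  {"title": "Contest Gallery", "version": "30.0.3"}]
SAMPLE_USERS = [{"user_login": "owner", "roles": "administrator", "registered": "2024-01-05 10:00:00"},
                {"user_login": "wp_support2", "roles": "administrator", "registered": "2026-06-18 03:12:44"},
                {"user_login": "shopper", "roles": "customer", "registered": "2026-06-18 09:00:00"}]
if __name__ == "__main__":
    print(vulnerable_components(SAMPLE_PLUGINS), suspicious_users(SAMPLE_USERS))
```

Note that "Support Board 3.8.9" is not flagged because its range is strictly less than 3.8.9, while "LoginPress Pro 6.2.2" is, because its range is inclusive.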

Safe fix path

  • Patch supported components. Remove unsupported plugins and themes from the server.
  • Disable stale admin, editor, shop manager, and integration accounts.
  • Rotate passwords and API keys when account history is incomplete.
  • Review payments, orders, bookings, listings, tickets, and CRM syncs tied to the affected plugin.
  • Use Ping7 CVE Repair if unknown users, role changes, or unexplained records appear.

References