Security Advisory - Published 2026-06-18 - WordPress Access Control
WordPress access and privilege CVEs: review users, roles, and sessions
This batch covers privilege escalation, broken authentication, broken access control, and CSRF-to-account-impact reports. The fastest useful check is version plus account history, not a public probing exercise.
Affected components
| CVE | Component | Affected | Issue | CVSS |
|---|---|---|---|---|
| CVE-2026-49058 | LoginPress Pro | <= 6.2.2 | Privilege escalation | 9.8 |
| CVE-2026-54807 | Registration Form for WooCommerce | <= 1.0.9 | Privilege escalation | 9.8 |
| CVE-2026-54803 | SMS Alert Order Notifications | <= 3.9.4 | Privilege escalation | 9.8 |
| CVE-2026-27395 | Support Board | < 3.8.9 | Privilege escalation | 9.8 |
| CVE-2025-69179 | Support Ticket Management System | <= 1.9 | Privilege escalation | 9.8 |
| CVE-2026-49767 | wpForo Forum | <= 3.1.0 | Broken authentication | 9.8 |
| CVE-2026-24611 | MetForm Pro | <= 3.9.1 | Broken access control | 9.1 |
| CVE-2026-12165 | Contest Gallery | <= 30.0.2 | Privilege escalation | 8.8 |
| CVE-2026-54805 | Falang multilanguage | <= 1.4.2 | Privilege escalation | 8.8 |
| CVE-2025-69138 | Genemy | <= 1.6.6 | Privilege escalation | 8.8 |
| CVE-2026-42629 | PowerPack Pro for Elementor | < 2.13.0 | Broken authentication | 8.8 |
| CVE-2025-59563 | Sonaar | <= 4.27.4 | Privilege escalation | 8.8 |
| CVE-2026-22342 | WordPress Dating Theme | <= 11.2.0 | Cross-site request forgery | 8.8 |
Owner self-check
```bash
# Accounts: who exists, what roles they hold, and when they were created
wp user list --fields=ID,user_login,user_email,roles,registered
# Installed plugin and theme versions, to compare against the table above
wp plugin list --fields=name,version,status
wp theme list --fields=name,version,status
# PHP-capable files and archives written to wp-content in the last 7 days
find wp-content -type f -mtime -7 | grep -E '\.(php|phtml|phar|zip)$'
```

Check new users, changed roles, password resets, application passwords, plugin settings, orders, bookings, support tickets, and form submissions after June 17, 2026.
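The self-check above becomes repeatable if wp-cli is asked for JSON instead of a table. The script below is an added example, not part of the advisory or of Ping7's tooling: it reads the output of `wp plugin list --format=json --fields=title,version` (and the same for `wp theme list`) plus `wp user list --format=json --fields=user_login,roles,registered`, flags installed versions inside the affected ranges from the table, and flags privileged accounts registered on or after the June 17 cutoff. It assumes the `title` field matches the component names as written in the table, that `roles` is a comma-separated string, and it runs on constructed sample output.

```python
import json
from datetime import date

# Affected components copied from the advisory table; the operator gives the bound type
AFFECTED = {
    "LoginPress Pro": ("<=", "6.2.2"),
    "Registration Form for WooCommerce": ("<=", "1.0.9"),
    "SMS Alert Order Notifications": ("<=", "3.9.4"),
    "Support Board": ("<", "3.8.9"),
    "Support Ticket Management System": ("<=", "1.9"),
    "wpForo Forum": ("<=", "3.1.0"),
    "MetForm Pro": ("<=", "3.9.1"),
    "Contest Gallery": ("<=", "30.0.2"),
    "Falang multilanguage": ("<=", "1.4.2"),
    "Genemy": ("<=", "1.6.6"),
    "PowerPack Pro for Elementor": ("<", "2.13.0"),
    "Sonaar": ("<=", "4.27.4"),
    "WordPress Dating Theme": ("<=", "11.2.0"),
}
CUTOFF = date(2026, 6, 17)  # conservative: review anything from this date onward
PRIVILEGED = {"administrator", "editor", "shop_manager"}

def vtuple(v):
    # "6.2.2" -> (6, 2, 2); non-numeric parts such as "-beta" are dropped
    return tuple(int(p) for p in v.split(".") if p.isdigit())

def is_affected(title, version):
    # True when the installed version falls inside the advisory's affected range
    if title not in AFFECTED:
        return False
    op, bound = AFFECTED[title]
    installed, limit = vtuple(version), vtuple(bound)
    return installed <= limit if op == "<=" else installed < limit

def review(components_json, users_json):
    # components_json / users_json: wp-cli --format=json output (assumed field names)
    findings = []
    for c in json.loads(components_json):
        if is_affected(c["title"], c["version"]):
            findings.append(f"patch {c['title']} {c['version']}")
    for u in json.loads(users_json):
        registered = date.fromisoformat(u["registered"][:10])
        roles = set(u["roles"].split(","))  # assumption: comma-separated role slugs
        if registered >= CUTOFF and roles & PRIVILEGED:
            findings.append(f"review user {u['user_login']} ({u['roles']}) registered {u['registered']}")
    return findings

# Constructed sample output, not taken from a real site
SAMPLE_COMPONENTS = '[{"title":"Support Board","version":"3.8.9"},{"title":"wpForo Forum","version":"3.1.0"}]'
SAMPLE_USERS = '[{"user_login":"admin","roles":"administrator","registered":"2024-01-10 09:00:00"},{"user_login":"svc_sync","roles":"administrator","registered":"2026-06-18 03:12:45"}]'
```

On the sample data, `review()` flags wpForo Forum 3.1.0 (inside `<= 3.1.0`) but not Support Board 3.8.9 (the fix version, outside `< 3.8.9`), and flags the administrator created after the cutoff.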
Safe fix path
- Patch supported components. Remove unsupported plugins and themes from the server.
- Disable stale admin, editor, shop manager, and integration accounts.
- Rotate passwords and API keys when account history is incomplete.
- Review payments, orders, bookings, listings, tickets, and CRM syncs tied to the affected plugin.
- Use Ping7 CVE Repair if unknown users, role changes, or unexplained records appear.