Security Advisory - Published 2026-06-18 - WordPress File Upload / RCE
WordPress file upload and RCE CVEs: inspect uploads before deleting files
This batch covers file upload and code execution flaws reachable by subscriber, contributor, and unauthenticated users. Patch the component, then check upload paths and administrator history before the site is considered clean.
Affected components
| CVE | Component | Affected | CVSS |
|---|---|---|---|
| CVE-2026-25470 | ACPT Pro - Custom Post Types Plugin for WordPress | <= 2.0.47 | 10.0 |
| CVE-2025-69129 | WordPress & WooCommerce Scraper Plugin, Import Data from Any Site | <= 1.0.7 | 10.0 |
| CVE-2026-40783 | Blocksy Companion Pro | <= 2.1.37 | 9.9 |
| CVE-2026-40749 | Charity Zone | <= 1.1.1 | 9.9 |
| CVE-2026-40747 | Ecommerce Zone | <= 0.9.7 | 9.9 |
| CVE-2024-52488 | Grip | <= 1.0.9 | 9.9 |
| CVE-2026-40748 | Kids Gift Shop | <= 0.5.4 | 9.9 |
| CVE-2025-60218 | PT Luxa Addons | <= 1.2.2 | 9.9 |
| CVE-2026-40746 | Restaurant Zone | <= 0.7.8 | 9.9 |
| CVE-2026-22327 | Restaurt | <= 1.0.4 | 9.9 |
| CVE-2026-27041 | Unlimited Elements for Elementor (Premium) | <= 2.0.6 | 9.9 |
| CVE-2026-39589 | Webenvo | <= 0.0.6 | 9.9 |
| CVE-2026-25446 | WishList Member X | <= 3.29.0 | 9.9 |
| CVE-2026-52705 | SigmaForms Pro - AI Generated Forms | <= 1.4.5 | 9.0 |
Owner self-check
wp plugin list --fields=name,version,status
wp theme list --fields=name,version,status
find wp-content/uploads wp-content/plugins wp-content/themes -type f -mtime -10 | grep -E '\.(php|phtml|phar|shtml|zip|ico|svg)$'
find wp-content -type f -perm -002 -ls 2>/dev/null
Preserve filenames, timestamps, owner/group metadata, and web access logs before cleanup. A file that looks harmless may still be useful for the incident timeline.
Safe fix path
- Patch or remove the affected plugin or theme. Remove inactive vulnerable folders too.
- Block script execution under uploads, cache, backup, import, and temporary directories.
- Review admin users, application passwords, mu-plugins, cron jobs, and changed theme files.
- Rotate credentials if unknown executable files were reachable from the web.
- Use Ping7 CVE Repair when unknown files, redirects, SEO spam, or hidden users are present.
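The owner self-check and the "block script execution under uploads" step, as an added shell example that is not part of the advisory: it runs the recent-script-file and world-writable checks over a constructed sample wp-content tree and tests, heuristically and assuming an Apache .htaccess deployment, whether the uploads directory disables PHP. The function names and the sample tree are this example's own.

```shell
#!/bin/sh
# Added example (not part of the advisory): audit a wp-content tree the way the
# owner self-check does, and test whether the uploads directory blocks PHP.

# Script-like extensions the advisory's find/grep self-check looks for.
SCRIPT_EXT_RE='\.(php|phtml|phar|shtml|zip|ico|svg)$'

# Files under $1/{uploads,plugins,themes} modified in the last $2 days whose
# name matches SCRIPT_EXT_RE, one path per line.
recent_script_files() {
    find "$1/uploads" "$1/plugins" "$1/themes" -type f -mtime -"$2" 2>/dev/null \
        | grep -E "$SCRIPT_EXT_RE"
}

# World-writable files under $1 (the advisory's -perm -002 check).
world_writable_files() {
    find "$1" -type f -perm -002 2>/dev/null
}

# Heuristic: succeed if $1/uploads/.htaccess disables the PHP engine or carries
# a FilesMatch rule that names php files (assumes an Apache deployment).
uploads_blocks_php() {
    ht="$1/uploads/.htaccess"
    [ -f "$ht" ] && grep -Eiq 'php_flag[[:space:]]+engine[[:space:]]+off|<FilesMatch[^>]*php' "$ht"
}

# Constructed sample wp-content tree (not real site data); prints its path.
# Plants a .php under uploads, a harmless image, and a world-writable theme file.
make_sample_tree() {
    umask 022
    root=$(mktemp -d)
    mkdir -p "$root/uploads/2026/06" "$root/plugins/example" "$root/themes/example"
    printf '<?php // constructed sample, no real payload\n' > "$root/uploads/2026/06/wp-cache.php"
    printf 'not really an image\n' > "$root/uploads/2026/06/photo.jpg"
    printf '<?php\n' > "$root/plugins/example/plugin.php"
    printf '<?php\n' > "$root/themes/example/functions.php"
    chmod 666 "$root/themes/example/functions.php"
    printf '%s\n' "$root"
}
# Run the three checks on the constructed tree and print what would be flagged.
demo() {
    root=$(make_sample_tree)
    echo "Recent script-like files:"; recent_script_files "$root" 10
    echo "World-writable files:"; world_writable_files "$root"
    if uploads_blocks_php "$root"; then echo "uploads: PHP execution blocked"
    else echo "uploads: no PHP execution block found"; fi
    rm -rf "$root"
}
demo
```

On a live site, point the functions at the real wp-content directory instead of the sample tree and keep the listed files in place until the timeline work described above is done.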