Security Advisory - Published 2026-06-18 - WordPress File Upload / RCE

WordPress file upload and RCE CVEs: inspect uploads before deleting files

This batch covers file upload and code execution flaws reachable by subscriber-level, contributor-level, and unauthenticated users. Patch the component, then check upload paths and administrator history before the site is considered clean.

Defensive scope: use this page only for owned sites and approved incident review. The checks are limited to versions, upload paths, file changes, users, logs, and backups.

Affected components

CVE            | Component                                                         | Affected  | CVSS
---------------|-------------------------------------------------------------------|-----------|-----
CVE-2026-25470 | ACPT Pro - Custom Post Types Plugin for WordPress                 | <= 2.0.47 | 10.0
CVE-2025-69129 | WordPress & WooCommerce Scraper Plugin, Import Data from Any Site | <= 1.0.7  | 10.0
CVE-2026-40783 | Blocksy Companion Pro                                             | <= 2.1.37 | 9.9
CVE-2026-40749 | Charity Zone                                                      | <= 1.1.1  | 9.9
CVE-2026-40747 | Ecommerce Zone                                                    | <= 0.9.7  | 9.9
CVE-2024-52488 | Grip                                                              | <= 1.0.9  | 9.9
CVE-2026-40748 | Kids Gift Shop                                                    | <= 0.5.4  | 9.9
CVE-2025-60218 | PT Luxa Addons                                                    | <= 1.2.2  | 9.9
CVE-2026-40746 | Restaurant Zone                                                   | <= 0.7.8  | 9.9
CVE-2026-22327 | Restaurt                                                          | <= 1.0.4  | 9.9
CVE-2026-27041 | Unlimited Elements for Elementor (Premium)                        | <= 2.0.6  | 9.9
CVE-2026-39589 | Webenvo                                                           | <= 0.0.6  | 9.9
CVE-2026-25446 | WishList Member X                                                 | <= 3.29.0 | 9.9
CVE-2026-52705 | SigmaForms Pro - AI Generated Forms                               | <= 1.4.5  | 9.0
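
As an added example that is not part of this advisory, the POSIX shell snippet below compares installed plugin versions from `wp plugin list` against the Affected ceilings in the table, using GNU `sort -V` for version ordering. The plugin slugs, the sample plugin list, and the assumption of GNU coreutils are mine, not the advisory's; the slug for each plugin must be checked against the real site.

```shell
#!/bin/sh
# Added example, not part of the advisory: flag installed plugins whose version
# is still at or below the "Affected" ceiling in the table above.
# Assumes GNU coreutils (sort -V); slugs and sample data are constructed.

# is_affected INSTALLED MAX: exit 0 when INSTALLED <= MAX in version order.
is_affected() {
    lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)
    [ "$lowest" = "$1" ]
}

# Ceilings from the table; the slug column is an assumption about each
# plugin's directory name and must be verified against the real site.
AFFECTED="acpt-pro 2.0.47 CVE-2026-25470
blocksy-companion-pro 2.1.37 CVE-2026-40783
unlimited-elements-for-elementor-premium 2.0.6 CVE-2026-27041
wishlist-member 3.29.0 CVE-2026-25446
sigmaforms-pro 1.4.5 CVE-2026-52705"

# check_plugins: reads `wp plugin list --fields=name,version,status --format=csv`
# on stdin and prints one line per plugin still inside an affected range.
check_plugins() {
    while IFS=, read -r name version status; do
        [ "$name" = "name" ] && continue            # csv header row
        printf '%s\n' "$AFFECTED" | while read -r slug max cve; do
            if [ "$name" = "$slug" ] && is_affected "$version" "$max"; then
                printf '%s %s is affected (<= %s, %s, status=%s)\n' \
                    "$name" "$version" "$max" "$cve" "$status"
            fi
        done
    done
}

# Constructed sample in the csv shape; a real run pipes wp-cli output in.
SAMPLE_PLUGINS="name,version,status
acpt-pro,2.0.47,active
blocksy-companion-pro,2.1.38,active
wishlist-member,3.28.2,inactive
akismet,5.3,active"

# count_affected: number of flagged plugins in the sample (expected 2).
count_affected() {
    printf '%s\n' "$SAMPLE_PLUGINS" | check_plugins | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE_PLUGINS" | check_plugins
```

On a real site, run `wp plugin list --fields=name,version,status --format=csv | check_plugins`. An inactive plugin at or below the ceiling is still reported, which matches the fix path's point that inactive vulnerable folders must be removed as well; a version exactly equal to the ceiling counts as affected because the ranges are inclusive.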

Owner self-check

# Installed versions, to compare against the Affected column above
wp plugin list --fields=name,version,status
wp theme list --fields=name,version,status
# Script-type or archive files changed in the last 10 days under upload, plugin, and theme paths
find wp-content/uploads wp-content/plugins wp-content/themes -type f -mtime -10 | grep -E '\.(php|phtml|phar|shtml|zip|ico|svg)$'
# World-writable files anywhere under wp-content
find wp-content -type f -perm -002 -ls 2>/dev/null

Preserve filenames, timestamps, owner/group metadata, and web access logs before cleanup. A file that looks harmless may still be useful for the incident timeline.
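
The self-check scan and the evidence-preservation step, as an added example that is not from the advisory: it builds a constructed wp-content tree, runs the same file filter as the commands above, and writes a snapshot of path, size, mtime, owner, mode and sha256 before anything is deleted. It assumes GNU coreutils (`stat -c`, `sha256sum`); every path and file in it is fake.

```shell
#!/bin/sh
# Added example, not from the advisory: the self-check scan above run over a
# constructed wp-content tree, plus an evidence snapshot written BEFORE any
# cleanup. Assumes GNU coreutils (stat -c, sha256sum); all paths are fake.

# make_sample_tree: build a throwaway tree and print its root directory.
make_sample_tree() {
    root=$(mktemp -d)
    up="$root/wp-content/uploads/2026/06"
    pl="$root/wp-content/plugins/demo-plugin"
    mkdir -p "$up" "$pl"
    printf 'not really an image\n' > "$up/photo.jpg"
    printf '<?php /* constructed placeholder, not a payload */\n' > "$up/cache.php"
    printf '<?php /* legitimate plugin file */\n' > "$pl/demo-plugin.php"
    chmod 644 "$up/cache.php" "$pl/demo-plugin.php"
    chmod 666 "$up/photo.jpg"                    # world-writable data file
    touch -t 202001010000 "$pl/demo-plugin.php"  # old mtime: outside the window
    printf '%s\n' "$root"
}

# recent_scripts ROOT DAYS: script-type or archive files changed in the last
# DAYS days under uploads, plugins and themes (same filter as the self-check,
# case-insensitive so .PHP is not missed).
recent_scripts() {
    find "$1/wp-content/uploads" "$1/wp-content/plugins" "$1/wp-content/themes" \
         -type f -mtime "-$2" 2>/dev/null \
      | grep -Ei '\.(php|phtml|phar|shtml|zip|ico|svg)$'
}

# world_writable ROOT: files anyone on the host can modify.
world_writable() {
    find "$1/wp-content" -type f -perm -002 2>/dev/null
}

# snapshot_evidence ROOT OUTFILE: one line per file with size, mtime (epoch),
# owner:group, mode and sha256; prints the number of lines written.
snapshot_evidence() {
    find "$1/wp-content" -type f | sort | while read -r f; do
        meta=$(stat -c '%s %Y %U:%G %a' "$f")
        sum=$(sha256sum "$f" | cut -d ' ' -f 1)
        printf '%s %s %s\n' "$f" "$meta" "$sum"
    done > "$2"
    wc -l < "$2" | tr -d ' '
}

# Stand-alone demo: build, report, clean up.
demo_root=$(make_sample_tree)
demo_out=$(mktemp)
echo "recent script-type files:";   recent_scripts "$demo_root" 10
echo "world-writable files:";       world_writable "$demo_root"
echo "evidence lines: $(snapshot_evidence "$demo_root" "$demo_out")"
rm -rf "$demo_root" "$demo_out"
```

Keep the snapshot file outside the web root and alongside the copied access logs; the hash and mtime columns let a later review show which files changed after the snapshot and which were already present when the incident was opened.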

Safe fix path

  • Patch or remove the affected plugin or theme. Remove inactive vulnerable folders too.
  • Block script execution under uploads, cache, backup, import, and temporary directories.
  • Review admin users, application passwords, mu-plugins, cron jobs, and changed theme files.
  • Rotate credentials if unknown executable files were reachable from the web.
  • Use Ping7 CVE Repair when unknown files, redirects, SEO spam, or hidden users are present.
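
The second step of the fix path (block script execution under data directories), as an added example that is not the advisory's own: an Apache 2.4 `.htaccess` that denies requests for script-type files, installed without overwriting into a list of constructed directory names, with a checker that reports directories still lacking the rule. It assumes Apache honours `.htaccess` in those directories (`AllowOverride` permits it); Nginx and other servers, or Apache with `AllowOverride None`, need the same rule in the main server configuration instead.

```shell
#!/bin/sh
# Added example, not the advisory's own: deny direct requests for script-type
# files in directories that should only hold data. Directory names are
# constructed; the Apache 2.4 syntax below is standard, the layout is not.

NO_EXEC_RULES='# Deny direct requests for script-type files in this directory tree.
<FilesMatch "\.(php|phtml|phar|shtml)$">
    Require all denied
</FilesMatch>'

# install_no_exec ROOT DIR...: write the rule into each DIR under ROOT
# (creating the directory if needed) unless an .htaccess already exists.
# An existing file is never overwritten; it must be reviewed by hand.
install_no_exec() {
    root="$1"; shift
    for d in "$@"; do
        mkdir -p "$root/$d"
        if [ ! -e "$root/$d/.htaccess" ]; then
            printf '%s\n' "$NO_EXEC_RULES" > "$root/$d/.htaccess"
        fi
    done
}

# missing_no_exec ROOT DIR...: print each DIR whose .htaccess lacks the deny
# rule; exit status 0 only when none are missing.
missing_no_exec() {
    root="$1"; shift
    missing=0
    for d in "$@"; do
        if ! grep -qs 'Require all denied' "$root/$d/.htaccess"; then
            printf '%s\n' "$d"
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# Constructed list of data-only directories (adjust to the real site).
DATA_DIRS="wp-content/uploads wp-content/cache wp-content/backups wp-content/imports wp-content/tmp"

# Stand-alone demo in a throwaway tree.
demo=$(mktemp -d)
install_no_exec "$demo" $DATA_DIRS
missing_no_exec "$demo" $DATA_DIRS && echo "all data directories carry the deny rule"
rm -rf "$demo"
```

If the host's PHP handler also fires on names such as `file.php.jpg`, drop the `$` anchor from the pattern so the match is not limited to the final extension. Because the rule is only applied where no `.htaccess` exists, a directory already carrying a plugin-supplied file shows up in the checker's output until it has been reviewed and the deny rule added by hand.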
