Security Advisory - Published 2026-06-18 - WordPress Plugins / Themes
WordPress late June 18 CVEs: check versions, users, deleted files, and database changes
This batch is mostly Patchstack and WordPress ecosystem alerts. The affected components sit in themes, booking plugins, PDF exports, maps, directories, WooCommerce tooling, and media integrations. Patch first, then check whether the site changed before the update.
Affected components
| CVE | Component | Affected | Review | CVSS |
|---|---|---|---|---|
| CVE-2026-12407 | E2Pdf - Export PDF Tool for WordPress | <= 1.32.26 | Missing authorization / privilege escalation | 8.8 |
| CVE-2025-69130 | Entrepreneur - Booking for Small Businesses | <= 3.1.3 | PHP object injection | 8.8 |
| CVE-2026-9860 | Offload, AI & Optimize with Cloudflare Images | <= 1.10.2 | Remote code execution | 8.8 |
| CVE-2026-27400 | BookPro | <= 1.1.0 | Arbitrary file deletion | 8.6 |
| CVE-2025-69139 | Car Zone | <= 3.7 | Arbitrary file deletion | 8.6 |
| CVE-2025-69128 | JobCareer | <= 7.3 | Path traversal / file deletion | 8.6 |
| CVE-2026-22343 | WordPress Dating Theme | <= 11.2.0 | Broken access control | 8.6 |
| CVE-2026-49113 | Cornerstone | < 7.8.8 | Arbitrary code execution | 8.5 |
| CVE-2026-54185 | Cornerstone | < 7.8.8 | SQL injection | 8.5 |
| CVE-2026-49073 | Directorist Booking | <= 3.0.3 | Blind SQL injection | 8.5 |
| CVE-2025-69135 | Events Schedule | <= 2.7.2 | SQL injection | 8.5 |
| CVE-2026-48967 | Geo Mashup | <= 1.13.19 | SQL injection | 8.5 |
| CVE-2026-22335 | WooCommerce Frontend Manager - Ultimate | < 6.7.7 | SQL injection | 8.5 |
Owner self-check
wp plugin list --fields=name,version,status | egrep 'e2pdf|wc-frontend-manager|geo-mashup|directorist-booking|cornerstone|cf-images|weekly-class|ovabookpro'
wp theme list --fields=name,version,status | egrep 'jobcareer|entrepreneur|carzone|dating|da10'
wp user list --fields=ID,user_login,roles,user_registered
wp option list --search='default_role' --fields=option_name,option_value
find wp-content -type f -mtime -10 | egrep '\.php$|\.phtml$|\.phar$|\.zip$|\.sql$'
What looks suspicious
- New administrators, changed roles, or unexpected application passwords.
- Missing plugin/theme files, broken media, or deleted configuration after the disclosure window.
- Database errors, unknown WooCommerce records, changed directory listings, or injected content.
- New executable files under uploads, cache, import, backup, or temporary folders.
- Unexpected Cloudflare Images settings, PDF export settings, or Cornerstone changes.
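The self-check above lists installed versions but still leaves the comparison against the affected ranges to the reader. The script below is an added example, not part of the advisory or of any of the listed projects: it reads the CSV shape of `wp plugin list --fields=name,version,status --format=csv` and prints every component whose version falls inside an affected range from the table, inactive copies included, since those also have to be removed from disk. The plugin slugs in `ADVISORY` are assumptions taken from the egrep pattern in the self-check, and the constructed `SAMPLE` stands in for real wp-cli output; the same function works unchanged on `wp theme list` output once the theme slugs are added to the table.

```shell
#!/bin/sh
# Added example (not advisory or project code): flag plugins whose installed
# version lies inside an affected range. Slugs below are assumptions drawn
# from the self-check egrep pattern; confirm them against wp-content/plugins.
# Versions are assumed to be dotted integers such as 1.32.26; suffixes like
# "-beta" are not handled.

# vercmp A B: prints -1, 0 or 1 as A is lower than, equal to or higher than B.
# Missing trailing components count as 0, so 5.3 equals 5.3.0.
vercmp() {
  va=$1; vb=$2
  while [ -n "$va" ] || [ -n "$vb" ]; do
    ai=${va%%.*}; bi=${vb%%.*}
    ai=${ai:-0};  bi=${bi:-0}
    if [ "$ai" -lt "$bi" ]; then printf '%s\n' -1; return; fi
    if [ "$ai" -gt "$bi" ]; then printf '%s\n' 1; return; fi
    case $va in *.*) va=${va#*.} ;; *) va='' ;; esac
    case $vb in *.*) vb=${vb#*.} ;; *) vb='' ;; esac
  done
  printf '%s\n' 0
}

# Affected ranges from the table: "le" means the table's "<=", "lt" means "<".
# Slug column is an assumption (see note above).
ADVISORY='e2pdf le 1.32.26
cf-images le 1.10.2
cornerstone lt 7.8.8
wc-frontend-manager-ultimate lt 6.7.7
geo-mashup le 1.13.19
directorist-booking le 3.0.3'

# is_affected SLUG VERSION: exit 0 when VERSION is inside SLUG's affected range,
# 1 when it is patched or the slug is not in the table.
is_affected() {
  slug=$1; ver=$2
  while read -r aslug op bound; do
    [ "$aslug" = "$slug" ] || continue
    case "$op$(vercmp "$ver" "$bound")" in
      le-1|le0|lt-1) return 0 ;;   # inside the affected range
    esac
    return 1                       # slug known, version already past the fix
  done <<EOF
$ADVISORY
EOF
  return 1
}

# scan_plugin_list: reads "name,version,status" CSV lines on stdin (the shape
# of `wp plugin list --fields=name,version,status --format=csv`) and prints
# one AFFECTED line per vulnerable component, active or not.
scan_plugin_list() {
  while IFS=, read -r name version status; do
    [ "$name" = "name" ] && continue   # skip the CSV header row
    if is_affected "$name" "$version"; then
      printf 'AFFECTED %s %s (%s)\n' "$name" "$version" "$status"
    fi
  done
}

# Constructed sample input standing in for real wp-cli output.
SAMPLE='name,version,status
e2pdf,1.32.26,active
cornerstone,7.8.8,active
geo-mashup,1.13.19,inactive
akismet,5.3,active'

# On a live site replace the printf with:
#   wp plugin list --fields=name,version,status --format=csv | scan_plugin_list
printf '%s\n' "$SAMPLE" | scan_plugin_list
```

The boundary handling is the part worth checking by hand: `e2pdf 1.32.26` is reported because the table says `<= 1.32.26`, while `cornerstone 7.8.8` is not, because the fixed version is exactly the `< 7.8.8` boundary. A slug missing from the table is silently treated as unaffected, so keep the table current as Patchstack adds entries.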
Safe fix path
- Patch the affected plugin or theme. Remove inactive vulnerable copies from disk.
- Preserve access logs and file timestamps before cleanup.
- Review users, roles, application passwords, mu-plugins, cron jobs, and changed options.
- Restore deleted files from a clean backup only after the vulnerable component is removed or patched.
- Rotate admin and hosting credentials if user roles, config files, or executable uploads changed.
Repair help
Use Ping7 CVE Repair when the site has unknown admins, deleted files, changed payment or booking data, redirects, SEO spam, or executable files that appeared around the patch window.