Security Advisory - Published 2026-06-18 - WordPress Plugins / Themes

WordPress CVEs from late June 18: check versions, users, deleted files, and database changes

This batch is mostly Patchstack and WordPress ecosystem alerts. The affected components sit in themes, booking plugins, PDF exports, maps, directories, WooCommerce tooling, and media integrations. Patch first, then check whether the site changed before the update.

Defensive scope: use this page for owned WordPress sites and approved cleanup only. The checks below stay at inventory, logs, users, files, options, and recovery.

Affected components

CVE            | Component                                     | Affected   | Review                                       | CVSS
---------------|-----------------------------------------------|------------|----------------------------------------------|-----
CVE-2026-12407 | E2Pdf - Export PDF Tool for WordPress         | <= 1.32.26 | Missing authorization / privilege escalation | 8.8
CVE-2025-69130 | Entrepreneur - Booking for Small Businesses   | <= 3.1.3   | PHP object injection                         | 8.8
CVE-2026-9860  | Offload, AI & Optimize with Cloudflare Images | <= 1.10.2  | Remote code execution                        | 8.8
CVE-2026-27400 | BookPro                                       | <= 1.1.0   | Arbitrary file deletion                      | 8.6
CVE-2025-69139 | Car Zone                                      | <= 3.7     | Arbitrary file deletion                      | 8.6
CVE-2025-69128 | JobCareer                                     | <= 7.3     | Path traversal / file deletion               | 8.6
CVE-2026-22343 | WordPress Dating Theme                        | <= 11.2.0  | Broken access control                        | 8.6
CVE-2026-49113 | Cornerstone                                   | < 7.8.8    | Arbitrary code execution                     | 8.5
CVE-2026-54185 | Cornerstone                                   | < 7.8.8    | SQL injection                                | 8.5
CVE-2026-49073 | Directorist Booking                           | <= 3.0.3   | Blind SQL injection                          | 8.5
CVE-2025-69135 | Events Schedule                               | <= 2.7.2   | SQL injection                                | 8.5
CVE-2026-48967 | Geo Mashup                                    | <= 1.13.19 | SQL injection                                | 8.5
CVE-2026-22335 | WooCommerce Frontend Manager - Ultimate       | < 6.7.7    | SQL injection                                | 8.5

Owner self-check

# Inventory: installed plugins and themes, narrowed to the components in the table above
wp plugin list --fields=name,version,status | grep -E 'e2pdf|wc-frontend-manager|geo-mashup|directorist-booking|cornerstone|cf-images|weekly-class|ovabookpro'
wp theme list --fields=name,version,status | grep -E 'jobcareer|entrepreneur|carzone|dating|da10'
# Accounts: every user with role and registration time; look for admins created after the disclosure
wp user list --fields=ID,user_login,roles,user_registered
# Registration default: any role other than the one you set yourself is a red flag
wp option list --search='default_role' --fields=option_name,option_value
# Files: executable or archive files under wp-content changed in the last 10 days
find wp-content -type f -mtime -10 | grep -E '\.php$|\.phtml$|\.phar$|\.zip$|\.sql$'

What looks suspicious

  • New administrators, changed roles, or unexpected application passwords.
  • Missing plugin/theme files, broken media, or deleted configuration after the disclosure window.
  • Database errors, unknown WooCommerce records, changed directory listings, or injected content.
  • New executable files under uploads, cache, import, backup, or temporary folders.
  • Unexpected Cloudflare Images settings, PDF export settings, or Cornerstone changes.
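
The first indicator in the list above (new administrators, changed roles) and the `default_role` check from the self-check, as an added example that is not part of the advisory: the script takes the JSON output of `wp user list` and `wp option list --search='default_role'`, lists privileged accounts registered on or after the disclosure date, and reports a default registration role that differs from what the owner expects. The `PRIVILEGED` role set and the expected default of `subscriber` are assumptions; the sample records are constructed.

```python
# Added example, not part of the advisory. Input is the JSON form of the
# user and option commands from the self-check:
#   wp user list --fields=ID,user_login,roles,user_registered --format=json
#   wp option list --search='default_role' --format=json
import json
from datetime import datetime

DISCLOSURE = datetime(2026, 6, 18)  # advisory publication date
# Roles that warrant review when created recently; the set is an assumption,
# extend it with any role your plugins grant that can edit content or orders.
PRIVILEGED = {"administrator", "editor", "shop_manager"}

def new_privileged_users(user_json, since=DISCLOSURE):
    """[(ID, login, roles)] for users with a PRIVILEGED role registered on or
    after `since`. wp-cli emits `roles` as a comma-separated string and the
    ID as a string, so both are normalised here."""
    hits = []
    for user in json.loads(user_json):
        roles = {r for r in user["roles"].split(",") if r}
        registered = datetime.strptime(user["user_registered"], "%Y-%m-%d %H:%M:%S")
        if roles & PRIVILEGED and registered >= since:
            hits.append((int(user["ID"]), user["user_login"], sorted(roles)))
    return hits

def unexpected_default_role(option_json, expected="subscriber"):
    """Return the stored default_role when it differs from `expected`, else
    None. Sites that legitimately register customers should pass that role as
    `expected`; a default_role of 'administrator' makes every sign-up an admin."""
    for opt in json.loads(option_json):
        if opt["option_name"] == "default_role" and opt["option_value"] != expected:
            return opt["option_value"]
    return None

# Constructed samples shaped like wp-cli's --format=json output.
SAMPLE_USERS = json.dumps([
    {"ID": "1", "user_login": "owner", "roles": "administrator",
     "user_registered": "2021-03-02 09:15:00"},
    {"ID": "57", "user_login": "wp_support", "roles": "administrator",
     "user_registered": "2026-06-19 02:41:13"},
    {"ID": "58", "user_login": "jsmith", "roles": "subscriber",
     "user_registered": "2026-06-19 08:00:00"},
])
SAMPLE_OPTIONS = json.dumps([
    {"option_name": "default_role", "option_value": "administrator"},
])

if __name__ == "__main__":
    for uid, login, roles in new_privileged_users(SAMPLE_USERS):
        print(f"REVIEW user {uid} {login} roles={','.join(roles)}")
    bad = unexpected_default_role(SAMPLE_OPTIONS)
    if bad:
        print(f"REVIEW default_role is {bad!r}")
```

A hit here is a lead, not a verdict: confirm who created the account (and when) against the preserved access logs before removing it, and compare the registration time with the plugin or theme update time.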

Safe fix path

  1. Patch the affected plugin or theme. Remove inactive vulnerable copies from disk.
  2. Preserve access logs and file timestamps before cleanup.
  3. Review users, roles, application passwords, mu-plugins, cron jobs, and changed options.
  4. Restore deleted files from a clean backup only after the vulnerable component is removed or patched.
  5. Rotate admin and hosting credentials if user roles, config files, or executable uploads changed.
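
Step 2 of the fix path, preserving file timestamps before anything is cleaned up, as an added example that is not part of the advisory: the script walks `wp-content`, records path, size, mtime and SHA-256 for every file, and writes the result as a JSON manifest. The sample directory and its one file are constructed; where the manifest is written is the owner's choice (it should not sit under the web root).

```python
# Added example, not part of the advisory: record path, size, mtime and SHA-256
# of every file under wp-content before cleanup, so the original timestamps and
# content hashes survive the later edits and restores.
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

def sha256_of(path):
    """Hash a file in 1 MiB chunks so large uploads do not sit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()

def snapshot_tree(root):
    """One record per regular file under `root`, sorted by relative path.
    The mtime is kept as an ISO-8601 UTC string so the manifest stays readable."""
    records = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            records.append({
                "path": os.path.relpath(path, root),
                "size": st.st_size,
                "mtime": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
                "sha256": sha256_of(path),
            })
    return sorted(records, key=lambda r: r["path"])

def write_manifest(root, out_path):
    """Write the snapshot of `root` as JSON to `out_path` and return the
    number of files recorded. Keep `out_path` outside the web root."""
    records = snapshot_tree(root)
    with open(out_path, "w") as fh:
        json.dump(records, fh, indent=2)
    return len(records)

def make_sample_root():
    """Constructed sample: a temp directory holding one file of known content."""
    root = tempfile.mkdtemp(prefix="wp-content-")
    with open(os.path.join(root, "index.php"), "w") as fh:
        fh.write("hello")
    return root

if __name__ == "__main__":
    root = make_sample_root()
    manifest = root + "-manifest.json"
    print(f"{write_manifest(root, manifest)} file(s) recorded in {manifest}")
```

Run the snapshot before patching as well as after restoring from backup; diffing the two manifests shows exactly which files the update, the cleanup and the restore touched, and the preserved mtimes are what you correlate against the access logs.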

Repair help

Use Ping7 CVE Repair when the site has unknown admins, deleted files, changed payment or booking data, redirects, SEO spam, or executable files that appeared around the patch window.

References