Security Advisory - Published 2026-06-13 - WordPress

WordPress plugin CVEs: booking, security, gallery, ads, CRM, and payment checks

This batch is worth a real site review because it touches parts of WordPress that owners often leave connected to money or administration: booking forms, security logs, contact-form CRM sync, image galleries, AdSense blocks, PayPal Commerce webhooks, Elementor product filters, campaign previews, debug logs, customer support search, translation storage, and appointment booking cookies. Start with the plugin list, then check users, payments, logs, marketing content, translated pages, support tickets, appointment settings, and recent file changes.

Defensive scope: this page covers owned WordPress sites and client-approved environments. It does not publish exploit payloads, request samples, unauthorised scanning steps, or account-takeover instructions.

What to check first

CVE            | Plugin                              | Affected versions | Why it matters
CVE-2026-7537  | MDJM Event Management               | Through 1.7.8.3   | Administrator-level upload path can leave executable files on the server.
CVE-2026-9851  | Booking Package                     | Through 1.7.16    | Editor-level account takeover risk. Review administrators and booking staff accounts.
CVE-2026-8438  | All-In-One Security (AIOS)          | Through 5.4.7     | Stored XSS can appear when REST blocking and debug logging are enabled together.
CVE-2026-8901  | Integration for Freshsales          | Through 1.0.15    | Stored XSS risk in failed CRM submission logs shown to administrators.
CVE-2026-9829  | Photo Gallery by 10Web              | Through 1.8.41    | Contributor-level SQL injection risk through a gallery shortcode parameter.
CVE-2026-9280  | Ad Inserter                         | Through 2.8.15    | Reflected XSS risk when iframe mode is enabled for an ad block.
CVE-2026-7792  | WPForms PayPal Commerce             | Through 1.10.0.4  | Webhook verification gap can affect subscription or payment record integrity.
CVE-2026-11603 | Product Filter Widget for Elementor | Through 1.0.6     | Reflected XSS risk around product filter AJAX handling.
CVE-2026-8599  | MailerPress                         | Through 2.0.4     | Stored XSS risk in campaign HTML shown inside the admin dashboard preview.
CVE-2026-9016  | Debug Log Manager                   | Through 2.5.0     | Forged JavaScript error log entries can pollute incident review data.
CVE-2026-9848  | WP Ticket                           | Through 6.0.4     | Unauthenticated SQL injection risk through WordPress search handling. Patch to 6.0.5 or newer.
CVE-2026-9109  | GPTranslate                         | Through 2.31      | Unauthenticated stored XSS risk in REST API translation storage. Patch to 2.32 or newer.
CVE-2026-5513  | Bookly                              | Through 27.2      | Unauthenticated stored XSS risk when personal information is remembered in cookies. Patch to 27.3 or newer.

15-minute self-check

Find the affected plugins

PATTERN='mobile-dj-manager|booking-package|all-in-one-wp-security|crm-integration-freshworks|photo-gallery|ad-inserter|wpforms|product-filter-widget-for-elementor|mailerpress|debug-log-manager|wp-ticket|gptranslate|bookly'
# Installed plugins with their exact versions (WP-CLI, run from the WordPress root)
wp plugin list --fields=name,version,status | grep -E "$PATTERN"
# Plugin files still on disk, including plugins that are disabled
find wp-content/plugins -maxdepth 2 -type f -name '*.php' | grep -E "$PATTERN"

If WP-CLI is not available, use WordPress admin > Plugins and write down the exact plugin version before changing anything. Disabled plugins still deserve a look if the folder remains on disk and the site has custom includes or old cached pages.
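The listing above shows which plugins are present; the script below, an added example that is not part of this advisory, goes one step further and flags any plugin whose installed version is still at or below the last affected version from the table. It assumes the slugs from the grep pattern pair with the table rows in order (verify them against your own plugin list; "wpforms" stands in for the PayPal Commerce addon's real slug), and that sort supports -V.

```shell
#!/bin/sh
# Added example (not from the advisory): flag plugins still on an affected build.
# Assumption: slug column = slugs from the advisory's grep pattern, paired with
# the table rows in order; "wpforms" is a placeholder for the PayPal addon slug.
AFFECTED='
mobile-dj-manager 1.7.8.3 CVE-2026-7537
booking-package 1.7.16 CVE-2026-9851
all-in-one-wp-security 5.4.7 CVE-2026-8438
crm-integration-freshworks 1.0.15 CVE-2026-8901
photo-gallery 1.8.41 CVE-2026-9829
ad-inserter 2.8.15 CVE-2026-9280
wpforms 1.10.0.4 CVE-2026-7792
product-filter-widget-for-elementor 1.0.6 CVE-2026-11603
mailerpress 2.0.4 CVE-2026-8599
debug-log-manager 2.5.0 CVE-2026-9016
wp-ticket 6.0.4 CVE-2026-9848
gptranslate 2.31 CVE-2026-9109
bookly 27.2 CVE-2026-5513
'

# True (exit 0) when version $1 sorts at or below version $2 (GNU/BusyBox sort -V).
version_le() {
  [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# Reads CSV "name,version" lines on stdin, as produced by
#   wp plugin list --fields=name,version --format=csv
# and prints "slug installed last_affected cve" for every plugin still at risk.
check_plugins() {
  while IFS=, read -r name version; do
    [ "$name" = "name" ] && continue            # skip the CSV header row
    printf '%s\n' "$AFFECTED" | while read -r slug max cve; do
      [ -z "$slug" ] && continue
      if [ "$name" = "$slug" ] && version_le "$version" "$max"; then
        printf '%s %s %s %s\n' "$name" "$version" "$max" "$cve"
      fi
    done
  done
}

# Constructed sample of WP-CLI output (not from a real site) to show the check.
SAMPLE='name,version
bookly,27.2
wp-ticket,6.0.5
gptranslate,2.31
akismet,5.3'
printf '%s\n' "$SAMPLE" | check_plugins
```

On a real site replace the sample with `wp plugin list --fields=name,version --format=csv | check_plugins`; an empty result means no listed plugin is on an affected build, not that the site is clean.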

Review users and sessions

wp user list --role=administrator --fields=ID,user_login,user_email,user_registered
wp user list --role=editor --fields=ID,user_login,user_email,user_registered
wp user session list <admin-user-id>

Booking Package and MDJM need account review because the reported paths require a privileged or semi-privileged WordPress user. Look for new editors, changed admin email addresses, unexplained password resets, or a staff account used outside normal hours.

Check plugin-specific risk areas

  • MDJM Event Management: inspect recent communication/email activity and scan uploads or plugin-owned attachment folders for unexpected executable files.
  • Booking Package: compare administrator accounts and booking staff accounts against your expected staff list. Treat an unknown account as a compromise signal.
  • AIOS: check whether REST API blocking and debug logging were enabled together. Clear old debug log views after patching and review any suspicious admin activity.
  • Freshsales integration: review failed CRM submission logs and admin screens that show error details. Patch before opening old log entries.
  • Photo Gallery by 10Web: review contributor accounts, gallery shortcodes, database errors, and suspicious slow queries around gallery pages.
  • Ad Inserter: check whether iframe mode is enabled on any ad block, then patch and clear affected cache/CDN pages.
  • WPForms PayPal Commerce: reconcile subscriptions, payment status changes, refund notes, and PayPal webhook configuration.
  • Product Filter Widget for Elementor: patch, clear page-builder cache, and review product filter pages that admins or shop managers opened while logged in.
  • MailerPress: review authors with campaign access, campaign HTML changes, and admin dashboard previews before sending newsletters.
  • Debug Log Manager: check whether JavaScript error logging is enabled. Treat unexpected log noise as untrusted until the plugin is patched.
  • WP Ticket: update to 6.0.5 or newer, then review support-ticket searches, database error logs, and unusual front-end search traffic around disclosure time.
  • GPTranslate: update to 2.32 or newer, clear page cache, and review recently translated public pages for unexpected script-like content or unexplained edits.
  • Bookly: update to 27.3 or newer. If the site remembers customer details in cookies, clear page cache and review appointment pages opened by logged-in staff after disclosure.

Safe fix path

  1. Back up database and files before plugin changes.
  2. Update every affected plugin to a fixed version or temporarily disable the plugin if no safe build is available.
  3. Force password resets for administrator, editor, shop manager, and booking staff accounts if user history looks wrong.
  4. Rotate application passwords, REST API credentials, CRM tokens, and PayPal webhook secrets if logs or account history are suspicious.
  5. Review uploads, mu-plugins, theme files, campaign templates, recently modified PHP files, cron jobs, and redirects before closing the incident.
  6. Keep copies of access logs, WordPress debug logs, and payment/booking exports for the repair report.

When this becomes a repair job

Use Ping7 CVE Repair if you find an unknown administrator, changed payment records, unexpected booking staff changes, suspicious uploaded files, campaign changes, strange support-ticket searches, unexpected translated content, unusual Bookly appointment/customer entries, or CRM/debug logs you cannot safely inspect. Ping7 can handle defensive plugin updates, compromise review, cleanup, hardening, and a written handoff for owned systems.
