Security Advisory - Published 2026-06-13 - WordPress
WordPress plugin CVEs: booking, security, gallery, ads, CRM, and payment checks
This batch is worth a real site review because it touches parts of WordPress that owners often leave connected to money or administration: booking forms, security logs, contact-form CRM sync, image galleries, AdSense blocks, PayPal Commerce webhooks, Elementor product filters, campaign previews, debug logs, customer support search, translation storage, and appointment booking cookies. Start with the plugin list, then check users, payments, logs, marketing content, translated pages, support tickets, appointment settings, and recent file changes.
What to check first
| CVE | Plugin | Affected versions | Why it matters |
|---|---|---|---|
| CVE-2026-7537 | MDJM Event Management | Through 1.7.8.3 | Administrator-level upload path can leave executable files on the server. |
| CVE-2026-9851 | Booking Package | Through 1.7.16 | Editor-level account takeover risk. Review administrators and booking staff accounts. |
| CVE-2026-8438 | All-In-One Security (AIOS) | Through 5.4.7 | Stored XSS can appear when REST blocking and debug logging are enabled together. |
| CVE-2026-8901 | Integration for Freshsales | Through 1.0.15 | Stored XSS risk in failed CRM submission logs shown to administrators. |
| CVE-2026-9829 | Photo Gallery by 10Web | Through 1.8.41 | Contributor-level SQL injection risk through a gallery shortcode parameter. |
| CVE-2026-9280 | Ad Inserter | Through 2.8.15 | Reflected XSS risk when iframe mode is enabled for an ad block. |
| CVE-2026-7792 | WPForms PayPal Commerce | Through 1.10.0.4 | Webhook verification gap can affect subscription or payment record integrity. |
| CVE-2026-11603 | Product Filter Widget for Elementor | Through 1.0.6 | Reflected XSS risk around product filter AJAX handling. |
| CVE-2026-8599 | MailerPress | Through 2.0.4 | Stored XSS risk in campaign HTML shown inside the admin dashboard preview. |
| CVE-2026-9016 | Debug Log Manager | Through 2.5.0 | Forged JavaScript error log entries can pollute incident review data. |
| CVE-2026-9848 | WP Ticket | Through 6.0.4 | Unauthenticated SQL injection risk through WordPress search handling. Patch to 6.0.5 or newer. |
| CVE-2026-9109 | GPTranslate | Through 2.31 | Unauthenticated stored XSS risk in REST API translation storage. Patch to 2.32 or newer. |
| CVE-2026-5513 | Bookly | Through 27.2 | Unauthenticated stored XSS risk when personal information is remembered in cookies. Patch to 27.3 or newer. |
15-minute self-check
Find the affected plugins
```shell
wp plugin list --fields=name,version,status | grep -E 'mobile-dj-manager|booking-package|all-in-one-wp-security|crm-integration-freshworks|photo-gallery|ad-inserter|wpforms|product-filter-widget-for-elementor|mailerpress|debug-log-manager|wp-ticket|gptranslate|bookly'
find wp-content/plugins -maxdepth 2 -type f -name '*.php' | grep -E 'mobile-dj-manager|booking-package|all-in-one-wp-security|crm-integration-freshworks|photo-gallery|ad-inserter|wpforms|product-filter-widget-for-elementor|mailerpress|debug-log-manager|wp-ticket|gptranslate|bookly'
```
If WP-CLI is not available, use WordPress admin > Plugins and write down the exact plugin version before changing anything. Disabled plugins still deserve a look if the folder remains on disk and the site has custom includes or old cached pages.
Review users and sessions
```shell
wp user list --role=administrator --fields=ID,user_login,user_email,user_registered
wp user list --role=editor --fields=ID,user_login,user_email,user_registered
wp user session list <admin-user-id>
```
Booking Package and MDJM need account review because the reported paths require a privileged or semi-privileged WordPress user. Look for new editors, changed admin email addresses, unexplained password resets, or a staff account used outside normal hours.
Check plugin-specific risk areas
- MDJM Event Management: inspect recent communication/email activity and scan uploads or plugin-owned attachment folders for unexpected executable files.
- Booking Package: compare administrator accounts and booking staff accounts against your expected staff list. Treat an unknown account as a compromise signal.
- AIOS: check whether REST API blocking and debug logging were enabled together. Clear old debug log views after patching and review any suspicious admin activity.
- Freshsales integration: review failed CRM submission logs and admin screens that show error details. Patch before opening old log entries.
- Photo Gallery by 10Web: review contributor accounts, gallery shortcodes, database errors, and suspicious slow queries around gallery pages.
- Ad Inserter: check whether iframe mode is enabled on any ad block, then patch and clear affected cache/CDN pages.
- WPForms PayPal Commerce: reconcile subscriptions, payment status changes, refund notes, and PayPal webhook configuration.
- Product Filter Widget for Elementor: patch, clear page-builder cache, and review product filter pages that admins or shop managers opened while logged in.
- MailerPress: review authors with campaign access, campaign HTML changes, and admin dashboard previews before sending newsletters.
- Debug Log Manager: check whether JavaScript error logging is enabled. Treat unexpected log noise as untrusted until the plugin is patched.
- WP Ticket: update to 6.0.5 or newer, then review support-ticket searches, database error logs, and unusual front-end search traffic around disclosure time.
- GPTranslate: update to 2.32 or newer, clear page cache, and review recently translated public pages for unexpected script-like content or unexplained edits.
- Bookly: update to 27.3 or newer. If the site remembers customer details in cookies, clear page cache and review appointment pages opened by logged-in staff after disclosure.
Safe fix path
- Back up database and files before plugin changes.
- Update every affected plugin to a fixed version or temporarily disable the plugin if no safe build is available.
- Force password resets for administrator, editor, shop manager, and booking staff accounts if user history looks wrong.
- Rotate application passwords, REST API credentials, CRM tokens, and PayPal webhook secrets if logs or account history are suspicious.
- Review uploads, mu-plugins, theme files, campaign templates, recently modified PHP files, cron jobs, and redirects before closing the incident.
- Keep copies of access logs, WordPress debug logs, and payment/booking exports for the repair report.
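Two of the file-review steps above, scanning uploads for executable files and listing recently modified PHP files, are easy to turn into repeatable checks. The script below is an added example, not the advisory's or any plugin's code: it builds a throwaway directory tree so the checks can be tried offline, then runs the same `find` expressions you would point at a real install. The tree, file names and timestamps are constructed.

```shell
#!/bin/sh
# Added example (not from the advisory): file-review helpers for the
# "Safe fix path" steps, exercised against a constructed WordPress-like tree.
# For a real site, pass the directory that contains wp-content as ROOT.

# php_in_uploads ROOT -> PHP-like files under wp-content/uploads.
# That folder should hold media only; any .php/.phtml/.phar/.php5 there needs
# an explanation before the incident is closed.
php_in_uploads() {
  find "$1/wp-content/uploads" -type f \
    \( -name '*.php' -o -name '*.php[0-9]' -o -name '*.phtml' -o -name '*.phar' \) \
    2>/dev/null | sort
}

# recent_php ROOT DAYS -> PHP files anywhere under ROOT modified within DAYS days.
# Compare the list against the plugin update window: a PHP file touched at a time
# nobody was updating anything belongs in the repair notes.
recent_php() {
  find "$1" -type f -name '*.php' -mtime "-$2" 2>/dev/null | sort
}

# build_sample_tree -> creates a constructed tree under mktemp and prints its path.
build_sample_tree() {
  root=$(mktemp -d)
  mkdir -p "$root/wp-content/uploads/2026/06" \
           "$root/wp-content/plugins/akismet" \
           "$root/wp-content/mu-plugins"
  : > "$root/wp-content/uploads/2026/06/photo.jpg"     # normal media file
  : > "$root/wp-content/uploads/2026/06/thumb.php"     # constructed: PHP where only media belongs
  : > "$root/wp-content/plugins/akismet/akismet.php"   # constructed: long-unchanged plugin file
  : > "$root/wp-content/mu-plugins/loader.php"         # constructed: freshly changed mu-plugin
  # Give the plugin file an old timestamp (portable -t form) so it falls
  # outside a 7-day window; the other files keep their creation time of "now".
  touch -t 202001010000 "$root/wp-content/plugins/akismet/akismet.php"
  printf '%s\n' "$root"
}

# Stand-alone run: show both reports for the constructed tree, then clean up.
if [ -z "$WP_ROOT" ]; then
  SAMPLE_ROOT=$(build_sample_tree)
  echo "PHP under uploads:";      php_in_uploads "$SAMPLE_ROOT"
  echo "PHP changed in 7 days:";  recent_php "$SAMPLE_ROOT" 7
  rm -rf "$SAMPLE_ROOT"
else
  php_in_uploads "$WP_ROOT"
  recent_php "$WP_ROOT" 7
fi
```

Against the sample tree the first report lists only `thumb.php`, and the 7-day report lists `thumb.php` and `loader.php` but not the deliberately aged `akismet.php`. Keep the raw output with the access-log copies from the last step; a reviewer will want the file list, not a summary.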
When this becomes a repair job
Use Ping7 CVE Repair if you find an unknown administrator, changed payment records, unexpected booking staff changes, suspicious uploaded files, campaign changes, strange support-ticket searches, unexpected translated content, unusual Bookly appointment/customer entries, or CRM/debug logs you cannot safely inspect. Ping7 can handle defensive plugin updates, compromise review, cleanup, hardening, and a written handoff for owned systems.
References
- NVD: CVE-2026-7537 MDJM Event Management
- CVE Record: CVE-2026-9851 Booking Package
- Tenable: CVE-2026-8438 AIOS
- NVD: CVE-2026-8901 Integration for Freshsales
- GitHub Advisory: CVE-2026-9829 Photo Gallery by 10Web
- NVD: CVE-2026-9280 Ad Inserter
- NVD: CVE-2026-7792 WPForms PayPal Commerce
- Wordfence: Product Filter Widget for Elementor
- WordPress Trac: MailerPress campaign HTML handling
- Wordfence: Debug Log Manager log handling
- Wordfence: WP Ticket CVE-2026-9848
- NVD: CVE-2026-9848 WP Ticket
- Wordfence: GPTranslate CVE-2026-9109
- Wordfence: Bookly CVE-2026-5513
- Bookly changelog: version 27.3 fixes CVE-2026-5513
- Wordfence: MDJM Event Management file upload
- Wordfence: Integration for Freshsales stored XSS
- Wordfence: WPForms PayPal Commerce webhook