Security Advisory - Published 2026-06-20 - WordPress

WordPress June 20 plugin CVEs: check users, files, forms, maps, and WooCommerce

This batch covers Branda, Database for Contact Form 7/WPForms/Elementor Forms, Simple File List, WP Go Maps, and WooCommerce. Patch first, then check whether the site changed: new administrators, password resets, missing files, changed files, poisoned form records, map records, or WooCommerce product edits that were not part of normal site work.

Defensive scope: use these checks only on sites you own or are approved to review. The page avoids reproduction steps and focuses on inventory, patching, logs, and recovery.

Affected plugins

CVE            | Plugin                                               | Affected   | Review                                                                    | CVSS
---------------|------------------------------------------------------|------------|---------------------------------------------------------------------------|-----
CVE-2026-11551 | Branda                                               | <= 3.4.29  | password reset events, administrators, and login sessions                 | 9.8
CVE-2022-50972 | WooCommerce                                          | 7.1.0      | WooCommerce product edits, changed PHP files, and web root file timestamps | 9.8
CVE-2026-9843  | Database for Contact Form 7, WPForms, Elementor Forms | <= 1.5.1   | form entries, deleted files, and recent admin views                       | 8.1
CVE-2026-11911 | Simple File List                                     | <= 6.3.7   | file list activity, missing files, and recent PHP changes                 | 7.5
CVE-2026-11912 | Simple File List                                     | <= 6.3.7   | file list activity, changed files, and recent PHP changes                 | 7.5
CVE-2026-12238 | WP Go Maps                                           | <= 10.1.01 | map records, REST activity, and plugin settings                           | 5.3

Owner self-check

# Inventory the plugins named in this advisory, with installed version and status
wp plugin list --fields=name,version,status | grep -E 'branda|contact-form-entries|simple-file-list|wp-google-maps|woocommerce'
# Review accounts: unexpected administrators or recent registrations
wp user list --fields=ID,user_login,roles,user_registered
# Inspect the meta of user ID 1 (usually the first administrator) for unexpected keys
wp user meta list 1 2>/dev/null
# Script, archive, and dump files modified under wp-content in the last 10 days
find wp-content -type f -mtime -10 | grep -E '\.(php|phtml|phar|zip|sql)$'
# Anything written to uploads recently; uploads should not normally receive code
find wp-content/uploads -type f -mtime -10 2>/dev/null
# Debug log lines that mention the affected plugins
grep -Rni -E 'simple-file-list|contact-form-entries|wp-google-maps|branda' wp-content/debug.log 2>/dev/null
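To turn the version table into a pass/fail inventory check, the script below (an added example, not part of the advisory or of any of the plugins) compares each installed plugin version against the affected ranges above. Slug patterns are the ones the self-check grep already uses; the CSV sample is constructed, and on a real site you would pipe `wp plugin list --fields=name,version --format=csv` into check_installed instead.

```shell
# slug-pattern|CVE|operator|version  (le = "<= version", eq = "exactly version")
ADVISORY='branda|CVE-2026-11551|le|3.4.29
woocommerce|CVE-2022-50972|eq|7.1.0
contact-form-entries|CVE-2026-9843|le|1.5.1
simple-file-list|CVE-2026-11911|le|6.3.7
simple-file-list|CVE-2026-11912|le|6.3.7
wp-google-maps|CVE-2026-12238|le|10.1.01'

# version_le A B: true when A <= B, comparing dot-separated numeric fields,
# so 3.4.3 <= 3.4.29 holds where a plain string compare would say otherwise.
version_le() {
  a=$1 b=$2
  while [ -n "$a" ] || [ -n "$b" ]; do
    x=${a%%.*} y=${b%%.*}
    [ "${x:-0}" -lt "${y:-0}" ] && return 0
    [ "${x:-0}" -gt "${y:-0}" ] && return 1
    case $a in *.*) a=${a#*.} ;; *) a= ;; esac
    case $b in *.*) b=${b#*.} ;; *) b= ;; esac
  done
  return 0
}

# affected_cves SLUG VERSION: print every CVE from the table that covers VERSION.
# SLUG is matched by substring, like the advisory's own grep pattern.
affected_cves() {
  printf '%s\n' "$ADVISORY" | while IFS='|' read -r pat cve op ver; do
    case $1 in *"$pat"*) ;; *) continue ;; esac
    if [ "$op" = eq ] && [ "$2" = "$ver" ]; then printf '%s\n' "$cve"
    elif [ "$op" = le ] && version_le "$2" "$ver"; then printf '%s\n' "$cve"
    fi
  done
}

# check_installed: stdin is `wp plugin list --fields=name,version --format=csv`;
# prints "name version CVE" for every affected install.
check_installed() {
  tail -n +2 | while IFS=, read -r name ver; do
    affected_cves "$name" "$ver" | while read -r cve; do
      printf '%s %s %s\n' "$name" "$ver" "$cve"
    done
  done
}

# Constructed sample inventory (not a real site); akismet is an unaffected control.
SAMPLE='name,version
akismet,5.3
branda-white-labeling,3.4.29
simple-file-list,6.3.7
woocommerce,7.1.0
wp-google-maps,10.2.0'
printf '%s\n' "$SAMPLE" | check_installed
```

The sample reports branda once, simple-file-list twice (both CVEs), and woocommerce once; wp-google-maps 10.2.0 is above the affected range and is not listed.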

What to review

  • New administrators, changed emails, changed passwords, or unexpected application passwords.
  • Missing WordPress core files, missing configuration files, or changed PHP files outside a normal deployment.
  • Form entries viewed or edited by administrators during the exposure window.
  • Simple File List activity, upload directories, and file timestamps around the alert time.
  • WP Go Maps records, REST activity, and map settings changed by users who should not have that access.
  • WooCommerce product edits, web root file timestamps, and PHP files that appeared outside a normal deployment.

Safe fix path

  1. Patch the plugin to the fixed release. If no fixed release is available, disable and remove it from disk.
  2. Preserve web logs, WordPress debug logs, user lists, and recent file timestamps before cleanup.
  3. Rotate administrator, hosting, SFTP, database, and integration credentials if file or account changes look suspicious.
  4. Restore files from a clean backup only after the vulnerable plugin is patched or removed.

Repair help

Use Ping7 CVE Repair when the site has unknown users, missing files, changed PHP files, redirects, SEO spam, or form records that are too noisy to review manually.
