Security Advisory - Published 2026-06-25 - WordPress

WordPress plugin batch: check updates, shortcodes, page builders, and duplicated posts

This batch covers AdRotate Banner Manager, the premium Cornerstone page builder, several ShapedPlugin products, and Post Duplicator. Patch first, then review plugin updates, contributor content, page-builder access, duplicated post metadata, users, and recent file changes.

Defensive scope: use these checks only on WordPress sites you own or are approved to repair. No exploit strings, staged code, or third-party probing steps are included.

Affected plugins

CVE             Plugin                      Affected   Review      CVSS
CVE-2026-12242  AdRotate Banner Manager     <= 5.17.7  shortcodes  8.8
CVE-2026-9710   Cornerstone                 < 7.8.8    wp-admin    7.7
CVE-2026-10735  ShapedPlugin plugin bundle  multiple   updates     7.5
CVE-2026-10749  Post Duplicator             < 3.0.15   post meta   7.2

Owner self-check

wp plugin list --fields=name,version,status | grep -E 'adrotate|cornerstone|post-duplicator|smart-post-show|real-testimonials|product-slider'
wp user list --fields=ID,user_login,roles,user_registered
find wp-content -type f -mtime -14 2>/dev/null | grep -E '\.php$|\.phtml$|\.phar$|\.zip$|\.js$'
grep -RniE 'adrotate|cornerstone|post duplicator|smart-post-show|real testimonials|product slider' wp-content/debug.log logs 2>/dev/null | tail -220
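
The plugin listing above shows versions but leaves the comparison against the affected ranges to the reader. The script below is an added example, not part of the original advisory or any plugin's own tooling: it grades each row against the table. It assumes the plugin slugs match the names in the grep pattern above and that the list is exported with WP-CLI's --format=csv; the sample rows are constructed.

```sh
#!/bin/sh
# Added example (not from the advisory): grade `wp plugin list` CSV rows
# against the version ranges in the "Affected plugins" table.

# ver_lt A B: true when dotted version A is strictly lower than B.
# Fields compare numerically, so 3.0.9 < 3.0.15 (a string compare gets this wrong).
ver_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if ((x[i] + 0) < (y[i] + 0)) exit 0
            if ((x[i] + 0) > (y[i] + 0)) exit 1
        }
        exit 1
    }' </dev/null
}

# check_plugin SLUG VERSION: prints AFFECTED, OK, REVIEW or UNLISTED.
check_plugin() {
    case "$1" in
        adrotate)        # affected: <= 5.17.7
            if ver_lt 5.17.7 "$2"; then echo OK; else echo AFFECTED; fi ;;
        cornerstone)     # affected: < 7.8.8
            if ver_lt "$2" 7.8.8; then echo AFFECTED; else echo OK; fi ;;
        post-duplicator) # affected: < 3.0.15
            if ver_lt "$2" 3.0.15; then echo AFFECTED; else echo OK; fi ;;
        *smart-post-show*|*real-testimonials*|*product-slider*)
            echo REVIEW ;;   # table says "multiple": no threshold to test
        *)  echo UNLISTED ;;
    esac
}

# audit_csv: reads name,version,status CSV on stdin, reports listed plugins.
audit_csv() {
    while IFS=, read -r name version status; do
        [ "$name" = "name" ] && continue          # skip CSV header
        verdict=$(check_plugin "$name" "$version")
        [ "$verdict" = "UNLISTED" ] || echo "$verdict $name $version $status"
    done
}

# Constructed sample input; on a real site: wp plugin list ... --format=csv | audit_csv
sample_csv() {
    printf '%s\n' 'name,version,status' 'adrotate,5.17.7,active' \
        'cornerstone,7.8.8,active' 'post-duplicator,3.0.9,inactive' \
        'real-testimonials,3.1.0,active' 'example-plugin,1.2.0,active'
}

sample_csv | audit_csv
```

Inactive plugins are reported too, because their files remain on disk until the plugin is removed.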

What to review

  • AdRotate shortcode content, cache integration settings, and posts edited by Contributor or Editor accounts.
  • Cornerstone page-builder access, logged-in user activity, and sensitive metadata exposure indicators.
  • ShapedPlugin product updates, changed plugin files, new administrator users, outbound requests, and credential exposure signs.
  • Post Duplicator activity, duplicated posts, custom fields, and unusual serialized metadata.

Safe fix path

  1. Patch each affected plugin to the fixed release. Disable and remove plugins with unclear update state.
  2. Preserve web logs, user lists, plugin update history, and recent file timestamps before cleanup.
  3. Rotate administrator, SFTP, database, and integration credentials when supply-chain or file changes look suspicious.
  4. Restore from clean backups only after the vulnerable or compromised plugin path is patched or removed.

Repair help

Use Ping7 CVE Repair when a WordPress site has suspicious plugin updates, unknown files, new users, redirects, or unclear page-builder activity.
