Security Advisory - Published 2026-06-27 - WordPress / CMS
WordPress access and XSS batch: check exposed forms, customer data, and editor content
This batch is rated lower in severity than the critical upload and privilege batch, but it still matters on public WordPress sites. Most entries involve unauthenticated access, customer-facing plugins, forms, WooCommerce extensions, contributor/editor actions, or stored content that should be reviewed after patching.
Affected CVEs in this batch
| CVE | Product | Affected versions | Review area | CVSS |
|---|---|---|---|---|
| CVE-2026-56054 | JS Help Desk | <= 3.1.1 | files and uploads | 7.7 |
| CVE-2026-57631 | Popup box | <= 6.0.1 | database logs | 7.6 |
| CVE-2026-54826 | SupportCandy | <= 3.4.6 | users and access | 7.6 |
| CVE-2026-57628 | WP All Import | <= 4.0.1 | database logs | 7.6 |
| CVE-2026-54824 | Ads by WPQuads | <= 3.0.3 | users and access | 7.5 |
| CVE-2026-54844 | CheckView Automated Testing | <= 2.1.0 | users and access | 7.5 |
| CVE-2026-56029 | CorvusPay WooCommerce Payment Gateway | <= 2.7.4 | users and access | 7.5 |
| CVE-2026-54835 | Five Star Restaurant Menu | <= 2.5.2 | users and access | 7.5 |
| CVE-2026-54830 | Five Star Restaurant Reservations | <= 2.7.19 | users and access | 7.5 |
| CVE-2025-68064 | Goya Core | < 1.0.9.4 | files and uploads | 7.5 |
| CVE-2026-54832 | Gutenverse Companion | <= 2.5.0 | users and access | 7.5 |
| CVE-2026-9702 | InPost PL | < 1.9.1 | logs and users | 7.5 |
| CVE-2026-54837 | Intranet and Private Site - All-In-One Intranet | <= 1.8.1 | users and access | 7.5 |
| CVE-2026-54829 | Jacob N. Breetvelt WP Photo Album Plus | vendor-fixed release | database logs | 7.5 |
| CVE-2026-27366 | MainWP Child | <= 6.1.1 | users and access | 7.5 |
| CVE-2026-54828 | Motors | <= 1.4.109 | users and access | 7.5 |
| CVE-2026-54834 | Object Cache 4 everyone | <= 2.3.2 | users and access | 7.5 |
| CVE-2026-57647 | Panorama Viewer 360 Degree Image + Video Viewer | <= 1.6.1 | files and uploads | 7.5 |
| CVE-2026-56025 | Paymob for WooCommerce | <= 4.1.2 | users and access | 7.5 |
| CVE-2026-56060 | Print Invoice & Delivery Notes for WooCommerce | <= 7.1.1 | users and access | 7.5 |
| CVE-2025-68063 | Splash - Sport Club WordPress Theme for Basketball, Football, Hockey | <= 4.4.3 | files and uploads | 7.5 |
| CVE-2026-54847 | Stylish Cost Calculator | <= 8.3.9 | users and access | 7.5 |
| CVE-2026-56061 | Subscriptions for WooCommerce | <= 1.9.5 | users and access | 7.5 |
| CVE-2026-54846 | Syncee Premium Dropshipping and Wholesale | <= 1.0.27 | users and access | 7.5 |
| CVE-2026-56069 | Toolset Forms | <= 2.6.24 | users and access | 7.5 |
| CVE-2026-12937 | Tourfic AI Powered Travel Booking, Hotel Booking & Car Rental WordPress | vendor-fixed release | database logs | 7.5 |
| CVE-2026-54839 | Trinity Backup - Backup, Migrate, Restore, Clone and Schedule Backups | <= 2.0.9 | users and access | 7.5 |
| CVE-2026-54841 | Vitepos | <= 3.4.2 | users and access | 7.5 |
| CVE-2026-54833 | Enable CORS | <= 2.0.3 | users and access | 7.4 |
| CVE-2026-54821 | Visual Link Preview | <= 2.3.1 | data exposure | 7.4 |
| CVE-2026-54840 | Newsletters | <= 4.13 | users and access | 7.3 |
| CVE-2026-56042 | Advanced Order Export For WooCommerce | <= 4.0.9 | content and widgets | 7.1 |
| CVE-2026-56045 | Automatic | < 3.135.1 | users and access | 7.1 |
| CVE-2026-56044 | Blog2Social | <= 8.9.2 | users and access | 7.1 |
| CVE-2026-56043 | Customer Reviews for WooCommerce | <= 5.110.1 | users and access | 7.1 |
| CVE-2026-57312 | Everest Forms | <= 3.4.8 | users and access | 7.1 |
| CVE-2026-56071 | Forminator | <= 1.53.1 | users and access | 7.1 |
| CVE-2026-57319 | FOX | <= 1.4.8 | users and access | 7.1 |
| CVE-2026-56040 | Gutenverse Form | <= 2.4.7 | users and access | 7.1 |
| CVE-2026-57321 | H5P | <= 1.17.7 | files and uploads | 7.1 |
| CVE-2026-56006 | H5P | <= 1.17.6 | users and access | 7.1 |
| CVE-2026-56011 | MapPress Maps for WordPress | <= 2.97.3 | users and access | 7.1 |
| CVE-2026-56014 | Master Slider | <= 3.11.2 | users and access | 7.1 |
| CVE-2026-57325 | NanoMag | <= 1.8 | users and access | 7.1 |
| CVE-2026-56047 | perfmatters | <= 2.6.3 | users and access | 7.1 |
| CVE-2026-56039 | Quick Interest Slider | <= 3.1.6 | users and access | 7.1 |
| CVE-2026-56041 | Responsive Lightbox | <= 2.7.6 | users and access | 7.1 |
| CVE-2026-57317 | Simply Schedule Appointments | <= 1.6.12.2 | users and access | 7.1 |
| CVE-2026-57314 | SureCart | <= 4.3.2 | users and access | 7.1 |
| CVE-2026-56051 | TablePress | <= 3.3.1 | users and access | 7.1 |
| CVE-2026-57322 | weMail | <= 2.1.2 | users and access | 7.1 |
| CVE-2026-56072 | WoodMart | <= 8.5.3 | users and access | 7.1 |
| CVE-2026-56005 | WP Activity Log | <= 5.6.3.1 | content and widgets | 7.1 |
| CVE-2026-57635 | FunnelKit Payment Gateway for Stripe WooCommerce | <= 1.14.0.3 | users and access | 6.5 |
| CVE-2026-56013 | License Manager for WooCommerce | <= 3.0.15 | users and access | 6.5 |
| CVE-2026-56048 | Payment Gateway Based Fees and Discounts for WooCommerce | <= 3.0.0 | users and access | 6.5 |
| CVE-2026-56050 | Themeisle PPOM for WooCommerce | vendor-fixed release | users and access | 6.5 |
| CVE-2026-52701 | User Registration | <= 5.2.2 | users and access | 6.5 |
| CVE-2026-1869 | User Registration & Membership Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder | vendor-fixed release | users and access | 6.5 |
What to check
- Plugin and theme versions, including child-theme bundles and page-builder add-ons.
- Public forms, customer review widgets, support tickets, maps, newsletters, booking, and WooCommerce extensions.
- Contributor and subscriber activity, edited posts, media changes, and deleted files.
- Sensitive data exposure reports, downloaded exports, order data changes, and unusual Referer headers.
- Stored or reflected script indicators in pages, widgets, templates, and plugin settings.
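As an added example for the first item in the list above (not tooling from the advisory or from Ping7), the script below reads the table's affected-range notation and compares installed versions numerically, so "1.17.10" is not mistaken for a version below "1.17.7". Matching on the wp-cli plugin `title` field and the `--fields=title,version` invocation are assumptions, and the inventory used here is constructed.

```python
# Added example, not from the advisory: flag installed WordPress plugins whose version
# falls inside an affected range written in the table's notation ("<= X", "< X",
# "before X", or "vendor-fixed release"). wp-cli field names are an assumption.
import json
import re
import sys

# Constructed subset of the table above: product title -> affected range.
ADVISORY = {
    "JS Help Desk": "<= 3.1.1",
    "Goya Core": "< 1.0.9.4",
    "InPost PL": "before 1.9.1",
    "Themeisle PPOM for WooCommerce": "vendor-fixed release",
}

def parse_version(text):
    """'1.17.10-beta' -> (1, 17, 10); integer tuples avoid the '1.17.10' < '1.17.7' string bug."""
    return tuple(int(n) for n in re.findall(r"\d+", text.split("-")[0]))

def is_affected(installed, spec):
    """True/False for an explicit range; None when only manual review is possible."""
    m = re.match(r"^(<=|<|before)\s+([\d.]+)$", spec.strip())
    if not m:
        return None  # e.g. "vendor-fixed release": no bound given, review by hand
    strict = m.group(1) in ("<", "before")
    v, bound = parse_version(installed), parse_version(m.group(2))
    return v < bound if strict else v <= bound

def triage(inventory):
    """inventory: [{'title': ..., 'version': ...}, ...]; returns titles grouped by verdict."""
    out = {"affected": [], "review": []}
    for item in inventory:
        spec = ADVISORY.get(item.get("title", ""))
        if spec is None:
            continue  # not in this batch
        hit = is_affected(item["version"], spec)
        if hit is not False:
            out["review" if hit is None else "affected"].append(item["title"])
    return out

# Constructed sample standing in for `wp plugin list --fields=title,version --format=json`.
SAMPLE = [
    {"title": "JS Help Desk", "version": "3.1.1"},    # inclusive upper bound -> affected
    {"title": "Goya Core", "version": "1.0.9.4"},      # strict bound -> already fixed
    {"title": "InPost PL", "version": "1.10.0"},       # 1.10 > 1.9 numerically -> fixed
    {"title": "Themeisle PPOM for WooCommerce", "version": "33.0.0"},  # manual review
]

if __name__ == "__main__":
    data = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE
    print(json.dumps(triage(data), indent=2))
```

Run it with the wp-cli JSON piped on stdin; anything under "review" has no explicit bound in the table and must be compared against the vendor's fixed release by hand.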
Safe fix path
- Upgrade affected plugins and themes, then clear page, CDN, and object cache after confirming the patched files are active.
- Limit contributor/subscriber capabilities until suspicious content and file changes are reviewed.
- Preserve access logs and plugin logs before bulk deleting posts, media, tickets, or forms.
- Ask for repair review when XSS appears in live content, customer data is exposed, or files were deleted.
Compromise indicators
- New users, role changes, unexpected sessions, or unknown API tokens.
- Files changed during the exposure window, especially executable files or generated configs.
- Repeated application errors, database errors, queue failures, or unusual outbound requests.
- Plugin, container, service, or package versions that differ from the expected deployment record.
When to ask Ping7 for repair
Use Ping7 CVE Repair when the affected component is public, logs show suspicious activity, patching may break production, or cleanup requires file, database, user, token, or container review.