Security Advisory - Published 2026-06-27 - WordPress / CMS
WordPress critical plugin batch: check SQL, upload, privilege, and object-injection risks
This page groups the higher-risk WordPress plugin issues from the June 27 monitor window: SQL injection, file upload, privilege escalation, PHP object injection, RCE-labeled plugin paths, and sensitive control surfaces. Patch the affected component first, then preserve logs and review users, files, and database activity.
Affected CVEs in this batch
| CVE | Product | Affected versions | Review focus | CVSS |
|---|---|---|---|---|
| CVE-2026-57700 | Daan.Dev OMGF Pro | vendor-fixed release | files and uploads | 10.0 |
| CVE-2026-56027 | Booster for WooCommerce | <= 8.0.1 | files and uploads | 9.9 |
| CVE-2026-56058 | Quform | <= 2.23.0 | files and uploads | 9.9 |
| CVE-2026-56059 | Travel Booking | <= 2.2.5 | files and uploads | 9.9 |
| CVE-2026-54823 | Widget Options | <= 4.2.3 | logs and users | 9.9 |
| CVE-2026-56032 | Buddyboss Platform | <= 3.0.4 | logs and users | 9.8 |
| CVE-2026-56033 | Dokan Pro | <= 5.0.4 | users and access | 9.8 |
| CVE-2026-56028 | Easy Elements for Elementor - Addons and Website Templates | <= 1.4.9 | users and access | 9.8 |
| CVE-2026-56030 | Paytium | <= 5.0.2 | users and access | 9.8 |
| CVE-2026-56057 | Uncanny Automator Pro | <= 7.3.0.6 | logs and users | 9.8 |
| CVE-2026-56070 | Advance Product Search | <= 1.4.4 | database logs | 9.3 |
| CVE-2026-54831 | GeoDirectory | <= 2.8.162 | database logs | 9.3 |
| CVE-2026-54820 | JetBooking | <= 4.0.4.1 | database logs | 9.3 |
| CVE-2026-56068 | JetEngine | <= 3.8.10.2 | database logs | 9.3 |
| CVE-2026-56067 | JetSmartFilters | <= 3.8.3 | database logs | 9.3 |
| CVE-2026-56036 | Korean SimplePay WooCommerce plugin | <= 5.5.6 | database logs | 9.3 |
| CVE-2026-56034 | Library Management System | <= 3.5.7 | database logs | 9.3 |
| CVE-2026-54843 | MDTF | <= 1.3.7 | database logs | 9.3 |
| CVE-2026-54849 | Premmerce Wishlist for WooCommerce | <= 1.1.11 | database logs | 9.3 |
| CVE-2026-56062 | Quotes llama | <= 3.1.5 | database logs | 9.3 |
| CVE-2026-54827 | Real Estate 7 | <= 3.5.9 | database logs | 9.3 |
| CVE-2026-54825 | wpDataTables | <= 7.4 | database logs | 9.3 |
| CVE-2026-54836 | YMC Filter | vendor-fixed release | database logs | 9.3 |
| CVE-2026-57658 | TemplateSpare | <= 4.2.0 | files and uploads | 9.1 |
| CVE-2026-56010 | Abandoned Cart Pro for WooCommerce | <= 10.4.0 | users and access | 8.8 |
| CVE-2025-68052 | Eagle Booking | <= 1.3.4.3 | users and access | 8.8 |
| CVE-2026-56053 | EventPrime | <= 4.3.4.1 | logs and users | 8.8 |
| CVE-2026-56038 | Frisbii Pay | <= 1.8.2 | users and access | 8.8 |
| CVE-2026-56008 | Fusion Builder | <= 3.15.4 | users and access | 8.8 |
| CVE-2026-57659 | Paid Memberships Pro - Add Member From Admin | <= 0.7.2 | users and access | 8.8 |
| CVE-2026-56055 | RealHomes | <= 4.5.3 | logs and users | 8.8 |
| CVE-2026-56035 | BitFire Security | <= 5.0.3 | users and access | 8.6 |
| CVE-2026-57315 | Blocksy Companion Pro | <= 2.1.45 | logs and users | 8.5 |
| CVE-2026-57662 | Contest Gallery | <= 30.0.0 | database logs | 8.5 |
| CVE-2026-57642 | Gallery | <= 4.7.8 | database logs | 8.5 |
| CVE-2026-57667 | Groundhogg | <= 4.5 | database logs | 8.5 |
| CVE-2026-56049 | Post Snippets | <= 4.0.19 | logs and users | 8.5 |
| CVE-2026-57663 | Recipe Maker For Your Food Blog from Zip Recipes | <= 8.2.7 | database logs | 8.5 |
| CVE-2026-57644 | Restaurant Menu by MotoPress | <= 2.4.10 | database logs | 8.5 |
| CVE-2026-54822 | SALESmanago & Leadoo | <= 3.11.2 | database logs | 8.5 |
| CVE-2026-56064 | Tourfic | <= 2.22.5 | database logs | 8.5 |
| CVE-2026-54838 | WC Vendors Marketplace | <= 2.6.8 | database logs | 8.5 |
| CVE-2026-57653 | WP Job Portal | <= 2.5.2 | database logs | 8.5 |
| CVE-2026-57643 | WP Post Author | <= 3.9.1 | database logs | 8.5 |
| CVE-2026-57636 | wpForo Forum | <= 3.0.9 | database logs | 8.5 |
| CVE-2026-56063 | MailChimp Block | <= 1.1.15 | users and access | 8.3 |
| CVE-2026-54848 | Saad Iqbal APIExperts Square for WooCommerce | vendor-fixed release | data exposure | 8.3 |
| CVE-2026-57655 | Child Theme Wizard | <= 1.4 | users and access | 8.2 |
| CVE-2026-54845 | MDTF | <= 1.3.8 | files and uploads | 8.1 |
| CVE-2026-57645 | Newsletters | <= 4.13 | users and access | 8.1 |
| CVE-2026-54842 | Royal Plugins Royal MCP | vendor-fixed release | users and access | 8.1 |
| CVE-2026-56031 | Uncanny Automator | <= 7.3.1.2 | users and access | 8.1 |
What to check
- Plugin and theme versions listed in the table, including premium or bundled copies.
- New administrator users, changed roles, password resets, and suspicious sessions.
- Recent PHP, ZIP, PHAR, PHTML, JavaScript, and template file changes under wp-content.
- Database errors, unusual search/filter requests, order or membership changes, and plugin-specific logs.
- Payment, marketplace, booking, form, membership, and automation integrations touched by the affected plugin.
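As an added example (not part of this advisory or of any listed vendor's tooling), a POSIX shell triage that compares an installed plugin version against the "Affected" ceilings in the table above. It embeds a subset of the table's rows as data; the plugin name and version arguments are assumed to come from an inventory such as `wp plugin list` (an assumption, not something the page states).

```shell
#!/bin/sh
# Added example, not part of the advisory: compare an installed plugin
# version with the "Affected" ceilings from the table above. The rows
# below are a subset copied from the table; the name/version arguments
# are assumed to come from an inventory such as `wp plugin list`.

# name|ceiling|review focus. "fixed" = row says only "vendor-fixed release".
AFFECTED='Booster for WooCommerce|8.0.1|files and uploads
Quform|2.23.0|files and uploads
Uncanny Automator Pro|7.3.0.6|logs and users
Uncanny Automator|7.3.1.2|users and access
wpDataTables|7.4|database logs
Daan.Dev OMGF Pro|fixed|files and uploads'

# version_le A B: succeed when A <= B, comparing dotted numeric fields
# one by one, so 7.3.0.6 < 7.3.1 and 7.4 == 7.4.0 (missing fields are 0).
# Only numeric fields are handled; suffixes like "-beta" would need stripping.
version_le() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ah=${a%%.*}; bh=${b%%.*}
        [ "$ah" = "$a" ] && a='' || a=${a#*.}
        [ "$bh" = "$b" ] && b='' || b=${b#*.}
        [ "${ah:-0}" -lt "${bh:-0}" ] && return 0
        [ "${ah:-0}" -gt "${bh:-0}" ] && return 1
    done
    return 0
}

# triage_plugin NAME VERSION: prints "affected: <focus>", "not-affected",
# "check-vendor: <focus>" (no ceiling in the table; compare against the
# vendor's fixed release yourself), or "not-in-batch".
triage_plugin() {
    name=$1; installed=$2
    result=$(printf '%s\n' "$AFFECTED" | while IFS='|' read -r n max focus; do
        [ "$n" = "$name" ] || continue
        if [ "$max" = fixed ]; then echo "check-vendor: $focus"
        elif version_le "$installed" "$max"; then echo "affected: $focus"
        else echo "not-affected"; fi
        break
    done)
    echo "${result:-not-in-batch}"
}

# Stand-alone use: ./triage.sh 'Uncanny Automator Pro' 7.3.0.6
if [ $# -ge 2 ]; then triage_plugin "$1" "$2"; fi
```

Rows marked "vendor-fixed release" in the table carry no version ceiling, so the script deliberately refuses to decide them and sends you to the vendor's release notes instead.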
Safe fix path
- Patch or disable the affected plugin or theme before cleanup.
- Keep web logs, wp-content file timestamps, user exports, and plugin update history.
- Remove unknown administrator accounts and rotate WordPress, SFTP, database, and payment/API credentials when compromise signs exist.
- Restore files from a clean backup only after the vulnerable component is updated or removed.
Compromise indicators
- New users, role changes, unexpected sessions, or unknown API tokens.
- Files changed during the exposure window, especially executable files or generated configs.
- Repeated application errors, database errors, queue failures, or unusual outbound requests.
- Plugin, container, service, or package versions that differ from the expected deployment record.
When to ask Ping7 for repair
Use Ping7 CVE Repair when the affected component is public, logs show suspicious activity, patching may break production, or cleanup requires file, database, user, token, or container review.