Security Advisory - Published 2026-06-29 - WordPress / CMS

WordPress plugin check: Invoice Generator, Frontend File Manager Plugin, and Dokan

This batch affects account recovery, file management, and marketplace product surfaces. Patch first, then review administrator accounts, file timestamps, product fields, and cached storefront pages.

Defensive scope: check systems you own or are approved to repair. This page stays on version checks, exposure review, logs, patching, and compromise indicators.

Affected CVEs in this batch

| CVE | Product | Affected | Review | CVSS |
|---|---|---|---|---|
| CVE-2026-12415 | Invoice Generator | through 1.0.0 | admin users and password resets | 9.8 |
| CVE-2026-8095 | Frontend File Manager Plugin | through 23.6 | wp-content and core file changes | 8.1 |
| CVE-2026-11783 | Dokan | through 5.0.4 | product fields and cached pages | 6.4 |

What to check

  • Invoice Generator through 1.0.0, especially administrator email changes and password reset events.
  • Frontend File Manager Plugin through 23.6, including recent file deletions, failed file operations, and changed WordPress files.
  • Dokan through 5.0.4, especially vendor product SKU edits, storefront search output, and cached product fragments.
  • New administrator accounts, role changes, unknown sessions, and plugin update history around the exposure window.
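
An added example (not part of the advisory and not any plugin's own code) that compares installed versions against the "through" versions listed above, using numeric comparison so that 23.10 is not mistaken for something below 23.6. The plugin slugs and the sample WP-CLI output are assumptions constructed for illustration; confirm the real directory names under wp-content/plugins.

```python
import csv
import io
import re

# Highest affected version per plugin, taken from the advisory table.
# Keys are assumed WP-CLI slugs (placeholders, not from the advisory).
AFFECTED_THROUGH = {
    "invoice-generator": "1.0.0",      # CVE-2026-12415
    "frontend-file-manager": "23.6",   # CVE-2026-8095
    "dokan": "5.0.4",                  # CVE-2026-11783
}

def version_key(version):
    """Turn '23.6' into (23, 6); trailing zeros are dropped so 1.0 == 1.0.0."""
    # Only the leading dotted number is used, so '5.0.4-beta1' counts as 5.0.4.
    match = re.match(r"\d+(?:\.\d+)*", version.strip())
    parts = [int(p) for p in match.group(0).split(".")] if match else []
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)  # unparseable versions give (), which is flagged

def is_affected(slug, version):
    """True when the slug is in the advisory and version <= its limit."""
    limit = AFFECTED_THROUGH.get(slug)
    return limit is not None and version_key(version) <= version_key(limit)

def triage(csv_text):
    """Return [(slug, version, status)] for affected plugins in the CSV."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if is_affected(row["name"], row["version"]):
            # Inactive plugins are reported too: their files are still on disk.
            findings.append((row["name"], row["version"], row["status"]))
    return findings

# Constructed sample of: wp plugin list --fields=name,status,version --format=csv
SAMPLE = """name,status,version
akismet,active,5.3
invoice-generator,active,1.0.0
frontend-file-manager,inactive,23.10
dokan,active,5.0.4
"""

if __name__ == "__main__":
    for slug, version, status in triage(SAMPLE):
        print(f"AFFECTED {slug} {version} ({status})")
```
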

Safe fix path

  1. Patch or disable the affected plugin before cleaning accounts or files.
  2. Preserve access logs, WordPress user exports, wp-content timestamps, and plugin logs.
  3. Review administrator email changes, password reset records, file deletions, and product-field changes.
  4. Rotate WordPress, SFTP, database, and payment/API credentials when account or file compromise signs exist.

Compromise indicators

  • Administrator email changes, unexpected password reset messages, or unknown admin sessions.
  • Missing configuration files, changed PHP files, or file timestamps that do not match a planned update.
  • Unexpected scripts in product fields, vendor listings, cached search results, or page-builder fragments.
  • Plugin versions that remain vulnerable after a claimed maintenance window.

When to ask Ping7 for repair

Use Ping7 CVE Repair when the affected plugin is public, account changes are visible, files are missing, or cleanup needs user, file, database, cache, and payment/API review together.
