Security Advisory - Published 2026-07-01 - WordPress / WooCommerce
WordPress late June 29 batch: check plugin versions, public output, files, and WooCommerce data
This batch groups Patchstack-reported plugin and theme issues from the late June 29 window. The affected surface is mostly public pages, WooCommerce records, file deletion paths, and cached front-end output.
Affected CVEs in this batch
| CVE | Product | Affected | Review | CVSS |
|---|---|---|---|---|
| CVE-2026-57331 | Paid Videochat Turnkey Site | <= 7.4.8 | files and performer accounts | 9.9 |
| CVE-2026-57338 | ARForms | <= 7.1.2 | form pages and submissions | 7.1 |
| CVE-2026-57320 | BEAR | <= 1.1.8 | public search and bulk editor pages | 7.1 |
| CVE-2026-57346 | Epiphyt Embed Privacy | <= 1.12.3 | embed privacy settings and file changes | 7.1 |
| CVE-2026-57336 | Jobify | <= 4.3.2 | job listing pages and cached fragments | 7.1 |
| CVE-2026-57337 | Landing Page Builder | <= 1.5.3.5 | landing pages and form output | 7.1 |
| CVE-2026-57333 | Link Whisper Free | <= 0.9.4 | public link suggestion output | 7.1 |
| CVE-2026-57332 | Wallet System for WooCommerce | <= 2.7.6 | wallet balances and WooCommerce orders | 7.1 |
| CVE-2026-57341 | Colissimo Officiel for WooCommerce | <= 2.9.0 | shipping records and customer order references | 6.5 |
| CVE-2026-57340 | Japanized For WooCommerce | <= 2.9.12 | WooCommerce checkout and order records | 6.5 |
What to check
- Installed versions of Paid Videochat Turnkey Site, BEAR, Link Whisper Free, Jobify, Landing Page Builder, ARForms, and Epiphyt Embed Privacy.
- WooCommerce-specific plugins: Wallet System for WooCommerce, Japanized For WooCommerce, and Colissimo Officiel for WooCommerce.
- Front-end pages, cached HTML fragments, form submissions, order records, wallet balances, and shipping records touched during the exposure window.
- Recent file deletions or timestamp changes under wp-content, especially when file-management or embed plugins are installed.
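One way to run the installed-version check from the first two items, as an added example that is not part of the original advisory: it parses JSON in the shape produced by `wp plugin list --fields=name,title,version --format=json` and compares each match against the upper bounds in the table above. Assumptions: matching is done on the plugin's display title, the titles are taken to equal the Product column, and the sample inventory and its slugs are constructed.

```python
import json
import re

AFFECTED = {  # product title -> (last affected version, CVE), from the table
    "Paid Videochat Turnkey Site": ("7.4.8", "CVE-2026-57331"),
    "ARForms": ("7.1.2", "CVE-2026-57338"),
    "BEAR": ("1.1.8", "CVE-2026-57320"),
    "Epiphyt Embed Privacy": ("1.12.3", "CVE-2026-57346"),
    "Jobify": ("4.3.2", "CVE-2026-57336"),
    "Landing Page Builder": ("1.5.3.5", "CVE-2026-57337"),
    "Link Whisper Free": ("0.9.4", "CVE-2026-57333"),
    "Wallet System for WooCommerce": ("2.7.6", "CVE-2026-57332"),
    "Colissimo Officiel for WooCommerce": ("2.9.0", "CVE-2026-57341"),
    "Japanized For WooCommerce": ("2.9.12", "CVE-2026-57340"),
}

def version_key(version):
    """Zero-padded numeric tuple, so '2.9' == '2.9.0'; None if unparseable."""
    m = re.match(r"\d+(?:\.\d+)*", version.strip())
    if not m:
        return None
    parts = [int(p) for p in m.group(0).split(".")]
    return tuple(parts + [0] * (6 - len(parts)))

def find_affected(inventory_json):
    """Return (product, installed, cve, verdict) for each advisory product found."""
    by_title = {k.lower(): k for k in AFFECTED}
    findings = []
    for item in json.loads(inventory_json):
        product = by_title.get(str(item.get("title") or "").strip().lower())
        if product is None:
            continue  # not one of the products in this batch
        max_bad, cve = AFFECTED[product]
        raw = str(item.get("version") or "")
        installed = version_key(raw)
        verdict = "unknown"  # unparseable version: review by hand
        if installed is not None:
            verdict = "affected" if installed <= version_key(max_bad) else "ok"
        findings.append((product, raw, cve, verdict))
    return findings

SAMPLE = json.dumps([  # constructed inventory, not real site data
    {"name": "slug-a", "title": "Landing Page Builder", "version": "1.5.3"},
    {"name": "slug-b", "title": "Japanized For WooCommerce", "version": "2.9.13"},
    {"name": "slug-c", "title": "BEAR", "version": ""},
    {"name": "slug-d", "title": "Unrelated Plugin", "version": "1.0"},
])
if __name__ == "__main__":
    print(*find_affected(SAMPLE), sep="\n")
```

On a live site, pass the real WP-CLI output in place of `SAMPLE`, and repeat with `wp theme list` using the same fields, since the batch covers themes as well as plugins.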
Safe fix path
- Patch or disable the affected plugin before reviewing content and logs.
- Clear page cache, object cache, CDN cache, and WooCommerce fragments after the vulnerable component is fixed.
- Review orders, wallet records, shipping references, form submissions, product pages, and public landing pages for unexpected changes.
- Rotate WordPress administrator and integration credentials if account, order, or file integrity is uncertain.
Compromise indicators
- Unexpected scripts or HTML in public pages, forms, search output, product fields, or theme-generated pages.
- Missing files, changed embed settings, or unexplained file timestamps under wp-content.
- WooCommerce orders, wallet balances, shipping references, or customer records that do not match normal activity.
- Plugin versions that remain vulnerable after a maintenance window.
When to ask Ping7 for repair
Use Ping7 CVE Repair when the affected site is public, WooCommerce data may have changed, files may be missing, or cleanup needs user, file, database, cache, and order review together.