Security Advisory - Published 2026-07-01 - WordPress / WooCommerce

WordPress late June 29 batch: check plugin versions, public output, files, and WooCommerce data

This batch groups Patchstack-reported plugin and theme issues from the late June 29 window. The affected surface is mostly public pages, WooCommerce records, file deletion paths, and cached front-end output.

Defensive scope: check systems you own or are approved to repair. This page is limited to version checks, exposure review, logs, patching, and compromise indicators.

Affected CVEs in this batch

| CVE | Product | Affected | Review | CVSS |
|---|---|---|---|---|
| CVE-2026-57331 | Paid Videochat Turnkey Site | <= 7.4.8 | files and performer accounts | 9.9 |
| CVE-2026-57338 | ARForms | <= 7.1.2 | form pages and submissions | 7.1 |
| CVE-2026-57320 | BEAR | <= 1.1.8 | public search and bulk editor pages | 7.1 |
| CVE-2026-57346 | Epiphyt Embed Privacy | <= 1.12.3 | embed privacy settings and file changes | 7.1 |
| CVE-2026-57336 | Jobify | <= 4.3.2 | job listing pages and cached fragments | 7.1 |
| CVE-2026-57337 | Landing Page Builder | <= 1.5.3.5 | landing pages and form output | 7.1 |
| CVE-2026-57333 | Link Whisper Free | <= 0.9.4 | public link suggestion output | 7.1 |
| CVE-2026-57332 | Wallet System for WooCommerce | <= 2.7.6 | wallet balances and WooCommerce orders | 7.1 |
| CVE-2026-57341 | Colissimo Officiel for WooCommerce | <= 2.9.0 | shipping records and customer order references | 6.5 |
| CVE-2026-57340 | Japanized For WooCommerce | <= 2.9.12 | WooCommerce checkout and order records | 6.5 |

What to check

  • Installed versions of Paid Videochat Turnkey Site, BEAR, Link Whisper Free, Jobify, Landing Page Builder, ARForms, and Epiphyt Embed Privacy.
  • WooCommerce-specific plugins: Wallet System for WooCommerce, Japanized For WooCommerce, and Colissimo Officiel for WooCommerce.
  • Front-end pages, cached HTML fragments, form submissions, order records, wallet balances, and shipping records touched during the exposure window.
  • Recent file deletions or timestamp changes under wp-content, especially when file-management or embed plugins are installed.
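
A version check for the list above, as an added example that is not part of the original advisory: it compares an inventory in the shape of `wp plugin list --fields=name,title,version --format=json` against the "Affected" ceilings from the table. Matching on the plugin title is an assumption (the advisory gives no slugs), and the sample inventory with its slugs is constructed.

```python
import json
import re

# Highest affected version per product, copied from the advisory table.
AFFECTED_MAX = {
    "Paid Videochat Turnkey Site": "7.4.8", "ARForms": "7.1.2",
    "BEAR": "1.1.8", "Epiphyt Embed Privacy": "1.12.3",
    "Jobify": "4.3.2", "Landing Page Builder": "1.5.3.5",
    "Link Whisper Free": "0.9.4", "Wallet System for WooCommerce": "2.7.6",
    "Colissimo Officiel for WooCommerce": "2.9.0", "Japanized For WooCommerce": "2.9.12",
}
STATUS = {None: "review", True: "affected", False: "above range"}

def parse_version(text):
    """Return the leading dotted-numeric part as a list of ints, or None."""
    m = re.match(r"\d+(?:\.\d+)*", text.strip())
    return [int(p) for p in m.group(0).split(".")] if m else None

def is_affected(installed, max_affected):
    """True if installed <= max_affected; None if installed is unparsable."""
    a, b = parse_version(installed), parse_version(max_affected)
    if a is None:
        return None
    # Compare numerically and pad with zeros, so 2.9.2 < 2.9.12 and 2.9 == 2.9.0.
    n = max(len(a), len(b))
    return a + [0] * (n - len(a)) <= b + [0] * (n - len(b))

def audit(inventory_json):
    """Map each advisory product found in the inventory to a status string."""
    limits = {name.lower(): v for name, v in AFFECTED_MAX.items()}
    report = {}
    for item in json.loads(inventory_json):
        title = item.get("title", "").strip()
        if title.lower() in limits:
            hit = is_affected(item.get("version", ""), limits[title.lower()])
            report[title] = STATUS[hit]
    return report

# Constructed sample inventory (slugs and versions are made up, not site data).
SAMPLE = json.dumps([
    {"name": "slug-a", "title": "Japanized For WooCommerce", "version": "2.9.2"},
    {"name": "slug-b", "title": "Landing Page Builder", "version": "1.5.4"},
    {"name": "slug-c", "title": "Colissimo Officiel for WooCommerce", "version": "2.9"},
    {"name": "slug-d", "title": "BEAR", "version": "trunk"},
    {"name": "slug-e", "title": "Some Other Plugin", "version": "1.0"},
])

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE), indent=2))
```

"above range" only means the installed version is higher than the ceiling listed in the table; a version string that cannot be parsed is reported as "review" so it gets a manual check instead of being silently passed.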

Safe fix path

  1. Patch or disable the affected plugin before reviewing content and logs.
  2. Clear page cache, object cache, CDN cache, and WooCommerce fragments after the vulnerable component is fixed.
  3. Review orders, wallet records, shipping references, form submissions, product pages, and public landing pages for unexpected changes.
  4. Rotate WordPress administrator and integration credentials if account, order, or file integrity is uncertain.

Compromise indicators

  • Unexpected scripts or HTML in public pages, forms, search output, product fields, or theme-generated pages.
  • Missing files, changed embed settings, or unexplained file timestamps under wp-content.
  • WooCommerce orders, wallet balances, shipping references, or customer records that do not match normal activity.
  • Plugin versions that remain vulnerable after a maintenance window.

When to ask Ping7 for repair

Use Ping7 CVE Repair when the affected site is public, WooCommerce data may have changed, files may be missing, or cleanup needs user, file, database, cache, and order review together.
