Security Advisory - Published 2026-06-19 - WordPress / WooCommerce
WordPress June 19 batch: check plugins, webhooks, orders, users, and files
This group covers BetterDocs Pro, Avada/Fusion Builder, Media Library Assistant, CF7 to Webhook, Bit Integrations, Advanced Import, Simple Membership, STRABL, Customize My Account for WooCommerce, User Registration Stripe, Clean Login, and several Patchstack-tracked WordPress themes. Patch the component first, then review whether the site changed before the update.
Affected components
| CVE | Component | Affected | Review | CVSS |
|---|---|---|---|---|
| CVE-2026-7515 | BetterDocs Pro | <= 3.8.0 | PHP files and uploads | 9.8 |
| CVE-2026-8713 | Avada / Fusion Builder | <= 3.15.3 | Avada forms, deleted files, and wp-config state | 9.1 |
| CVE-2026-56012 | Media Library Assistant | <= 3.35 | database errors and media records | 8.5 |
| CVE-2026-54818 | Slimstat Analytics | <= 5.4.11 | analytics tables and database errors | 8.5 |
| CVE-2026-54813 | SureDash | <= 1.8.0 | database errors and dashboard records | 8.5 |
| CVE-2024-32949 | Integrate Google Drive | <= 1.3.8 | Google Drive file access and plugin permissions | 8.3 |
| CVE-2026-54184 | Clean Login | <= 1.15 | login flows and user records | 8.2 |
| CVE-2026-40726 | User Registration Stripe | <= 1.3.14 | registration payments and user records | 8.2 |
| CVE-2026-49081 | User Registration Stripe | <= 1.3.12 | registration payments and user records | 8.2 |
| CVE-2025-69110 | AirSupply theme | <= 2.0.0 | theme files and recent PHP changes | 8.1 |
| CVE-2025-58924 | Geya theme | <= 1.15 | theme files and recent PHP changes | 8.1 |
| CVE-2025-58954 | HomeRoofer theme | <= 2.11.0 | theme files and recent PHP changes | 8.1 |
| CVE-2025-58953 | Joly theme | <= 1.22.0 | theme files and recent PHP changes | 8.1 |
| CVE-2025-60085 | Learnify theme | <= 1.15.0 | theme files and recent PHP changes | 8.1 |
| CVE-2025-69105 | Modernee theme | <= 1.6.0 | theme files and recent PHP changes | 8.1 |
| CVE-2025-58952 | Neuronet theme | < 1.14.0 | theme files and recent PHP changes | 8.1 |
| CVE-2025-69112 | Planty theme | <= 1.14.0 | theme files and recent PHP changes | 8.1 |
| CVE-2025-69109 | Raider Spirit theme | <= 1.1.2 | theme files and recent PHP changes | 8.1 |
| CVE-2025-69107 | Rosaleen theme | <= 2.8 | theme files and recent PHP changes | 8.1 |
| CVE-2026-11395 | CF7 to Webhook | <= 5.0.0 | Contact Form 7 webhook settings | 7.2 |
| CVE-2026-11989 | Bit Integrations | <= 2.8.7 | WooCommerce and attachment integrations | 6.5 |
| CVE-2026-4328 | Advanced Import | <= 1.4.6 | import URLs and outbound requests | 6.4 |
| CVE-2026-12137 | Customize My Account for WooCommerce | <= 4.3.6 | shop manager sessions and admin visits | 6.1 |
| CVE-2026-12093 | Simple Membership | <= 4.7.5 | member status and Stripe webhook settings | 5.3 |
| CVE-2026-3640 | STRABL checkout solution | <= 4.5 | WooCommerce orders, refunds, and user creation | 5.3 |
Owner self-check
wp plugin list --fields=name,version,status | egrep 'betterdocs|fusion-builder|media-library-assistant|cf7-to-zapier|bit-integrations|advanced-import|simple-membership|strabl|customize-my-account'
wp plugin list --fields=name,version,status | egrep 'integrate-google-drive|user-registration-stripe|clean-login|suredash|wp-slimstat'
wp theme list --fields=name,version,status | egrep 'geya|neuronet|joly|homeroofer|learnify|modernee|rosaleen|raider|airsupply|planty'
wp user list --fields=ID,user_login,roles,user_registered
wp option list --search='webhook' --fields=option_name,option_value
wp wc order list --per_page=20 --orderby=date --order=desc 2>/dev/null
find wp-content -type f -mtime -10 | egrep '\.php$|\.phtml$|\.phar$|\.zip$|\.sql$'
What to review before closing
- Unexpected administrators, shop managers, customer accounts, or application passwords.
- WooCommerce orders, refunds, chargebacks, webhook settings, and payment status changes.
- Contact Form 7, import, attachment, and integration settings that fetch remote resources.
- WordPress themes with local file inclusion risk and any inactive copies still present on disk.
- Avada form records, deleted files, changed configuration, or missing site files.
- Executable files under uploads, cache, backup, import, or temporary directories.
Safe fix path
- Patch or disable every affected plugin. Remove inactive vulnerable copies from disk.
- Preserve access logs, order history, user lists, and recent file timestamps.
- Rotate WordPress admin, hosting, payment, and webhook secrets if suspicious changes are found.
- Restore files from a clean backup only after the vulnerable plugin is patched or removed.
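Added example, not part of the original advisory: a POSIX shell filter that compares installed versions against the affected ranges in the table above, so inactive vulnerable copies still on disk are flagged as well as active ones. It assumes WP-CLI CSV output (`--format=csv`) and a `sort` that supports `-V`; `AFFECTED`, `ver_le` and `flag_affected` are names chosen for this example.

```shell
# Added example. Ranges are copied from the advisory table; patterns are the
# substrings used by the self-check egrep filters, so confirm each hit by hand.
# Usage: wp plugin list --fields=name,version,status --format=csv | flag_affected
AFFECTED='betterdocs <= 3.8.0 CVE-2026-7515
fusion-builder <= 3.15.3 CVE-2026-8713
media-library-assistant <= 3.35 CVE-2026-56012
wp-slimstat <= 5.4.11 CVE-2026-54818
suredash <= 1.8.0 CVE-2026-54813
integrate-google-drive <= 1.3.8 CVE-2024-32949
clean-login <= 1.15 CVE-2026-54184
user-registration-stripe <= 1.3.14 CVE-2026-40726
cf7-to-zapier <= 5.0.0 CVE-2026-11395
bit-integrations <= 2.8.7 CVE-2026-11989
advanced-import <= 1.4.6 CVE-2026-4328
customize-my-account <= 4.3.6 CVE-2026-12137
simple-membership <= 4.7.5 CVE-2026-12093
strabl <= 4.5 CVE-2026-3640
airsupply <= 2.0.0 CVE-2025-69110
geya <= 1.15 CVE-2025-58924
homeroofer <= 2.11.0 CVE-2025-58954
joly <= 1.22.0 CVE-2025-58953
learnify <= 1.15.0 CVE-2025-60085
modernee <= 1.6.0 CVE-2025-69105
neuronet < 1.14.0 CVE-2025-58952
planty <= 1.14.0 CVE-2025-69112
raider <= 1.1.2 CVE-2025-69109
rosaleen <= 2.8 CVE-2025-69107'

# ver_le A B: succeeds when version A sorts at or before B (needs sort -V).
ver_le() {
  [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# flag_affected: read name,version,status CSV rows on stdin and print
# "CVE name version (range) status" for every row inside an affected range.
flag_affected() {
  while IFS=, read -r name version status; do
    [ "$name" = "name" ] && continue        # CSV header row
    [ -n "$version" ] || continue           # no version reported
    printf '%s\n' "$AFFECTED" | while read -r pat op max cve; do
      case "$name" in *"$pat"*) ;; *) continue ;; esac
      if [ "$op" = "<" ] && [ "$version" = "$max" ]; then continue; fi
      if ver_le "$version" "$max"; then
        echo "$cve $name $version ($op $max) $status"
      fi
    done
  done
}
```

The same function works on `wp theme list --fields=name,version,status --format=csv`. A line in the output means the copy is still in an affected range whether its status is active or inactive.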
Repair help
Use Ping7 CVE Repair when the site has unknown users, strange WooCommerce orders, changed webhooks, missing files, redirects, SEO spam, or PHP files that appeared during the exposure window.