Vypr Intelligence · AI-generated · Jun 15, 2026 · 25 CVEs

25 WordPress Plugin CVEs Disclosed in One Day: 11 Critical Flaws Lead the Batch

Wordfence disclosed 25 vulnerabilities across 25 WordPress plugins on June 15, 2026, including 11 critical-severity flaws spanning PHP Object Injection, SQL Injection, and file deletion.

Key findings

  • 25 vulnerabilities disclosed in 25 distinct WordPress plugins on a single day
  • 11 CVEs rated Critical (CVSS 9.0+), including six unauthenticated PHP Object Injection flaws
  • Three unauthenticated SQL Injection bugs, two rated Critical at CVSS 9.3
  • Subscriber-level arbitrary file deletion in WP User Manager scored CVSS 9.9
  • All affected plugins have been notified; administrators should update or disable immediately

On June 15, 2026, a massive batch of 25 vulnerabilities spanning 25 distinct WordPress plugins was disclosed, with a striking concentration of critical-severity flaws that put millions of sites at risk. The disclosure, published by Wordfence Intelligence, includes 11 CVEs rated Critical (CVSS 9.0+) and 10 rated High, covering bug classes from PHP Object Injection and SQL Injection to privilege escalation and file deletion. The sheer volume and severity make this one of the most consequential single-day WordPress plugin advisories of the year.

PHP Object Injection Cluster

The most prominent pattern in the batch is a cluster of six unauthenticated PHP Object Injection (POI) vulnerabilities, all rated Critical with CVSS scores of 9.8. These affect popular form-integration and utility plugins:

  • CVE-2026-9691 in Integration for ActiveCampaign and Contact Form 7, WPForms, Elementor, Ninja Forms (≤1.1.1)
  • CVE-2026-49781 in OttoKit (≤1.1.27)
  • CVE-2026-49770 in WP Travel Engine (≤6.7.12)
  • CVE-2026-49769 in wpForo Forum (≤3.1.0)
  • CVE-2026-49768 in Happyforms (≤1.26.13)
  • CVE-2026-49765 in Integration for Mailchimp and Contact Form 7, WPForms, Elementor, Ninja Forms (≤1.1.8)
  • CVE-2026-49763 in Integration for Contact Form 7 HubSpot (≤1.3.7)

An additional POI flaw, CVE-2026-49109, affects Integration for Salesforce and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms (≤1.4.3), also rated 9.8. All of these allow an unauthenticated attacker to inject arbitrary PHP objects, potentially leading to remote code execution.
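The bug class behind this cluster is deserialization of request data with unserialize(), which instantiates whatever class the input names and runs its magic methods. The following is an added example, not code from the advisory or from any of the plugins named above; the handler names and the settings parameter are hypothetical. It shows the vulnerable pattern beside a hardened form.

```php
<?php
// Added example (not from the advisory or any listed plugin); the handler
// names and the 'settings' parameter are hypothetical.

// VULNERABLE: a nopriv AJAX handler rebuilds data from a request parameter
// with unserialize(). Any class loaded by WordPress, the theme or another
// plugin can be instantiated with attacker-chosen properties, so its
// __wakeup()/__destruct() (or __toString()) run on attacker-chosen data.
function example_import_settings_unsafe() {
    $raw = isset($_POST['settings']) ? wp_unslash($_POST['settings']) : '';
    $settings = unserialize($raw);          // untrusted input -> arbitrary objects
    update_option('example_settings', $settings);
    wp_send_json_success();
}
add_action('wp_ajax_nopriv_example_import', 'example_import_settings_unsafe');

// HARDENED: (1) the endpoint requires a capability and a nonce, so it is no
// longer reachable unauthenticated; (2) request data is JSON, which decodes
// only to arrays and scalars; (3) only expected keys survive, with sanitized
// scalar values.
function example_import_settings_safe() {
    if (!current_user_can('manage_options')) {
        wp_send_json_error('forbidden', 403);
    }
    check_ajax_referer('example_import', '_wpnonce');

    $raw = isset($_POST['settings']) ? wp_unslash($_POST['settings']) : '';
    $settings = json_decode($raw, true);
    if (!is_array($settings)) {
        wp_send_json_error('invalid settings', 400);
    }
    $clean = array(
        'list_id'      => sanitize_text_field($settings['list_id'] ?? ''),
        'double_optin' => !empty($settings['double_optin']),
    );
    update_option('example_settings', $clean);
    wp_send_json_success();
}
add_action('wp_ajax_example_import', 'example_import_settings_safe');

// Legacy serialized strings that must still be read: allowed_classes => false
// turns every object into __PHP_Incomplete_Class, so no magic method runs.
function example_read_legacy_serialized($serialized) {
    return unserialize($serialized, array('allowed_classes' => false));
}
```

Whether an injected object actually reaches code execution depends on which classes are loaded on the site, which is why the fix is to stop deserializing untrusted input rather than to audit every gadget.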

SQL Injection and Path Traversal

Three unauthenticated SQL Injection vulnerabilities were disclosed, two of which are Critical. CVE-2026-52693 (CVSS 9.3) affects eCommerce Product Catalog ≤3.5.5, while CVE-2026-49776 (CVSS 9.3) impacts GPTranslate – Multilingual AI Translation for WordPress ≤2.32.6. A third SQLi, CVE-2026-52700 (CVSS 8.5, High), requires subscriber-level access and affects WCMultiShipping ≤3.0.2. Another subscriber-level SQLi, CVE-2026-52697 (CVSS 8.5), was found in Taskbuilder ≤5.0.7. Two path-traversal flaws were also disclosed: CVE-2026-52703 (CVSS 9.6, Critical) in FastDup ≤2.7.2 and CVE-2026-49112 (CVSS 7.5, High) in Shared Files ≤1.7.64, both exploitable without authentication.

Authentication, Authorization, and Data Exposure

Several vulnerabilities concern authentication and access control. CVE-2026-49764 (CVSS 9.8, Critical) is an unauthenticated broken authentication flaw in RegistrationMagic ≤6.0.8.6. CVE-2026-49110 (CVSS 7.5, High) is another unauthenticated broken authentication bug in Upsell Order Bump Offer for WooCommerce ≤3.1.4. CVE-2026-49780 (CVSS 8.8, High) allows customer privilege escalation in Dokan ≤5.0.2. CVE-2026-49775 (CVSS 6.5, Medium) is an unauthenticated broken access control issue in Welcart e-Commerce ≤2.11.28. CVE-2026-52699 (CVSS 7.5, High) is an unauthenticated Insecure Direct Object Reference (IDOR) in VikRentCar ≤1.4.5. Three unauthenticated sensitive data exposure flaws were disclosed: CVE-2026-52695 in ABC Crypto Checkout ≤1.8.2, CVE-2026-52694 in Signature Add-On for WooCommerce ≤2.0, and CVE-2026-52692 in Affiliates Manager ≤2.9.50, all rated High (CVSS 7.5).

Cross-Site Scripting and File Deletion

Two XSS vulnerabilities round out the batch. CVE-2026-52702 (CVSS 7.1, High) is an unauthenticated stored XSS in SEO Redirection ≤9.17. CVE-2026-49773 (CVSS 6.5, Medium) is a subscriber-level XSS in FV Flowplayer Video Player <7.5.51.7212. A notable critical-severity flaw, CVE-2026-49766 (CVSS 9.9), allows subscriber-level arbitrary file deletion in WP User Manager ≤2.9.16, which could be leveraged to remove critical site files.

Response and Patching

Wordfence Intelligence published the full advisory on June 15, 2026, and all affected plugin vendors have been notified. Site administrators should immediately check whether they are running any of the affected plugins and update to the latest patched versions. For plugins where no patch has been released, the recommended mitigation is to disable the plugin until a fix is available. The Wordfence Intelligence weekly report covering the period June 1–7 had already flagged several of these CVEs, including CVE-2026-49109, CVE-2026-49110, CVE-2026-49112, CVE-2026-49763, CVE-2026-49764, CVE-2026-49765, CVE-2026-49766, CVE-2026-49768, CVE-2026-49769, CVE-2026-49770, CVE-2026-49773, CVE-2026-49775, CVE-2026-49776, CVE-2026-49780, CVE-2026-49781, and CVE-2026-9691.
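The affected-version ceilings quoted above can be turned into a check that runs on the site itself. The mu-plugin below is an added example, not Wordfence's or any vendor's code; it assumes a plugin can be matched on the Name field of its header (which may differ from the advisory's wording, so verify each entry) and covers a subset of the batch.

```php
<?php
// Added example, not Wordfence's or any vendor's code. Place in
// wp-content/mu-plugins/ to get a dashboard notice when an installed plugin's
// version is inside an affected range quoted in the advisory. ASSUMPTION:
// plugins are matched on the "Name" header field, taken to equal the
// advisory's name; verify each entry against the real header. Subset only.

// name => array(CVE, version_compare operator, boundary version)
function example_affected_plugins() {
    return array(
        'WP User Manager'            => array('CVE-2026-49766', '<=', '2.9.16'),
        'OttoKit'                    => array('CVE-2026-49781', '<=', '1.1.27'),
        'RegistrationMagic'          => array('CVE-2026-49764', '<=', '6.0.8.6'),
        'FastDup'                    => array('CVE-2026-52703', '<=', '2.7.2'),
        'eCommerce Product Catalog'  => array('CVE-2026-52693', '<=', '3.5.5'),
        'FV Flowplayer Video Player' => array('CVE-2026-49773', '<',  '7.5.51.7212'),
    );
}

// $installed has the shape get_plugins() returns: file => array('Name', 'Version', ...).
function example_find_affected(array $installed, array $table) {
    $hits = array();
    foreach ($installed as $file => $data) {
        if (!isset($table[$data['Name']])) {
            continue;
        }
        list($cve, $op, $bound) = $table[$data['Name']];
        if (version_compare($data['Version'], $bound, $op)) {
            $hits[] = sprintf('%s %s (%s: affected %s %s) in %s',
                $data['Name'], $data['Version'], $cve, $op, $bound, $file);
        }
    }
    return $hits;
}

add_action('admin_notices', function () {
    if (!current_user_can('update_plugins')) {
        return;
    }
    if (!function_exists('get_plugins')) {
        require_once ABSPATH . 'wp-admin/includes/plugin.php';
    }
    $hits = example_find_affected(get_plugins(), example_affected_plugins());
    if ($hits) {
        echo '<div class="notice notice-error"><p>Installed plugin versions listed in the advisory:</p><ul><li>'
            . implode('</li><li>', array_map('esc_html', $hits)) . '</li></ul></div>';
    }
});
```

The notice fires for inactive plugins too, since get_plugins() lists everything on disk; an inactive but vulnerable copy should still be updated or removed.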

Bottom Line

This single-day disclosure of 25 vulnerabilities across 25 plugins underscores the persistent challenge of securing the WordPress plugin ecosystem. The heavy concentration of unauthenticated PHP Object Injection and SQL Injection flaws — many carrying CVSS scores of 9.8 — means that attackers can achieve full site compromise without any credentials. Site owners should prioritize updating the affected plugins listed above and consider using a web application firewall (WAF) to block exploitation attempts for unpatched plugins.

AI-written article. Grounded in 25 CVE records listed below.