VYPR
advisory · Published Jun 16, 2026 · Updated Jun 17, 2026 · 1 source

WordPress: 25 CVEs Disclosed in One Day — RCE, File Upload, and a Wave of PHP Object Injection Flaws in Themes


Key findings

  • 25 WordPress CVEs disclosed in a single 28-minute window on June 16, 2026
  • 14 of the 25 are unauthenticated PHP Object Injection bugs across a family of themes
  • Critical RCE in ACPT Custom Post Types plugin (CVE-2026-25470) and file upload in Academy LMS Pro (CVE-2026-39598)
  • Two unauthenticated SQL injection flaws: Directorist Booking and wpDataTables
  • Patches available for Academy LMS Pro (3.5.2), Cornerstone (7.8.8), and wpDataTables (7.3.7)
  • Wordfence flagged several CVEs in their weekly intelligence report

On June 16, 2026, a batch of 25 vulnerabilities spanning WordPress plugins and themes was disclosed in a single coordinated event, with all CVEs published within a 28-minute window. The disclosure reveals a striking pattern: 14 of the 25 CVEs are unauthenticated PHP Object Injection flaws affecting a family of themes from a common developer, alongside a handful of critical-severity bugs in popular plugins including a Remote Code Execution (RCE) in the ACPT Custom Post Types plugin and an Arbitrary File Upload in Academy LMS Pro. For site owners running any of the affected software, the message is urgent — patch immediately.

Plugin Vulnerabilities: RCE, File Upload, SQLi, and Code Execution

The most severe individual bug is CVE-2026-25470, a Code Injection vulnerability in the ACPT (Pro) – Custom Post Types Plugin for WordPress (versions through 2.0.47) that allows Remote Code Execution. An attacker who can inject code can achieve full site compromise. Equally dangerous is CVE-2026-39598 in **Academy LMS Pro** (before 3.5.2), an unrestricted file upload flaw that lets an attacker upload a web shell to the server. Two SQL Injection bugs were also disclosed: CVE-2026-49073 in **Directorist Booking** (through 3.0.3) enables blind SQL injection, and CVE-2026-49080 in **wpDataTables** (through 7.3.6) is an unauthenticated SQL injection. CVE-2026-49113 in the **Cornerstone** plugin (before 7.8.8) allows subscriber-level arbitrary code execution, and CVE-2026-49057 in **JobSearch** (through 3.2.7) is an unauthenticated broken access control bug.

Theme Vulnerabilities: A Wave of PHP Object Injection

The largest cluster in this batch is a set of 14 unauthenticated PHP Object Injection vulnerabilities across a series of WordPress themes — all from the same developer family. The affected themes are: **Valeska** (≤1.2.2, CVE-2026-40761), **Behold** (≤1.5, CVE-2026-40760), **Esmée** (≤1.4, CVE-2026-40759), **Léonie** (≤1.2.1, CVE-2026-40758), **TechLink** (≤1.3, CVE-2026-40755), **Roisin** (≤1.4, CVE-2026-40754), **Ashtanga** (≤1.2, CVE-2026-40751), **LuxeDrive** (≤1.4, CVE-2026-40739), **Laurits** (≤1.5.1, CVE-2026-40736), **Micdrop** (≤1.3.1, CVE-2026-39580), **Valiance** (≤1.2, CVE-2026-39578), **Playroom** (≤1.4.1, CVE-2026-39577), **Santé** (≤1.5.1, CVE-2026-39567), **NeoBeat** (≤1.7, CVE-2026-39557), and **Fidalgo** (≤1.2.2, CVE-2026-39554). All are unauthenticated, meaning no login is required to exploit them. PHP Object Injection can lead to arbitrary code execution if a gadget chain is available, making these themes a significant attack surface.
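For readers who want to see the bug class rather than only its count, here is an added example that is not code from any of the themes named above, nor from WordPress core: the generic `unserialize()`-on-untrusted-input pattern behind PHP Object Injection, beside two hardened alternatives. The `CacheEntry` class, the function names and the serialized payload are hypothetical; `allowed_classes` is the real `unserialize()` option available since PHP 7.0 (the typed properties and `mixed` return type need PHP 8).

```php
<?php
// Added example, not code from any theme or plugin named in this advisory:
// the generic pattern behind PHP Object Injection (unserialize() on untrusted
// input) beside two hardened alternatives. CacheEntry, the functions and the
// sample payload are all hypothetical.

// A class with a magic method is what makes a deserialized object a "gadget":
// PHP invokes __wakeup() (and later __destruct()) without any call in the
// application's own code path.
class CacheEntry
{
    public string $path = '';

    public function __wakeup(): void
    {
        // Stands in for the side effect a real gadget would have (file write, include, ...).
        echo "__wakeup() ran with path={$this->path}\n";
    }
}

// Constructed input standing in for a cookie, POST field or query parameter.
$untrusted = 'O:10:"CacheEntry":1:{s:4:"path";s:12:"/tmp/payload";}';

// VULNERABLE: the sender chooses which class gets instantiated, from every
// class loaded in the process (core, any plugin, any theme).
function load_state_vulnerable(string $input): mixed
{
    return unserialize($input);
}

// HARDENED 1 (PHP >= 7.0): refuse to instantiate any class. An object payload
// comes back as __PHP_Incomplete_Class and no magic method runs; treat that
// as hostile input rather than as data.
function load_state_no_classes(string $input): mixed
{
    $value = @unserialize($input, ['allowed_classes' => false]);
    if (is_object($value)) {
        return null;
    }
    return $value;
}

// HARDENED 2: do not use PHP serialization for untrusted data at all; JSON
// cannot express objects with behaviour.
function load_state_json(string $input): ?array
{
    $value = json_decode($input, true);
    return (json_last_error() === JSON_ERROR_NONE && is_array($value)) ? $value : null;
}

load_state_vulnerable($untrusted);                   // prints the __wakeup() line
var_dump(load_state_no_classes($untrusted));         // NULL, nothing executed
var_dump(load_state_no_classes('a:1:{i:0;i:1;}'));   // a plain array still round-trips
var_dump(load_state_json('{"path":"/tmp/cache"}'));  // array with key "path"
```

The defensive point is in the first two calls: in the vulnerable path the gadget's `__wakeup()` runs with no explicit call anywhere in the application, while with `allowed_classes` disabled the same bytes come back as an incomplete object and nothing executes. When auditing a theme or plugin, every `unserialize()` whose argument can be traced to a request, cookie, option value or uploaded file is a finding until one of these two shapes is in place.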

Additional Theme Flaws: LFI and XSS

Two Local File Inclusion (LFI) bugs were also disclosed: CVE-2026-39568 in the **Mr. SEO** theme (≤2.0) and CVE-2026-39549 in the **Aperitif** theme (≤1.5), both unauthenticated. Two reflected Cross-Site Scripting (XSS) vulnerabilities round out the batch: CVE-2026-48869 in the **Enfold** theme (≤7.1.4) and CVE-2026-39548 in the **MagOne** theme (≤9.0).

Patch Status and Mitigation

At the time of disclosure, patches are available for several of the affected products: Academy LMS Pro users should update to version 3.5.2 or later, Cornerstone users to 7.8.8 or later, and wpDataTables users to 7.3.7 or later. For the ACPT plugin (CVE-2026-25470), Directorist Booking (CVE-2026-49073), and JobSearch (CVE-2026-49057), site owners should check for updates from their respective vendors. The 14 PHP Object Injection themes and the LFI/XSS themes all require updating to versions beyond the affected ranges listed above — users should verify with their theme provider whether a patched version has been released. Wordfence has flagged several of these CVEs in their weekly intelligence report, including CVE-2026-48869, CVE-2026-49057, and CVE-2026-49113, underscoring the breadth of the disclosure.

Why This Batch Matters

This single-day disclosure event is a stark reminder of the supply-chain risk inherent in WordPress's plugin and theme ecosystem. The sheer volume — 25 CVEs in under half an hour — and the concentration of PHP Object Injection bugs in a single theme family suggest a systemic code-quality issue that could be exploited at scale if gadget chains are discovered. Site administrators should inventory their installed plugins and themes against the affected version ranges and apply patches immediately.
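The inventory step recommended in the Patch Status section and again here is easy to get wrong with string comparison (`"1.10" < "1.9"` is true as strings). The following is an added example, not code from the advisory, Wordfence or any vendor, that compares WP-CLI's plugin and theme listing against a subset of the affected ranges stated above using PHP's own `version_compare()`. The two JSON inventories are constructed sample data in the shape of `wp plugin list --format=json` and `wp theme list --format=json`; the slugs in `$affected` are assumptions, since the advisory names products rather than wordpress.org slugs, and must be checked against the site's actual directory names before use.

```php
<?php
// Added example, not the advisory's or any vendor's code: flag installed
// plugins/themes whose version falls inside an affected range from this
// advisory. Slugs below are assumptions (the advisory names products, not
// slugs); the JSON further down is constructed sample data.

$affected = [
    // slug => [type, operator, boundary version, CVE]
    // "through X" and "≤X" in the advisory mean <= X; "before X" means < X.
    'acpt'                => ['plugin', '<=', '2.0.47', 'CVE-2026-25470'],
    'academy-lms-pro'     => ['plugin', '<',  '3.5.2',  'CVE-2026-39598'],
    'directorist-booking' => ['plugin', '<=', '3.0.3',  'CVE-2026-49073'],
    'wpdatatables'        => ['plugin', '<=', '7.3.6',  'CVE-2026-49080'],
    'cornerstone'         => ['plugin', '<',  '7.8.8',  'CVE-2026-49113'],
    'jobsearch'           => ['plugin', '<=', '3.2.7',  'CVE-2026-49057'],
    'valeska'             => ['theme',  '<=', '1.2.2',  'CVE-2026-40761'],
    'micdrop'             => ['theme',  '<=', '1.3.1',  'CVE-2026-39580'],
    'enfold'              => ['theme',  '<=', '7.1.4',  'CVE-2026-48869'],
];

/**
 * Return one finding string per installed component whose version satisfies
 * the affected range. version_compare() orders "1.10" after "1.9", which a
 * plain string comparison would not, so ranges like "≤1.5.1" are handled right.
 * Inactive components are reported too: the code is still on disk.
 */
function find_affected(string $inventoryJson, string $type, array $affected): array
{
    $findings = [];
    foreach (json_decode($inventoryJson, true) ?? [] as $row) {
        $slug = $row['name'] ?? '';
        if (!isset($affected[$slug]) || $affected[$slug][0] !== $type) {
            continue;
        }
        [, $op, $bound, $cve] = $affected[$slug];
        if (version_compare($row['version'], $bound, $op)) {
            $findings[] = sprintf(
                '%s %s %s (%s) is affected by %s: installed %s %s %s',
                $type, $slug, $row['version'], $row['status'] ?? 'unknown status',
                $cve, $row['version'], $op, $bound
            );
        }
    }
    return $findings;
}

// Constructed sample inventories (not from a real site). In practice feed the
// output of `wp plugin list --format=json` and `wp theme list --format=json`.
$pluginsJson = '[
  {"name":"academy-lms-pro","status":"active","update":"available","version":"3.5.1"},
  {"name":"wpdatatables","status":"active","update":"none","version":"7.3.7"},
  {"name":"hello","status":"inactive","update":"none","version":"1.7.2"}
]';
$themesJson = '[
  {"name":"valeska","status":"inactive","update":"none","version":"1.2.2"},
  {"name":"twentytwentyfour","status":"active","update":"none","version":"1.2"}
]';

$findings = array_merge(
    find_affected($pluginsJson, 'plugin', $affected),
    find_affected($themesJson, 'theme', $affected)
);

// Expected on the sample data: academy-lms-pro 3.5.1 (< 3.5.2) and the
// inactive valeska 1.2.2 (<= 1.2.2) are reported; wpdatatables 7.3.7 is not.
foreach ($findings as $line) {
    echo $line, "\n";
}
exit($findings === [] ? 0 : 1);
```

Because WP-CLI reports components by directory slug, verify each slug in `$affected` against `wp-content/plugins/` and `wp-content/themes/` on the site before trusting a clean result; a mismatched slug silently produces no finding. The non-zero exit code lets the check sit in a cron job or CI step that fails while any affected version remains installed.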

Synthesized by Vypr AI