VYPR
Published Jun 3, 2026 · 1 source

WordPress: 25 Plugin and Theme Vulnerabilities Disclosed in Single Batch


Key findings

  • 25 WordPress plugin and theme vulnerabilities disclosed together on June 2, 2026.
  • Vulnerabilities range from Medium to Critical severity, including SQLi, XSS, RFI, and Auth Bypass.
  • Multiple PHP Local File Inclusion flaws affect several themes and plugins, including those from Axiomthemes.
  • Critical vulnerabilities include an insecure password reset in ARMember Premium and Blind SQLi in Ahmad WP Job Portal.
  • The batch includes Deserialization of Untrusted Data and Remote Code Execution flaws.

On June 2, 2026, a significant batch of 25 vulnerabilities impacting various WordPress plugins and themes was disclosed, spanning a 12-hour window. These vulnerabilities, reported by security researchers and disclosed by entities like Vypr Intelligence, cover a range of severity levels, from medium to critical, with CVSS scores reaching as high as 9.8. The disclosures highlight persistent security challenges within the vast WordPress ecosystem, affecting functionalities from user authentication and password management to content display and data handling.

A notable portion of the disclosed vulnerabilities falls into the category of PHP Local File Inclusion (LFI), typically stemming from improper control of the filename used in an include/require statement. This includes multiple instances affecting themes and plugins from Axiomthemes, such as Racquet (CVE-2025-69369), Fermentio (CVE-2025-58897), and Spin (CVE-2025-58707), as well as Code Supply Co. Blueprint (CVE-2026-39552) and Select-Themes WaveRide (CVE-2026-39553). These LFI vulnerabilities, many rated as High severity (CVSSv3 8.1), could allow attackers to read sensitive files from the server.
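The LFI class described above comes from letting request data choose which file an include statement loads. The following PHP is an added illustration and is not code from any of the affected themes or from Vypr: it contrasts the unsafe pattern with a version that maps a request value onto a fixed allowlist of template files and confirms the resolved path stays inside the theme directory. The function name and template filenames are hypothetical.

```php
<?php
// Unsafe pattern (illustrative only): the request value becomes part of the
// included path, so "../" sequences or other filenames can be pulled in.
//
//   $layout = $_GET['layout'];
//   include get_template_directory() . '/templates/' . $layout . '.php';

/**
 * Hardened version (hypothetical helper name). The request value is only a
 * lookup key into an allowlist; the filesystem path is never built from it.
 *
 * @param string $requested Raw value taken from the request.
 * @return bool True if a template was included, false if the request was rejected.
 */
function vypr_example_load_layout( string $requested ): bool {
	// Allowlist of template names this theme actually ships (constructed sample).
	$allowed = array(
		'grid' => 'templates/layout-grid.php',
		'list' => 'templates/layout-list.php',
	);

	$key = sanitize_key( $requested ); // lowercases, strips anything but [a-z0-9_-]
	if ( ! isset( $allowed[ $key ] ) ) {
		return false; // unknown layout: refuse instead of guessing a file
	}

	$base = realpath( get_template_directory() );
	$real = realpath( get_template_directory() . '/' . $allowed[ $key ] );

	// Defence in depth: even with an allowlist, verify the resolved path is a
	// real file below the theme directory before handing it to include.
	if ( false === $base || false === $real
		|| 0 !== strpos( $real, $base . DIRECTORY_SEPARATOR )
		|| ! is_file( $real ) ) {
		return false;
	}

	include $real;
	return true;
}

// Usage: the layout name is read from the request but can only select an
// allowlisted file; anything else falls through to a default.
if ( ! vypr_example_load_layout( isset( $_GET['layout'] ) ? (string) wp_unslash( $_GET['layout'] ) : 'grid' ) ) {
	vypr_example_load_layout( 'grid' );
}
```

The key design point is that user input never reaches the include path at all; the `realpath` check is a second layer in case the allowlist is later edited to contain something it should not.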

Another significant theme within this batch involves SQL Injection (SQLi) flaws. The ARMember Premium plugin, for instance, is affected by two SQLi vulnerabilities: one via the 'sSortDir_0' parameter in the get_private_content_data AJAX action (CVE-2026-5074, Medium severity) and another via the 'order' parameter in the 'arm_directory_paging_action' AJAX action (CVE-2026-5073, High severity). Additionally, Ahmad WP Job Portal suffers from a Blind SQL Injection vulnerability (CVE-2026-42684, Critical severity 9.3) affecting versions up to 2.5.1.
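Both ARMember findings above involve sort-order parameters, which is a common place for SQLi to survive even in code that otherwise uses prepared statements: `$wpdb->prepare()` can bind values (`%d`, `%s`) but not column names or the `ASC`/`DESC` keyword, so those must be allowlisted in code. The following PHP is an added example, not code from ARMember or from Vypr; the function name, the table chosen (`wp_users`) and the column map are assumptions made for illustration, while the parameter names `order` and `sSortDir_0` are taken from the disclosure text.

```php
<?php
/**
 * Hypothetical paging handler that sorts safely.
 *
 * Unsafe pattern this replaces (illustrative only):
 *   $sql = "SELECT ... ORDER BY {$_POST['order']} {$_POST['sSortDir_0']}";
 *
 * @param array $request Request parameters (e.g. $_POST).
 * @return array Rows returned by $wpdb->get_results().
 */
function vypr_example_directory_rows( array $request ): array {
	global $wpdb;

	// Allowlist: request key => real column name. Anything else falls back to ID.
	$columns = array(
		'id'     => 'ID',
		'name'   => 'display_name',
		'joined' => 'user_registered',
	);
	$order_key = isset( $request['order'] ) ? sanitize_key( $request['order'] ) : 'id';
	$column    = isset( $columns[ $order_key ] ) ? $columns[ $order_key ] : 'ID';

	// The direction is reduced to exactly one of two literals; the raw
	// request string is never interpolated into the query.
	$dir = ( isset( $request['sSortDir_0'] )
		&& 'desc' === strtolower( (string) $request['sSortDir_0'] ) ) ? 'DESC' : 'ASC';

	// Numeric paging values are bound through prepare() with %d.
	$per_page = isset( $request['per_page'] ) ? min( 100, max( 1, absint( $request['per_page'] ) ) ) : 20;
	$offset   = isset( $request['offset'] ) ? absint( $request['offset'] ) : 0;

	$sql = $wpdb->prepare(
		"SELECT ID, display_name, user_registered
		 FROM {$wpdb->users}
		 ORDER BY {$column} {$dir}
		 LIMIT %d OFFSET %d",
		$per_page,
		$offset
	);

	$rows = $wpdb->get_results( $sql );
	return is_array( $rows ) ? $rows : array();
}

// Usage (constructed input): a hostile direction value is simply coerced to ASC.
// $rows = vypr_example_directory_rows( array( 'order' => 'name', 'sSortDir_0' => "DESC, (SELECT 1)" ) );
```

When reviewing a plugin, grep for `ORDER BY` and `LIMIT` clauses built with string concatenation; if the interpolated variable is not the output of an allowlist lookup or an integer cast, it is the same bug class as the two CVEs above.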

Cross-Site Scripting (XSS) vulnerabilities were also present in this disclosure event. The Passeum Ticketing plugin is vulnerable to Stored XSS (CVE-2026-7421, Medium severity 4.4) due to insufficient sanitization in its get_shop_url() method. Ahmad WP Job Portal also has a Reflected XSS vulnerability (CVE-2026-42685, High severity 7.1) affecting versions up to 2.5.1. Emilia Projects Progress Planner has a Stored XSS flaw (CVE-2026-28116, Medium severity 5.9) in its Progress Planner component.

Several vulnerabilities relate to authentication bypass and insecure password reset mechanisms. ARMember Premium (CVE-2026-5076, Critical severity 9.8) has a critical flaw where it stores a plaintext password reset key in user meta. WP Swings Wallet System for WooCommerce (CVE-2026-42654, High severity 7.1) and Liquid Web/StellarWP BookIt (CVE-2026-40780, High severity 7.5) both suffer from authentication bypass vulnerabilities that could be exploited through their password recovery flows.
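The ARMember finding is that the reset key itself sits in user meta, so anyone who can read that table (SQLi elsewhere, a backup, an over-privileged admin tool) can reset any account. The mitigation is the same one WordPress core applies to its own reset keys: store only a hash of the key, give it a short lifetime, and consume it on first use. The PHP below is an added example written for this page, not ARMember's or WordPress core's code; the function names and the meta key `vypr_example_reset` are hypothetical.

```php
<?php
/**
 * Issue a reset key for a user. Only a password-style hash of the key is
 * persisted; the plaintext is returned once so it can be emailed and is
 * never written to the database.
 */
function vypr_example_issue_reset_key( int $user_id ): string {
	$key = wp_generate_password( 20, false ); // random, letters and digits only

	$record = array(
		'hash'    => password_hash( $key, PASSWORD_DEFAULT ), // slow hash, salted
		'expires' => time() + 15 * MINUTE_IN_SECONDS,          // short validity window
	);
	update_user_meta( $user_id, 'vypr_example_reset', $record );

	return $key;
}

/**
 * Verify a key supplied by the user. Returns true exactly once per issued key:
 * the record is deleted on success, on expiry, and on a mismatch is left
 * untouched so the caller can rate-limit attempts.
 */
function vypr_example_verify_reset_key( int $user_id, string $key ): bool {
	$record = get_user_meta( $user_id, 'vypr_example_reset', true );

	if ( ! is_array( $record ) || empty( $record['hash'] ) || empty( $record['expires'] ) ) {
		return false; // no outstanding reset for this user
	}

	if ( time() > (int) $record['expires'] ) {
		delete_user_meta( $user_id, 'vypr_example_reset' ); // stale key, discard it
		return false;
	}

	if ( ! password_verify( $key, $record['hash'] ) ) {
		return false; // wrong key; the stored hash reveals nothing about the real one
	}

	delete_user_meta( $user_id, 'vypr_example_reset' ); // single use
	return true;
}

// Usage sketch: the issue step runs when a reset is requested, the verify step
// when the emailed link is followed; only then is the new password accepted.
// $plain = vypr_example_issue_reset_key( $user_id );      // send $plain by email
// if ( vypr_example_verify_reset_key( $user_id, $_POST['key'] ) ) { /* set password */ }
```

Because `password_hash` salts and stretches the key, a leaked user-meta row no longer lets an attacker complete the reset; the expiry and single-use deletion limit the window even if the plaintext email is intercepted.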

Other notable vulnerabilities include Deserialization of Untrusted Data flaws, leading to Object Injection, in Elated-Themes Askka (CVE-2026-39555, High severity 8.1), Töbel (CVE-2026-39551, High severity 8.1), and Aperitif (CVE-2026-39550, High severity 8.1). The Content Visibility for Divi Builder plugin has a Remote Code Execution vulnerability (CVE-2026-1829, High severity 8.8) accessible to authenticated users with Contributor-level access.

Missing authorization vulnerabilities, in which incorrectly configured access control can be exploited, were found in Elementor Website Builder (CVE-2026-49782, Medium severity 5.4), Sekander Badsha Crew HRM (CVE-2026-27351, Medium severity 5.4), Etoile Web Design Incorporated Five Star Restaurant Reservations (CVE-2026-42670, High severity 7.5), and EventPrime (CVE-2026-42669, High severity 7.5).

The EmergencyWP plugin is affected by a Cross-Site Request Forgery (CSRF) vulnerability (CVE-2026-9732, Medium severity 4.3) due to missing nonce validation. While specific patch details for each individual plugin and theme are not universally provided in the initial disclosure, users are strongly advised to consult the respective plugin/theme developers for updates. The sheer volume and severity of vulnerabilities disclosed in this single batch underscore the importance of diligent security practices and timely patching for WordPress site administrators.
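The missing-authorization findings and the EmergencyWP CSRF finding are two halves of the same AJAX handler checklist: a nonce proves the request originated from a page the site served to this user (CSRF), and a capability check proves the user is allowed to perform the action (authorization). One without the other is insufficient, and neither is applied automatically by `wp_ajax_*` hooks. The PHP below is an added example, not code from EmergencyWP, Elementor or any other project named above; the action name, capability, post type and hook names are assumptions.

```php
<?php
// Enqueue the nonce alongside the script that will call the endpoint
// (hypothetical script handle and object name).
add_action( 'admin_enqueue_scripts', function () {
	wp_localize_script( 'vypr-example-admin', 'vyprExample', array(
		'ajaxUrl' => admin_url( 'admin-ajax.php' ),
		'nonce'   => wp_create_nonce( 'vypr_example_delete_reservation' ),
	) );
} );

// Only the logged-in hook is registered. Deliberately NOT registering
// 'wp_ajax_nopriv_...' keeps anonymous visitors away from a privileged action.
add_action( 'wp_ajax_vypr_example_delete_reservation', 'vypr_example_delete_reservation' );

function vypr_example_delete_reservation() {
	// 1. CSRF: reject requests whose nonce is missing or does not match.
	//    check_ajax_referer() dies with a -1 response on failure by default.
	check_ajax_referer( 'vypr_example_delete_reservation', 'nonce' );

	// 2. Authorization: the nonce only proves origin, not permission.
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
	}

	// 3. Input validation: an integer ID, bound to the expected post type.
	$id   = isset( $_POST['id'] ) ? absint( $_POST['id'] ) : 0;
	$post = $id ? get_post( $id ) : null;
	if ( ! $post || 'vypr_reservation' !== $post->post_type ) {
		wp_send_json_error( array( 'message' => 'Unknown reservation.' ), 400 );
	}

	// 4. Do the privileged work only after every check has passed.
	$deleted = wp_delete_post( $id, true );
	if ( ! $deleted ) {
		wp_send_json_error( array( 'message' => 'Delete failed.' ), 500 );
	}

	wp_send_json_success( array( 'deleted' => $id ) );
}
```

When auditing a plugin for either bug class, list every `wp_ajax_` and `wp_ajax_nopriv_` registration and confirm the callback reaches both a nonce check and a `current_user_can()` check before any state change; a `nopriv` hook on a handler that modifies data is the pattern behind most of the missing-authorization entries in batches like this one.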

Synthesized by Vypr AI