VYPR
Advisory · Published Jun 2, 2026 · 1 source

WordPress: 25 Vulnerabilities Disclosed Together on June 2, 2026


Key findings

  • 25 WordPress plugin and theme vulnerabilities disclosed on June 2, 2026.
  • Vulnerabilities range from medium to critical severity, including SQLi, XSS, and RFI.
  • Critical flaws found in Ahmad WP Job Portal and Themeisle Masteriyo LMS PRO.
  • Multiple PHP Local File Inclusion vulnerabilities affect several plugins.
  • A significant number of Cross-Site Request Forgery (CSRF) vulnerabilities were also disclosed.

On June 2, 2026, a substantial cluster of 25 vulnerabilities affecting numerous WordPress plugins and themes was disclosed, impacting a wide range of functionalities and user permissions. The disclosures, occurring within a three-hour window, highlight ongoing security challenges within the expansive WordPress ecosystem. These vulnerabilities span several common exploit categories, including SQL injection, cross-site scripting (XSS), missing authorization, and deserialization flaws, with severity ratings ranging from medium to critical.

Several plugins were found to have critical or high-severity flaws. Ahmad WP Job Portal, for instance, is affected by a critical SQL injection vulnerability (CVE-2026-42684) and a high-severity reflected XSS vulnerability (CVE-2026-42685), both impacting versions up to 2.5.1. Themeisle Masteriyo LMS PRO faces a critical privilege escalation vulnerability (CVE-2025-53209) up to version 2.20.0. Additionally, Elated-Themes Töbel and Aperitif plugins are affected by high-severity deserialization of untrusted data vulnerabilities (CVE-2026-39551 and CVE-2026-39550, respectively), allowing object injection up to versions 1.8.1 and 1.6.

Another notable group of vulnerabilities involves PHP Local File Inclusion (LFI) flaws, with three distinct CVEs affecting Axiomthemes Crafti (CVE-2025-58705), UnboundStudio Accordion FAQ (CVE-2025-58024), and Axiomthemes Confidant (CVE-2025-53440). These high-severity issues, all impacting versions up to their respective latest releases (1.12, 2.2.1, and 1.4), could allow attackers to include and execute arbitrary PHP code from the server.

Missing authorization vulnerabilities were also prevalent, affecting plugins such as Five Star Restaurant Reservations (CVE-2026-42670), EventPrime (CVE-2026-42669), and Thim Core (CVE-2025-53346 and CVE-2025-53345). The latter, Thim Core, has a particularly severe missing authorization flaw (CVE-2025-53345) rated at 8.8, potentially leading to code execution. Other plugins with authorization issues include Anton Shevchuk Constructor (CVE-2025-53302), Printeers Print & Ship (CVE-2025-52766), and JTL-Connector for WooCommerce (CVE-2026-9234).

Cross-site scripting (XSS) vulnerabilities were identified in several plugins. The Tiled Gallery Carousel Without JetPack plugin has a stored XSS flaw (CVE-2026-5191) up to version 3.1. UnboundStudio Accordion FAQ also suffers from a reflected XSS vulnerability (CVE-2025-52759) up to version 2.2.1. Furthermore, stored XSS issues were found in DeMomentSomTres Shortcodes (CVE-2026-8885) and ZeM STL (CVE-2026-4081), both up to their latest versions, and Easy Cart (CVE-2026-4080) up to version 1.8.

A significant number of medium-severity Cross-Site Request Forgery (CSRF) vulnerabilities were also disclosed, affecting plugins like Remove NoFollow Commenter URL (CVE-2026-9730), Google Plus One Bottom (CVE-2026-9723), Laiser Tag (CVE-2026-9722), Tectite Forms (CVE-2026-9599), and Remove meta boxes per user role (CVE-2026-8422). These CSRF flaws, typically stemming from insufficient nonce validation, could allow unauthenticated attackers to trick users into performing unintended actions.
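To make the two most common root causes in this batch concrete (missing authorization in the plugins listed earlier and CSRF from insufficient nonce validation), the following is an added illustration, not code from the advisory or from any plugin named above: a hypothetical WordPress `admin-post.php` handler written the way these flaws typically arise, beside a hardened version using WordPress core's nonce and capability APIs. All `myplugin_*` names and the option key are assumptions.

```php
<?php
// Added example (not from the advisory or any affected plugin). Assumes it is
// loaded inside WordPress, where add_action(), check_admin_referer(),
// current_user_can() and wp_nonce_field() are core APIs.

// --- Vulnerable form: no capability check (missing authorization) and no
// nonce check (CSRF). Any logged-in user, of any role, who is lured into
// submitting a form pointing at admin-post.php?action=myplugin_save_vuln
// changes the option, and the request carries nothing proving intent.
add_action( 'admin_post_myplugin_save_vuln', function () {
    update_option( 'myplugin_api_endpoint', $_POST['endpoint'] );
    wp_safe_redirect( admin_url( 'options-general.php?page=myplugin' ) );
    exit;
} );

// --- Hardened form ---
add_action( 'admin_post_myplugin_save', function () {
    // 1. Authorization: only users allowed to manage options may change them.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', 403 );
    }
    // 2. CSRF: validate the nonce emitted by wp_nonce_field() below;
    //    check_admin_referer() stops the request with a 403 if it is bad.
    check_admin_referer( 'myplugin_save_settings', 'myplugin_nonce' );
    // 3. Input handling: unslash and sanitize before persisting.
    $endpoint = isset( $_POST['endpoint'] )
        ? esc_url_raw( wp_unslash( $_POST['endpoint'] ) )
        : '';
    update_option( 'myplugin_api_endpoint', $endpoint );
    wp_safe_redirect( admin_url( 'options-general.php?page=myplugin&updated=1' ) );
    exit;
} );

// Settings form paired with the hardened handler: wp_nonce_field() writes the
// hidden nonce and referer fields that check_admin_referer() validates.
function myplugin_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="myplugin_save">
        <?php wp_nonce_field( 'myplugin_save_settings', 'myplugin_nonce' ); ?>
        <input type="url" name="endpoint"
               value="<?php echo esc_attr( get_option( 'myplugin_api_endpoint', '' ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}
```

The nonce check alone does not replace the capability check: a nonce proves the request originated from a form WordPress rendered for that user, while `current_user_can()` decides whether that user should be allowed to perform the action at all.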

The disclosure of this large batch of vulnerabilities underscores the importance of regular security audits and prompt patching for WordPress sites. While no threat actor attribution or in-the-wild exploitation details were provided for this batch, the sheer volume and variety of flaws point to a broad attack surface across WordPress installations running the affected components. Users are advised to consult the specific advisories for each affected plugin and theme and apply the necessary updates.

Synthesized by Vypr AI