Security Advisory - Published 2026-06-09 - WordPress plugin

Simple Personal Message CVE-2016-20063: Legacy WordPress SQL Injection Self-Check

CVE-2016-20063 is an authenticated SQL injection issue tied to the old simple-personal-message WordPress plugin. This is mainly a legacy-site problem: old community sites, intranets, membership sites, or abandoned WordPress installs may still have the plugin active even if nobody uses private messaging anymore.

Risk note: this page does not include exploit strings or replay steps. The useful action is to confirm whether the plugin exists, remove or update it, and check whether low-privilege users had access while the old version was installed.

Who is affected

  • Plugin: Simple Personal Message, slug simple-personal-message
  • CVE: CVE-2016-20063
  • Known affected line: legacy version 1.0.3 and older
  • Current WordPress.org version: 2.0.0, last updated about 9 years ago
  • Attack surface: authenticated WordPress users with access to the plugin message view
  • Impact: possible database read or limited modification through unsafe SQL handling

10-minute self-check

Check whether the plugin is installed

wp plugin list | grep simple-personal-message
wp plugin get simple-personal-message --field=version

If the plugin is not installed, this CVE does not apply to the site. If version 1.0.3 or older is installed, treat it as exposed. For a plugin this old, removal is often safer than keeping it for a feature nobody uses.
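As an added example (not part of this advisory and not the plugin project's own code), a small POSIX sh helper that turns the wp-cli version query into a verdict against the 1.0.3-and-older line. It compares dot-separated numeric parts rather than strings, so a hypothetical 1.0.10 is not mistaken for something older than 1.0.3. The function names `spm_status`, `spm_check`, `version_le` and the `SPM_RUN` variable are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the advisory: triage the installed
# Simple Personal Message version against the known-affected line
# (1.0.3 and older). Only POSIX sh and awk are used; no sort -V.

# version_le A B -> exit 0 when A <= B, comparing dot-separated numeric parts
version_le() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, pa, "."); nb = split(b, pb, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = (i <= na) ? pa[i] + 0 : 0   # missing parts count as 0
            y = (i <= nb) ? pb[i] + 0 : 0
            if (x < y) exit 0
            if (x > y) exit 1
        }
        exit 0                              # equal versions
    }'
}

# spm_status VERSION -> prints one of: not-installed, exposed, patched
# (an empty VERSION means wp-cli found no such plugin)
spm_status() {
    v="$1"
    if [ -z "$v" ]; then
        echo "not-installed"
    elif version_le "$v" "1.0.3"; then
        echo "exposed"
    else
        echo "patched"
    fi
}

# spm_check: ask wp-cli for the installed version (run from the WordPress
# root); wp-cli exits non-zero when the plugin is absent, giving an empty value
spm_check() {
    v=$(wp plugin get simple-personal-message --field=version 2>/dev/null || true)
    spm_status "$v"
}

# Run the live check only when explicitly requested, so the file can also be
# sourced for its functions: SPM_RUN=1 sh spm-check.sh
if [ "${SPM_RUN:-0}" = "1" ]; then
    spm_check
fi
```

Run it with `SPM_RUN=1 sh spm-check.sh` from the WordPress root; a result of `exposed` means the plugin should be removed or updated before anything else on this page, and `patched` still deserves the removal question if nobody uses the feature.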

Check whether users could reach the message pages

  • Subscriber, customer, member, author, contributor, or forum accounts exist.
  • The site has old membership, BuddyPress-style, community, or intranet features.
  • Users can log in to wp-admin or reach plugin messaging screens.

The risk is higher when many low-privilege accounts existed during the exposure window. A private single-admin WordPress site is lower risk, but the plugin should still be removed or updated.

Review recent users and admin accounts

wp user list --fields=ID,user_login,user_email,roles,user_registered --orderby=registered --order=desc | head -50
wp user list --role=administrator --fields=ID,user_login,user_email,user_registered

Look for unfamiliar accounts, old subscriber accounts with changed roles, and admin activity that lines up with suspicious plugin access.

Review logs without replaying suspicious requests

grep -R -E 'simple-personal-message|admin\.php\?page=spm' /var/log/nginx /var/log/apache2 /usr/local/apache/logs 2>/dev/null | tail -120

Repeated hits to plugin admin pages from normal users, unusually long query strings, or a burst of requests that produced database errors (HTTP 500 responses or WordPress database error pages) should be preserved for review.
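As an added example (not the advisory's own tooling), a POSIX sh and awk summary over access-log lines that counts hits to the plugin's admin pages per client, records the longest query string each client sent, and marks a client for review above two thresholds. The thresholds (10 hits or a query longer than 200 characters), the sample log lines and the names `spm_log_summary` and `sample_log` are all constructed for this example, not taken from the advisory.

```shell
#!/bin/sh
# Added example, not from the advisory: summarise access-log lines that touch
# the Simple Personal Message admin pages. Reads combined-format log lines on
# stdin and prints one line per client: "ip hits max_query_len flag".
# Thresholds are assumptions chosen for illustration, not advisory values.
spm_log_summary() {
    awk '
    # field 7 of a combined-format line is the request path
    $7 ~ /admin[.]php[?]page=(simple-personal-message|spm)/ {
        ip = $1
        hits[ip]++
        q = $7
        sub(/^[^?]*[?]/, "", q)            # keep only the query string
        if (!(ip in maxq)) maxq[ip] = 0
        if (length(q) > maxq[ip]) maxq[ip] = length(q)
    }
    END {
        for (ip in hits) {
            flag = (hits[ip] >= 10 || maxq[ip] > 200) ? "REVIEW" : "ok"
            printf "%s %d %d %s\n", ip, hits[ip], maxq[ip], flag
        }
    }' | sort
}

# sample_log: constructed log lines for an offline run. One client polls the
# message page repeatedly, one sends a single very long query, one looks normal,
# and one line is unrelated to the plugin and must be ignored.
sample_log() {
    i=0
    while [ "$i" -lt 12 ]; do
        echo '203.0.113.5 - - [09/Jun/2026:10:00:01 +0000] "GET /wp-admin/admin.php?page=simple-personal-message&msg=3 HTTP/1.1" 200 512 "-" "Mozilla/5.0"'
        i=$((i + 1))
    done
    longq=$(awk 'BEGIN { while (i++ < 250) printf "A" }')   # 250-char filler
    printf '%s "GET /wp-admin/admin.php?page=simple-personal-message&view=%s HTTP/1.1" 500 0 "-" "Mozilla/5.0"\n' \
        '198.51.100.7 - member1 [09/Jun/2026:10:05:42 +0000]' "$longq"
    echo '192.0.2.9 - - [09/Jun/2026:10:07:13 +0000] "GET /wp-admin/admin.php?page=spm&inbox=1 HTTP/1.1" 200 900 "-" "Mozilla/5.0"'
    echo '192.0.2.9 - - [09/Jun/2026:10:07:20 +0000] "GET /wp-admin/admin.php?page=spm&inbox=1 HTTP/1.1" 200 900 "-" "Mozilla/5.0"'
    echo '192.0.2.9 - - [09/Jun/2026:10:08:00 +0000] "GET /wp-login.php HTTP/1.1" 200 1200 "-" "Mozilla/5.0"'
}

# Demonstration on the constructed lines; on a real host pipe the grep output
# from the advisory into spm_log_summary instead.
sample_log | spm_log_summary
```

The output is a triage list, not a verdict: a `REVIEW` client is one whose lines should be preserved and read in context (which user was logged in, what the response codes were), never replayed.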

Safe fix path

  1. Remove the plugin if it is not needed. Old private-message plugins often stay installed after the feature is abandoned.
  2. Update to 2.0.0 if you must keep it. Confirm the running plugin version after the update.
  3. Check users and roles. Remove unexplained admins and reset sessions after preserving evidence.
  4. Review database access. Check for unexpected database users, modified WordPress options, and changed site URLs.
  5. Rotate secrets if suspicious access is confirmed. Include WordPress admins, database password, and hosting panel credentials.

Signs that need a deeper review

  • The plugin was active on a site with many member or customer accounts.
  • Logs show repeated access to message-view pages by low-privilege users.
  • New admin users, changed site URLs, redirects, or suspicious options appeared after plugin access.
  • The database user has broad privileges and old logs are missing.

Ping7 repair path

Ask for repair help if the plugin was active on a public or membership site and you find suspicious users, redirects, or database changes. Start from Ping7 CVE repair and include the domain, plugin version, whether user registration was open, the first suspicious timestamp, and any logs you can safely share.

References