Security Advisory - Published 2026-06-09 - WordPress plugin
Simple Personal Message CVE-2016-20063: Legacy WordPress SQL Injection Self-Check
CVE-2016-20063 is an authenticated SQL injection issue tied to the old
simple-personal-message WordPress plugin. This is mainly a legacy-site
problem: old community sites, intranets, membership sites, or abandoned WordPress
installs may still have the plugin active even if nobody uses private messaging
anymore.
Who is affected
- Plugin: Simple Personal Message, slug simple-personal-message
- CVE: CVE-2016-20063
- Known affected line: legacy version 1.0.3 and older
- Current WordPress.org version: 2.0.0, last updated about 9 years ago
- Attack surface: authenticated WordPress users with access to the plugin message view
- Impact: possible database read or limited modification through unsafe SQL handling
10-minute self-check
Check whether the plugin is installed
wp plugin list | grep simple-personal-message
wp plugin get simple-personal-message --field=version
If the plugin is not installed, this CVE does not apply to the site. If version 1.0.3 or older is installed, treat it as exposed. For a plugin this old, removal is often safer than keeping it for a feature nobody uses.
Check whether users could reach the message pages
- Subscriber, customer, member, author, contributor, or forum accounts exist.
- The site has old membership, BuddyPress-style, community, or intranet features.
- Users can log in to wp-admin or reach plugin messaging screens.
The risk is higher when many low-privilege accounts existed during the exposure window. A private single-admin WordPress site is lower risk, but the plugin should still be removed or updated.
Review recent users and admin accounts
wp user list --fields=ID,user_login,user_email,roles,user_registered --orderby=registered --order=desc | head -50
wp user list --role=administrator --fields=ID,user_login,user_email,user_registered
Look for unfamiliar accounts, old subscriber accounts with changed roles, and admin activity that lines up with suspicious plugin access.
Review logs without replaying suspicious requests
grep -R "simple-personal-message\\|admin.php?page=simple-personal-message\\|admin.php?page=spm" /var/log/nginx /var/log/apache2 /usr/local/apache/logs 2>/dev/null | tail -120
Repeated hits to plugin admin pages from normal users, unusual query length, or a burst of failed database-looking requests should be preserved for review.
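An added helper script for the version and log steps above (example code written for this page, not part of the advisory or the plugin). It assumes the combined access log format used by nginx and Apache and runs on constructed sample lines, so it needs neither wp-cli nor a live site; in practice you would feed it your own log path and the version printed by wp plugin get.

```shell
# Added example, not the advisory's own tooling. Assumes nginx/apache combined log
# format; every log line below is a constructed sample using documentation addresses.

# is_exposed VERSION: exit 0 when VERSION falls in the affected line (1.0.3 or older).
is_exposed() {
    # Fold "major.minor.patch" into one integer so missing components count as 0.
    n=$(printf '%s\n' "$1" | awk -F. '{ printf "%d\n", $1*1000000 + $2*1000 + $3 }')
    [ "$n" -le 1000003 ]
}

# plugin_page_hits LOGFILE: requests to the plugin admin pages, counted per client IP
# and sorted most active first, so repeated access by one source stands out without
# replaying any request.
plugin_page_hits() {
    grep -E 'admin\.php\?page=(simple-personal-message|spm)' "$1" \
        | awk '{ print $1 }' | sort | uniq -c | sort -rn
}

# long_requests LOGFILE MAXLEN: lines whose request target ($7 in combined format) is
# longer than MAXLEN characters; unusual query length is one of the signs listed above.
long_requests() {
    awk -v max="$2" '{ if (length($7) > max) print }' "$1"
}

# Constructed sample log: one source hits the plugin pages three times, once with an
# abnormally long query string, and gets a 500 on the third request.
SAMPLE_LOG=$(mktemp)
LONGQ=$(awk 'BEGIN { while (i++ < 300) printf "x" }')
cat > "$SAMPLE_LOG" <<EOF
203.0.113.7 - - [09/Jun/2026:10:01:02 +0000] "GET /wp-admin/admin.php?page=simple-personal-message HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [09/Jun/2026:10:01:05 +0000] "GET /wp-admin/admin.php?page=spm&id=$LONGQ HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [09/Jun/2026:10:01:09 +0000] "GET /wp-admin/admin.php?page=simple-personal-message HTTP/1.1" 500 0 "-" "Mozilla/5.0"
198.51.100.4 - - [09/Jun/2026:11:20:00 +0000] "GET /wp-admin/admin.php?page=simple-personal-message HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.4 - - [09/Jun/2026:11:21:00 +0000] "GET /wp-admin/index.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
EOF

# Run both checks against the sample; keep the matching lines for review rather than
# re-sending them to the site.
plugin_page_hits "$SAMPLE_LOG"
long_requests "$SAMPLE_LOG" 200
```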
Safe fix path
- Remove the plugin if it is not needed. Old private-message plugins often stay installed after the feature is abandoned.
- Update to 2.0.0 if you must keep it. Confirm the running plugin version after the update.
- Check users and roles. Remove unexplained admins and reset sessions after preserving evidence.
- Review database access. Check for unexpected database users, modified WordPress options, and changed site URLs.
- Rotate secrets if suspicious access is confirmed. Include WordPress admins, database password, and hosting panel credentials.
Signs that need a deeper review
- The plugin was active on a site with many member or customer accounts.
- Logs show repeated access to message-view pages by low-privilege users.
- New admin users, changed site URLs, redirects, or suspicious options appeared after plugin access.
- The database user has broad privileges and old logs are missing.
Ping7 repair path
Ask for repair help if the plugin was active on a public or membership site and you find suspicious users, redirects, or database changes. Start from Ping7 CVE repair and include the domain, plugin version, whether user registration was open, the first suspicious timestamp, and any logs you can safely share.