Security Advisory - Published 2026-06-18 - WordPress Object Injection

WordPress PHP object injection batch: remove stale code before log review

These CVEs affect themes, page builders, ecommerce filters, forms, and integration plugins. Each is a PHP object injection: untrusted input reaches unserialize(), so an attacker can instantiate arbitrary classes, and the real impact depends on which magic-method gadget chains (__wakeup, __destruct, __toString) exist in the code loaded on that site. The practical risk therefore rises when the affected component is installed on a site with old dependencies (more gadget classes), writable plugin directories, or exposed form endpoints.

Defensive scope: use this page only for owned WordPress sites and client-approved cleanup. The checks stay at versions, file changes, users, logs, and backups.

Affected components

CVE             Component                    Affected       CVSS
CVE-2026-42380  AI Lab                       < 5.4.2        9.8
CVE-2025-60236  Creatify                     <= 1.5         9.8
CVE-2026-39529  Elementra                    <= 1.0.9       9.8
CVE-2026-54194  Fusion Builder               <= 3.15.4      9.8
CVE-2025-69108  Hot Coffee                   <= 1.7         9.8
CVE-2026-49075  JetEngine                    <= 3.8.9.1     9.8
CVE-2026-52706  JetEngine                    <= 3.8.10      9.8
CVE-2025-60229  Lagom                        <= 2.0         9.8
CVE-2026-49108  Moderno                      < 1.43         9.8
CVE-2026-27429  Nifty                        <= 1.4.1       9.8
CVE-2025-69127  Plumbing                     <= 1.6         9.8
CVE-2025-69111  Reisen                       <= 1.4.1       9.8
CVE-2025-69122  SeaFood Company              <= 1.4         9.8
CVE-2025-60230  The Barber Shop              <= 1.9         9.8
CVE-2025-60231  The Hospital                 <= 1.8.1       9.8
CVE-2025-60205  ThemeREX Addons              <= 2.36.1.1    9.8
CVE-2026-49107  Thrive Apprentice            < 10.8.10.2    9.8
CVE-2026-40725  WooCommerce Product Filters  < 2.0.6        9.8
CVE-2026-54806  WP Activity Log              <= 5.6.3.1     9.8
CVE-2026-12256  Avada                        <= 3.15.3      8.8

Owner self-check

wp plugin list --fields=name,version,status
wp theme list --fields=name,version,status
find wp-content/plugins wp-content/themes -type f -mtime -7 | grep -E '\.(php|phtml|phar|zip)$'
grep -iE "unserialize|__wakeup|fatal error|unexpected object" wp-content/debug.log 2>/dev/null

Disabled plugins and old theme folders still count as exposed code if they remain under the web root: their PHP files can be requested directly, and their classes can serve as gadgets once a deserialization sink exists elsewhere. wp-content/debug.log only exists when WP_DEBUG_LOG is enabled; otherwise run the same search against the web server's error log. Keep suspicious files and logs until the timeline is clear.
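As an added example (not part of this advisory and not Ping7 tooling), the following POSIX shell script compares an installed-component list against the affected-version table above. The installed list is constructed sample data standing in for `wp plugin list --fields=name,version --format=csv`; the script matches on the advisory's component names, so mapping your plugin and theme slugs to those names by hand is an assumption, as is the restriction to purely numeric dotted versions such as 3.8.9.1.

```shell
#!/bin/sh
# Added example, not from the advisory: check installed components against the
# advisory's affected-version table. Assumptions: names are matched against the
# advisory's display names (map slugs by hand), versions are numeric dotted strings.

# Copied from the advisory table: Component|operator|version|CVE
ADVISORY='AI Lab|<|5.4.2|CVE-2026-42380
Creatify|<=|1.5|CVE-2025-60236
Elementra|<=|1.0.9|CVE-2026-39529
Fusion Builder|<=|3.15.4|CVE-2026-54194
Hot Coffee|<=|1.7|CVE-2025-69108
JetEngine|<=|3.8.9.1|CVE-2026-49075
JetEngine|<=|3.8.10|CVE-2026-52706
Lagom|<=|2.0|CVE-2025-60229
Moderno|<|1.43|CVE-2026-49108
Nifty|<=|1.4.1|CVE-2026-27429
Plumbing|<=|1.6|CVE-2025-69127
Reisen|<=|1.4.1|CVE-2025-69111
SeaFood Company|<=|1.4|CVE-2025-69122
The Barber Shop|<=|1.9|CVE-2025-60230
The Hospital|<=|1.8.1|CVE-2025-60231
ThemeREX Addons|<=|2.36.1.1|CVE-2025-60205
Thrive Apprentice|<|10.8.10.2|CVE-2026-49107
WooCommerce Product Filters|<|2.0.6|CVE-2026-40725
WP Activity Log|<=|5.6.3.1|CVE-2026-54806
Avada|<=|3.15.3|CVE-2026-12256'

# vercmp A B: prints -1, 0 or 1 as A is lower than, equal to or higher than B.
# Missing trailing components count as 0, so 1.4 equals 1.4.0.
vercmp() {
  a=$1; b=$2
  while [ -n "$a" ] || [ -n "$b" ]; do
    ah=${a%%.*}; bh=${b%%.*}
    if [ "$a" = "$ah" ]; then a=''; else a=${a#*.}; fi
    if [ "$b" = "$bh" ]; then b=''; else b=${b#*.}; fi
    ah=${ah:-0}; bh=${bh:-0}
    if [ "$ah" -lt "$bh" ]; then echo -1; return 0; fi
    if [ "$ah" -gt "$bh" ]; then echo 1; return 0; fi
  done
  echo 0
}

# is_affected INSTALLED OP ADVISORY_VERSION: succeeds when INSTALLED falls in the
# affected range described by OP (< or <=) and ADVISORY_VERSION.
is_affected() {
  c=$(vercmp "$1" "$3")
  case $2 in
    '<')  [ "$c" = "-1" ] ;;
    '<=') [ "$c" != "1" ] ;;
    *)    return 2 ;;
  esac
}

# check_installed LIST: LIST holds one "Name,version" line per component
# (a leading "name,version" header line is harmless). Prints one VULNERABLE
# line per advisory row that matches; a component can match several CVEs.
check_installed() {
  printf '%s\n' "$1" | while IFS=, read -r name ver; do
    [ -n "$name" ] || continue
    lname=$(printf '%s' "$name" | tr 'A-Z' 'a-z')
    printf '%s\n' "$ADVISORY" | while IFS='|' read -r comp op bad cve; do
      lcomp=$(printf '%s' "$comp" | tr 'A-Z' 'a-z')
      [ "$lname" = "$lcomp" ] || continue
      if is_affected "$ver" "$op" "$bad"; then
        echo "VULNERABLE $cve $name $ver (affected $op $bad)"
      fi
    done
  done
}

# Constructed sample input standing in for:
#   wp plugin list --fields=name,version --format=csv   (after mapping slugs to names)
SAMPLE_INSTALLED='name,version
JetEngine,3.8.9.1
WP Activity Log,5.6.3.1
Avada,3.15.4
Moderno,1.43'

check_installed "$SAMPLE_INSTALLED"
```

On the sample input this reports JetEngine 3.8.9.1 twice (both JetEngine rows cover it) and WP Activity Log 5.6.3.1 once; Avada 3.15.4 is above the affected range and Moderno 1.43 is exactly the fixed version for a strict `<` row, so neither is listed. Pre-release suffixes such as 1.2-beta are not handled; treat any such version as needing a manual check.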

Safe fix path

  • Patch supported components and delete unused plugins or themes from disk.
  • Review new PHP-like files, cron jobs, mu-plugins, admin users, and plugin editor activity.
  • Rotate salts, administrator passwords, API keys, SFTP credentials, and payment or CRM tokens if compromise cannot be ruled out.
  • Rebuild from a clean backup when modified plugin code cannot be explained.
  • Use Ping7 CVE Repair for cleanup, backdoor review, and a written repair report.

References