Security Advisory - Published 2026-06-18 - WordPress Object Injection
WordPress PHP object injection batch: remove stale code before log review
These CVEs affect themes, builders, ecommerce filters, forms, and integration plugins. The practical risk rises when the affected component is installed on a site with old dependencies, writable plugin directories, or exposed form endpoints.
Affected components
| CVE | Component | Affected | CVSS |
|---|---|---|---|
| CVE-2026-42380 | AI Lab | < 5.4.2 | 9.8 |
| CVE-2025-60236 | Creatify | <= 1.5 | 9.8 |
| CVE-2026-39529 | Elementra | <= 1.0.9 | 9.8 |
| CVE-2026-54194 | Fusion Builder | <= 3.15.4 | 9.8 |
| CVE-2025-69108 | Hot Coffee | <= 1.7 | 9.8 |
| CVE-2026-49075 | JetEngine | <= 3.8.9.1 | 9.8 |
| CVE-2026-52706 | JetEngine | <= 3.8.10 | 9.8 |
| CVE-2025-60229 | Lagom | <= 2.0 | 9.8 |
| CVE-2026-49108 | Moderno | < 1.43 | 9.8 |
| CVE-2026-27429 | Nifty | <= 1.4.1 | 9.8 |
| CVE-2025-69127 | Plumbing | <= 1.6 | 9.8 |
| CVE-2025-69111 | Reisen | <= 1.4.1 | 9.8 |
| CVE-2025-69122 | SeaFood Company | <= 1.4 | 9.8 |
| CVE-2025-60230 | The Barber Shop | <= 1.9 | 9.8 |
| CVE-2025-60231 | The Hospital | <= 1.8.1 | 9.8 |
| CVE-2025-60205 | ThemeREX Addons | <= 2.36.1.1 | 9.8 |
| CVE-2026-49107 | Thrive Apprentice | < 10.8.10.2 | 9.8 |
| CVE-2026-40725 | WooCommerce Product Filters | < 2.0.6 | 9.8 |
| CVE-2026-54806 | WP Activity Log | <= 5.6.3.1 | 9.8 |
| CVE-2026-12256 | Avada | <= 3.15.3 | 8.8 |
Owner self-check
```shell
# Inventory every plugin and theme on disk, including inactive ones
wp plugin list --fields=name,version,status
wp theme list --fields=name,version,status
# PHP-like or archive files changed in the last 7 days under plugin and theme directories
find wp-content/plugins wp-content/themes -type f -mtime -7 | grep -E '\.php$|\.phtml$|\.phar$|\.zip$'
# Deserialization-related errors in the debug log (file may not exist)
grep -R -E "unserialize|__wakeup|fatal error|unexpected object" wp-content/debug.log 2>/dev/null
```
Disabled plugins and old theme folders still count as exposed code if they remain under the web root. Keep suspicious files and logs until the timeline is clear.
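The version check the two `wp ... list` commands feed is easy to get wrong by hand, because the table mixes `<` and `<=` boundaries and four-part versions such as 3.8.9.1 sort differently from a string compare. The script below is an added example, not part of the advisory or of WP-CLI: it takes the CSV output of `wp plugin list --fields=name,version,status --format=csv` (and the theme equivalent), compares each installed version numerically against the advisory table, and flags inactive components too, since they remain exposed on disk. The sample inventory is constructed, and matching advisory display names to site slugs by stripping spaces, case and hyphens is a heuristic assumption that should be adjusted to the site's real slugs.

```python
"""Compare wp-cli plugin/theme inventory against the advisory table.

Added example (not from the advisory, WordPress or WP-CLI). Assumes the
input is `--format=csv` output with name,version,status columns.
"""
import csv
import io
import re

# (CVE, component, operator, boundary version, CVSS) copied from the advisory table.
ADVISORY = [
    ("CVE-2026-42380", "AI Lab", "<", "5.4.2", 9.8),
    ("CVE-2025-60236", "Creatify", "<=", "1.5", 9.8),
    ("CVE-2026-39529", "Elementra", "<=", "1.0.9", 9.8),
    ("CVE-2026-54194", "Fusion Builder", "<=", "3.15.4", 9.8),
    ("CVE-2025-69108", "Hot Coffee", "<=", "1.7", 9.8),
    ("CVE-2026-49075", "JetEngine", "<=", "3.8.9.1", 9.8),
    ("CVE-2026-52706", "JetEngine", "<=", "3.8.10", 9.8),
    ("CVE-2025-60229", "Lagom", "<=", "2.0", 9.8),
    ("CVE-2026-49108", "Moderno", "<", "1.43", 9.8),
    ("CVE-2026-27429", "Nifty", "<=", "1.4.1", 9.8),
    ("CVE-2025-69127", "Plumbing", "<=", "1.6", 9.8),
    ("CVE-2025-69111", "Reisen", "<=", "1.4.1", 9.8),
    ("CVE-2025-69122", "SeaFood Company", "<=", "1.4", 9.8),
    ("CVE-2025-60230", "The Barber Shop", "<=", "1.9", 9.8),
    ("CVE-2025-60231", "The Hospital", "<=", "1.8.1", 9.8),
    ("CVE-2025-60205", "ThemeREX Addons", "<=", "2.36.1.1", 9.8),
    ("CVE-2026-49107", "Thrive Apprentice", "<", "10.8.10.2", 9.8),
    ("CVE-2026-40725", "WooCommerce Product Filters", "<", "2.0.6", 9.8),
    ("CVE-2026-54806", "WP Activity Log", "<=", "5.6.3.1", 9.8),
    ("CVE-2026-12256", "Avada", "<=", "3.15.3", 8.8),
]


def version_key(v):
    """Dotted version -> tuple of ints; non-numeric pieces ('beta') count as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in re.split(r"[.\-_]", v.strip()))


def version_cmp(a, b):
    """Numeric compare; shorter tuple is zero-padded so 2.0 == 2.0.0."""
    ka, kb = version_key(a), version_key(b)
    n = max(len(ka), len(kb))
    ka += (0,) * (n - len(ka))
    kb += (0,) * (n - len(kb))
    return (ka > kb) - (ka < kb)


def is_affected(installed, op, boundary):
    """Apply the table's '<' or '<=' boundary to an installed version."""
    c = version_cmp(installed, boundary)
    return c < 0 if op == "<" else c <= 0


def normalize(name):
    """Heuristic slug match (assumption): 'JetEngine' and 'jet-engine' -> 'jetengine'."""
    return re.sub(r"[^a-z0-9]", "", name.lower())


def check_inventory(csv_text, kind):
    """Return (kind, slug, version, status, cve) for every affected row.

    Status is reported but never used to skip a row: inactive code that is
    still under the web root is still exposed.
    """
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        slug = normalize(row["name"])
        for cve, component, op, boundary, _cvss in ADVISORY:
            if normalize(component) == slug and is_affected(row["version"], op, boundary):
                hits.append((kind, row["name"], row["version"], row["status"], cve))
    return hits


# Constructed sample output of `wp plugin list` / `wp theme list --format=csv`.
SAMPLE_PLUGINS = """name,version,status
jet-engine,3.8.10,active
wp-activity-log,5.6.4,active
woocommerce-product-filters,2.0.6,inactive
thrive-apprentice,10.8.9,active
"""
SAMPLE_THEMES = """name,version,status
avada,3.15.3,inactive
moderno,1.43,active
"""

if __name__ == "__main__":
    for hit in check_inventory(SAMPLE_PLUGINS, "plugin") + check_inventory(SAMPLE_THEMES, "theme"):
        print(hit)
```

On the constructed sample, JetEngine 3.8.10 is past the 3.8.9.1 boundary of CVE-2026-49075 but still inside the 3.8.10 boundary of CVE-2026-52706, WooCommerce Product Filters 2.0.6 is exactly the fixed version and is not flagged, and the inactive Avada theme is flagged anyway.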
Safe fix path
- Patch supported components and delete unused plugins or themes from disk.
- Review new PHP-like files, cron jobs, mu-plugins, admin users, and plugin editor activity.
- Rotate salts, administrator passwords, API keys, SFTP credentials, and payment or CRM tokens if compromise cannot be ruled out.
- Rebuild from a clean backup when modified plugin code cannot be explained.
- Use Ping7 CVE Repair for cleanup, backdoor review, and a written repair report.