Security Advisory - Published 2026-06-18 - WordPress SQL Injection

WordPress June 18 SQL injection CVEs: patch plugin versions and preserve logs

This batch covers high and critical SQL injection reports from the latest Ping7 monitor run. Check active plugins, disabled plugin folders left on disk, database errors, and account changes before closing the maintenance ticket.

Defensive scope: use this page only for owned WordPress sites or approved repair work. The checks stay at inventory, patch state, logs, users, and database changes.

Affected components

| CVE | Plugin or theme | Affected | CVSS |
|---|---|---|---|
| CVE-2025-59554 | Advanced Ads - Tracking | < 3.0.7 | 9.3 |
| CVE-2026-39596 | Blocksy Companion Pro | < 2.1.29 | 9.3 |
| CVE-2026-54815 | Cargo Shipping Location for WooCommerce | <= 5.6 | 9.3 |
| CVE-2026-54809 | GIFT4U | <= 1.0.10 | 9.3 |
| CVE-2026-49076 | JetEngine | <= 3.8.9.1 | 9.3 |
| CVE-2026-49084 | JetEngine | < 3.8.9.1 | 9.3 |
| CVE-2026-54187 | JetEngine | <= 3.8.10.1 | 9.3 |
| CVE-2026-49079 | JetSearch | <= 3.5.17 | 9.3 |
| CVE-2026-48875 | JetSmartFilters | <= 3.8.1 | 9.3 |
| CVE-2026-54186 | JobSearch | <= 3.2.9 | 9.3 |
| CVE-2026-54819 | Listdom | <= 5.4.0 | 9.3 |
| CVE-2026-39438 | ListingPro | <= 2.9.10 | 9.3 |
| CVE-2026-54812 | Motors | <= 1.4.109 | 9.3 |
| CVE-2026-22332 | Tutor LMS Pro | <= 3.9.6 | 9.3 |
| CVE-2026-54811 | WP eMember | < 10.9.4 | 9.3 |
| CVE-2026-54808 | WP Travel Gutenberg Blocks | <= 3.9.4 | 9.3 |
| CVE-2026-49080 | wpDataTables | <= 7.3.6 | 9.3 |
| CVE-2026-22340 | WPJobster | <= 6.3.5 | 9.3 |

Owner self-check

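    # Inventory installed plugins and themes, including inactive ones
    wp plugin list --fields=name,version,status
    wp theme list --fields=name,version,status
    # Database-related errors in the WordPress debug log
    grep -E "database error|SQL syntax|wpdb|dbDelta|mysql" wp-content/debug.log 2>/dev/null
    # Executable or archive files changed in the last 7 days
    find wp-content -type f -mtime -7 | grep -E '\.(php|phtml|phar|zip)$'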

A clean result means the affected component is patched or removed, no unexplained database errors are present, and no new administrator, shop manager, editor, or API user appeared during the exposure window.
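The version half of that check can be automated. The following Python script is an added example, not part of the original advisory or any Ping7 tooling: it compares `wp plugin list --fields=name,title,version,status --format=json` output against the affected ranges in the table above, and reports inactive components too. It assumes the wp-cli `title` field matches the component name as written in the table, which may need adjusting per site; the sample input is constructed.

```python
import json
import re

AFFECTED = [  # rows copied from this page's table: (CVE, component, op, bound)
    ("CVE-2025-59554", "Advanced Ads - Tracking", "<", "3.0.7"),
    ("CVE-2026-39596", "Blocksy Companion Pro", "<", "2.1.29"),
    ("CVE-2026-54815", "Cargo Shipping Location for WooCommerce", "<=", "5.6"),
    ("CVE-2026-54809", "GIFT4U", "<=", "1.0.10"),
    ("CVE-2026-49076", "JetEngine", "<=", "3.8.9.1"),
    ("CVE-2026-49084", "JetEngine", "<", "3.8.9.1"),
    ("CVE-2026-54187", "JetEngine", "<=", "3.8.10.1"),
    ("CVE-2026-49079", "JetSearch", "<=", "3.5.17"),
    ("CVE-2026-48875", "JetSmartFilters", "<=", "3.8.1"),
    ("CVE-2026-54186", "JobSearch", "<=", "3.2.9"),
    ("CVE-2026-54819", "Listdom", "<=", "5.4.0"),
    ("CVE-2026-39438", "ListingPro", "<=", "2.9.10"),
    ("CVE-2026-54812", "Motors", "<=", "1.4.109"),
    ("CVE-2026-22332", "Tutor LMS Pro", "<=", "3.9.6"),
    ("CVE-2026-54811", "WP eMember", "<", "10.9.4"),
    ("CVE-2026-54808", "WP Travel Gutenberg Blocks", "<=", "3.9.4"),
    ("CVE-2026-49080", "wpDataTables", "<=", "7.3.6"),
    ("CVE-2026-22340", "WPJobster", "<=", "6.3.5"),
]

def vkey(version):
    """Dotted version -> int tuple; trailing zeros dropped so 5.4 == 5.4.0."""
    parts = [int(re.match(r"\d*", p).group() or 0) for p in version.split(".")]
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)

def audit(wp_list_json):
    """Return (component, version, status, CVE) hits; inactive items count too."""
    hits = []
    for item in json.loads(wp_list_json):
        for cve, component, op, bound in AFFECTED:
            have, fixed = vkey(item["version"]), vkey(bound)
            # Assumption: the wp-cli `title` equals the name used in the table.
            named = item["title"].strip().lower() == component.lower()
            if named and (have < fixed or (op == "<=" and have == fixed)):
                hits.append((component, item["version"], item["status"], cve))
    return hits

SAMPLE = json.dumps([  # constructed; shaped like wp-cli --format=json output
    {"title": "JetEngine", "version": "3.8.10", "status": "active"},
    {"title": "wpDataTables", "version": "7.3.6", "status": "inactive"},
    {"title": "Listdom", "version": "5.4.1", "status": "active"},
])
if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

Run the same comparison on `wp theme list` output, since the table covers both plugins and themes.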

Safe fix path

  • Patch each affected plugin or theme to a fixed vendor release. Remove abandoned components.
  • Preserve web, PHP, WordPress debug, WAF, and database logs before cleanup.
  • Review recently changed options, users, roles, orders, bookings, listings, and form submissions.
  • Rotate WordPress admin passwords and API keys if suspicious database activity is found.
  • Use Ping7 CVE Repair if the site stores orders, leads, payments, or user accounts and logs are incomplete.

References