Security Advisory - Published 2026-06-18 - WordPress SQL Injection
WordPress June 18 SQL injection CVEs: patch plugin versions and preserve logs
This batch covers high and critical SQL injection reports from the latest Ping7 monitor run. Check active plugins, disabled plugin folders left on disk, database errors, and account changes before closing the maintenance ticket.
Affected components
| CVE | Plugin or theme | Affected | CVSS |
|---|---|---|---|
| CVE-2025-59554 | Advanced Ads - Tracking | < 3.0.7 | 9.3 |
| CVE-2026-39596 | Blocksy Companion Pro | < 2.1.29 | 9.3 |
| CVE-2026-54815 | Cargo Shipping Location for WooCommerce | <= 5.6 | 9.3 |
| CVE-2026-54809 | GIFT4U | <= 1.0.10 | 9.3 |
| CVE-2026-49076 | JetEngine | <= 3.8.9.1 | 9.3 |
| CVE-2026-49084 | JetEngine | < 3.8.9.1 | 9.3 |
| CVE-2026-54187 | JetEngine | <= 3.8.10.1 | 9.3 |
| CVE-2026-49079 | JetSearch | <= 3.5.17 | 9.3 |
| CVE-2026-48875 | JetSmartFilters | <= 3.8.1 | 9.3 |
| CVE-2026-54186 | JobSearch | <= 3.2.9 | 9.3 |
| CVE-2026-54819 | Listdom | <= 5.4.0 | 9.3 |
| CVE-2026-39438 | ListingPro | <= 2.9.10 | 9.3 |
| CVE-2026-54812 | Motors | <= 1.4.109 | 9.3 |
| CVE-2026-22332 | Tutor LMS Pro | <= 3.9.6 | 9.3 |
| CVE-2026-54811 | WP eMember | < 10.9.4 | 9.3 |
| CVE-2026-54808 | WP Travel Gutenberg Blocks | <= 3.9.4 | 9.3 |
| CVE-2026-49080 | wpDataTables | <= 7.3.6 | 9.3 |
| CVE-2026-22340 | WPJobster | <= 6.3.5 | 9.3 |
Owner self-check
wp plugin list --fields=name,version,status
wp theme list --fields=name,version,status
grep -R "database error\|SQL syntax\|wpdb\|dbDelta\|mysql" wp-content/debug.log 2>/dev/null
find wp-content -type f -mtime -7 | grep -E '\.php$|\.phtml$|\.phar$|\.zip$'
A clean result means the affected component is patched or removed, no unexplained database errors are present, and no new administrator, shop manager, editor, or API user appeared during the exposure window.
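The version comparison behind the affected-components table and the plugin listing above, as an added example that is not part of the original advisory: it flags installed plugins whose version falls inside an affected range, including inactive ones. It assumes GNU `sort -V`, CSV input from `wp plugin list --fields=title,version,status --format=csv`, and that installed titles match the table text exactly; the function names are illustrative.

```shell
# Added example, not vendor or Ping7 code. Rows copy the advisory table as
# CVE|title|op|bound (lt is <, le is <=). Assumes WP-CLI titles match the table.
AFFECTED='CVE-2025-59554|Advanced Ads - Tracking|lt|3.0.7
CVE-2026-39596|Blocksy Companion Pro|lt|2.1.29
CVE-2026-54815|Cargo Shipping Location for WooCommerce|le|5.6
CVE-2026-54809|GIFT4U|le|1.0.10
CVE-2026-49076|JetEngine|le|3.8.9.1
CVE-2026-49084|JetEngine|lt|3.8.9.1
CVE-2026-54187|JetEngine|le|3.8.10.1
CVE-2026-49079|JetSearch|le|3.5.17
CVE-2026-48875|JetSmartFilters|le|3.8.1
CVE-2026-54186|JobSearch|le|3.2.9
CVE-2026-54819|Listdom|le|5.4.0
CVE-2026-39438|ListingPro|le|2.9.10
CVE-2026-54812|Motors|le|1.4.109
CVE-2026-22332|Tutor LMS Pro|le|3.9.6
CVE-2026-54811|WP eMember|lt|10.9.4
CVE-2026-54808|WP Travel Gutenberg Blocks|le|3.9.4
CVE-2026-49080|wpDataTables|le|7.3.6
CVE-2026-22340|WPJobster|le|6.3.5'
# version_le A B: succeeds when A <= B in version order (needs GNU sort -V).
version_le() { [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]; }
# in_range VERSION OP BOUND: succeeds when VERSION is inside the affected range.
in_range() {
    case "$2" in
        le) version_le "$1" "$3" ;;
        lt) [ "$1" != "$3" ] && version_le "$1" "$3" ;;
        *)  return 1 ;;
    esac
}
# check_plugins: reads title,version,status CSV on stdin, prints one line per matching CVE.
check_plugins() {
    while IFS=, read -r title version status; do
        title=${title#\"}; title=${title%\"}   # drop optional CSV quoting
        printf '%s\n' "$AFFECTED" | while IFS='|' read -r cve name op bound; do
            if [ "$title" = "$name" ] && in_range "$version" "$op" "$bound"; then
                printf '%s: %s %s (%s)\n' "$cve" "$title" "$version" "$status"
            fi
        done
    done
}

# Constructed sample of the CSV listing; inactive plugins are still checked.
check_plugins <<'EOF'
title,version,status
"JetEngine",3.8.9.1,inactive
"Motors",1.4.20,active
"JetSearch",3.5.18,active
EOF
```

On a live site, replace the constructed sample with the piped output of the `wp plugin list` command named above. A title containing a comma would need a real CSV parser.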
Safe fix path
- Patch each affected plugin or theme to a fixed vendor release. Remove abandoned components.
- Preserve web, PHP, WordPress debug, WAF, and database logs before cleanup.
- Review recently changed options, users, roles, orders, bookings, listings, and form submissions.
- Rotate WordPress admin passwords and API keys if suspicious database activity is found.
- Use Ping7 CVE Repair if the site stores orders, leads, payments, or user accounts and logs are incomplete.