Skip to main content

Listdom CVE-2026-54819

CRITICAL
SQL Injection (CWE-89)
2026-06-17 Patchstack
9.3
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
9.3 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
vuln.today AI
8.6 HIGH

Remote unauthenticated blind SQLi in a WordPress plugin reaches the shared core DB (S:C, C:H); blind read-only nature makes integrity and availability impact negligible (I:N/A:N).

3.1 AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jun 17, 2026 - 14:23 vuln.today

DescriptionCVE.org

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Webilia Inc. Listdom allows Blind SQL Injection.

This issue affects Listdom: from n/a through 5.4.0.

AnalysisAI

Blind SQL injection in Webilia's Listdom WordPress plugin (versions up to and including 5.4.0) allows remote unauthenticated attackers to inject SQL fragments into back-end queries and extract data inferentially. The flaw carries a 9.3 CVSS score with a scope change (S:C), indicating the injection can affect resources beyond the vulnerable component. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify WordPress site running Listdom ≤5.4.0
Delivery
Locate vulnerable plugin parameter
Exploit
Inject blind SQL payload
Execution
Infer database contents via timing/boolean
Persist
Extract admin hashes and secrets
Impact
Pivot to full site compromise

Vulnerability AssessmentAI

Exploitation Target site must have the Listdom plugin installed and activated at version 5.4.0 or earlier, with at least one vulnerable plugin endpoint reachable to anonymous web visitors (consistent with the typical front-end listing/search pages Listdom exposes). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are mixed-but-leaning-serious. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated attacker discovers a WordPress site running Listdom ≤5.4.0, identifies a vulnerable listing/search/filter endpoint exposed by the plugin, and submits crafted parameter values containing time-based or boolean SQL payloads. Through inferential responses, they enumerate the wp_users table to extract administrator password hashes and any sensitive data stored in wp_options, then attempt offline cracking or use the data to pivot to site takeover.
Remediation Upgrade Listdom to a version newer than 5.4.0 once Webilia publishes a fixed release; the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/listdom/vulnerability/wordpress-listdom-plugin-5-4-0-sql-injection-vulnerability should be monitored for the exact patched version, as no specific fix version was provided in the supplied intelligence. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Conduct a complete inventory of WordPress instances; identify all running Webilia Listdom versions 5.4.0 or earlier and classify by data sensitivity. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-54819 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy