Security Bulletin for 24 June 2026: Two Flaws in WP Activity Log and a SQL Injection in The Events Calendar
24 June 2026 · jproxx Security
This is our daily security overview, in which we review newly published vulnerabilities and pick out the ones that genuinely matter for running WordPress websites, online shops and PHP applications. Every statement in this bulletin has been checked against its underlying primary source, which is linked at the end of each section. Three vulnerabilities stand out for 24 June 2026, spread across two plugins and all already patched: two affect the WP Activity Log audit plugin, and the third affects The Events Calendar plugin.
CVE-2026-54806 — Unauthenticated PHP Object Injection in the WP Activity Log Plugin (critical)
A PHP object injection has been found in all versions of WP Activity Log up to and including 5.6.3.1. The activity and audit-log plugin by Melapress is installed on around 300,000 WordPress sites, where it records every user action. The flaw arises because submitted data is deserialised before it has been sufficiently validated, and because no login is required, a single crafted request is enough for an attacker to inject arbitrary PHP objects into the application. The plugin itself does not contain a directly exploitable gadget chain (a property-oriented programming, or POP, chain), but as soon as any other installed plugin or theme provides one, the flaw can be escalated to file deletion, theft of confidential data or full code execution on the server, a precondition that is frequently met on sites running many plugins. Patchstack, the CVE Numbering Authority that assigned the CVE, rates the vulnerability at CVSS 9.8 (critical), and the National Vulnerability Database carries the same score; the WordPress vulnerability service WPScan assigns a lower but still high score of 8.1. The fix is in version 5.6.4, to which operators should update without delay.
Sources: National Vulnerability Database — CVE-2026-54806 · WPScan advisory
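To make the mechanism concrete, here is an added example of PHP object injection that is not code from WP Activity Log or Melapress: a generic gadget class, the deserialisation pattern that lets attacker-supplied data instantiate it, and two hardened alternatives. The class name, property and file path are constructed for the illustration, and the code assumes PHP 8.0 or newer.

```php
<?php
// Added illustration of PHP object injection (generic, not WP Activity Log's code).
// Requires PHP 8.0+ for the typed signatures.

// A "gadget": a class with a magic method that does something dangerous.
// It need not live in the vulnerable plugin; any other active plugin or theme
// that ships such a class completes the POP chain.
class LogFlusher
{
    public string $path = '/tmp/activity.log';

    public function __destruct()
    {
        // A real gadget would unlink($this->path) or worse; this one only reports.
        echo "gadget fired: would delete {$this->path}\n";
    }
}

// Vulnerable: request data is deserialised before anything checks what it is.
function restore_vulnerable(string $blob): mixed
{
    return unserialize(base64_decode($blob));
}

// Hardened: allowed_classes => false turns every object into __PHP_Incomplete_Class,
// so no __wakeup or __destruct of any real class can run; the result is then
// checked for the only shape this code expects.
function restore_hardened(string $blob): array
{
    $data = unserialize(base64_decode($blob), ['allowed_classes' => false]);
    if (!is_array($data)) {
        throw new InvalidArgumentException('expected a serialised array');
    }
    return $data;
}

// Preferred: do not accept PHP's serialisation format from untrusted sources at all.
function restore_json(string $json): array
{
    $data = json_decode($json, true, 512, JSON_THROW_ON_ERROR);
    return is_array($data) ? $data : [];
}

// Constructed attacker payload: a hand-written serialised LogFlusher with a chosen path.
// No attacker code is uploaded; the string alone selects the class and sets its property.
$payload = base64_encode('O:10:"LogFlusher":1:{s:4:"path";s:22:"/var/www/wp-config.php";}');

$obj = restore_vulnerable($payload);   // instantiates LogFlusher from attacker data
unset($obj);                           // __destruct runs with the attacker's $path

try {
    restore_hardened($payload);
} catch (InvalidArgumentException $e) {
    echo "hardened path rejected payload: {$e->getMessage()}\n";
}
```

Run it with php on the command line: the vulnerable path prints the gadget's message with the attacker-chosen path, while the hardened path rejects the payload because the object arrives as __PHP_Incomplete_Class and fails the array check. The point for operators is the one made above: whether a usable gadget exists is decided by the whole installed code base, not by the plugin that called unserialize().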
CVE-2026-56005 — Stored Cross-Site Scripting in WP Activity Log (medium)
The same plugin carries a second, less severe vulnerability in all versions up to and including 5.6.3.1. Because user input is neither sufficiently sanitised when stored nor escaped when later output, an authenticated user holding only the low-privilege Subscriber role can store a malicious script that executes in the browser of every other user who subsequently opens the affected view. Since many sites allow visitors to register as subscribers themselves, this barrier is often low in practice. The vulnerability is rated at CVSS 6.4 (medium) and is fixed together with the object injection described above in the same version 5.6.4, so a single update closes both flaws.
Sources: National Vulnerability Database — CVE-2026-56005 · WPScan advisory
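As an added example, not code from the plugin, the following shows the two missing controls the paragraph names, sanitising on storage and escaping on output, applied to a log table. The log entries, the payload and the small stand-in definitions of sanitize_text_field() and esc_html() are constructed so that the file runs outside WordPress; inside WordPress the real helpers of the same name are loaded first and used instead, and the stand-ins approximate rather than reproduce them.

```php
<?php
// Added illustration of stored XSS in a log view (generic, not WP Activity Log's code).
// Stand-ins so this file also runs outside WordPress; inside WordPress the real
// functions of the same name already exist and these definitions are skipped.
if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field(string $text): string
    {
        // Approximation of the WordPress helper: drop tags and control characters.
        return trim(preg_replace('/[\x00-\x1F\x7F]/', '', strip_tags($text)) ?? '');
    }
}
if (!function_exists('esc_html')) {
    function esc_html(string $text): string
    {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    }
}

// Constructed payload, as a self-registered subscriber might submit in a profile field
// that the plugin later records in its log.
$submitted = '<img src=x onerror="alert(document.cookie)">';

// Vulnerable: stored as received, echoed as stored. The <img> tag is live HTML
// for everyone who opens the log view later.
function store_vulnerable(array &$log, string $value): void
{
    $log[] = $value;
}
function render_vulnerable(array $log): string
{
    $html = '';
    foreach ($log as $entry) {
        $html .= "<tr><td>{$entry}</td></tr>\n";
    }
    return $html;
}

// Hardened: sanitise on the way in (defence in depth) and, non-negotiably,
// escape on the way out. esc_html() shows the stored characters as text,
// so the entry remains auditable but can no longer execute.
function store_hardened(array &$log, string $value): void
{
    $log[] = sanitize_text_field($value);
}
function render_hardened(array $log): string
{
    $html = '';
    foreach ($log as $entry) {
        $html .= '<tr><td>' . esc_html($entry) . "</td></tr>\n";
    }
    return $html;
}

$vulnLog = [];
store_vulnerable($vulnLog, $submitted);
echo "vulnerable:\n", render_vulnerable($vulnLog);

$safeLog = [];
store_hardened($safeLog, $submitted);
echo "sanitised and escaped:\n", render_hardened($safeLog);

// Escaping alone also neutralises the payload when the raw value must be kept,
// which an activity log often requires for audit purposes.
echo "raw storage, escaped output:\n", render_hardened($vulnLog);
```

The vulnerable renderer emits the stored <img> tag as live HTML, so its onerror handler runs for whoever opens the view; the hardened renderer shows the same bytes as visible text. Escaping on output is the control that must never be skipped: an audit log frequently needs to retain exactly what was submitted, in which case sanitising on storage is optional, but every path that prints the entry, including exports and admin notices, has to escape it.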
CVE-2026-49772 — Unauthenticated SQL Injection in The Events Calendar Plugin (critical)
The Events Calendar by StellarWP, in use on around 700,000 sites, contains a SQL injection in versions 6.15.12 up to and including 6.16.2. It stems from a user-supplied parameter that is not sufficiently escaped and a database query that is not adequately prepared. Because the flaw can be exploited without any login, unauthenticated attackers can inject manipulated queries and thereby read or alter confidential database contents. It is a blind SQL injection: the attacker sees no query output directly but infers data one true/false answer or timing difference at a time, which is slower than an error- or union-based injection but leaks the same data given enough requests. The National Vulnerability Database carries the CVSS score of 9.3 assigned by Patchstack, which classifies the vulnerability as critical, while WPScan rates it at 8.6 (high). Operators should update to version 6.16.3 or newer without delay.
Sources: National Vulnerability Database — CVE-2026-49772 · WPScan advisory
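The following added example, which is not code from The Events Calendar or StellarWP, reproduces the blind-injection mechanism against a constructed in-memory SQLite table and shows the prepared-statement fix. It assumes PHP with the pdo_sqlite extension; the table, column names and secret are invented for the demonstration, and in WordPress code the bound parameter corresponds to $wpdb->prepare() with a %s placeholder.

```php
<?php
// Added illustration of SQL injection (generic, not The Events Calendar's code).
// Uses an in-memory SQLite database via PDO so it runs without WordPress or MySQL.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE events (id INTEGER PRIMARY KEY, slug TEXT, title TEXT, secret_note TEXT)');
// Constructed sample rows; secret_note stands for any column the attacker should never see.
$pdo->exec("INSERT INTO events (slug, title, secret_note) VALUES
    ('summer-fair', 'Summer Fair', 'door code 4711'),
    ('autumn-gala', 'Autumn Gala', 'vip list attached')");

// Vulnerable: the request parameter is interpolated straight into the SQL text.
function find_event_vulnerable(PDO $pdo, string $slug): array
{
    $sql = "SELECT title FROM events WHERE slug = '$slug'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened: the value travels as a bound parameter and is never part of the SQL text.
// WordPress equivalent: $wpdb->get_col($wpdb->prepare("... WHERE slug = %s", $slug)).
function find_event_hardened(PDO $pdo, string $slug): array
{
    $stmt = $pdo->prepare('SELECT title FROM events WHERE slug = ?');
    $stmt->execute([$slug]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Blind (boolean-based) probe: the application reveals only whether a row came back,
// and that single bit confirms or refutes one guessed character of secret_note.
function blind_probe(callable $lookup, PDO $pdo, int $pos, string $guess): bool
{
    // The guess alphabet below contains no quote, so no escaping is needed here.
    $payload = "summer-fair' AND substr(secret_note,$pos,1) = '$guess";
    return count($lookup($pdo, $payload)) > 0;
}

// Recover the first nine characters of the secret through the vulnerable query.
$alphabet = str_split('abcdefghijklmnopqrstuvwxyz0123456789 ');
$recovered = '';
for ($pos = 1; $pos <= 9; $pos++) {
    foreach ($alphabet as $c) {
        if (blind_probe('find_event_vulnerable', $pdo, $pos, $c)) {
            $recovered .= $c;
            break;
        }
    }
}
echo "leaked via vulnerable query: $recovered\n";

// The same payload against the prepared statement is just a slug that matches nothing.
$rows = find_event_hardened($pdo, "summer-fair' AND substr(secret_note,1,1) = 'd");
echo 'hardened query returned ' . count($rows) . " rows\n";
```

Even though the application reveals nothing beyond whether a row matched, the loop recovers the secret one character per guess, which is why a blind injection is rated as severely as one that returns data directly. Against the prepared statement the identical payload is compared as a literal slug and returns no rows.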
Not sure whether you’re affected? Get in touch.
This bulletin is provided for security awareness. The official notices from the respective vendors and the sources linked above always take precedence.