Security Advisory - Published 2026-06-24 - WordPress

WordPress SQL and data exposure batch: check forms, funnels, payments, and invoices

This batch affects ClearSale Total, FunnelKit Funnel Builder, WP Forms Connector, and WhatsOrder Instant Checkout for WooCommerce. Patch or disable each affected plugin, then review REST access, database errors, WooCommerce order data, and generated invoice files for anything that may have been exposed while the vulnerable version was installed.

Defensive scope: keep checks to your own WordPress site or an approved repair job. The page does not include SQL test strings, request examples, or third-party scanning steps.

Affected plugins

CVE             Plugin                                        Affected     Review          CVSS
CVE-2026-56052  FunnelKit Funnel Builder                      <= 3.15.0.5  funnel data     7.6
CVE-2026-8705   ClearSale Total                               <= 3.4.2     payment logs    7.5
CVE-2026-9178   WP Forms Connector                            <= 1.8       REST logs       7.5
CVE-2026-9179   WP Forms Connector                            <= 1.8       REST logs       7.5
CVE-2026-9612   WhatsOrder Instant Checkout for WooCommerce   <= 1.0.1     invoice files   5.3

Owner self-check

# Installed version and status of the four plugins
wp plugin list --fields=name,version,status | grep -E 'clearsale-total|funnel-builder|wp-forms-connector|whatsorder'
wp core version
wp option get permalink_structure
# Invoice, order and export files written under uploads in the last two weeks
find wp-content/uploads -maxdepth 3 -type f -mtime -14 2>/dev/null | grep -E 'invoice|order|whatsorder|\.html$|\.pdf$'
# REST activity, plugin names and database errors in the debug log
grep -Rni -E 'wp-json/|clearsale|funnel|whatsorder|database error|wpdb' wp-content/debug.log logs 2>/dev/null | tail -n 220
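The commands above show the installed versions; deciding whether a version is inside the affected range still has to be done by hand, and a plain string compare gets multi-part versions wrong (3.15.0.10 sorts before 3.15.0.5 as text). The script below, an added example that is not part of the advisory, reads the JSON that `wp plugin list --format=json` prints, compares each version numerically against the table above, and lists what is still in range. The plugin slugs and the embedded sample plugin list are assumptions; substitute the slugs your site reports.

```python
"""Flag installed plugins at or below the affected versions in the advisory table.

Added example, not part of the original advisory. Input is the JSON that
`wp plugin list --format=json` prints; a constructed sample is embedded below.
The slugs in AFFECTED are assumptions: use the names your own site reports.
"""
import json
import re

# Affected ceilings from the advisory table, keyed by an assumed plugin slug.
AFFECTED = {
    "funnel-builder": ("CVE-2026-56052", "3.15.0.5"),
    "clearsale-total": ("CVE-2026-8705", "3.4.2"),
    "wp-forms-connector": ("CVE-2026-9178, CVE-2026-9179", "1.8"),
    "whatsorder-instant-checkout": ("CVE-2026-9612", "1.0.1"),
}

# Constructed sample of `wp plugin list --format=json` output (not real data).
SAMPLE_WP_PLUGIN_LIST = json.dumps([
    {"name": "funnel-builder", "status": "active", "version": "3.15.0.10"},
    {"name": "clearsale-total", "status": "active", "version": "3.4.2"},
    {"name": "wp-forms-connector", "status": "inactive", "version": "1.8"},
    {"name": "whatsorder-instant-checkout", "status": "active", "version": "1.1"},
    {"name": "akismet", "status": "active", "version": "5.3"},
])


def version_key(version):
    """Turn '3.15.0.5' into a tuple of ints so that 3.15.0.10 > 3.15.0.5.

    Only the leading digits of each dotted piece are used, so a suffix such
    as '1.8-beta' compares as 1.8; a plain string compare would order
    '3.15.0.10' before '3.15.0.5' and miss a patched install.
    """
    parts = []
    for piece in version.split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def is_at_or_below(installed, ceiling):
    """True when installed <= ceiling; shorter versions are zero-padded (1.1 == 1.1.0)."""
    a, b = version_key(installed), version_key(ceiling)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a <= b


def affected_plugins(plugin_list_json):
    """Return [(slug, installed_version, status, cve)] for plugins still in range.

    Inactive plugins are reported too: their files stay on disk and a later
    activation would put the site back in the vulnerable state.
    """
    hits = []
    for entry in json.loads(plugin_list_json):
        slug = entry["name"]
        if slug not in AFFECTED:
            continue
        cve, ceiling = AFFECTED[slug]
        if is_at_or_below(entry["version"], ceiling):
            hits.append((slug, entry["version"], entry["status"], cve))
    return hits


if __name__ == "__main__":
    # On a live site: wp plugin list --format=json | python3 this_script.py
    for slug, ver, status, cve in affected_plugins(SAMPLE_WP_PLUGIN_LIST):
        print(f"{slug} {ver} ({status}) is affected: {cve}")
```

With the sample list the script reports clearsale-total 3.4.2 and the inactive wp-forms-connector 1.8; funnel-builder 3.15.0.10 and whatsorder-instant-checkout 1.1 are above their ceilings and are not listed.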

What to review

  • REST requests to WP Forms Connector routes and any user or post data returned during the exposure window.
  • WooCommerce order exports, invoice files, customer PII, and public upload paths.
  • Database errors, slow queries, unusual wpdb warnings, or unexpected changes to plugin tables.
  • Funnel and checkout changes made by administrators or integrations that do not match planned work.
  • The PHP version on older WooCommerce stacks; unsupported PHP releases no longer receive security fixes and should be upgraded alongside the plugins.
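Reviewing REST access means knowing which /wp-json/ namespaces were hit during the exposure window, by how many clients, and which of those requests succeeded. The script below is an added example, not part of the advisory, and not tied to any one of the four plugins: it parses Apache combined-format access log lines (nginx's default format has the same shape), groups 2xx hits by REST namespace inside a date window, and lists namespaces that are not on an expected list. The sample log, the `example-forms/v1` namespace, the expected-namespace list and the window dates are all constructed assumptions; only `wp/v2` and `oembed/1.0` are real WordPress core namespaces.

```python
"""Summarise /wp-json/ requests in a web access log for the exposure window.

Added example, not part of the original advisory. Parses Apache "combined"
format lines (nginx's default format has the same shape). The sample log is
constructed, 'example-forms/v1' is a made-up plugin namespace, and the
expected-namespace list and window dates are assumptions to adjust per site.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Namespaces you expect to see. 'wp/v2' and 'oembed/1.0' are WordPress core;
# add your plugins' own namespaces here (assumption: you know what they are).
EXPECTED_NAMESPACES = {"wp/v2", "oembed/1.0"}

# Exposure window to review; assumed dates, change to the ones that apply.
WINDOW_START = datetime(2026, 6, 20, tzinfo=timezone.utc)
WINDOW_END = datetime(2026, 6, 23, tzinfo=timezone.utc)

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)
# Namespace = the two path segments after /wp-json/ (e.g. wp/v2). A plugin
# using a three-segment namespace would need this pattern widened.
ROUTE_RE = re.compile(r"^/wp-json/(?P<ns>[^/?]+/[^/?]+)(?P<rest>/[^?]*)?")

# Constructed sample; addresses are from documentation ranges, not real clients.
SAMPLE_LOG = """\
203.0.113.7 - - [18/Jun/2026:09:12:09 +0000] "GET /wp-json/wp/v2/users HTTP/1.1" 200 1540
203.0.113.7 - - [20/Jun/2026:09:12:01 +0000] "GET /wp-json/wp/v2/posts?per_page=5 HTTP/1.1" 200 8123
203.0.113.7 - - [20/Jun/2026:09:12:09 +0000] "GET /wp-json/wp/v2/users HTTP/1.1" 200 1540
198.51.100.23 - - [21/Jun/2026:02:44:17 +0000] "GET /wp-json/example-forms/v1/entries HTTP/1.1" 200 65120
198.51.100.23 - - [21/Jun/2026:02:44:18 +0000] "GET /wp-json/example-forms/v1/entries?page=2 HTTP/1.1" 200 64870
198.51.100.23 - - [21/Jun/2026:02:44:20 +0000] "POST /wp-json/example-forms/v1/export HTTP/1.1" 403 210
192.0.2.9 - - [22/Jun/2026:11:03:55 +0000] "GET /shop/ HTTP/1.1" 200 30211
192.0.2.9 - - [22/Jun/2026:11:04:02 +0000] "GET /wp-json/oembed/1.0/embed?url=%2Fshop%2F HTTP/1.1" 200 990
"""


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
    }


def rest_summary(log_text, start=WINDOW_START, end=WINDOW_END):
    """Group /wp-json/ hits inside [start, end] by REST namespace.

    Each entry records total hits, 2xx hits, distinct client IPs and the
    distinct method+route pairs: enough to see whether a plugin route handed
    data to a client that had no business reading it. Lines outside the
    window and non-REST paths are skipped.
    """
    summary = defaultdict(lambda: {"hits": 0, "ok": 0, "ips": set(), "routes": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not (start <= rec["ts"] <= end):
            continue
        route = ROUTE_RE.match(rec["path"])
        if route is None:
            continue
        entry = summary[route["ns"]]
        entry["hits"] += 1
        entry["ips"].add(rec["ip"])
        entry["routes"].add(f'{rec["method"]} /wp-json/{route["ns"]}{route["rest"] or ""}')
        if 200 <= rec["status"] < 300:
            entry["ok"] += 1
    return dict(summary)


def unexpected_namespaces(summary):
    """Namespaces that returned at least one 2xx and are not on the expected list."""
    return sorted(ns for ns, e in summary.items() if ns not in EXPECTED_NAMESPACES and e["ok"])


if __name__ == "__main__":
    summary = rest_summary(SAMPLE_LOG)
    for ns, e in sorted(summary.items()):
        flag = "" if ns in EXPECTED_NAMESPACES else "  <-- not in expected list"
        print(f"{ns}: {e['hits']} hits, {e['ok']} 2xx, {len(e['ips'])} IPs{flag}")
        for r in sorted(e["routes"]):
            print("   ", r)
```

On the sample the 18 June line falls outside the window and is ignored; `example-forms/v1` is reported as unexpected with two successful reads of its entries route from one client, which is the kind of line you would then match against the site's own integrations before deciding whether form data left the site. Run it over the real log with `open(path).read()` in place of `SAMPLE_LOG`.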

Safe fix path

  1. Patch affected plugins. If a patch is not available, disable the plugin and remove public access to generated files.
  2. Block direct browsing of customer invoice directories and remove stale exported files that should not be public.
  3. Preserve web logs, WooCommerce logs, and database error logs before cleanup.
  4. Notify store operators before rotating payment, shipping, and CRM integration credentials.

Repair help

Use Ping7 CVE Repair when customer invoices were public, REST logs show unknown access, database errors spike, or checkout data needs a careful exposure review.

References