If you run a website, you know that a single unpatched vulnerability can take your site offline, damage your reputation, or leave you cleaning up after an attack. Most compromises we see start with automated attacks targeting known software flaws, often the same ones that have already been reported and disclosed.
To help you stay ahead of these threats, we’ve put together this month’s roundup of critical security updates and vulnerability patches affecting the WordPress ecosystem.
If you’re already using the Sucuri Firewall, you’re protected. These vulnerabilities are virtually patched for all clients. If not, consider putting a web application firewall in front of your site to block attacks before they reach your environment.
Plugins
Yoast SEO – Insecure Direct Object Reference (IDOR)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Insecure Direct Object Reference (IDOR)
CVE: CVE-2025-14481
Number of Installations: 10,000,000+
Affected Software: Yoast SEO <= 26.5
Patched Versions: Yoast SEO 26.6
Mitigation steps: Update to Yoast SEO version 26.6 or greater.
LiteSpeed Cache – Cross Site Scripting (XSS)
Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2026-3375
Number of Installations: 7,000,000+
Affected Software: LiteSpeed Cache <= 7.7
Patched Versions: LiteSpeed Cache 7.8
Mitigation steps: Update to LiteSpeed Cache version 7.8 or greater.
WPForms – Broken Access Control
Security Risk: Medium
Exploitation Level: See vulnerability details for exploitation requirements.
Vulnerability: Broken Access Control
CVE: CVE-2026-48835
Number of Installations: 6,000,000+
Affected Software: WPForms <= 1.10.0.4
Patched Versions: WPForms 1.10.0.5
Mitigation steps: Update to WPForms version 1.10.0.5 or greater.
Rank Math SEO – Broken Access Control
Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Broken Access Control
CVE: CVE-2025-12714
Number of Installations: 4,000,000+
Affected Software: Rank Math SEO <= 1.0.271
Patched Versions: Rank Math SEO 1.0.271.1
Mitigation steps: Update to Rank Math SEO version 1.0.271.1 or greater.
WPCode – Remote Code Execution
Security Risk: High
Exploitation Level: Requires Author or higher level authentication.
Vulnerability: Remote Code Execution
CVE: CVE-2026-8832
Number of Installations: 3,000,000+
Affected Software: WPCode <= 2.3.5
Patched Versions: WPCode 2.3.6
Mitigation steps: Update to WPCode version 2.3.6 or greater.
All in One SEO – Information Disclosure
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Information Disclosure
CVE: CVE-2026-5075
Number of Installations: 3,000,000+
Affected Software: All in One SEO <= 4.9.7
Patched Versions: All in One SEO 4.9.7.1
Mitigation steps: Update to All in One SEO version 4.9.7.1 or greater.
MonsterInsights – Broken Access Control
Security Risk: High
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2026-5371
Number of Installations: 2,000,000+
Affected Software: MonsterInsights <= 10.1.2
Patched Versions: MonsterInsights 10.1.3
Mitigation steps: Update to MonsterInsights version 10.1.3 or greater.
Essential Addons for Elementor – Privilege Escalation
Security Risk: Medium
Exploitation Level: Requires Author or higher level authentication.
Vulnerability: Privilege Escalation
CVE: CVE-2026-5193
Number of Installations: 2,000,000+
Affected Software: Essential Addons for Elementor <= 6.5.13
Patched Versions: Essential Addons for Elementor 6.6.0
Mitigation steps: Update to Essential Addons for Elementor version 6.6.0 or greater.
Advanced Custom Fields (ACF®) – Broken Access Control
Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Broken Access Control
CVE: CVE-2026-8382
Number of Installations: 2,000,000+
Affected Software: Advanced Custom Fields (ACF®) <= 6.8.1
Patched Versions: Advanced Custom Fields (ACF®) 6.8.2
Mitigation steps: Update to Advanced Custom Fields (ACF®) version 6.8.2 or greater.
Spectra Gutenberg Blocks – Remote Code Execution
Security Risk: High
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Remote Code Execution
CVE: CVE-2026-7465
Number of Installations: 1,000,000+
Affected Software: Spectra Gutenberg Blocks <= 2.19.25
Patched Versions: Spectra Gutenberg Blocks 2.19.26
Mitigation steps: Update to Spectra Gutenberg Blocks version 2.19.26 or greater.
ManageWP Worker – Cross Site Scripting (XSS)
Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2026-3718
Number of Installations: 1,000,000+
Affected Software: ManageWP Worker <= 4.9.31
Patched Versions: ManageWP Worker 4.9.32
Mitigation steps: Update to ManageWP Worker version 4.9.32 or greater.
Hostinger Reach – Broken Access Control
Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2026-2515
Number of Installations: 1,000,000+
Affected Software: Hostinger Reach <= 1.3.8
Patched Versions: Hostinger Reach 1.3.9
Mitigation steps: Update to Hostinger Reach version 1.3.9 or greater.
Loco Translate – Path Traversal
Security Risk: Medium
Exploitation Level: Requires authenticated access.
Vulnerability: Path Traversal
CVE: CVE-2026-1921
Number of Installations: 1,000,000+
Affected Software: Loco Translate <= 2.8.2
Patched Versions: Loco Translate 2.8.3
Mitigation steps: Update to Loco Translate version 2.8.3 or greater.
SVG Support – Broken Access Control
Security Risk: Medium
Exploitation Level: See vulnerability details for exploitation requirements.
Vulnerability: Broken Access Control
CVE: CVE-2026-48973
Number of Installations: 1,000,000+
Affected Software: SVG Support <= 2.5.14
Patched Versions: SVG Support 2.5.15
Mitigation steps: Update to SVG Support version 2.5.15 or greater.
WooCommerce PayPal Payments – Broken Access Control
Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Broken Access Control
CVE: CVE-2026-9284
Number of Installations: 800,000+
Affected Software: WooCommerce PayPal Payments <= 4.0.1
Patched Versions: WooCommerce PayPal Payments 4.0.2
Mitigation steps: Update to WooCommerce PayPal Payments version 4.0.2 or greater.
Premium Addons for Elementor – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2026-4790
Number of Installations: 700,000+
Affected Software: Premium Addons for Elementor <= 4.11.70
Patched Versions: Premium Addons for Elementor 4.11.71
Mitigation steps: Update to Premium Addons for Elementor version 4.11.71 or greater.
Forminator Forms – Arbitrary File Read
Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Arbitrary File Read
CVE: CVE-2026-5192
Number of Installations: 600,000+
Affected Software: Forminator Forms <= 1.52.1
Patched Versions: Forminator Forms 1.52.2
Mitigation steps: Update to Forminator Forms version 1.52.2 or greater.
WP Statistics – Cross Site Scripting (XSS)
Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2026-48839
Number of Installations: 600,000+
Affected Software: WP Statistics <= 14.16.6
Patched Versions: WP Statistics 14.16.7
Mitigation steps: Update to WP Statistics version 14.16.7 or greater.
Royal Addons for Elementor – Cross Site Scripting (XSS)
Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2026-4803
Number of Installations: 600,000+
Affected Software: Royal Addons for Elementor <= 1.7.1056
Patched Versions: Royal Addons for Elementor 1.7.1057
Mitigation steps: Update to Royal Addons for Elementor version 1.7.1057 or greater.
Forminator Forms – Broken Access Control
Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2026-6214
Number of Installations: 600,000+
Affected Software: Forminator Forms <= 1.53.0
Patched Versions: Forminator Forms 1.53.0.1
Mitigation steps: Update to Forminator Forms version 1.53.0.1 or greater.
Royal Addons for Elementor – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2026-6504
Number of Installations: 600,000+
Affected Software: Royal Addons for Elementor <= 1.7.1058
Patched Versions: Royal Addons for Elementor 1.7.1059
Mitigation steps: Update to Royal Addons for Elementor version 1.7.1059 or greater.
Royal Addons for Elementor – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2026-27421
Number of Installations: 600,000+
Affected Software: Royal Addons for Elementor < 1.7.1053
Patched Versions: Royal Addons for Elementor 1.7.1053
Mitigation steps: Update to Royal Addons for Elementor version 1.7.1053 or greater.
Royal Addons for Elementor – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2026-5159
Number of Installations: 600,000+
Affected Software: Royal Addons for Elementor <= 1.7.1056
Patched Versions: Royal Addons for Elementor 1.7.1057
Mitigation steps: Update to Royal Addons for Elementor version 1.7.1057 or greater.
Royal Addons for Elementor – Broken Access Control
Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Broken Access Control
CVE: CVE-2026-4024
Number of Installations: 600,000+
Affected Software: Royal Addons for Elementor <= 1.7.1056
Patched Versions: Royal Addons for Elementor 1.7.1057
Mitigation steps: Update to Royal Addons for Elementor version 1.7.1057 or greater.
Forminator Forms – Broken Access Control
Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Broken Access Control
CVE: CVE-2026-2729
Number of Installations: 600,000+
Affected Software: Forminator Forms <= 1.52.0
Patched Versions: Forminator Forms 1.52.1
Mitigation steps: Update to Forminator Forms version 1.52.1 or greater.
Royal Addons for Elementor – Broken Access Control
Security Risk: Medium
Exploitation Level: See vulnerability details for exploitation requirements.
Vulnerability: Broken Access Control
CVE: CVE-2026-25436
Number of Installations: 600,000+
Affected Software: Royal Addons for Elementor < 1.7.1053
Patched Versions: Royal Addons for Elementor 1.7.1053
Mitigation steps: Update to Royal Addons for Elementor version 1.7.1053 or greater.
Forminator Forms – Broken Access Control
Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2026-6222
Number of Installations: 600,000+
Affected Software: Forminator Forms <= 1.51.1
Patched Versions: Forminator Forms 1.52
Mitigation steps: Update to Forminator Forms version 1.52 or greater.
Kirki – Arbitrary File Read
Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Arbitrary File Read
CVE: CVE-2026-8073
Number of Installations: 500,000+
Affected Software: Kirki <= 6.0.6
Patched Versions: Kirki 6.0.7
Mitigation steps: Update to Kirki version 6.0.7 or greater.
Kirki – Broken Access Control
Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2026-8096
Number of Installations: 500,000+
Affected Software: Kirki <= 6.0.6
Patched Versions: Kirki 6.0.7
Mitigation steps: Update to Kirki version 6.0.7 or greater.
YITH WooCommerce Wishlist – Insecure Direct Object Reference (IDOR)
Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Insecure Direct Object Reference (IDOR)
CVE: CVE-2026-27329
Number of Installations: 400,000+
Affected Software: YITH WooCommerce Wishlist <= 4.12.0
Patched Versions: YITH WooCommerce Wishlist 4.13.0
Mitigation steps: Update to YITH WooCommerce Wishlist version 4.13.0 or greater.
Happy Addons for Elementor – Information Disclosure
Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Information Disclosure
CVE: CVE-2026-25468
Number of Installations: 400,000+
Affected Software: Happy Addons for Elementor <= 3.20.8
Patched Versions: Happy Addons for Elementor 3.21.0
Mitigation steps: Update to Happy Addons for Elementor version 3.21.0 or greater.
Meta for WooCommerce – Open Redirect
Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Open Redirect
CVE: CVE-2026-49059
Number of Installations: 400,000+
Affected Software: Meta for WooCommerce <= 3.7.0
Patched Versions: Not available at time of publication
Mitigation steps: A patch is not yet available. Disable or remove the affected plugin until a fix is released.
Photo Gallery, Sliders, Proofing and Themes – Insecure Direct Object Reference (IDOR)
Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Insecure Direct Object Reference (IDOR)
CVE: CVE-2026-6566
Number of Installations: 400,000+
Affected Software: Photo Gallery, Sliders, Proofing and Themes <= 4.2.0
Patched Versions: Photo Gallery, Sliders, Proofing and Themes 4.2.1
Mitigation steps: Update to Photo Gallery, Sliders, Proofing and Themes version 4.2.1 or greater.
Simple History – Broken Access Control
Security Risk: High
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2026-7459
Number of Installations: 300,000+
Affected Software: Simple History <= 5.26.0
Patched Versions: Simple History 5.27.0
Mitigation steps: Update to Simple History version 5.27.0 or greater.
Post SMTP – Cross Site Scripting (XSS)
Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2026-48838
Number of Installations: 300,000+
Affected Software: Post SMTP <= 3.6.2
Patched Versions: Post SMTP 3.6.3
Mitigation steps: Update to Post SMTP version 3.6.3 or greater.
Unlimited Elements For Elementor – SQL Injection
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: SQL Injection
CVE: CVE-2026-48837
Number of Installations: 300,000+
Affected Software: Unlimited Elements For Elementor <= 2.0.8
Patched Versions: Unlimited Elements For Elementor 2.0.9
Mitigation steps: Update to Unlimited Elements For Elementor version 2.0.9 or greater.
Unlimited Elements For Elementor – SQL Injection
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: SQL Injection
CVE: CVE-2026-5486
Number of Installations: 300,000+
Affected Software: Unlimited Elements For Elementor <= 2.0.7
Patched Versions: Unlimited Elements For Elementor 2.0.8
Mitigation steps: Update to Unlimited Elements For Elementor version 2.0.8 or greater.
WP Activity Log – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2026-45435
Number of Installations: 300,000+
Affected Software: WP Activity Log <= 5.6.3
Patched Versions: WP Activity Log 5.6.3.1
Mitigation steps: Update to WP Activity Log version 5.6.3.1 or greater.
Jeg Kit for Elementor – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2026-6916
Number of Installations: 300,000+
Affected Software: Jeg Kit for Elementor <= 3.1.0
Patched Versions: Jeg Kit for Elementor 3.1.1
Mitigation steps: Update to Jeg Kit for Elementor version 3.1.1 or greater.
PDF Embedder – Information Disclosure
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Information Disclosure
CVE: CVE-2026-7526
Number of Installations: 300,000+
Affected Software: PDF Embedder <= 4.9.3
Patched Versions: PDF Embedder 5.0.0
Mitigation steps: Update to PDF Embedder version 5.0.0 or greater.
Favicon by RealFaviconGenerator – Cross Site Scripting (XSS)
Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2026-42754
Number of Installations: 200,000+
Affected Software: Favicon by RealFaviconGenerator <= 1.3.46
Patched Versions: Favicon by RealFaviconGenerator 1.3.47
Mitigation steps: Update to Favicon by RealFaviconGenerator version 1.3.47 or greater.
Redirection for Contact Form 7 – Cross Site Scripting (XSS)
Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2026-23970
Number of Installations: 200,000+
Affected Software: Redirection for Contact Form 7 <= 3.2.8
Patched Versions: Redirection for Contact Form 7 3.2.9
Mitigation steps: Update to Redirection for Contact Form 7 version 3.2.9 or greater.
Photo Gallery by 10Web – SQL Injection
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: SQL Injection
CVE: CVE-2026-7048
Number of Installations: 200,000+
Affected Software: Photo Gallery by 10Web <= 1.8.40
Patched Versions: Photo Gallery by 10Web 1.8.41
Mitigation steps: Update to Photo Gallery by 10Web version 1.8.41 or greater.
GenerateBlocks – Insecure Direct Object Reference (IDOR)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Insecure Direct Object Reference (IDOR)
CVE: CVE-2026-3454
Number of Installations: 200,000+
Affected Software: GenerateBlocks <= 2.2.0
Patched Versions: GenerateBlocks 2.2.1
Mitigation steps: Update to GenerateBlocks version 2.2.1 or greater.
Gutenberg Essential Blocks – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2026-4658
Number of Installations: 200,000+
Affected Software: Gutenberg Essential Blocks <= 6.0.4
Patched Versions: Gutenberg Essential Blocks 6.1.0
Mitigation steps: Update to Gutenberg Essential Blocks version 6.1.0 or greater.
MW WP Form – Insecure Direct Object Reference (IDOR)
Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Insecure Direct Object Reference (IDOR)
CVE: CVE-2026-6206
Number of Installations: 200,000+
Affected Software: MW WP Form <= 5.1.2
Patched Versions: MW WP Form 5.1.3
Mitigation steps: Update to MW WP Form version 5.1.3 or greater.
GenerateBlocks – Information Disclosure
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Information Disclosure
CVE: CVE-2026-48877
Number of Installations: 200,000+
Affected Software: GenerateBlocks <= 2.1.0
Patched Versions: GenerateBlocks 2.1.1
Mitigation steps: Update to GenerateBlocks version 2.1.1 or greater.
Adminimize – Broken Access Control
Security Risk: Medium
Exploitation Level: See vulnerability details for exploitation requirements.
Vulnerability: Broken Access Control
CVE: CVE-2026-49045
Number of Installations: 200,000+
Affected Software: Adminimize <= 1.11.11
Patched Versions: Not available at time of publication
Mitigation steps: A patch is not yet available. Disable or remove the affected plugin until a fix is released.
Advanced Custom Fields: Extended – Privilege Escalation
Security Risk: Critical
Exploitation Level: No authentication required.
Vulnerability: Privilege Escalation
CVE: CVE-2026-8809
Number of Installations: 100,000+
Affected Software: Advanced Custom Fields: Extended <= 0.9.2.5
Patched Versions: Advanced Custom Fields: Extended 0.9.2.6
Mitigation steps: Update to Advanced Custom Fields: Extended version 0.9.2.6 or greater.
AI Engine – Privilege Escalation
Security Risk: High
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Privilege Escalation
CVE: CVE-2026-8719
Number of Installations: 100,000+
Affected Software: AI Engine (see vulnerability details for affected versions)
Patched Versions: AI Engine 3.5.0
Mitigation steps: Update to AI Engine version 3.5.0 or greater.
LatePoint – Cross Site Scripting (XSS)
Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2026-7332
Number of Installations: 100,000+
Affected Software: LatePoint <= 5.5.0
Patched Versions: LatePoint 5.5.1
Mitigation steps: Update to LatePoint version 5.5.1 or greater.
AI Engine – Privilege Escalation
Security Risk: High
Exploitation Level: Requires Editor or higher level authentication.
Vulnerability: Privilege Escalation
CVE: CVE-2026-27407
Number of Installations: 100,000+
Affected Software: AI Engine <= 3.4.9
Patched Versions: AI Engine 3.5.0
Mitigation steps: Update to AI Engine version 3.5.0 or greater.
GiveWP – Cross Site Scripting (XSS)
Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2026-42678
Number of Installations: 100,000+
Affected Software: GiveWP <= 4.14.5
Patched Versions: GiveWP 4.14.6
Mitigation steps: Update to GiveWP version 4.14.6 or greater.
Custom Twitter Feeds – Cross Site Scripting (XSS)
Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2026-6177
Number of Installations: 100,000+
Affected Software: Custom Twitter Feeds <= 2.5.4
Patched Versions: Custom Twitter Feeds 2.5.5
Mitigation steps: Update to Custom Twitter Feeds version 2.5.5 or greater.
LatePoint – Cross Site Scripting (XSS)
Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2026-7448
Number of Installations: 100,000+
Affected Software: LatePoint <= 5.5.0
Patched Versions: LatePoint 5.5.1
Mitigation steps: Update to LatePoint version 5.5.1 or greater.
Advanced Custom Fields: Extended – Content Injection
Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Content Injection
CVE: CVE-2025-15463
Number of Installations: 100,000+
Affected Software: Advanced Custom Fields: Extended <= 0.9.2.3
Patched Versions: Advanced Custom Fields: Extended 0.9.2.4
Mitigation steps: Update to Advanced Custom Fields: Extended version 0.9.2.4 or greater.
Independent Analytics – Server-Side Request Forgery (SSRF)
Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Server-Side Request Forgery (SSRF)
CVE: CVE-2026-5737
Number of Installations: 100,000+
Affected Software: Independent Analytics <= 2.14.9
Patched Versions: Independent Analytics 2.14.10
Mitigation steps: Update to Independent Analytics version 2.14.10 or greater.
The Plus Addons for Elementor – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2026-9243
Number of Installations: 100,000+
Affected Software: The Plus Addons for Elementor <= 6.4.15
Patched Versions: The Plus Addons for Elementor 6.4.16
Mitigation steps: Update to The Plus Addons for Elementor version 6.4.16 or greater.
The Plus Addons for Elementor – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2026-5243
Number of Installations: 100,000+
Affected Software: The Plus Addons for Elementor <= 6.4.11
Patched Versions: The Plus Addons for Elementor 6.4.12
Mitigation steps: Update to The Plus Addons for Elementor version 6.4.12 or greater.
Envira Gallery – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Author or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2026-5361
Number of Installations: 100,000+
Affected Software: Envira Gallery <= 1.12.4
Patched Versions: Envira Gallery 1.12.5
Mitigation steps: Update to Envira Gallery version 1.12.5 or greater.
Modula Image Gallery – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2026-42688
Number of Installations: 100,000+
Affected Software: Modula Image Gallery <= 2.14.23
Patched Versions: Modula Image Gallery 2.14.24
Mitigation steps: Update to Modula Image Gallery version 2.14.24 or greater.
LatePoint – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2026-7457
Number of Installations: 100,000+
Affected Software: LatePoint <= 5.5.0
Patched Versions: LatePoint 5.5.1
Mitigation steps: Update to LatePoint version 5.5.1 or greater.
Schedule Post Changes With PublishPress Future: Unpublish, Delete, Change Status, Trash, Change Categories – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Administrator authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2026-5247
Number of Installations: 100,000+
Affected Software: Schedule Post Changes With PublishPress Future: Unpublish, Delete, Change Status, Trash, Change Categories <= 4.10.0
Patched Versions: Schedule Post Changes With PublishPress Future: Unpublish, Delete, Change Status, Trash, Change Categories 4.10.1
Mitigation steps: Update to Schedule Post Changes With PublishPress Future: Unpublish, Delete, Change Status, Trash, Change Categories version 4.10.1 or greater.
LatePoint – Broken Authentication
Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Broken Authentication
CVE: CVE-2026-7652
Number of Installations: 100,000+
Affected Software: LatePoint <= 5.5.0
Patched Versions: LatePoint 5.5.1
Mitigation steps: Update to LatePoint version 5.5.1 or greater.
The Ultimate Video Player For WordPress – Broken Access Control
Security Risk: Medium
Exploitation Level: See vulnerability details for exploitation requirements.
Vulnerability: Broken Access Control
CVE: CVE-2026-45442
Number of Installations: 100,000+
Affected Software: The Ultimate Video Player For WordPress <= 4.1.3
Patched Versions: The Ultimate Video Player For WordPress 4.1.4
Mitigation steps: Update to The Ultimate Video Player For WordPress version 4.1.4 or greater.
Mercado Pago payments for WooCommerce – Broken Access Control
Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Broken Access Control
CVE: CVE-2026-3208
Number of Installations: 100,000+
Affected Software: Mercado Pago payments for WooCommerce <= 8.7.11
Patched Versions: Mercado Pago payments for WooCommerce 8.7.12
Mitigation steps: Update to Mercado Pago payments for WooCommerce version 8.7.12 or greater.
CloudSecure WP Security – Authentication Bypass
Security Risk: Medium
Exploitation Level: See vulnerability details for exploitation requirements.
Vulnerability: Authentication Bypass
CVE: CVE-2026-42411
Number of Installations: 100,000+
Affected Software: CloudSecure WP Security <= 1.4.7
Patched Versions: CloudSecure WP Security 1.4.8
Mitigation steps: Update to CloudSecure WP Security version 1.4.8 or greater.
Advanced Access Manager – Broken Access Control
Security Risk: Medium
Exploitation Level: See vulnerability details for exploitation requirements.
Vulnerability: Broken Access Control
CVE: CVE-2026-42674
Number of Installations: 100,000+
Affected Software: Advanced Access Manager <= 7.1.0
Patched Versions: Advanced Access Manager 7.1.1
Mitigation steps: Update to Advanced Access Manager version 7.1.1 or greater.
Simple CAPTCHA Alternative with Cloudflare Turnstile – Broken Authentication
Security Risk: Medium
Exploitation Level: See vulnerability details for exploitation requirements.
Vulnerability: Broken Authentication
CVE: CVE-2026-40799
Number of Installations: 100,000+
Affected Software: Simple CAPTCHA Alternative with Cloudflare Turnstile <= 1.38.0
Patched Versions: Simple CAPTCHA Alternative with Cloudflare Turnstile 1.38.1
Mitigation steps: Update to Simple CAPTCHA Alternative with Cloudflare Turnstile version 1.38.1 or greater.
The Post Grid – Broken Access Control
Security Risk: Medium
Exploitation Level: See vulnerability details for exploitation requirements.
Vulnerability: Broken Access Control
CVE: CVE-2026-49054
Number of Installations: 100,000+
Affected Software: The Post Grid <= 7.9.2
Patched Versions: Not available at time of publication
Mitigation steps: A patch is not yet available. Disable or remove the affected plugin until a fix is released.
Everest Forms – Broken Access Control
Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2026-4888
Number of Installations: 100,000+
Affected Software: Everest Forms <= 3.4.7
Patched Versions: Everest Forms 3.4.8
Mitigation steps: Update to Everest Forms version 3.4.8 or greater.
Advanced Custom Fields: Font Awesome Field – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2026-49044
Number of Installations: 90,000+
Affected Software: Advanced Custom Fields: Font Awesome Field <= 5.0.2
Patched Versions: Advanced Custom Fields: Font Awesome Field 6.0.0
Mitigation steps: Update to Advanced Custom Fields: Font Awesome Field version 6.0.0 or greater.
Advanced Custom Fields: Font Awesome Field – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2026-6415
Number of Installations: 90,000+
Affected Software: Advanced Custom Fields: Font Awesome Field <= 5.0.2
Patched Versions: Advanced Custom Fields: Font Awesome Field 6.0.0
Mitigation steps: Update to Advanced Custom Fields: Font Awesome Field version 6.0.0 or greater.
a3 Lazy Load – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2026-6427
Number of Installations: 90,000+
Affected Software: a3 Lazy Load <= 2.7.6
Patched Versions: a3 Lazy Load 2.7.7
Mitigation steps: Update to a3 Lazy Load version 2.7.7 or greater.
ShopLentor – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2026-6287
Number of Installations: 90,000+
Affected Software: ShopLentor <= 3.3.8
Patched Versions: ShopLentor 3.3.9
Mitigation steps: Update to ShopLentor version 3.3.9 or greater.
Event Tickets and Registration – Broken Access Control
Security Risk: Medium
Exploitation Level: See vulnerability details for exploitation requirements.
Vulnerability: Broken Access Control
CVE: CVE-2026-42662
Number of Installations: 90,000+
Affected Software: Event Tickets and Registration <= 5.27.5
Patched Versions: Event Tickets and Registration 5.27.6.1
Mitigation steps: Update to Event Tickets and Registration version 5.27.6.1 or greater.
Hustle – Broken Access Control
Security Risk: Medium
Exploitation Level: See vulnerability details for exploitation requirements.
Vulnerability: Broken Access Control
CVE: CVE-2026-25431
Number of Installations: 90,000+
Affected Software: Hustle <= 7.8.10.1
Patched Versions: Hustle 7.8.10.2
Mitigation steps: Update to Hustle version 7.8.10.2 or greater.
Booking for Appointments and Events Calendar – Broken Access Control
Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Broken Access Control
CVE: CVE-2026-6449
Number of Installations: 90,000+
Affected Software: Booking for Appointments and Events Calendar <= 2.2.1
Patched Versions: Booking for Appointments and Events Calendar 2.3
Mitigation steps: Update to Booking for Appointments and Events Calendar version 2.3 or greater.
WP Meta and Date Remover – Broken Access Control
Security Risk: Medium Exploitation Level: See vulnerability details for exploitation requirements. Vulnerability: Broken Access Control CVE: CVE-2026-49051 Number of Installations: 90,000+ Affected Software: WP Meta and Date Remover <= 2.3.6 Patched Versions: WP Meta and Date Remover 2.3.7
Mitigation steps: Update to WP Meta and Date Remover version 2.3.7 or greater.
SlimStat Analytics – Cross Site Scripting (XSS)
Security Risk: High Exploitation Level: No authentication required. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2026-7634 Number of Installations: 80,000+ Affected Software: SlimStat Analytics <= 5.4.11 Patched Versions: SlimStat Analytics 5.4.12
Mitigation steps: Update to SlimStat Analytics version 5.4.12 or greater.
Duplicate Page and Post – SQL Injection
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: SQL Injection CVE: CVE-2026-49046 Number of Installations: 80,000+ Affected Software: Duplicate Page and Post <= 2.9.5 Patched Versions: Not available at time of publication
Mitigation steps: A patch is not yet available. Disable or remove the affected plugin until a fix is released.
Product Import Export for WooCommerce – Broken Access Control
Security Risk: Medium Exploitation Level: See vulnerability details for exploitation requirements. Vulnerability: Broken Access Control CVE: CVE-2026-48971 Number of Installations: 80,000+ Affected Software: Product Import Export for WooCommerce <= 2.5.6 Patched Versions: Product Import Export for WooCommerce 2.5.7
Mitigation steps: Update to Product Import Export for WooCommerce version 2.5.7 or greater.
Import and export users and customers – Privilege Escalation
Security Risk: High Exploitation Level: Requires Subscriber or higher level authentication. Vulnerability: Privilege Escalation CVE: CVE-2026-7641 Number of Installations: 70,000+ Affected Software: Import and export users and customers <= 2.0.8 Patched Versions: Import and export users and customers 2.0.9
Mitigation steps: Update to Import and export users and customers version 2.0.9 or greater.
Database Backup for WordPress – Arbitrary File Read
Security Risk: High Exploitation Level: No authentication required. Vulnerability: Arbitrary File Read CVE: CVE-2026-4030 Number of Installations: 70,000+ Affected Software: Database Backup for WordPress <= 2.5.2 Patched Versions: Database Backup for WordPress 2.5.3
Mitigation steps: Update to Database Backup for WordPress version 2.5.3 or greater.
Database Backup for WordPress – Broken Access Control
Security Risk: High Exploitation Level: No authentication required. Vulnerability: Broken Access Control CVE: CVE-2026-4029 Number of Installations: 70,000+ Affected Software: Database Backup for WordPress <= 2.5.2 Patched Versions: Database Backup for WordPress 2.5.3
Mitigation steps: Update to Database Backup for WordPress version 2.5.3 or greater.
Database Backup for WordPress – Broken Access Control
Security Risk: High Exploitation Level: No authentication required. Vulnerability: Broken Access Control CVE: CVE-2026-4031 Number of Installations: 70,000+ Affected Software: Database Backup for WordPress <= 2.5.2 Patched Versions: Database Backup for WordPress 2.5.3
Mitigation steps: Update to Database Backup for WordPress version 2.5.3 or greater.
Brizy – Cross Site Scripting (XSS)
Security Risk: High Exploitation Level: No authentication required. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2026-5324 Number of Installations: 70,000+ Affected Software: Brizy <= 2.8.11 Patched Versions: Brizy 2.8.12
Mitigation steps: Update to Brizy version 2.8.12 or greater.
EmailKit – Arbitrary File Read
Security Risk: Medium Exploitation Level: Requires Author or higher level authentication. Vulnerability: Arbitrary File Read CVE: CVE-2026-5957 Number of Installations: 70,000+ Affected Software: EmailKit <= 1.6.5 Patched Versions: EmailKit 1.6.6
Mitigation steps: Update to EmailKit version 1.6.6 or greater.
Carousel, Slider, Photo Gallery with Lightbox, Video Slider, by WP Carousel – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2026-4665 Number of Installations: 70,000+ Affected Software: Carousel, Slider, Photo Gallery with Lightbox, Video Slider, by WP Carousel <= 2.7.10 Patched Versions: Carousel, Slider, Photo Gallery with Lightbox, Video Slider, by WP Carousel 2.7.11
Mitigation steps: Update to Carousel, Slider, Photo Gallery with Lightbox, Video Slider, by WP Carousel version 2.7.11 or greater.
StatCounter – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Author or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2026-6275 Number of Installations: 70,000+ Affected Software: StatCounter <= 2.1.1 Patched Versions: StatCounter 2.1.2
Mitigation steps: Update to StatCounter version 2.1.2 or greater.
LearnPress – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: See vulnerability details for exploitation requirements. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2026-48865 Number of Installations: 70,000+ Affected Software: LearnPress <= 4.3.6 Patched Versions: LearnPress 4.3.7
Mitigation steps: Update to LearnPress version 4.3.7 or greater.
LearnPress – Broken Authentication
Security Risk: Medium Exploitation Level: Requires Subscriber or higher level authentication. Vulnerability: Broken Authentication CVE: CVE-2026-7648 Number of Installations: 70,000+ Affected Software: LearnPress <= 4.3.5 Patched Versions: LearnPress 4.3.6
Mitigation steps: Update to LearnPress version 4.3.6 or greater.
Appointment Booking Calendar – SQL Injection
Security Risk: High Exploitation Level: No authentication required. Vulnerability: SQL Injection CVE: CVE-2026-7797 Number of Installations: 60,000+ Affected Software: Appointment Booking Calendar <= 1.6.11.8 Patched Versions: Appointment Booking Calendar 1.6.11.9
Mitigation steps: Update to Appointment Booking Calendar version 1.6.11.9 or greater.
Login No Captcha reCAPTCHA – Cross Site Scripting (XSS)
Security Risk: High Exploitation Level: No authentication required. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2026-2374 Number of Installations: 60,000+ Affected Software: Login No Captcha reCAPTCHA <= 1.8.0 Patched Versions: Login No Captcha reCAPTCHA 1.8.1
Mitigation steps: Update to Login No Captcha reCAPTCHA version 1.8.1 or greater.
Appointment Booking Calendar – Cross Site Scripting (XSS)
Security Risk: High Exploitation Level: No authentication required. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2026-39447 Number of Installations: 60,000+ Affected Software: Appointment Booking Calendar <= 1.6.10.6 Patched Versions: Appointment Booking Calendar 1.6.11.0
Mitigation steps: Update to Appointment Booking Calendar version 1.6.11.0 or greater.
Appointment Booking Calendar – Broken Access Control
Security Risk: Medium Exploitation Level: No authentication required. Vulnerability: Broken Access Control CVE: CVE-2026-4807 Number of Installations: 60,000+ Affected Software: Appointment Booking Calendar <= 1.6.10.6 Patched Versions: Appointment Booking Calendar 1.6.11
Mitigation steps: Update to Appointment Booking Calendar version 1.6.11 or greater.
Master Slider – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2026-48968 Number of Installations: 60,000+ Affected Software: Master Slider <= 3.10.8 Patched Versions: Master Slider 3.10.9
Mitigation steps: Update to Master Slider version 3.10.9 or greater.
User Registration & Membership – Broken Access Control
Security Risk: Medium Exploitation Level: See vulnerability details for exploitation requirements. Vulnerability: Broken Access Control CVE: CVE-2026-25425 Number of Installations: 60,000+ Affected Software: User Registration & Membership <= 5.1.2 Patched Versions: User Registration & Membership 5.1.3
Mitigation steps: Update to User Registration & Membership version 5.1.3 or greater.
User Registration & Membership – Insecure Direct Object Reference (IDOR)
Security Risk: Medium Exploitation Level: Requires Subscriber or higher level authentication. Vulnerability: Insecure Direct Object Reference (IDOR) CVE: CVE-2026-7651 Number of Installations: 60,000+ Affected Software: User Registration & Membership <= 5.1.5 Patched Versions: User Registration & Membership 5.1.6
Mitigation steps: Update to User Registration & Membership version 5.1.6 or greater.
Appointment Booking Calendar – Denial of Service
Security Risk: Medium Exploitation Level: No authentication required. Vulnerability: Denial of Service CVE: CVE-2026-7493 Number of Installations: 60,000+ Affected Software: Appointment Booking Calendar <= 1.6.11.5 Patched Versions: Appointment Booking Calendar 1.6.11.7
Mitigation steps: Update to Appointment Booking Calendar version 1.6.11.7 or greater.
Appointment Booking Calendar – Broken Access Control
Security Risk: Medium Exploitation Level: No authentication required. Vulnerability: Broken Access Control CVE: CVE-2026-6937 Number of Installations: 60,000+ Affected Software: Appointment Booking Calendar <= 1.6.11.8 Patched Versions: Appointment Booking Calendar 1.6.11.9
Mitigation steps: Update to Appointment Booking Calendar version 1.6.11.9 or greater.
User Registration & Membership – Broken Access Control
Security Risk: Medium Exploitation Level: No authentication required. Vulnerability: Broken Access Control CVE: CVE-2026-6145 Number of Installations: 60,000+ Affected Software: User Registration & Membership <= 5.1.5 Patched Versions: User Registration & Membership 5.1.6
Mitigation steps: Update to User Registration & Membership version 5.1.6 or greater.
User Registration & Membership – Broken Access Control
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Broken Access Control CVE: CVE-2026-3601 Number of Installations: 60,000+ Affected Software: User Registration & Membership <= 5.1.4 Patched Versions: User Registration & Membership 5.1.5
Mitigation steps: Update to User Registration & Membership version 5.1.5 or greater.
RTMKit – Local File Inclusion
Security Risk: High Exploitation Level: Requires Author or higher level authentication. Vulnerability: Local File Inclusion CVE: CVE-2026-3425 Number of Installations: 50,000+ Affected Software: RTMKit <= 2.0.2 Patched Versions: RTMKit 2.0.3
Mitigation steps: Update to RTMKit version 2.0.3 or greater.
Email Marketing for WooCommerce by Omnisend – Broken Authentication
Security Risk: High Exploitation Level: No authentication required. Vulnerability: Broken Authentication CVE: CVE-2026-42668 Number of Installations: 50,000+ Affected Software: Email Marketing for WooCommerce by Omnisend <= 1.18.0 Patched Versions: Email Marketing for WooCommerce by Omnisend 1.18.1
Mitigation steps: Update to Email Marketing for WooCommerce by Omnisend version 1.18.1 or greater.
Blog2Social: Social Media Auto Post & Scheduler – Broken Access Control
Security Risk: Medium Exploitation Level: Requires Subscriber or higher level authentication. Vulnerability: Broken Access Control CVE: CVE-2026-7051 Number of Installations: 50,000+ Affected Software: Blog2Social: Social Media Auto Post & Scheduler <= 8.9.0 Patched Versions: Blog2Social: Social Media Auto Post & Scheduler 8.9.1
Mitigation steps: Update to Blog2Social: Social Media Auto Post & Scheduler version 8.9.1 or greater.
WP Encryption – Broken Access Control
Security Risk: Medium Exploitation Level: Requires Subscriber or higher level authentication. Vulnerability: Broken Access Control CVE: CVE-2026-3829 Number of Installations: 50,000+ Affected Software: WP Encryption <= 7.8.5.10 Patched Versions: WP Encryption 7.8.5.11
Mitigation steps: Update to WP Encryption version 7.8.5.11 or greater.
RTMKit – Broken Access Control
Security Risk: Medium Exploitation Level: Requires Author or higher level authentication. Vulnerability: Broken Access Control CVE: CVE-2026-3426 Number of Installations: 50,000+ Affected Software: RTMKit <= 2.0.2 Patched Versions: RTMKit 2.0.3
Mitigation steps: Update to RTMKit version 2.0.3 or greater.
Avada (Fusion) Builder – Remote Code Execution
Security Risk: Critical Exploitation Level: No authentication required. Vulnerability: Remote Code Execution CVE: CVE-2026-6279 Number of Installations: Premium plugin Affected Software: Avada (Fusion) Builder <= 3.15.2 Patched Versions: Avada (Fusion) Builder 3.15.3
Mitigation steps: Update to Avada (Fusion) Builder version 3.15.3 or greater.
Gravity Forms – Arbitrary File Deletion
Security Risk: Critical Exploitation Level: No authentication required. Vulnerability: Arbitrary File Deletion CVE: CVE-2026-48866 Number of Installations: Premium plugin Affected Software: Gravity Forms <= 2.10.0.1 Patched Versions: Gravity Forms 2.10.1
Mitigation steps: Update to Gravity Forms version 2.10.1 or greater.
Slider Revolution – Arbitrary File Upload
Security Risk: High Exploitation Level: Requires Subscriber or higher level authentication. Vulnerability: Arbitrary File Upload CVE: CVE-2026-6692 Number of Installations: Premium plugin Affected Software: Slider Revolution (see vulnerability details for affected versions) Patched Versions: Slider Revolution 7.0.11
Mitigation steps: Update to Slider Revolution version 7.0.11 or greater.
Avada (Fusion) Builder – SQL Injection
Security Risk: High Exploitation Level: No authentication required. Vulnerability: SQL Injection CVE: CVE-2026-4798 Number of Installations: Premium plugin Affected Software: Avada (Fusion) Builder <= 3.15.1 Patched Versions: Avada (Fusion) Builder 3.15.2
Mitigation steps: Update to Avada (Fusion) Builder version 3.15.2 or greater.
PixelYourSite Pro – Server-Side Request Forgery (SSRF)
Security Risk: High Exploitation Level: No authentication required. Vulnerability: Server-Side Request Forgery (SSRF) CVE: CVE-2026-7049 Number of Installations: Premium plugin Affected Software: PixelYourSite Pro <= 12.5.0.1 Patched Versions: PixelYourSite Pro 12.5.0.2
Mitigation steps: Update to PixelYourSite Pro version 12.5.0.2 or greater.
Avada (Fusion) Builder – Arbitrary File Read
Security Risk: Medium Exploitation Level: Requires Subscriber or higher level authentication. Vulnerability: Arbitrary File Read CVE: CVE-2026-4782 Number of Installations: Premium plugin Affected Software: Avada (Fusion) Builder <= 3.15.2 Patched Versions: Avada (Fusion) Builder 3.15.3
Mitigation steps: Update to Avada (Fusion) Builder version 3.15.3 or greater.
Avada (Fusion) Builder – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Subscriber or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2026-1543 Number of Installations: Premium plugin Affected Software: Avada (Fusion) Builder <= 3.15.2 Patched Versions: Avada (Fusion) Builder 3.15.3
Mitigation steps: Update to Avada (Fusion) Builder version 3.15.3 or greater.
Slider Revolution – Information Disclosure
Security Risk: Medium Exploitation Level: No authentication required. Vulnerability: Information Disclosure CVE: CVE-2026-6728 Number of Installations: Premium plugin Affected Software: Slider Revolution <= 7.0.9 Patched Versions: Slider Revolution 6.7.55, 7.0.10
Mitigation steps: Update to Slider Revolution version 6.7.55 or 7.0.10 or greater.
WPBakery Page Builder – Broken Access Control
Security Risk: Medium Exploitation Level: See vulnerability details for exploitation requirements. Vulnerability: Broken Access Control CVE: CVE-2026-45436 Number of Installations: Premium plugin Affected Software: WPBakery Page Builder <= 8.7.2 Patched Versions: WPBakery Page Builder 8.7.3
Mitigation steps: Update to WPBakery Page Builder version 8.7.3 or greater.
Themes
Total – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2026-5077 Number of Installations: Premium theme Affected Software: Total <= 2.2.1 Patched Versions: Total 2.2.2
Mitigation steps: Update to Total version 2.2.2 or greater.
Betheme – Remote Code Execution
Security Risk: High Exploitation Level: Requires Author or higher level authentication. Vulnerability: Remote Code Execution CVE: CVE-2026-6261 Number of Installations: Premium theme Affected Software: Betheme <= 28.4 Patched Versions: Betheme 28.4.1
Mitigation steps: Update to Betheme version 28.4.1 or greater.
Roneous – Local File Inclusion
Security Risk: High Exploitation Level: No authentication required. Vulnerability: Local File Inclusion CVE: CVE-2025-69177 Number of Installations: Premium theme Affected Software: Roneous <= 2.1.5 Patched Versions: Not available at time of publication
Mitigation steps: A patch is not yet available. Disable or remove the affected theme until a fix is released.
Betheme – Arbitrary File Deletion
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Arbitrary File Deletion CVE: CVE-2026-6262 Number of Installations: Premium theme Affected Software: Betheme <= 28.4 Patched Versions: Betheme 28.4.1
Mitigation steps: Update to Betheme version 28.4.1 or greater.
The7 – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2026-6646 Number of Installations: Premium theme Affected Software: The7 <= 14.3.2 Patched Versions: The7 14.3.3
Mitigation steps: Update to The7 version 14.3.3 or greater.
avante – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: See vulnerability details for exploitation requirements. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2025-68524 Number of Installations: Premium theme Affected Software: avante < 3.0.5 Patched Versions: avante 3.0.5
Mitigation steps: Update to avante version 3.0.5 or greater.
Update your website software to mitigate risk. Users who are not able to update their software with the latest version are encouraged to use a web application firewall to help virtually patch known vulnerabilities and protect their website.