Vulnerability reports and responsible disclosures are essential for website security awareness and education. Automated attacks that target known software vulnerabilities are one of the leading causes of website compromise.
To help website owners understand the threats to their environments, we’ve compiled the important security updates and vulnerability patches for the WordPress ecosystem from the past month.
The vulnerabilities listed below are virtually patched by the Sucuri Firewall, so existing clients are protected. If you don’t have it installed yet, you can use our web application firewall to protect your site against known vulnerabilities. Virtual patching buys time; it does not replace updating the affected plugin. When reading the Exploitation Level of each entry, keep in mind that a Subscriber-level requirement is effectively no barrier on a site with open registration, and that entries marked “No Fix” have no safe version to update to, which is why the mitigation there is to disable or remove the plugin.
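To turn a roundup like this into an action list for one specific site, here is an added example; it is not Sucuri tooling and not part of the original post. It assumes the plugin inventory was exported with WP-CLI’s real `wp plugin list --format=json` command, and that the plugin slugs in its table match the plugin directories on the site (the slugs and the sample inventory are assumptions and constructed data; the affected and patched version numbers are taken from the entries below). It generalizes the per-entry “update to X or greater” and “no patch available” instructions into one version check, using a numeric component comparison similar to the PHP `version_compare()` that WordPress relies on.

```python
"""Compare a WordPress plugin inventory against an advisory list.

Added example, not Sucuri tooling. Input is the JSON produced by
`wp plugin list --format=json` (WP-CLI). Plugin slugs in ADVISORIES are
assumed to match the site's plugin directories; verify them against the
"name" column of that same command before trusting the result.
"""
import json
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Advisory:
    slug: str               # plugin directory name (assumed; verify on the site)
    title: str
    affected_max: str       # highest vulnerable version, or "latest" when unpatched
    patched: Optional[str]  # None when the vendor has shipped no fix
    auth: str               # exploitation level from the advisory


# Four entries taken from the roundup (versions from the list; slugs assumed).
ADVISORIES = [
    Advisory("wordpress-seo", "Yoast SEO", "27.1", "27.2", "Subscriber"),
    Advisory("wp-google-maps", "WP Go Maps", "10.0.05", "10.0.06", "Subscriber"),
    Advisory("wp-mail-logging", "WP Mail Logging", "1.15", "1.16", "Unauthenticated"),
    Advisory("w3-total-cache", "W3 Total Cache", "latest", None, "Unauthenticated"),
]


def parse_version(v: str) -> tuple:
    """Split '10.0.05' into (10, 0, 5). Numeric components only: a
    non-numeric component such as 'beta' counts as 0, a simplification
    of the PHP version_compare() that WordPress itself uses."""
    return tuple(int(p) if p.isdigit() else 0 for p in re.split(r"[.\-+]", v.strip()))


def version_le(a: str, b: str) -> bool:
    """True when version a <= version b. Missing trailing components are
    treated as 0, so '2.0' equals '2.0.0' (PHP would rank '2.0' lower)."""
    pa, pb = parse_version(a), parse_version(b)
    n = max(len(pa), len(pb))
    return pa + (0,) * (n - len(pa)) <= pb + (0,) * (n - len(pb))


def check_site(plugin_list_json: str, advisories: List[Advisory] = ADVISORIES) -> List[dict]:
    """Return one finding per installed plugin that is at or below the
    affected version, with the action the advisory calls for."""
    installed = {p["name"]: p for p in json.loads(plugin_list_json)}
    findings = []
    for adv in advisories:
        plugin = installed.get(adv.slug)
        if plugin is None:
            continue
        exposed = adv.affected_max == "latest" or version_le(plugin["version"], adv.affected_max)
        if not exposed:
            continue
        if adv.patched is None:
            action = f"no fix available: deactivate and remove (wp plugin deactivate {adv.slug})"
        else:
            action = f"update to {adv.patched} (wp plugin update {adv.slug})"
        # An inactive plugin is still code on disk that may be reachable by a
        # direct request, so it is reported rather than skipped.
        findings.append({
            "slug": adv.slug, "title": adv.title, "installed": plugin["version"],
            "status": plugin["status"], "auth": adv.auth, "action": action,
        })
    return findings


# Constructed sample inventory (not from a real site) in the shape WP-CLI emits.
SAMPLE_PLUGIN_LIST = json.dumps([
    {"name": "wordpress-seo", "status": "active", "update": "available", "version": "27.1"},
    {"name": "wp-google-maps", "status": "active", "update": "none", "version": "10.0.06"},
    {"name": "wp-mail-logging", "status": "active", "update": "none", "version": "1.16"},
    {"name": "w3-total-cache", "status": "inactive", "update": "none", "version": "2.8.0"},
])

if __name__ == "__main__":
    for f in check_site(SAMPLE_PLUGIN_LIST):
        print(f"{f['title']} {f['installed']} ({f['status']}, needs {f['auth']}): {f['action']}")
```

On the sample inventory this reports Yoast SEO 27.1 (update to 27.2) and W3 Total Cache (no fix, deactivate), and stays quiet about the two plugins already on a patched build. Replace `SAMPLE_PLUGIN_LIST` with the real `wp plugin list --format=json` output and extend `ADVISORIES` with the remaining entries from the list to cover the whole month.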
Plugins
Elementor Website Builder – more than just a page builder – Sensitive Data Exposure
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Sensitive Data Exposure CVE: CVE-2026-1206 Number of Installations: 10,000,000+ Affected Software: Elementor Website Builder – more than just a page builder <= 3.35.7 Patched Versions: Elementor Website Builder – more than just a page builder 3.35.8
Mitigation steps: Update to Elementor Website Builder – more than just a page builder version 3.35.8 or greater.
Yoast SEO – Advanced SEO with real-time guidance and built-in AI – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Subscriber or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2026-3427 Number of Installations: 10,000,000+ Affected Software: Yoast SEO – Advanced SEO with real-time guidance and built-in AI <= 27.1 Patched Versions: Yoast SEO – Advanced SEO with real-time guidance and built-in AI 27.2
Mitigation steps: Update to Yoast SEO – Advanced SEO with real-time guidance and built-in AI version 27.2 or greater.
WPForms – Easy Form Builder for WordPress – Contact Forms, Payment Forms, Surveys, & More – Sensitive Data Exposure
Security Risk: Medium Exploitation Level: No authentication required. Vulnerability: Sensitive Data Exposure CVE: CVE-2026-25339 Number of Installations: 6,000,000+ Affected Software: WPForms – Easy Form Builder for WordPress – Contact Forms, Payment Forms, Surveys, & More <= 1.9.9.1 Patched Versions: WPForms – Easy Form Builder for WordPress – Contact Forms, Payment Forms, Surveys, & More 1.9.9.2
Mitigation steps: Update to WPForms – Easy Form Builder for WordPress – Contact Forms, Payment Forms, Surveys, & More version 1.9.9.2 or greater.
Yoast Duplicate Post – Broken Access Control
Security Risk: Medium Exploitation Level: Requires Subscriber or higher level authentication. Vulnerability: Broken Access Control CVE: CVE-2026-1217 Number of Installations: 4,000,000+ Affected Software: Yoast Duplicate Post <= 4.5 Patched Versions: Yoast Duplicate Post 4.6
Mitigation steps: Update to Yoast Duplicate Post version 4.6 or greater.
Really Simple Security – Simple and Performant Security (formerly Really Simple SSL) – Broken Access Control
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Broken Access Control CVE: CVE-2026-32461 Number of Installations: 3,000,000+ Affected Software: Really Simple Security – Simple and Performant Security (formerly Really Simple SSL) <= 9.5.7 Patched Versions: Really Simple Security – Simple and Performant Security (formerly Really Simple SSL) 9.5.8
Mitigation steps: Update to Really Simple Security – Simple and Performant Security (formerly Really Simple SSL) version 9.5.8 or greater.
Complianz – GDPR/CCPA Cookie Consent – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2026-2389 Number of Installations: 1,000,000+ Affected Software: Complianz – GDPR/CCPA Cookie Consent <= 7.4.4 Patched Versions: Complianz – GDPR/CCPA Cookie Consent 7.4.5
Mitigation steps: Update to Complianz – GDPR/CCPA Cookie Consent version 7.4.5 or greater.
MC4WP: Mailchimp for WordPress – Broken Access Control
Security Risk: Medium Exploitation Level: No authentication required. Vulnerability: Broken Access Control CVE: CVE-2026-1781 Number of Installations: 1,000,000+ Affected Software: MC4WP: Mailchimp for WordPress <= 4.11.9 Patched Versions: MC4WP: Mailchimp for WordPress 4.12.0
Mitigation steps: Update to MC4WP: Mailchimp for WordPress version 4.12.0 or greater.
Autoptimize – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2026-2430 Number of Installations: 900,000+ Affected Software: Autoptimize <= 3.1.14 Patched Versions: Autoptimize 3.1.15
Mitigation steps: Update to Autoptimize version 3.1.15 or greater.
Autoptimize – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2026-2352 Number of Installations: 900,000+ Affected Software: Autoptimize <= 3.1.14 Patched Versions: Autoptimize 3.1.15
Mitigation steps: Update to Autoptimize version 3.1.15 or greater.
W3 Total Cache – Arbitrary Code Execution
Security Risk: Critical Exploitation Level: No authentication required. Vulnerability: Arbitrary Code Execution CVE: CVE-2026-27384 Number of Installations: 900,000+ Affected Software: W3 Total Cache <= latest Patched Versions: No Fix
Mitigation steps: No patch available. Consider disabling or removing the plugin until a fix is released.
Smart Slider 3 – Arbitrary File Download
Security Risk: Medium Exploitation Level: Requires Subscriber or higher level authentication. Vulnerability: Arbitrary File Download CVE: CVE-2026-3098 Number of Installations: 800,000+ Affected Software: Smart Slider 3 <= 3.5.1.33 Patched Versions: Smart Slider 3 3.5.1.34
Mitigation steps: Update to Smart Slider 3 version 3.5.1.34 or greater.
The Events Calendar – Arbitrary File Download
Security Risk: High Exploitation Level: Requires Author or higher level authentication. Vulnerability: Arbitrary File Download CVE: CVE-2026-3585 Number of Installations: 700,000+ Affected Software: The Events Calendar <= 6.15.17 Patched Versions: The Events Calendar 6.15.17.1
Mitigation steps: Update to The Events Calendar version 6.15.17.1 or greater.
Ninja Forms – The Contact Form Builder That Grows With You – Sensitive Data Exposure
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Sensitive Data Exposure CVE: CVE-2026-1307 Number of Installations: 600,000+ Affected Software: Ninja Forms – The Contact Form Builder That Grows With You <= 3.14.1 Patched Versions: Ninja Forms – The Contact Form Builder That Grows With You 3.14.2
Mitigation steps: Update to Ninja Forms – The Contact Form Builder That Grows With You version 3.14.2 or greater.
Royal Addons for Elementor – Addons and Templates Kit for Elementor – Broken Access Control
Security Risk: Medium Exploitation Level: No authentication required. Vulnerability: Broken Access Control CVE: CVE-2026-2373 Number of Installations: 600,000+ Affected Software: Royal Addons for Elementor – Addons and Templates Kit for Elementor <= 1.7.1049 Patched Versions: Royal Addons for Elementor – Addons and Templates Kit for Elementor 1.7.1050
Mitigation steps: Update to Royal Addons for Elementor – Addons and Templates Kit for Elementor version 1.7.1050 or greater.
Royal Addons for Elementor – Addons and Templates Kit for Elementor – Arbitrary File Upload
Security Risk: High Exploitation Level: Requires Author or higher level authentication. Vulnerability: Arbitrary File Upload CVE: CVE-2025-13067 Number of Installations: 600,000+ Affected Software: Royal Addons for Elementor – Addons and Templates Kit for Elementor <= 1.7.1049 Patched Versions: Royal Addons for Elementor – Addons and Templates Kit for Elementor 1.7.1050
Mitigation steps: Update to Royal Addons for Elementor – Addons and Templates Kit for Elementor version 1.7.1050 or greater.
Enable Media Replace – Broken Access Control
Security Risk: Medium Exploitation Level: Requires Author or higher level authentication. Vulnerability: Broken Access Control CVE: CVE-2026-2732 Number of Installations: 600,000+ Affected Software: Enable Media Replace <= 4.1.7 Patched Versions: Enable Media Replace 4.1.8
Mitigation steps: Update to Enable Media Replace version 4.1.8 or greater.
Royal Addons for Elementor – Addons and Templates Kit for Elementor – Other Vulnerability Type
Security Risk: High Exploitation Level: No authentication required. Vulnerability: Other Vulnerability Type CVE: CVE-2026-28135 Number of Installations: 600,000+ Affected Software: Royal Addons for Elementor – Addons and Templates Kit for Elementor <= latest Patched Versions: No Fix
Mitigation steps: No patch available. Consider disabling or removing the plugin until a fix is released.
SiteGuard WP Plugin – Bypass Vulnerability
Security Risk: Medium Exploitation Level: No authentication required. Vulnerability: Bypass Vulnerability CVE: CVE-2026-27411 Number of Installations: 600,000+ Affected Software: SiteGuard WP Plugin <= latest Patched Versions: No Fix
Mitigation steps: No patch available. Consider disabling or replacing the plugin.
Ally – Web Accessibility & Usability – SQL Injection
Security Risk: Critical Exploitation Level: No authentication required. Vulnerability: SQL Injection CVE: CVE-2026-2413 Number of Installations: 500,000+ Affected Software: Ally – Web Accessibility & Usability <= 4.0.9 Patched Versions: Ally – Web Accessibility & Usability 4.1.0
Mitigation steps: Update to Ally – Web Accessibility & Usability version 4.1.0 or greater.
Checkout Field Editor (Checkout Manager) for WooCommerce – Cross Site Scripting (XSS)
Security Risk: High Exploitation Level: No authentication required. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2026-3231 Number of Installations: 500,000+ Affected Software: Checkout Field Editor (Checkout Manager) for WooCommerce <= 2.1.7 Patched Versions: Checkout Field Editor (Checkout Manager) for WooCommerce 2.1.8
Mitigation steps: Update to Checkout Field Editor (Checkout Manager) for WooCommerce version 2.1.8 or greater.
PixelYourSite – Your smart PIXEL (TAG) & API Manager – Cross Site Scripting (XSS)
Security Risk: High Exploitation Level: No authentication required. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2026-1841 Number of Installations: 500,000+ Affected Software: PixelYourSite – Your smart PIXEL (TAG) & API Manager <= 11.2.0 Patched Versions: PixelYourSite – Your smart PIXEL (TAG) & API Manager 11.2.0.1
Mitigation steps: Update to PixelYourSite – Your smart PIXEL (TAG) & API Manager version 11.2.0.1 or greater.
Meta Box – Arbitrary File Deletion
Security Risk: High Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Arbitrary File Deletion CVE: CVE-2025-14675 Number of Installations: 500,000+ Affected Software: Meta Box <= 5.11.1 Patched Versions: Meta Box 5.11.2
Mitigation steps: Update to Meta Box version 5.11.2 or greater.
Page Builder by SiteOrigin – Local File Inclusion
Security Risk: High Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Local File Inclusion CVE: CVE-2026-2448 Number of Installations: 500,000+ Affected Software: Page Builder by SiteOrigin <= 2.33.9 Patched Versions: Page Builder by SiteOrigin 2.34.0
Mitigation steps: Update to Page Builder by SiteOrigin version 2.34.0 or greater.
SureForms – Contact Form, Payment Form & Other Custom Form Builder – Broken Access Control
Security Risk: High Exploitation Level: No authentication required. Vulnerability: Broken Access Control CVE: CVE-2026-4987 Number of Installations: 500,000+ Affected Software: SureForms – Contact Form, Payment Form & Other Custom Form Builder <= 2.5.9 Patched Versions: SureForms – Contact Form, Payment Form & Other Custom Form Builder 2.6.0
Mitigation steps: Update to SureForms – Contact Form, Payment Form & Other Custom Form Builder version 2.6.0 or greater.
Floating Chat Widget: Contact Chat Icons, Telegram Chat, Line Messenger, WeChat, Email, SMS, Call Button – Chaty – Sensitive Data Exposure
Security Risk: High Exploitation Level: No authentication required. Vulnerability: Sensitive Data Exposure CVE: CVE-2026-27370 Number of Installations: 400,000+ Affected Software: Floating Chat Widget: Contact Chat Icons, Telegram Chat, Line Messenger, WeChat, Email, SMS, Call Button – Chaty <= 3.5.1 Patched Versions: Floating Chat Widget: Contact Chat Icons, Telegram Chat, Line Messenger, WeChat, Email, SMS, Call Button – Chaty 3.5.2
Mitigation steps: Update to Chaty version 3.5.2 or greater.
Happy Addons for Elementor – Insecure Direct Object References (IDOR)
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Insecure Direct Object References (IDOR) CVE: CVE-2026-2917 Number of Installations: 400,000+ Affected Software: Happy Addons for Elementor <= 3.21.0 Patched Versions: Happy Addons for Elementor 3.21.1
Mitigation steps: Update to Happy Addons for Elementor version 3.21.1 or greater.
Happy Addons for Elementor – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2026-2918 Number of Installations: 400,000+ Affected Software: Happy Addons for Elementor <= 3.21.0 Patched Versions: Happy Addons for Elementor 3.21.1
Mitigation steps: Update to Happy Addons for Elementor version 3.21.1 or greater.
Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery – Local File Inclusion
Security Risk: High Exploitation Level: Requires Author or higher level authentication. Vulnerability: Local File Inclusion CVE: CVE-2026-1463 Number of Installations: 400,000+ Affected Software: Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery <= 4.0.4 Patched Versions: Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery 4.0.5
Mitigation steps: Update to NextGEN Gallery version 4.0.5 or greater.
Post SMTP – Complete Email Deliverability and SMTP Solution with Email Logs, Alerts, Backup SMTP & Mobile App – Cross Site Scripting (XSS)
Security Risk: High Exploitation Level: No authentication required. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2026-3090 Number of Installations: 400,000+ Affected Software: Post SMTP – Complete Email Deliverability and SMTP Solution with Email Logs, Alerts, Backup SMTP & Mobile App <= 3.8.9 Patched Versions: Post SMTP – Complete Email Deliverability and SMTP Solution with Email Logs, Alerts, Backup SMTP & Mobile App 3.9.0
Mitigation steps: Update to Post SMTP – Complete Email Deliverability and SMTP Solution with Email Logs, Alerts, Backup SMTP & Mobile App version 3.9.0 or greater.
Post SMTP – Complete Email Deliverability and SMTP Solution with Email Logs, Alerts, Backup SMTP & Mobile App – Broken Access Control
Security Risk: Medium Exploitation Level: Requires Subscriber or higher level authentication. Vulnerability: Broken Access Control CVE: CVE-2026-2559 Number of Installations: 400,000+ Affected Software: Post SMTP – Complete Email Deliverability and SMTP Solution with Email Logs, Alerts, Backup SMTP & Mobile App <= 3.8.9 Patched Versions: Post SMTP – Complete Email Deliverability and SMTP Solution with Email Logs, Alerts, Backup SMTP & Mobile App 3.9.0
Mitigation steps: Update to Post SMTP – Complete Email Deliverability and SMTP Solution with Email Logs, Alerts, Backup SMTP & Mobile App version 3.9.0 or greater.
Page Builder: Pagelayer – Drag and Drop website builder – Content Injection
Security Risk: Medium Exploitation Level: No authentication required. Vulnerability: Content Injection CVE: CVE-2026-2442 Number of Installations: 400,000+ Affected Software: Page Builder: Pagelayer – Drag and Drop website builder <= 2.0.7 Patched Versions: Page Builder: Pagelayer – Drag and Drop website builder 2.0.8
Mitigation steps: Update to Page Builder: Pagelayer – Drag and Drop website builder version 2.0.8 or greater.
ShortPixel Image Optimizer – Optimize Images, Convert WebP & AVIF – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Author or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2026-4335 Number of Installations: 300,000+ Affected Software: ShortPixel Image Optimizer – Optimize Images, Convert WebP & AVIF <= 6.4.3 Patched Versions: ShortPixel Image Optimizer – Optimize Images, Convert WebP & AVIF 6.4.4
Mitigation steps: Update to ShortPixel Image Optimizer – Optimize Images, Convert WebP & AVIF version 6.4.4 or greater.
WP Go Maps (formerly WP Google Maps) – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Subscriber or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2026-4268 Number of Installations: 300,000+ Affected Software: WP Go Maps (formerly WP Google Maps) <= 10.0.05 Patched Versions: WP Go Maps (formerly WP Google Maps) 10.0.06
Mitigation steps: Update to WP Go Maps (formerly WP Google Maps) version 10.0.06 or greater.
WP Mail Logging – PHP Object Injection
Security Risk: Critical Exploitation Level: No authentication required. Vulnerability: PHP Object Injection CVE: CVE-2026-2471 Number of Installations: 300,000+ Affected Software: WP Mail Logging <= 1.15 Patched Versions: WP Mail Logging 1.16
Mitigation steps: Update to WP Mail Logging version 1.16 or greater.
Formidable Forms – Contact Form Plugin, Survey, Quiz, Payment, Calculator Form & Custom Form Builder – Broken Authentication
Security Risk: Medium Exploitation Level: No authentication required. Vulnerability: Broken Authentication CVE: CVE-2026-2888 Number of Installations: 300,000+ Affected Software: Formidable Forms – Contact Form Plugin, Survey, Quiz, Payment, Calculator Form & Custom Form Builder <= 6.28 Patched Versions: Formidable Forms – Contact Form Plugin, Survey, Quiz, Payment, Calculator Form & Custom Form Builder 6.29
Mitigation steps: Update to Formidable Forms – Contact Form Plugin, Survey, Quiz, Payment, Calculator Form & Custom Form Builder version 6.29 or greater.
Formidable Forms – Contact Form Plugin, Survey, Quiz, Payment, Calculator Form & Custom Form Builder – Broken Access Control
Security Risk: High Exploitation Level: No authentication required. Vulnerability: Broken Access Control CVE: CVE-2026-2890 Number of Installations: 300,000+ Affected Software: Formidable Forms – Contact Form Plugin, Survey, Quiz, Payment, Calculator Form & Custom Form Builder <= 6.28 Patched Versions: Formidable Forms – Contact Form Plugin, Survey, Quiz, Payment, Calculator Form & Custom Form Builder 6.29
Mitigation steps: Update to Formidable Forms – Contact Form Plugin, Survey, Quiz, Payment, Calculator Form & Custom Form Builder version 6.29 or greater.
ExactMetrics – Google Analytics Dashboard for WordPress (Website Stats Plugin) – Privilege Escalation
Security Risk: Critical Exploitation Level: Requires a plugin-defined custom role. Vulnerability: Privilege Escalation CVE: CVE-2026-1993 Number of Installations: 300,000+ Affected Software: ExactMetrics – Google Analytics Dashboard for WordPress (Website Stats Plugin) <= 9.0.2 Patched Versions: ExactMetrics – Google Analytics Dashboard for WordPress (Website Stats Plugin) 9.0.3
Mitigation steps: Update to ExactMetrics – Google Analytics Dashboard for WordPress (Website Stats Plugin) version 9.0.3 or greater.
ExactMetrics – Google Analytics Dashboard for WordPress (Website Stats Plugin) – Insecure Direct Object References (IDOR)
Security Risk: High Exploitation Level: Requires a plugin-defined custom role. Vulnerability: Insecure Direct Object References (IDOR) CVE: CVE-2026-1992 Number of Installations: 300,000+ Affected Software: ExactMetrics – Google Analytics Dashboard for WordPress (Website Stats Plugin) <= 9.0.2 Patched Versions: ExactMetrics – Google Analytics Dashboard for WordPress (Website Stats Plugin) 9.0.3
Mitigation steps: Update to ExactMetrics – Google Analytics Dashboard for WordPress (Website Stats Plugin) version 9.0.3 or greater.
Unlimited Elements For Elementor – Cross Site Scripting (XSS)
Security Risk: High Exploitation Level: No authentication required. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2026-2724 Number of Installations: 300,000+ Affected Software: Unlimited Elements For Elementor <= 2.0.5 Patched Versions: Unlimited Elements For Elementor 2.0.6
Mitigation steps: Update to Unlimited Elements For Elementor version 2.0.6 or greater.
Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin – Privilege Escalation
Security Risk: High Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Privilege Escalation CVE: CVE-2026-4248 Number of Installations: 200,000+ Affected Software: Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin <= 2.11.2 Patched Versions: Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin 2.11.3
Mitigation steps: Update to Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin version 2.11.3 or greater.
Dear Flipbook – PDF Flipbook, 3D Flipbook, PDF embed, PDF viewer – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Author or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2026-2569 Number of Installations: 100,000+ Affected Software: Dear Flipbook – PDF Flipbook, 3D Flipbook, PDF embed, PDF viewer <= 2.4.26 Patched Versions: Dear Flipbook – PDF Flipbook, 3D Flipbook, PDF embed, PDF viewer 2.4.27
Mitigation steps: Update to Dear Flipbook – PDF Flipbook, 3D Flipbook, PDF embed, PDF viewer version 2.4.27 or greater.
Envira Gallery – Image Photo Gallery, Albums, Video Gallery, Slideshows & More – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Author or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2026-1236 Number of Installations: 100,000+ Affected Software: Envira Gallery – Image Photo Gallery, Albums, Video Gallery, Slideshows & More <= 1.12.3 Patched Versions: Envira Gallery – Image Photo Gallery, Albums, Video Gallery, Slideshows & More 1.12.4
Mitigation steps: Update to Envira Gallery – Image Photo Gallery, Albums, Video Gallery, Slideshows & More version 1.12.4 or greater.
Widget Options – Advanced Conditional Visibility for Gutenberg Blocks & Classic Widgets – Remote Code Execution (RCE)
Security Risk: Critical Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Remote Code Execution (RCE) CVE: CVE-2026-27984 Number of Installations: 100,000+ Affected Software: Widget Options – Advanced Conditional Visibility for Gutenberg Blocks & Classic Widgets <= latest Patched Versions: No Fix
Mitigation steps: No patch available. Consider disabling or removing the plugin until a fix is released.
AI Engine – The Chatbot, AI Framework & MCP for WordPress – Arbitrary File Upload
Security Risk: Critical Exploitation Level: Requires Editor or higher level authentication. Vulnerability: Arbitrary File Upload CVE: CVE-2026-23802 Number of Installations: 100,000+ Affected Software: AI Engine – The Chatbot, AI Framework & MCP for WordPress <= 3.3.2 Patched Versions: AI Engine – The Chatbot, AI Framework & MCP for WordPress 3.3.3
Mitigation steps: Update to AI Engine – The Chatbot, AI Framework & MCP for WordPress version 3.3.3 or greater.
Download Manager – Broken Access Control
Security Risk: Medium Exploitation Level: Requires Subscriber or higher level authentication. Vulnerability: Broken Access Control CVE: CVE-2026-2571 Number of Installations: 100,000+ Affected Software: Download Manager <= 3.3.49 Patched Versions: Download Manager 3.3.50
Mitigation steps: Update to Download Manager version 3.3.50 or greater.
LatePoint – Calendar Booking Plugin for Appointments and Events – Insecure Direct Object References (IDOR)
Security Risk: Medium Exploitation Level: Requires Subscriber or higher level authentication. Vulnerability: Insecure Direct Object References (IDOR) CVE: CVE-2026-32533 Number of Installations: 100,000+ Affected Software: LatePoint – Calendar Booking Plugin for Appointments and Events <= 5.2.6 Patched Versions: LatePoint – Calendar Booking Plugin for Appointments and Events 5.2.7
Mitigation steps: Update to LatePoint – Calendar Booking Plugin for Appointments and Events version 5.2.7 or greater.
LatePoint – Calendar Booking Plugin for Appointments and Events – Cross Site Scripting (XSS)
Security Risk: High Exploitation Level: No authentication required. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2026-2324 Number of Installations: 100,000+ Affected Software: LatePoint – Calendar Booking Plugin for Appointments and Events <= 5.2.7 Patched Versions: LatePoint – Calendar Booking Plugin for Appointments and Events 5.2.8
Mitigation steps: Update to LatePoint – Calendar Booking Plugin for Appointments and Events version 5.2.8 or greater.
LatePoint – Calendar Booking Plugin for Appointments and Events – SQL Injection
Security Risk: High Exploitation Level: Requires Administrator or higher level authentication. Vulnerability: SQL Injection CVE: CVE-2026-1487 Number of Installations: 100,000+ Affected Software: LatePoint – Calendar Booking Plugin for Appointments and Events <= 5.2.7 Patched Versions: LatePoint – Calendar Booking Plugin for Appointments and Events 5.2.8
Mitigation steps: Update to LatePoint – Calendar Booking Plugin for Appointments and Events version 5.2.8 or greater.
LatePoint – Calendar Booking Plugin for Appointments and Events – Privilege Escalation
Security Risk: High Exploitation Level: Requires Agent or higher level authentication. Vulnerability: Privilege Escalation CVE: CVE-2026-1566 Number of Installations: 100,000+ Affected Software: LatePoint – Calendar Booking Plugin for Appointments and Events <= 5.2.7 Patched Versions: LatePoint – Calendar Booking Plugin for Appointments and Events 5.2.8
Mitigation steps: Update to LatePoint – Calendar Booking Plugin for Appointments and Events version 5.2.8 or greater.
My Sticky Bar – Floating Notification Bar & Sticky Header (formerly myStickymenu) – SQL Injection
Security Risk: Critical Exploitation Level: No authentication required. Vulnerability: SQL Injection CVE: CVE-2026-3657 Number of Installations: 100,000+ Affected Software: My Sticky Bar – Floating Notification Bar & Sticky Header (formerly myStickymenu) <= 2.8.6 Patched Versions: My Sticky Bar – Floating Notification Bar & Sticky Header (formerly myStickymenu) 2.8.7
Mitigation steps: Update to My Sticky Bar – Floating Notification Bar & Sticky Header (formerly myStickymenu) version 2.8.7 or greater.
Social Icons Widget & Block – Social Media Icons & Share Buttons – Broken Access Control
Security Risk: Medium Exploitation Level: Requires Subscriber or higher level authentication. Vulnerability: Broken Access Control CVE: CVE-2026-4063 Number of Installations: 100,000+ Affected Software: Social Icons Widget & Block – Social Media Icons & Share Buttons <= 4.5.8 Patched Versions: Social Icons Widget & Block – Social Media Icons & Share Buttons 4.5.9
Mitigation steps: Update to Social Icons Widget & Block – Social Media Icons & Share Buttons version 4.5.9 or greater.
Tutor LMS – eLearning and online course solution – Insecure Direct Object References (IDOR)
Security Risk: Medium Exploitation Level: Requires Subscriber or higher level authentication. Vulnerability: Insecure Direct Object References (IDOR) CVE: CVE-2025-32223 Number of Installations: 100,000+ Affected Software: Tutor LMS – eLearning and online course solution <= 3.9.4 Patched Versions: Tutor LMS – eLearning and online course solution 3.9.5
Mitigation steps: Update to Tutor LMS – eLearning and online course solution version 3.9.5 or greater.
Tutor LMS – eLearning and online course solution – Broken Access Control
Security Risk: Medium Exploitation Level: Requires Subscriber or higher level authentication. Vulnerability: Broken Access Control CVE: CVE-2026-23799 Number of Installations: 100,000+ Affected Software: Tutor LMS – eLearning and online course solution <= 3.9.5 Patched Versions: Tutor LMS – eLearning and online course solution 3.9.6
Mitigation steps: Update to Tutor LMS – eLearning and online course solution version 3.9.6 or greater.
Tutor LMS – eLearning and online course solution – SQL Injection
Security Risk: Critical Exploitation Level: No authentication required. Vulnerability: SQL Injection CVE: CVE-2025-13673 Number of Installations: 100,000+ Affected Software: Tutor LMS – eLearning and online course solution <= 3.9.6 Patched Versions: Tutor LMS – eLearning and online course solution 3.9.7
Mitigation steps: Update to Tutor LMS – eLearning and online course solution version 3.9.7 or greater.
Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress – Insecure Direct Object References (IDOR)
Security Risk: High Exploitation Level: Requires Subscriber or higher level authentication. Vulnerability: Insecure Direct Object References (IDOR) CVE: CVE-2026-3453 Number of Installations: 100,000+ Affected Software: Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress <= 4.16.11 Patched Versions: Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress 4.16.12
Mitigation steps: Update to Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress version 4.16.12 or greater.
WP All Import – Drag & Drop Import for CSV, XML, Excel & Google Sheets – Cross Site Scripting (XSS)
Security Risk: High Exploitation Level: No authentication required. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2026-2830 Number of Installations: 100,000+ Affected Software: WP All Import – Drag & Drop Import for CSV, XML, Excel & Google Sheets <= 4.0.0 Patched Versions: WP All Import – Drag & Drop Import for CSV, XML, Excel & Google Sheets 4.0.1
Mitigation steps: Update to WP All Import – Drag & Drop Import for CSV, XML, Excel & Google Sheets version 4.0.1 or greater.
Download Monitor – Insecure Direct Object References (IDOR)
Security Risk: Medium Exploitation Level: No authentication required. Vulnerability: Insecure Direct Object References (IDOR) CVE: CVE-2026-3124 Number of Installations: 90,000+ Affected Software: Download Monitor <= 5.1.7 Patched Versions: Download Monitor 5.1.8
Mitigation steps: Update to Download Monitor version 5.1.8 or greater.
JetFormBuilder — Dynamic Blocks Form Builder – Arbitrary File Download
Security Risk: High Exploitation Level: No authentication required. Vulnerability: Arbitrary File Download CVE: CVE-2026-4373 Number of Installations: 90,000+ Affected Software: JetFormBuilder — Dynamic Blocks Form Builder <= 3.5.6.2 Patched Versions: JetFormBuilder — Dynamic Blocks Form Builder 3.5.6.3
Mitigation steps: Update to JetFormBuilder — Dynamic Blocks Form Builder version 3.5.6.3 or greater.
JetFormBuilder — Dynamic Blocks Form Builder – Remote Code Execution (RCE)
Security Risk: Critical Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Remote Code Execution (RCE) CVE: CVE-2026-32525 Number of Installations: 90,000+ Affected Software: JetFormBuilder — Dynamic Blocks Form Builder <= 3.5.6.1 Patched Versions: JetFormBuilder — Dynamic Blocks Form Builder 3.5.6.2
Mitigation steps: Update to JetFormBuilder — Dynamic Blocks Form Builder version 3.5.6.2 or greater.
Booking for Appointments and Events Calendar – Amelia – Privilege Escalation
Security Risk: High Exploitation Level: Requires a plugin-defined custom role. Vulnerability: Privilege Escalation CVE: CVE-2026-24963 Number of Installations: 90,000+ Affected Software: Booking for Appointments and Events Calendar – Amelia <= 1.9.9 Patched Versions: Booking for Appointments and Events Calendar – Amelia 2.0
Mitigation steps: Update to Booking for Appointments and Events Calendar – Amelia version 2.0 or greater.
Booking for Appointments and Events Calendar – Amelia – Broken Authentication
Security Risk: High Exploitation Level: Requires Customer or higher level authentication. Vulnerability: Broken Authentication CVE: CVE-2026-2931 Number of Installations: 90,000+ Affected Software: Booking for Appointments and Events Calendar – Amelia <= 9.1 Patched Versions: Booking for Appointments and Events Calendar – Amelia 9.2
Mitigation steps: Update to Booking for Appointments and Events Calendar – Amelia version 9.2 or greater.
Import and export users and customers – Privilege Escalation
Security Risk: High Exploitation Level: No authentication required. Vulnerability: Privilege Escalation CVE: CVE-2026-3629 Number of Installations: 80,000+ Affected Software: Import and export users and customers <= 1.9.9 Patched Versions: Import and export users and customers 2.0
Mitigation steps: Update to Import and export users and customers version 2.0 or greater.
Jupiter X Core – Broken Access Control
Security Risk: High Exploitation Level: Requires Subscriber or higher level authentication. Vulnerability: Broken Access Control CVE: CVE-2026-3533 Number of Installations: 80,000+ Affected Software: Jupiter X Core <= 4.14.1 Patched Versions: Jupiter X Core 4.14.2
Mitigation steps: Update to Jupiter X Core version 4.14.2 or greater.
SlimStat Analytics – Cross Site Scripting (XSS)
Security Risk: High Exploitation Level: No authentication required. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2026-1238 Number of Installations: 80,000+ Affected Software: SlimStat Analytics <= 5.3.9 Patched Versions: SlimStat Analytics 5.4.0
Mitigation steps: Update to SlimStat Analytics version 5.4.0 or greater.
LearnPress – WordPress LMS Plugin for Create and Sell Online Courses – Broken Access Control
Security Risk: Medium Exploitation Level: Requires Subscriber or higher level authentication. Vulnerability: Broken Access Control CVE: CVE-2026-3225 Number of Installations: 80,000+ Affected Software: LearnPress – WordPress LMS Plugin for Create and Sell Online Courses <= 4.3.2 Patched Versions: LearnPress – WordPress LMS Plugin for Create and Sell Online Courses 4.3.3
Mitigation steps: Update to LearnPress – WordPress LMS Plugin for Create and Sell Online Courses version 4.3.3 or greater.
LearnPress – WordPress LMS Plugin for Create and Sell Online Courses – Broken Access Control
Security Risk: Medium Exploitation Level: Requires Subscriber or higher level authentication. Vulnerability: Broken Access Control CVE: CVE-2026-3226 Number of Installations: 80,000+ Affected Software: LearnPress – WordPress LMS Plugin for Create and Sell Online Courses <= 4.3.2 Patched Versions: LearnPress – WordPress LMS Plugin for Create and Sell Online Courses 4.3.3
Mitigation steps: Update to LearnPress – WordPress LMS Plugin for Create and Sell Online Courses version 4.3.3 or greater.
Online Scheduling and Appointment Booking System – Bookly – Cross Site Scripting (XSS)
Security Risk: High Exploitation Level: No authentication required. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2026-32540 Number of Installations: 70,000+ Affected Software: Online Scheduling and Appointment Booking System – Bookly <= 26.7 Patched Versions: Online Scheduling and Appointment Booking System – Bookly 26.8
Mitigation steps: Update to Online Scheduling and Appointment Booking System – Bookly version 26.8 or greater.
EmailKit – Email Customizer for WooCommerce & WP – Path Traversal
Security Risk: Medium Exploitation Level: Requires Administrator or higher level authentication. Vulnerability: Path Traversal CVE: CVE-2026-3474 Number of Installations: 70,000+ Affected Software: EmailKit – Email Customizer for WooCommerce & WP <= 1.6.3 Patched Versions: EmailKit – Email Customizer for WooCommerce & WP 1.6.4
Mitigation steps: Update to EmailKit – Email Customizer for WooCommerce & WP version 1.6.4 or greater.
SMTP Mailer – Sensitive Data Exposure
Security Risk: High Exploitation Level: No authentication required. Vulnerability: Sensitive Data Exposure CVE: CVE-2026-32538 Number of Installations: 70,000+ Affected Software: SMTP Mailer <= 1.1.24 Patched Versions: SMTP Mailer 1.1.25
Mitigation steps: Update to SMTP Mailer version 1.1.25 or greater.
GetGenie – AI Content Writer with Keyword Research & SEO Tracking Tools – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Author or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2026-2257 Number of Installations: 70,000+ Affected Software: GetGenie – AI Content Writer with Keyword Research & SEO Tracking Tools <= 4.3.2 Patched Versions: GetGenie – AI Content Writer with Keyword Research & SEO Tracking Tools 4.3.3
Mitigation steps: Update to GetGenie – AI Content Writer with Keyword Research & SEO Tracking Tools version 4.3.3 or greater.
GetGenie – AI Content Writer with Keyword Research & SEO Tracking Tools – Insecure Direct Object References (IDOR)
Security Risk: Medium Exploitation Level: Requires Author or higher level authentication. Vulnerability: Insecure Direct Object References (IDOR) CVE: CVE-2026-2879 Number of Installations: 70,000+ Affected Software: GetGenie – AI Content Writer with Keyword Research & SEO Tracking Tools <= 4.3.2 Patched Versions: GetGenie – AI Content Writer with Keyword Research & SEO Tracking Tools 4.3.3
Mitigation steps: Update to GetGenie – AI Content Writer with Keyword Research & SEO Tracking Tools version 4.3.3 or greater.
Database for Contact Form 7, WPforms, Elementor forms – PHP Object Injection
Security Risk: Critical Exploitation Level: No authentication required. Vulnerability: PHP Object Injection CVE: CVE-2026-2599 Number of Installations: 70,000+ Affected Software: Database for Contact Form 7, WPforms, Elementor forms <= 1.4.7 Patched Versions: Database for Contact Form 7, WPforms, Elementor forms 1.4.8
Mitigation steps: Update to Database for Contact Form 7, WPforms, Elementor forms version 1.4.8 or greater.
Greenshift – animation and page builder blocks – Broken Access Control
Security Risk: Medium Exploitation Level: No authentication required. Vulnerability: Broken Access Control CVE: CVE-2026-2371 Number of Installations: 70,000+ Affected Software: Greenshift – animation and page builder blocks <= 12.8.3 Patched Versions: Greenshift – animation and page builder blocks 12.8.4
Mitigation steps: Update to Greenshift – animation and page builder blocks version 12.8.4 or greater.
Greenshift – animation and page builder blocks – Broken Access Control
Security Risk: Medium Exploitation Level: No authentication required. Vulnerability: Broken Access Control CVE: CVE-2026-2589 Number of Installations: 70,000+ Affected Software: Greenshift – animation and page builder blocks <= 12.8.3 Patched Versions: Greenshift – animation and page builder blocks 12.8.4
Mitigation steps: Update to Greenshift – animation and page builder blocks version 12.8.4 or greater.
Greenshift – animation and page builder blocks – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2026-2593 Number of Installations: 70,000+ Affected Software: Greenshift – animation and page builder blocks <= 12.8.5 Patched Versions: Greenshift – animation and page builder blocks 12.8.6
Mitigation steps: Update to Greenshift – animation and page builder blocks version 12.8.6 or greater.
Media Library Assistant – Broken Access Control
Security Risk: Medium Exploitation Level: Requires Subscriber or higher level authentication. Vulnerability: Broken Access Control CVE: CVE-2026-3072 Number of Installations: 70,000+ Affected Software: Media Library Assistant <= 3.33 Patched Versions: Media Library Assistant 3.34
Mitigation steps: Update to Media Library Assistant version 3.34 or greater.
wpDataTables – WordPress Data Table, Dynamic Tables & Table Charts Plugin – Local File Inclusion
Security Risk: High Exploitation Level: No authentication required. Vulnerability: Local File Inclusion CVE: CVE-2026-28039 Number of Installations: 70,000+ Affected Software: wpDataTables – WordPress Data Table, Dynamic Tables & Table Charts Plugin <= 6.5.0.1 Patched Versions: wpDataTables – WordPress Data Table, Dynamic Tables & Table Charts Plugin 6.5.0.2
Mitigation steps: Update to wpDataTables – WordPress Data Table, Dynamic Tables & Table Charts Plugin version 6.5.0.2 or greater.
WP ULike – Like & Dislike Buttons for Engagement and Feedback – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2026-2358 Number of Installations: 70,000+ Affected Software: WP ULike – Like & Dislike Buttons for Engagement and Feedback <= latest Patched Versions: No Fix
Mitigation steps: No patch available. Consider disabling or removing the plugin until a fix is released.
Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin – Broken Access Control
Security Risk: High Exploitation Level: No authentication required. Vulnerability: Broken Access Control CVE: CVE-2026-3045 Number of Installations: 60,000+ Affected Software: Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin <= 1.6.9.9 Patched Versions: Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin 1.6.10.0
Mitigation steps: Update to Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin version 1.6.10.0 or greater.
Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin – Sensitive Data Exposure
Security Risk: Medium Exploitation Level: Requires Staff or higher level authentication. Vulnerability: Sensitive Data Exposure CVE: CVE-2026-1704 Number of Installations: 60,000+ Affected Software: Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin <= 1.6.9.9 Patched Versions: Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin 1.6.10.0
Mitigation steps: Update to Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin version 1.6.10.0 or greater.
Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin – SQL Injection
Security Risk: Critical Exploitation Level: No authentication required. Vulnerability: SQL Injection CVE: CVE-2026-1708 Number of Installations: 60,000+ Affected Software: Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin <= 1.6.9.28 Patched Versions: Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin 1.6.9.29
Mitigation steps: Update to Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin version 1.6.9.29 or greater.
Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin – SQL Injection
Security Risk: Critical Exploitation Level: No authentication required. Vulnerability: SQL Injection CVE: CVE-2026-3658 Number of Installations: 60,000+ Affected Software: Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin <= 1.6.10.1 Patched Versions: Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin 1.6.10.2
Mitigation steps: Update to Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin version 1.6.10.2 or greater.
Contextual Related Posts – Broken Access Control
Security Risk: Medium Exploitation Level: No authentication required. Vulnerability: Broken Access Control CVE: CVE-2026-32565 Number of Installations: 60,000+ Affected Software: Contextual Related Posts <= 4.2.1 Patched Versions: Contextual Related Posts 4.2.2
Mitigation steps: Update to Contextual Related Posts version 4.2.2 or greater.
Drag and Drop Multiple File Upload for Contact Form 7 – Arbitrary File Upload
Security Risk: Critical Exploitation Level: No authentication required. Vulnerability: Arbitrary File Upload CVE: CVE-2026-3459 Number of Installations: 60,000+ Affected Software: Drag and Drop Multiple File Upload for Contact Form 7 <= 1.3.9.5 Patched Versions: Drag and Drop Multiple File Upload for Contact Form 7 1.3.9.6
Mitigation steps: Update to Drag and Drop Multiple File Upload for Contact Form 7 version 1.3.9.6 or greater.
Email Subscribers & Newsletters – Email Marketing, Post Notifications & Newsletter Plugin for WordPress – SQL Injection
Security Risk: High Exploitation Level: Requires Administrator or higher level authentication. Vulnerability: SQL Injection CVE: CVE-2026-1651 Number of Installations: 60,000+ Affected Software: Email Subscribers & Newsletters – Email Marketing, Post Notifications & Newsletter Plugin for WordPress <= 5.9.16 Patched Versions: Email Subscribers & Newsletters – Email Marketing, Post Notifications & Newsletter Plugin for WordPress 5.9.17
Mitigation steps: Update to Email Subscribers & Newsletters – Email Marketing, Post Notifications & Newsletter Plugin for WordPress version 5.9.17 or greater.
Fast Page & Post Duplicator – SQL Injection
Security Risk: High Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: SQL Injection CVE: CVE-2026-2893 Number of Installations: 60,000+ Affected Software: Fast Page & Post Duplicator <= 6.3 Patched Versions: Fast Page & Post Duplicator 6.4
Mitigation steps: Update to Fast Page & Post Duplicator version 6.4 or greater.
Seraphinite Accelerator – Sensitive Data Exposure
Security Risk: Medium Exploitation Level: Requires Subscriber or higher level authentication. Vulnerability: Sensitive Data Exposure CVE: CVE-2026-3058 Number of Installations: 60,000+ Affected Software: Seraphinite Accelerator <= 2.28.14 Patched Versions: Seraphinite Accelerator 2.28.15
Mitigation steps: Update to Seraphinite Accelerator version 2.28.15 or greater.
Seraphinite Accelerator – Broken Access Control
Security Risk: Medium Exploitation Level: Requires Subscriber or higher level authentication. Vulnerability: Broken Access Control CVE: CVE-2026-3056 Number of Installations: 60,000+ Affected Software: Seraphinite Accelerator <= 2.28.14 Patched Versions: Seraphinite Accelerator 2.28.15
Mitigation steps: Update to Seraphinite Accelerator version 2.28.15 or greater.
Product Filter for WooCommerce by WBW – Broken Access Control
Security Risk: Medium Exploitation Level: No authentication required. Vulnerability: Broken Access Control CVE: CVE-2026-3138 Number of Installations: 60,000+ Affected Software: Product Filter for WooCommerce by WBW <= 3.1.2 Patched Versions: Product Filter for WooCommerce by WBW 3.1.3
Mitigation steps: Update to Product Filter for WooCommerce by WBW version 3.1.3 or greater.
User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder – Privilege Escalation
Security Risk: Critical Exploitation Level: No authentication required. Vulnerability: Privilege Escalation CVE: CVE-2026-1492 Number of Installations: 60,000+ Affected Software: User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder <= 5.1.2 Patched Versions: User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder 5.1.3
Mitigation steps: Update to User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder version 5.1.3 or greater.
User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder – Privilege Escalation
Security Risk: High Exploitation Level: No authentication required. Vulnerability: Privilege Escalation CVE: CVE-2026-32488 Number of Installations: 60,000+ Affected Software: User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder <= 5.1.2 Patched Versions: User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder 5.1.3
Mitigation steps: Update to User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder version 5.1.3 or greater.
User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder – Broken Access Control
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Broken Access Control CVE: CVE-2026-4056 Number of Installations: 60,000+ Affected Software: User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder <= 5.1.4 Patched Versions: User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder 5.1.5
Mitigation steps: Update to User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder version 5.1.5 or greater.
Ultra Addons for Contact Form 7 – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2026-32460 Number of Installations: 60,000+ Affected Software: Ultra Addons for Contact Form 7 <= 3.5.36 Patched Versions: Ultra Addons for Contact Form 7 3.5.37
Mitigation steps: Update to Ultra Addons for Contact Form 7 version 3.5.37 or greater.
Visual Portfolio, Photo Gallery & Post Grid – Local File Inclusion
Security Risk: High Exploitation Level: Requires Subscriber or higher level authentication. Vulnerability: Local File Inclusion CVE: CVE-2026-32537 Number of Installations: 60,000+ Affected Software: Visual Portfolio, Photo Gallery & Post Grid <= 3.5.1 Patched Versions: Visual Portfolio, Photo Gallery & Post Grid 3.5.2
Mitigation steps: Update to Visual Portfolio, Photo Gallery & Post Grid version 3.5.2 or greater.
Woody Code Snippets – Insert PHP, CSS, JS, and Header/Footer Scripts – Remote Code Execution (RCE)
Security Risk: Critical Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Remote Code Execution (RCE) CVE: CVE-2026-25366 Number of Installations: 60,000+ Affected Software: Woody Code Snippets – Insert PHP, CSS, JS, and Header/Footer Scripts <= 2.7.1 Patched Versions: Woody Code Snippets – Insert PHP, CSS, JS, and Header/Footer Scripts 2.7.2
Mitigation steps: Update to Woody Code Snippets – Insert PHP, CSS, JS, and Header/Footer Scripts version 2.7.2 or greater.
WP Maps – Store Locator,Google Maps,OpenStreetMap,Mapbox,Listing,Directory & Filters – SQL Injection
Security Risk: Critical Exploitation Level: No authentication required. Vulnerability: SQL Injection CVE: CVE-2026-3222 Number of Installations: 60,000+ Affected Software: WP Maps – Store Locator,Google Maps,OpenStreetMap,Mapbox,Listing,Directory & Filters <= 4.9.1 Patched Versions: WP Maps – Store Locator,Google Maps,OpenStreetMap,Mapbox,Listing,Directory & Filters 4.9.2
Mitigation steps: Update to WP Maps – Store Locator,Google Maps,OpenStreetMap,Mapbox,Listing,Directory & Filters version 4.9.2 or greater.
WP Maps – Store Locator,Google Maps,OpenStreetMap,Mapbox,Listing,Directory & Filters – SQL Injection
Security Risk: Critical Exploitation Level: No authentication required. Vulnerability: SQL Injection CVE: CVE-2026-2580 Number of Installations: 60,000+ Affected Software: WP Maps – Store Locator,Google Maps,OpenStreetMap,Mapbox,Listing,Directory & Filters <= 4.9.1 Patched Versions: WP Maps – Store Locator,Google Maps,OpenStreetMap,Mapbox,Listing,Directory & Filters 4.9.2
Mitigation steps: Update to WP Maps – Store Locator,Google Maps,OpenStreetMap,Mapbox,Listing,Directory & Filters version 4.9.2 or greater.
Advanced Product Fields (Product Addons) for WooCommerce – Broken Access Control
Security Risk: Medium Exploitation Level: No authentication required. Vulnerability: Broken Access Control CVE: CVE-2026-32457 Number of Installations: 50,000+ Affected Software: Advanced Product Fields (Product Addons) for WooCommerce <= 1.6.18 Patched Versions: Advanced Product Fields (Product Addons) for WooCommerce 1.6.19
Mitigation steps: Update to Advanced Product Fields (Product Addons) for WooCommerce version 1.6.19 or greater.
Blog2Social: Social Media Auto Post & Scheduler – Broken Access Control
Security Risk: Medium Exploitation Level: Requires Subscriber or higher level authentication. Vulnerability: Broken Access Control CVE: CVE-2026-4331 Number of Installations: 50,000+ Affected Software: Blog2Social: Social Media Auto Post & Scheduler <= 8.8.2 Patched Versions: Blog2Social: Social Media Auto Post & Scheduler 8.8.3
Mitigation steps: Update to Blog2Social: Social Media Auto Post & Scheduler version 8.8.3 or greater.
RTMKit – Cross Site Scripting (XSS)
Security Risk: High Exploitation Level: No authentication required. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2025-12473 Number of Installations: 50,000+ Affected Software: RTMKit <= 1.9.9 Patched Versions: RTMKit 2.0.0
Mitigation steps: Update to RTMKit version 2.0.0 or greater.
RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging – Cross Site Scripting (XSS)
Security Risk: High Exploitation Level: No authentication required. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2026-2433 Number of Installations: 50,000+ Affected Software: RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging <= 5.0.11 Patched Versions: RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging 5.0.12
Mitigation steps: Update to RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging version 5.0.12 or greater.
OoohBoi Steroids for Elementor – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2026-3034 Number of Installations: 50,000+ Affected Software: OoohBoi Steroids for Elementor <= 2.1.24 Patched Versions: OoohBoi Steroids for Elementor 2.1.25
Mitigation steps: Update to OoohBoi Steroids for Elementor version 2.1.25 or greater.
Sina Extension for Elementor – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2025-6229 Number of Installations: 50,000+ Affected Software: Sina Extension for Elementor <= 3.7.0 Patched Versions: Sina Extension for Elementor 3.7.1
Mitigation steps: Update to Sina Extension for Elementor version 3.7.1 or greater.
Smart Custom Fields – Broken Access Control
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Broken Access Control CVE: CVE-2026-4066 Number of Installations: 50,000+ Affected Software: Smart Custom Fields <= 5.0.6 Patched Versions: Smart Custom Fields 5.0.7
Mitigation steps: Update to Smart Custom Fields version 5.0.7 or greater.
Uncanny Automator – Easy Automation, Integration, Webhooks & Workflow Builder Plugin – Arbitrary File Upload
Security Risk: High Exploitation Level: Requires Administrator or higher level authentication. Vulnerability: Arbitrary File Upload CVE: CVE-2026-2269 Number of Installations: 50,000+ Affected Software: Uncanny Automator – Easy Automation, Integration, Webhooks & Workflow Builder Plugin <= 7.0.9 Patched Versions: Uncanny Automator – Easy Automation, Integration, Webhooks & Workflow Builder Plugin 7.1.0
Mitigation steps: Update to Uncanny Automator – Easy Automation, Integration, Webhooks & Workflow Builder Plugin version 7.1.0 or greater.
WP-Members Membership Plugin – SQL Injection
Security Risk: High Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: SQL Injection CVE: CVE-2026-2363 Number of Installations: 50,000+ Affected Software: WP-Members Membership Plugin <= 3.5.5 Patched Versions: WP-Members Membership Plugin 3.5.6
Mitigation steps: Update to WP-Members Membership Plugin version 3.5.6 or greater.
Themes
Astra – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2026-3534 Number of Downloads: 21,720,242 Affected Software: Astra <= 4.12.3 Patched Versions: Astra 4.12.4
Mitigation steps: Update to Astra theme version 4.12.4 or greater.
Blocksy – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2026-2583 Number of Downloads: 6,306,227 Affected Software: Blocksy <= 2.1.30 Patched Versions: Blocksy 2.1.31
Mitigation steps: Update to Blocksy theme version 2.1.31 or greater.
Nirvana – Local File Inclusion
Security Risk: High Exploitation Level: No authentication required. Vulnerability: Local File Inclusion CVE: CVE-2026-28119 Number of Downloads: 773,853 Affected Software: Nirvana <= latest Patched Versions: No Fix
Mitigation steps: No patch available. Consider disabling or replacing the theme.
Education Zone – Broken Access Control
Security Risk: Medium Exploitation Level: No authentication required. Vulnerability: Broken Access Control CVE: CVE-2026-25009 Number of Downloads: 483,880 Affected Software: Education Zone <= 1.3.8 Patched Versions: Education Zone 1.3.9
Mitigation steps: Update to Education Zone theme version 1.3.9 or greater.
Ona – Arbitrary File Upload
Security Risk: Critical Exploitation Level: Requires Subscriber or higher level authentication. Vulnerability: Arbitrary File Upload CVE: CVE-2026-32482 Number of Downloads: 243,101 Affected Software: Ona <= 1.23 Patched Versions: Ona 1.24
Mitigation steps: Update to Ona theme version 1.24 or greater.
News Magazine X – Broken Access Control
Security Risk: High Exploitation Level: No authentication required. Vulnerability: Broken Access Control CVE: CVE-2026-24382 Number of Downloads: 76,558 Affected Software: News Magazine X <= 1.2.50 Patched Versions: News Magazine X 1.2.51
Mitigation steps: Update to News Magazine X theme version 1.2.51 or greater.
Estate – PHP Object Injection
Security Risk: Critical Exploitation Level: No authentication required. Vulnerability: PHP Object Injection CVE: CVE-2026-22475 Number of Downloads: 58,132 Affected Software: Estate <= latest Patched Versions: No Fix
Mitigation steps: No patch available. Consider disabling or replacing the theme.
Update your website software to mitigate risk. Users who are not able to update their software with the latest version are encouraged to use a web application firewall to help virtually patch known vulnerabilities and protect their website.