Vulnerability & Patch Roundup — April 2026

Sucuri Vulnerability Roundup April 2026

Vulnerability reports and responsible disclosures are essential for website security awareness and education. Automated attacks targeting known software vulnerabilities are one of the leading causes of website compromises.

To help educate website owners about potential threats to their environments, we’ve compiled a list of important security updates and vulnerability patches for the WordPress ecosystem this past month.

The vulnerabilities listed below are virtually patched by the Sucuri Firewall and existing clients are protected. If you don’t have it installed yet, you can use our web application firewall to protect your site against known vulnerabilities. A firewall rule reduces exposure but does not remove the vulnerable code from the site, so apply the vendor update named in each entry as well.
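The entries in this roundup are easiest to act on when they are treated as data. The script below is an added example, not Sucuri's code or any plugin author's code. It takes a handful of this month's entries transcribed into a list, reads a site's plugin inventory in the JSON shape produced by WP-CLI (`wp plugin list --fields=name,title,version,status --format=json`, assumed here and replaced by a constructed sample so the script runs offline), flags every plugin whose installed version is at or below the affected bound, collapses several advisories for one plugin into the single highest patched version to install, and orders the findings so that unauthenticated and Critical/High issues come first. Versions are compared numerically per dotted component, which every version string on this page needs (a plain string comparison would rank 7.4.10 below 7.4.9). The role ordering and the scoring weights are assumptions.

```python
"""Audit a site's installed plugins against a vulnerability roundup.

Added example, not Sucuri's code. Assumes the inventory comes from WP-CLI:
    wp plugin list --fields=name,title,version,status --format=json
and that roundup entries have been transcribed into ADVISORIES below
(only a few of this month's entries are transcribed here).
"""
import json

# Entries transcribed from the roundup. "affected" is the inclusive upper
# bound from the "Affected Software: <= X" line; "auth" is the lowest role
# named in "Exploitation Level" (None = no authentication required).
ADVISORIES = [
    {"plugin": "Elementor Website Builder", "cve": "CVE-2025-14732",
     "affected": "3.35.5", "patched": "3.35.6", "risk": "Medium", "auth": "Contributor"},
    {"plugin": "Shortcodes Ultimate", "cve": "CVE-2026-0737",
     "affected": "7.4.7", "patched": "7.4.8", "risk": "Medium", "auth": "Contributor"},
    {"plugin": "Shortcodes Ultimate", "cve": "CVE-2026-0738",
     "affected": "7.4.8", "patched": "7.4.9", "risk": "Medium", "auth": "Contributor"},
    {"plugin": "Shortcodes Ultimate", "cve": "CVE-2026-3885",
     "affected": "7.4.9", "patched": "7.5.0", "risk": "Medium", "auth": "Contributor"},
    {"plugin": "Everest Forms", "cve": "CVE-2026-3296",
     "affected": "3.4.3", "patched": "3.4.4", "risk": "Critical", "auth": None},
    {"plugin": "Everest Forms", "cve": "CVE-2026-5478",
     "affected": "3.4.4", "patched": "3.4.5", "risk": "High", "auth": None},
    {"plugin": "MetaSlider", "cve": "CVE-2026-39467",
     "affected": "3.106.9", "patched": "3.107.0", "risk": "High", "auth": "Editor"},
    {"plugin": "MetaSlider", "cve": "CVE-2026-39465",
     "affected": "3.106.9", "patched": "3.107.0", "risk": "Critical", "auth": "Editor"},
]

# Constructed sample of `wp plugin list` JSON output (not from a real site).
SAMPLE_INSTALLED = json.dumps([
    {"name": "elementor", "title": "Elementor Website Builder", "version": "3.35.6", "status": "active"},
    {"name": "shortcodes-ultimate", "title": "Shortcodes Ultimate", "version": "7.4.7", "status": "active"},
    {"name": "everest-forms", "title": "Everest Forms", "version": "3.4.4", "status": "active"},
    {"name": "ml-slider", "title": "MetaSlider", "version": "3.106.9", "status": "inactive"},
])

RISK_RANK = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1}
# Assumed ordering of WordPress (and WooCommerce) roles by privilege; lower
# means an attacker needs less to exploit.
ROLE_RANK = {None: 0, "Subscriber": 1, "Contributor": 2, "Author": 3,
             "Editor": 4, "Shop Manager": 4, "Administrator": 5}


def version_key(version: str) -> tuple:
    """Split a dotted version into integers so 7.4.10 sorts after 7.4.9.
    Non-numeric components (none appear on this page) are treated as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))


def version_le(a: str, b: str) -> bool:
    """True if a <= b, padding the shorter version with zeros (2.2 == 2.2.0)."""
    ka, kb = version_key(a), version_key(b)
    width = max(len(ka), len(kb))
    return ka + (0,) * (width - len(ka)) <= kb + (0,) * (width - len(kb))


def score(adv: dict) -> int:
    """Higher means fix first: severity dominates, then how little access
    the attacker needs (unauthenticated outranks any role). Assumed weights."""
    return RISK_RANK[adv["risk"]] * 10 + (6 - ROLE_RANK[adv["auth"]])


def audit(installed_json: str, advisories: list = ADVISORIES) -> list:
    """Return one finding per affected installed plugin, highest priority first.
    Inactive plugins are still reported: the vulnerable files remain on disk."""
    installed = {p["title"]: p["version"] for p in json.loads(installed_json)}
    findings = {}
    for adv in advisories:
        current = installed.get(adv["plugin"])
        if current is None or not version_le(current, adv["affected"]):
            continue  # not installed, or already past the affected range
        f = findings.setdefault(adv["plugin"], {
            "plugin": adv["plugin"], "installed": current,
            "update_to": adv["patched"], "cves": [], "score": 0})
        f["cves"].append(adv["cve"])
        # Several advisories for one plugin: install the highest patched version.
        if version_le(f["update_to"], adv["patched"]):
            f["update_to"] = adv["patched"]
        f["score"] = max(f["score"], score(adv))
    return sorted(findings.values(), key=lambda f: f["score"], reverse=True)


if __name__ == "__main__":
    for f in audit(SAMPLE_INSTALLED):
        print(f"{f['plugin']}: {f['installed']} -> update to {f['update_to']} "
              f"({', '.join(f['cves'])}; priority {f['score']})")
```

On the constructed sample, the Elementor install is already on the patched release and is not reported; Shortcodes Ultimate 7.4.7 matches all three of its entries and is told to go to 7.5.0 rather than the 7.4.8 named by the first one; Everest Forms 3.4.4 is past the Critical object-injection bound but still inside the High directory-traversal one; and the inactive MetaSlider copy is listed first because of its Critical RCE entry.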


Plugins


Elementor Website Builder – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-14732
Number of Installations: 10,000,000+
Affected Software: Elementor Website Builder <= 3.35.5
Patched Versions: Elementor Website Builder 3.35.6

Mitigation steps: Update to Elementor Website Builder version 3.35.6 or greater.


Advanced Custom Fields (ACF®) – Broken Access Control

Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Broken Access Control
CVE: CVE-2026-4812
Number of Installations: 2,000,000+
Affected Software: Advanced Custom Fields (ACF®) <= 6.7.0
Patched Versions: Advanced Custom Fields (ACF®) 6.7.1

Mitigation steps: Update to Advanced Custom Fields (ACF®) version 6.7.1 or greater.


ElementsKit Elementor Addons – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2026-2600
Number of Installations: 2,000,000+
Affected Software: ElementsKit Elementor Addons <= 3.7.9
Patched Versions: ElementsKit Elementor Addons 3.8.0

Mitigation steps: Update to ElementsKit Elementor Addons version 3.8.0 or greater.


ManageWP Worker – Cross Site Scripting (XSS)

Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2026-39463
Number of Installations: 1,000,000+
Affected Software: ManageWP Worker <= 4.9.31
Patched Versions: ManageWP Worker 4.9.32

Mitigation steps: Update to ManageWP Worker version 4.9.32 or greater.


WP-Optimize – Broken Access Control

Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2026-2712
Number of Installations: 1,000,000+
Affected Software: WP-Optimize <= 4.5.0
Patched Versions: WP-Optimize 4.5.1

Mitigation steps: Update to WP-Optimize version 4.5.1 or greater.


W3 Total Cache – Sensitive Data Exposure

Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Sensitive Data Exposure
CVE: CVE-2026-5032
Number of Installations: 900,000+
Affected Software: W3 Total Cache <= 2.9.3
Patched Versions: W3 Total Cache 2.9.4

Mitigation steps: Update to W3 Total Cache version 2.9.4 or greater.


Smart Slider 3 – Broken Access Control

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2026-4065
Number of Installations: 800,000+
Affected Software: Smart Slider 3 <= 3.5.1.33
Patched Versions: Smart Slider 3 3.5.1.34

Mitigation steps: Update to Smart Slider 3 version 3.5.1.34 or greater.


Fluent Forms – Broken Authentication

Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Broken Authentication
CVE: CVE-2026-4160
Number of Installations: 700,000+
Affected Software: Fluent Forms <= 6.1.9
Patched Versions: Fluent Forms 6.2.0

Mitigation steps: Update to Fluent Forms version 6.2.0 or greater.


Royal Addons for Elementor – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2026-5162
Number of Installations: 600,000+
Affected Software: Royal Addons for Elementor <= 1.7.1056
Patched Versions: Royal Addons for Elementor 1.7.1057

Mitigation steps: Update to Royal Addons for Elementor version 1.7.1057 or greater.


Kadence Blocks – Broken Access Control

Security Risk: High
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2026-2826
Number of Installations: 600,000+
Affected Software: Kadence Blocks <= 3.6.3
Patched Versions: Kadence Blocks 3.6.4

Mitigation steps: Update to Kadence Blocks version 3.6.4 or greater.


Royal Addons for Elementor – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2026-0664
Number of Installations: 600,000+
Affected Software: Royal Addons for Elementor <= 1.7.1049
Patched Versions: Royal Addons for Elementor 1.7.1050

Mitigation steps: Update to Royal Addons for Elementor version 1.7.1050 or greater.


WP Statistics – Cross Site Scripting (XSS)

Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2026-5231
Number of Installations: 600,000+
Affected Software: WP Statistics <= 14.16.4
Patched Versions: WP Statistics 14.16.5

Mitigation steps: Update to WP Statistics version 14.16.5 or greater.


BackWPup – Local File Inclusion

Security Risk: High
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: Local File Inclusion
CVE: CVE-2026-6227
Number of Installations: 500,000+
Affected Software: BackWPup <= 5.6.6
Patched Versions: BackWPup 5.6.7

Mitigation steps: Update to BackWPup version 5.6.7 or greater.


Meta Box – Arbitrary File Deletion

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Arbitrary File Deletion
CVE: CVE-2026-39468
Number of Installations: 500,000+
Affected Software: Meta Box <= 5.11.1
Patched Versions: Meta Box 5.11.2

Mitigation steps: Update to Meta Box version 5.11.2 or greater.


Ocean Extra – Broken Access Control

Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2026-34903
Number of Installations: 500,000+
Affected Software: Ocean Extra <= 2.5.3
Patched Versions: Ocean Extra 2.5.4

Mitigation steps: Update to Ocean Extra version 2.5.4 or greater.


YITH WooCommerce Wishlist – Insecure Direct Object References (IDOR)

Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Insecure Direct Object References (IDOR)
CVE: CVE-2026-4432
Number of Installations: 500,000+
Affected Software: YITH WooCommerce Wishlist <= 4.12.9
Patched Versions: YITH WooCommerce Wishlist 4.13.0

Mitigation steps: Update to YITH WooCommerce Wishlist version 4.13.0 or greater.


Slider, Gallery, and Carousel by MetaSlider – PHP Object Injection

Security Risk: High
Exploitation Level: Requires Editor or higher level authentication.
Vulnerability: PHP Object Injection
CVE: CVE-2026-39467
Number of Installations: 500,000+
Affected Software: MetaSlider <= 3.106.9
Patched Versions: MetaSlider 3.107.0

Mitigation steps: Update to MetaSlider version 3.107.0 or greater.


Slider, Gallery, and Carousel by MetaSlider – Remote Code Execution (RCE)

Security Risk: Critical
Exploitation Level: Requires Editor or higher level authentication.
Vulnerability: Remote Code Execution (RCE)
CVE: CVE-2026-39465
Number of Installations: 500,000+
Affected Software: MetaSlider <= 3.106.9
Patched Versions: MetaSlider 3.107.0

Mitigation steps: Update to MetaSlider version 3.107.0 or greater.


WP Shortcodes Plugin — Shortcodes Ultimate – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2026-3885
Number of Installations: 400,000+
Affected Software: Shortcodes Ultimate <= 7.4.9
Patched Versions: Shortcodes Ultimate 7.5.0

Mitigation steps: Update to Shortcodes Ultimate version 7.5.0 or greater.


WP Shortcodes Plugin — Shortcodes Ultimate – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2026-0738
Number of Installations: 400,000+
Affected Software: Shortcodes Ultimate <= 7.4.8
Patched Versions: Shortcodes Ultimate 7.4.9

Mitigation steps: Update to Shortcodes Ultimate version 7.4.9 or greater.


WP Shortcodes Plugin — Shortcodes Ultimate – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2026-0737
Number of Installations: 400,000+
Affected Software: Shortcodes Ultimate <= 7.4.7
Patched Versions: Shortcodes Ultimate 7.4.8

Mitigation steps: Update to Shortcodes Ultimate version 7.4.8 or greater.


Pagelayer – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2026-2509
Number of Installations: 400,000+
Affected Software: Pagelayer <= 2.0.8
Patched Versions: Pagelayer 2.0.9

Mitigation steps: Update to Pagelayer version 2.0.9 or greater.


Page Builder Gutenberg Blocks – CoBlocks – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2026-4801
Number of Installations: 300,000+
Affected Software: CoBlocks <= 3.1.16
Patched Versions: CoBlocks 3.1.17

Mitigation steps: Update to CoBlocks version 3.1.17 or greater.


ShortPixel Image Optimizer – PHP Object Injection

Security Risk: High
Exploitation Level: Requires Author or higher level authentication.
Vulnerability: PHP Object Injection
CVE: CVE-2026-39471
Number of Installations: 300,000+
Affected Software: ShortPixel Image Optimizer <= 6.4.3
Patched Versions: ShortPixel Image Optimizer 6.4.4

Mitigation steps: Update to ShortPixel Image Optimizer version 6.4.4 or greater.


Cart Abandonment Recovery for WooCommerce – Privilege Escalation

Security Risk: High
Exploitation Level: Requires Shop Manager or higher level authentication.
Vulnerability: Privilege Escalation
CVE: CVE-2026-39470
Number of Installations: 300,000+
Affected Software: Cart Abandonment Recovery for WooCommerce <= 2.0.9
Patched Versions: Cart Abandonment Recovery for WooCommerce 2.1.0

Mitigation steps: Update to Cart Abandonment Recovery for WooCommerce version 2.1.0 or greater.


Unlimited Elements For Elementor – Arbitrary File Download

Security Risk: High
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Arbitrary File Download
CVE: CVE-2026-4659
Number of Installations: 300,000+
Affected Software: Unlimited Elements For Elementor <= 2.0.6
Patched Versions: Unlimited Elements For Elementor 2.0.7

Mitigation steps: Update to Unlimited Elements For Elementor version 2.0.7 or greater.


PDF Invoices & Packing Slips for WooCommerce – PHP Object Injection

Security Risk: High
Exploitation Level: Requires Shop Manager or higher level authentication.
Vulnerability: PHP Object Injection
CVE: CVE-2026-39472
Number of Installations: 300,000+
Affected Software: PDF Invoices & Packing Slips for WooCommerce <= 5.8.9
Patched Versions: PDF Invoices & Packing Slips for WooCommerce 5.9.0

Mitigation steps: Update to PDF Invoices & Packing Slips for WooCommerce version 5.9.0 or greater.


CMP – Coming Soon & Maintenance Plugin – Arbitrary File Upload

Security Risk: High
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: Arbitrary File Upload
CVE: CVE-2026-6518
Number of Installations: 200,000+
Affected Software: CMP – Coming Soon & Maintenance Plugin <= 4.1.16
Patched Versions: CMP – Coming Soon & Maintenance Plugin 4.1.17

Mitigation steps: Update to CMP – Coming Soon & Maintenance Plugin version 4.1.17 or greater.


MW WP Form – Directory Traversal

Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Directory Traversal
CVE: CVE-2026-5436
Number of Installations: 200,000+
Affected Software: MW WP Form <= 5.1.1
Patched Versions: MW WP Form 5.1.2

Mitigation steps: Update to MW WP Form version 5.1.2 or greater.


Optimole – Cross Site Scripting (XSS)

Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2026-5217
Number of Installations: 200,000+
Affected Software: Optimole <= 4.2.2
Patched Versions: Optimole 4.2.3

Mitigation steps: Update to Optimole version 4.2.3 or greater.


Optimole – Cross Site Scripting (XSS)

Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2026-5226
Number of Installations: 200,000+
Affected Software: Optimole <= 4.2.3
Patched Versions: Optimole 4.2.4

Mitigation steps: Update to Optimole version 4.2.4 or greater.


Post Duplicator – PHP Object Injection

Security Risk: High
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: PHP Object Injection
CVE: CVE-2026-39474
Number of Installations: 200,000+
Affected Software: Post Duplicator <= 3.0.10
Patched Versions: Post Duplicator 3.0.11

Mitigation steps: Update to Post Duplicator version 3.0.11 or greater.


MW WP Form – Directory Traversal

Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Directory Traversal
CVE: CVE-2026-4347
Number of Installations: 200,000+
Affected Software: MW WP Form <= 5.1.0
Patched Versions: MW WP Form 5.1.1

Mitigation steps: Update to MW WP Form version 5.1.1 or greater.


Ultimate Member – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-15064
Number of Installations: 200,000+
Affected Software: Ultimate Member <= 2.11.1
Patched Versions: Ultimate Member 2.11.2

Mitigation steps: Update to Ultimate Member version 2.11.2 or greater.


JetBackup – Path Traversal

Security Risk: Medium
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: Path Traversal
CVE: CVE-2026-4853
Number of Installations: 100,000+
Affected Software: JetBackup <= 3.1.20.2
Patched Versions: JetBackup 3.1.20.3

Mitigation steps: Update to JetBackup version 3.1.20.3 or greater.


Everest Forms – Directory Traversal

Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Directory Traversal
CVE: CVE-2026-5478
Number of Installations: 100,000+
Affected Software: Everest Forms <= 3.4.4
Patched Versions: Everest Forms 3.4.5

Mitigation steps: Update to Everest Forms version 3.4.5 or greater.


Anti-Malware Security and Brute-Force Firewall – PHP Object Injection

Security Risk: High
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: PHP Object Injection
CVE: CVE-2026-39478
Number of Installations: 100,000+
Affected Software: Anti-Malware Security and Brute-Force Firewall <= 4.23.87
Patched Versions: Anti-Malware Security and Brute-Force Firewall 4.23.88

Mitigation steps: Update to Anti-Malware Security and Brute-Force Firewall version 4.23.88 or greater.


Kubio AI Page Builder – Broken Access Control

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2026-5427
Number of Installations: 100,000+
Affected Software: Kubio <= 2.7.2
Patched Versions: Kubio 2.7.3

Mitigation steps: Update to Kubio version 2.7.3 or greater.


LatePoint – Sensitive Data Exposure

Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Sensitive Data Exposure
CVE: CVE-2026-5234
Number of Installations: 100,000+
Affected Software: LatePoint <= 5.3.9
Patched Versions: LatePoint 5.4.0

Mitigation steps: Update to LatePoint version 5.4.0 or greater.


Modula Image Gallery – PHP Object Injection

Security Risk: High
Exploitation Level: Requires Author or higher level authentication.
Vulnerability: PHP Object Injection
CVE: CVE-2026-39481
Number of Installations: 100,000+
Affected Software: Modula Image Gallery <= 2.14.18
Patched Versions: Modula Image Gallery 2.14.19

Mitigation steps: Update to Modula Image Gallery version 2.14.19 or greater.


Tutor LMS – Broken Access Control

Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Broken Access Control
CVE: CVE-2026-40743
Number of Installations: 100,000+
Affected Software: Tutor LMS <= 3.9.7
Patched Versions: Tutor LMS 3.9.8

Mitigation steps: Update to Tutor LMS version 3.9.8 or greater.


Tutor LMS – SQL Injection

Security Risk: High
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: SQL Injection
CVE: CVE-2026-6080
Number of Installations: 100,000+
Affected Software: Tutor LMS <= 3.9.8
Patched Versions: Tutor LMS 3.9.9

Mitigation steps: Update to Tutor LMS version 3.9.9 or greater.


Tutor LMS – Broken Access Control

Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2026-5502
Number of Installations: 100,000+
Affected Software: Tutor LMS <= 3.9.8
Patched Versions: Tutor LMS 3.9.9

Mitigation steps: Update to Tutor LMS version 3.9.9 or greater.


Element Pack – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2026-4655
Number of Installations: 100,000+
Affected Software: Element Pack <= 8.4.9
Patched Versions: Element Pack 8.5.0

Mitigation steps: Update to Element Pack version 8.5.0 or greater.


Prime Slider – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2026-4341
Number of Installations: 100,000+
Affected Software: Prime Slider <= 4.1.10
Patched Versions: Prime Slider 4.1.11

Mitigation steps: Update to Prime Slider version 4.1.11 or greater.


Beaver Builder Page Builder – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Author or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2026-2481
Number of Installations: 100,000+
Affected Software: Beaver Builder <= 2.10.1.1
Patched Versions: Beaver Builder 2.10.1.2

Mitigation steps: Update to Beaver Builder version 2.10.1.2 or greater.


Download Manager – Broken Access Control

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2026-4057
Number of Installations: 100,000+
Affected Software: Download Manager <= 3.3.51
Patched Versions: Download Manager 3.3.52

Mitigation steps: Update to Download Manager version 3.3.52 or greater.


Download Manager – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2026-5357
Number of Installations: 100,000+
Affected Software: Download Manager <= 3.3.52
Patched Versions: Download Manager 3.3.53

Mitigation steps: Update to Download Manager version 3.3.53 or greater.


Everest Forms – PHP Object Injection

Security Risk: Critical
Exploitation Level: No authentication required.
Vulnerability: PHP Object Injection
CVE: CVE-2026-3296
Number of Installations: 100,000+
Affected Software: Everest Forms <= 3.4.3
Patched Versions: Everest Forms 3.4.4

Mitigation steps: Update to Everest Forms version 3.4.4 or greater.


LatePoint – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2026-4785
Number of Installations: 100,000+
Affected Software: LatePoint <= 5.3.0
Patched Versions: LatePoint 5.3.1

Mitigation steps: Update to LatePoint version 5.3.1 or greater.


MainWP Child Reports – Broken Access Control

Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2026-4299
Number of Installations: 100,000+
Affected Software: MainWP Child Reports <= 2.2
Patched Versions: MainWP Child Reports 2.3

Mitigation steps: Update to MainWP Child Reports version 2.3 or greater.


The Plus Addons for Elementor – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2026-3311
Number of Installations: 100,000+
Affected Software: The Plus Addons for Elementor <= 6.4.9
Patched Versions: The Plus Addons for Elementor 6.4.10

Mitigation steps: Update to The Plus Addons for Elementor version 6.4.10 or greater.


Tutor LMS – Insecure Direct Object References (IDOR)

Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Insecure Direct Object References (IDOR)
CVE: CVE-2026-3371
Number of Installations: 100,000+
Affected Software: Tutor LMS <= 3.9.7
Patched Versions: Tutor LMS 3.9.8

Mitigation steps: Update to Tutor LMS version 3.9.8 or greater.


Tutor LMS – Broken Access Control

Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2026-3358
Number of Installations: 100,000+
Affected Software: Tutor LMS <= 3.9.7
Patched Versions: Tutor LMS 3.9.8

Mitigation steps: Update to Tutor LMS version 3.9.8 or greater.


Tutor LMS – Broken Access Control

Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Broken Access Control
CVE: CVE-2026-3360
Number of Installations: 100,000+
Affected Software: Tutor LMS <= 3.9.7
Patched Versions: Tutor LMS 3.9.8

Mitigation steps: Update to Tutor LMS version 3.9.8 or greater.


ProfilePress – Content Injection

Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Content Injection
CVE: CVE-2026-3309
Number of Installations: 100,000+
Affected Software: ProfilePress <= 4.16.11
Patched Versions: ProfilePress 4.16.12

Mitigation steps: Update to ProfilePress version 4.16.12 or greater.


ProfilePress – Broken Access Control

Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2026-4949
Number of Installations: 100,000+
Affected Software: ProfilePress <= 4.16.12
Patched Versions: ProfilePress 4.16.13

Mitigation steps: Update to ProfilePress version 4.16.13 or greater.


Amelia – Insecure Direct Object References (IDOR)

Security Risk: High
Exploitation Level: Requires Employee or higher level authentication.
Vulnerability: Insecure Direct Object References (IDOR)
CVE: CVE-2026-5465
Number of Installations: 90,000+
Affected Software: Amelia <= 2.1
Patched Versions: Amelia 2.2

Mitigation steps: Update to Amelia version 2.2 or greater.


BackupBliss – Sensitive Data Exposure

Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Sensitive Data Exposure
CVE: CVE-2026-39480
Number of Installations: 90,000+
Affected Software: BackupBliss <= 2.1.1
Patched Versions: BackupBliss 2.1.2

Mitigation steps: Update to BackupBliss version 2.1.2 or greater.


BackupBliss – Broken Access Control

Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Broken Access Control
CVE: CVE-2025-14944
Number of Installations: 90,000+
Affected Software: BackupBliss <= 2.0.9
Patched Versions: BackupBliss 2.1.0

Mitigation steps: Update to BackupBliss version 2.1.0 or greater.


Email Encoder – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-7083
Number of Installations: 90,000+
Affected Software: Email Encoder <= 2.3.3
Patched Versions: Email Encoder 2.3.4

Mitigation steps: Update to Email Encoder version 2.3.4 or greater.


Email Encoder – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2026-2840
Number of Installations: 90,000+
Affected Software: Email Encoder <= 2.4.4
Patched Versions: Email Encoder 2.4.5

Mitigation steps: Update to Email Encoder version 2.4.5 or greater.


Download Monitor – Arbitrary File Download

Security Risk: Medium
Exploitation Level: Requires Author or higher level authentication.
Vulnerability: Arbitrary File Download
CVE: CVE-2026-39489
Number of Installations: 90,000+
Affected Software: Download Monitor <= 5.1.9
Patched Versions: Download Monitor 5.1.10

Mitigation steps: Update to Download Monitor version 5.1.10 or greater.


Strong Testimonials – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2026-3239
Number of Installations: 90,000+
Affected Software: Strong Testimonials <= 3.2.21
Patched Versions: Strong Testimonials 3.2.22

Mitigation steps: Update to Strong Testimonials version 3.2.22 or greater.


ShopLentor – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2026-4059
Number of Installations: 90,000+
Affected Software: ShopLentor <= 3.3.5
Patched Versions: ShopLentor 3.3.6

Mitigation steps: Update to ShopLentor version 3.3.6 or greater.


Hustle – Broken Access Control

Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Broken Access Control
CVE: CVE-2026-2263
Number of Installations: 90,000+
Affected Software: Hustle <= 7.8.10
Patched Versions: Hustle 7.8.11

Mitigation steps: Update to Hustle version 7.8.11 or greater.


Customer Reviews for WooCommerce – Broken Authentication

Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Broken Authentication
CVE: CVE-2026-4664
Number of Installations: 80,000+
Affected Software: Customer Reviews for WooCommerce <= 5.103.9
Patched Versions: Customer Reviews for WooCommerce 5.104.0

Mitigation steps: Update to Customer Reviews for WooCommerce version 5.104.0 or greater.


Jupiter X Core – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2026-39491
Number of Installations: 80,000+
Affected Software: Jupiter X Core <= 4.14.1
Patched Versions: Jupiter X Core 4.14.2

Mitigation steps: Update to Jupiter X Core version 4.14.2 or greater.


LearnPress – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2026-4333
Number of Installations: 80,000+
Affected Software: LearnPress <= 4.3.3
Patched Versions: LearnPress 4.3.4

Mitigation steps: Update to LearnPress version 4.3.4 or greater.


List category posts – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Author or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2026-3005
Number of Installations: 80,000+
Affected Software: List category posts <= 0.94.9
Patched Versions: List category posts 0.95.0

Mitigation steps: Update to List category posts version 0.95.0 or greater.


Customer Reviews for WooCommerce – Cross Site Scripting (XSS)

Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2026-3355
Number of Installations: 80,000+
Affected Software: Customer Reviews for WooCommerce <= 5.101.9
Patched Versions: Customer Reviews for WooCommerce 5.102.0

Mitigation steps: Update to Customer Reviews for WooCommerce version 5.102.0 or greater.


3D FlipBook – Broken Access Control

Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Broken Access Control
CVE: CVE-2026-1314
Number of Installations: 80,000+
Affected Software: 3D FlipBook <= 1.16.17
Patched Versions: 3D FlipBook 1.16.18

Mitigation steps: Update to 3D FlipBook version 1.16.18 or greater.


Jupiter X Core – Broken Access Control

Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Broken Access Control
CVE: CVE-2026-39490
Number of Installations: 80,000+
Affected Software: Jupiter X Core <= 4.14.1
Patched Versions: Jupiter X Core 4.14.2

Mitigation steps: Update to Jupiter X Core version 4.14.2 or greater.


LearnPress – Broken Access Control

Security Risk: Critical
Exploitation Level: No authentication required.
Vulnerability: Broken Access Control
CVE: CVE-2026-4365
Number of Installations: 80,000+
Affected Software: LearnPress <= 4.3.2
Patched Versions: LearnPress 4.3.3

Mitigation steps: Update to LearnPress version 4.3.3 or greater.


OneSignal – Broken Access Control

Security Risk: Low
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2026-3155
Number of Installations: 70,000+
Affected Software: OneSignal <= 3.8.0
Patched Versions: OneSignal 3.8.1

Mitigation steps: Update to OneSignal version 3.8.1 or greater.


Germanized for WooCommerce – Content Injection

Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Content Injection
CVE: CVE-2026-2582
Number of Installations: 70,000+
Affected Software: Germanized for WooCommerce <= 3.20.5
Patched Versions: Germanized for WooCommerce 3.20.6

Mitigation steps: Update to Germanized for WooCommerce version 3.20.6 or greater.


wpDataTables – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2026-5721
Number of Installations: 70,000+
Affected Software: wpDataTables <= 6.5.0.4
Patched Versions: wpDataTables 6.5.0.5

Mitigation steps: Update to wpDataTables version 6.5.0.5 or greater.


Advanced Contact form 7 DB – Broken Access Control

Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2026-0814
Number of Installations: 70,000+
Affected Software: Advanced Contact form 7 DB <= 2.0.9
Patched Versions: Advanced Contact form 7 DB 2.1.0

Mitigation steps: Update to Advanced Contact form 7 DB version 2.1.0 or greater.


Bookly – Content Injection

Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Content Injection
CVE: CVE-2026-2519
Number of Installations: 70,000+
Affected Software: Bookly <= 27.0
Patched Versions: Bookly 27.1

Mitigation steps: Update to Bookly version 27.1 or greater.


Greenshift – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2026-4895
Number of Installations: 70,000+
Affected Software: Greenshift <= 12.8.9
Patched Versions: Greenshift 12.9.0

Mitigation steps: Update to Greenshift version 12.9.0 or greater.


Database for Contact Form 7, WPforms, Elementor forms – Broken Access Control

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2026-3831
Number of Installations: 70,000+
Affected Software: Database for Contact Form 7, WPforms, Elementor forms <= 1.4.9
Patched Versions: Database for Contact Form 7, WPforms, Elementor forms 1.5.0

Mitigation steps: Update to Database for Contact Form 7, WPforms, Elementor forms version 1.5.0 or greater.


Media Library Assistant – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2026-34897
Number of Installations: 70,000+
Affected Software: Media Library Assistant <= 3.34
Patched Versions: Media Library Assistant 3.35

Mitigation steps: Update to Media Library Assistant version 3.35 or greater.


Media Library Assistant – SQL Injection

Security Risk: High
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: SQL Injection
CVE: CVE-2026-34885
Number of Installations: 70,000+
Affected Software: Media Library Assistant <= 3.34
Patched Versions: Media Library Assistant 3.35

Mitigation steps: Update to Media Library Assistant version 3.35 or greater.


CTX Feed – PHP Object Injection

Security Risk: High
Exploitation Level: Requires Shop Manager or higher level authentication.
Vulnerability: PHP Object Injection
CVE: CVE-2026-39434
Number of Installations: 70,000+
Affected Software: CTX Feed <= 6.6.26
Patched Versions: CTX Feed 6.6.27

Mitigation steps: Update to CTX Feed version 6.6.27 or greater.


Drag and Drop Multiple File Upload for Contact Form 7 – Arbitrary File Upload

Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Arbitrary File Upload
CVE: CVE-2026-5718
Number of Installations: 60,000+
Affected Software: Drag and Drop Multiple File Upload for Contact Form 7 <= 1.3.9.6
Patched Versions: Drag and Drop Multiple File Upload for Contact Form 7 1.3.9.7

Mitigation steps: Update to Drag and Drop Multiple File Upload for Contact Form 7 version 1.3.9.7 or greater.


Drag and Drop Multiple File Upload for Contact Form 7 – Arbitrary File Download

Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Arbitrary File Download
CVE: CVE-2026-5710
Number of Installations: 60,000+
Affected Software: Drag and Drop Multiple File Upload for Contact Form 7 <= 1.3.9.6
Patched Versions: Drag and Drop Multiple File Upload for Contact Form 7 1.3.9.7

Mitigation steps: Update to Drag and Drop Multiple File Upload for Contact Form 7 version 1.3.9.7 or greater.


Product Filter for WooCommerce – SQL Injection

Security Risk: Critical
Exploitation Level: No authentication required.
Vulnerability: SQL Injection
CVE: CVE-2026-3830
Number of Installations: 60,000+
Affected Software: Product Filter for WooCommerce <= 3.1.2
Patched Versions: Product Filter for WooCommerce 3.1.3

Mitigation steps: Update to Product Filter for WooCommerce version 3.1.3 or greater.


Contextual Related Posts – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2026-2986
Number of Installations: 60,000+
Affected Software: Contextual Related Posts <= 4.2.1
Patched Versions: Contextual Related Posts 4.2.2

Mitigation steps: Update to Contextual Related Posts version 4.2.2 or greater.


Appointment Booking Calendar – SQL Injection

Security Risk: Critical
Exploitation Level: No authentication required.
Vulnerability: SQL Injection
CVE: CVE-2026-39493
Number of Installations: 60,000+
Affected Software: Appointment Booking Calendar <= 1.6.9.28
Patched Versions: Appointment Booking Calendar 1.6.9.29

Mitigation steps: Update to Appointment Booking Calendar version 1.6.9.29 or greater.


User Registration & Membership – Open Redirection

Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Open Redirection
CVE: CVE-2026-6203
Number of Installations: 60,000+
Affected Software: User Registration & Membership <= 5.1.4
Patched Versions: User Registration & Membership 5.1.5

Mitigation steps: Update to User Registration & Membership version 5.1.5 or greater.


User Registration & Membership – SQL Injection

Security Risk: High
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: SQL Injection
CVE: CVE-2026-1865
Number of Installations: 60,000+
Affected Software: User Registration & Membership <= 5.1.2
Patched Versions: User Registration & Membership 5.1.3

Mitigation steps: Update to User Registration & Membership version 5.1.3 or greater.


Product Filter for WooCommerce – SQL Injection

Security Risk: Critical
Exploitation Level: No authentication required.
Vulnerability: SQL Injection
CVE: CVE-2026-39494
Number of Installations: 60,000+
Affected Software: Product Filter for WooCommerce <= 3.1.2
Patched Versions: Product Filter for WooCommerce 3.1.3

Mitigation steps: Update to Product Filter for WooCommerce version 3.1.3 or greater.


WP Maps – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-13364
Number of Installations: 60,000+
Affected Software: WP Maps <= 4.8.7
Patched Versions: WP Maps 4.8.8

Mitigation steps: Update to WP Maps version 4.8.8 or greater.


WP Maps – SQL Injection

Security Risk: Critical
Exploitation Level: No authentication required.
Vulnerability: SQL Injection
CVE: CVE-2026-39492
Number of Installations: 60,000+
Affected Software: WP Maps <= 4.9.1
Patched Versions: WP Maps 4.9.2

Mitigation steps: Update to WP Maps version 4.9.2 or greater.


Advanced Product Fields (Product Addons) for WooCommerce – PHP Object Injection

Security Risk: High
Exploitation Level: Requires Shop Manager or higher level authentication.
Vulnerability: PHP Object Injection
CVE: CVE-2026-39499
Number of Installations: 50,000+
Affected Software: Advanced Product Fields (Product Addons) for WooCommerce <= 1.6.19
Patched Versions: Advanced Product Fields (Product Addons) for WooCommerce 1.6.20

Mitigation steps: Update to Advanced Product Fields (Product Addons) for WooCommerce version 1.6.20 or greater.


Categories Images – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2026-2505
Number of Installations: 50,000+
Affected Software: Categories Images <= 3.3.1
Patched Versions: Categories Images 3.3.2

Mitigation steps: Update to Categories Images version 3.3.2 or greater.


Better Find and Replace – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Author or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2026-3369
Number of Installations: 50,000+
Affected Software: Better Find and Replace <= 1.7.9
Patched Versions: Better Find and Replace 1.8.0

Mitigation steps: Update to Better Find and Replace version 1.8.0 or greater.


Export All URLs – Sensitive Data Exposure

Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Sensitive Data Exposure
CVE: CVE-2026-2696
Number of Installations: 50,000+
Affected Software: Export All URLs <= 5.0
Patched Versions: Export All URLs 5.1

Mitigation steps: Update to Export All URLs version 5.1 or greater.


Popup Box – Cross Site Scripting (XSS)

Security Risk: High
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-15611
Number of Installations: 50,000+
Affected Software: Popup Box <= 5.4.9
Patched Versions: Popup Box 5.5.0

Mitigation steps: Update to Popup Box version 5.5.0 or greater.


Blog2Social – Broken Authentication

Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Broken Authentication
CVE: CVE-2026-4330
Number of Installations: 50,000+
Affected Software: Blog2Social <= 8.8.3
Patched Versions: Blog2Social 8.8.4

Mitigation steps: Update to Blog2Social version 8.8.4 or greater.


YayMail – PHP Object Injection

Security Risk: High
Exploitation Level: Requires Shop Manager or higher level authentication.
Vulnerability: PHP Object Injection
CVE: CVE-2026-39498
Number of Installations: 50,000+
Affected Software: YayMail <= 4.3.3
Patched Versions: YayMail 4.3.4

Mitigation steps: Update to YayMail version 4.3.4 or greater.


Themes


Vantage – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2026-5070
Number of Downloads: 3,232,270
Affected Software: Vantage <= 1.20.32
Patched Versions: Vantage 1.20.33

Mitigation steps: Update to Vantage theme version 1.20.33 or greater.


Charity Zone – Arbitrary File Upload

Security Risk: Critical
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Arbitrary File Upload
CVE: CVE-2026-40749
Number of Downloads: 112,126
Affected Software: Charity Zone <= 1.1.1
Patched Versions: Charity Zone 1.1.2

Mitigation steps: Update to Charity Zone theme version 1.1.2 or greater.


Ecommerce Zone – Arbitrary File Upload

Security Risk: Critical
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Arbitrary File Upload
CVE: CVE-2026-40747
Number of Downloads: 89,443
Affected Software: Ecommerce Zone <= 0.9.7
Patched Versions: Ecommerce Zone 0.9.8

Mitigation steps: Update to Ecommerce Zone theme version 0.9.8 or greater.


Kids Online Store – Arbitrary File Upload

Security Risk: Critical
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Arbitrary File Upload
CVE: CVE-2026-40750
Number of Downloads: 53,065
Affected Software: Kids Online Store <= 0.8.9
Patched Versions: Kids Online Store 0.9.0

Mitigation steps: Update to Kids Online Store theme version 0.9.0 or greater.


Restaurant Zone – Arbitrary File Upload

Security Risk: Critical
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Arbitrary File Upload
CVE: CVE-2026-40746
Number of Downloads: 80,108
Affected Software: Restaurant Zone <= 0.7.8
Patched Versions: Restaurant Zone 0.7.9

Mitigation steps: Update to Restaurant Zone theme version 0.7.9 or greater.


Update your website software to mitigate risk. Users who are not able to update their software with the latest version are encouraged to use a web application firewall to help virtually patch known vulnerabilities and protect their website.
