Vulnerability & Patch Roundup — May 2026
Published 2026-6-4 03:39:15. Author: blog.sucuri.net

If you run a website, you know that a single unpatched vulnerability can take your site offline, damage your reputation, or leave you cleaning up after an attack. Most compromises we see start with automated attacks targeting known software flaws, often the same ones that have already been reported and disclosed.

To help you stay ahead of these threats, we’ve put together this month’s roundup of critical security updates and vulnerability patches affecting the WordPress ecosystem.

If you’re already using the Sucuri Firewall, you’re protected. These vulnerabilities are virtually patched for all clients. If not, consider putting a web application firewall in front of your site to block attacks before they reach your environment.


Plugins


Yoast SEO – Insecure Direct Object Reference (IDOR)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Insecure Direct Object Reference (IDOR)
CVE: CVE-2025-14481
Number of Installations: 10,000,000+
Affected Software: Yoast SEO <= 26.5
Patched Versions: Yoast SEO 26.6

Mitigation steps: Update to Yoast SEO version 26.6 or greater.


LiteSpeed Cache – Cross Site Scripting (XSS)

Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2026-3375
Number of Installations: 7,000,000+
Affected Software: LiteSpeed Cache <= 7.7
Patched Versions: LiteSpeed Cache 7.8

Mitigation steps: Update to LiteSpeed Cache version 7.8 or greater.


WPForms – Broken Access Control

Security Risk: Medium
Exploitation Level: See vulnerability details for exploitation requirements.
Vulnerability: Broken Access Control
CVE: CVE-2026-48835
Number of Installations: 6,000,000+
Affected Software: WPForms <= 1.10.0.4
Patched Versions: WPForms 1.10.0.5

Mitigation steps: Update to WPForms version 1.10.0.5 or greater.


Rank Math SEO – Broken Access Control

Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Broken Access Control
CVE: CVE-2025-12714
Number of Installations: 4,000,000+
Affected Software: Rank Math SEO <= 1.0.271
Patched Versions: Rank Math SEO 1.0.271.1

Mitigation steps: Update to Rank Math SEO version 1.0.271.1 or greater.


WPCode – Remote Code Execution

Security Risk: High
Exploitation Level: Requires Author or higher level authentication.
Vulnerability: Remote Code Execution
CVE: CVE-2026-8832
Number of Installations: 3,000,000+
Affected Software: WPCode <= 2.3.5
Patched Versions: WPCode 2.3.6

Mitigation steps: Update to WPCode version 2.3.6 or greater.


All in One SEO – Information Disclosure

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Information Disclosure
CVE: CVE-2026-5075
Number of Installations: 3,000,000+
Affected Software: All in One SEO <= 4.9.7
Patched Versions: All in One SEO 4.9.7.1

Mitigation steps: Update to All in One SEO version 4.9.7.1 or greater.


MonsterInsights – Broken Access Control

Security Risk: High
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2026-5371
Number of Installations: 2,000,000+
Affected Software: MonsterInsights <= 10.1.2
Patched Versions: MonsterInsights 10.1.3

Mitigation steps: Update to MonsterInsights version 10.1.3 or greater.


Essential Addons for Elementor – Privilege Escalation

Security Risk: Medium
Exploitation Level: Requires Author or higher level authentication.
Vulnerability: Privilege Escalation
CVE: CVE-2026-5193
Number of Installations: 2,000,000+
Affected Software: Essential Addons for Elementor <= 6.5.13
Patched Versions: Essential Addons for Elementor 6.6.0

Mitigation steps: Update to Essential Addons for Elementor version 6.6.0 or greater.


Advanced Custom Fields (ACF®) – Broken Access Control

Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Broken Access Control
CVE: CVE-2026-8382
Number of Installations: 2,000,000+
Affected Software: Advanced Custom Fields (ACF®) <= 6.8.1
Patched Versions: Advanced Custom Fields (ACF®) 6.8.2

Mitigation steps: Update to Advanced Custom Fields (ACF®) version 6.8.2 or greater.


Spectra Gutenberg Blocks – Remote Code Execution

Security Risk: High
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Remote Code Execution
CVE: CVE-2026-7465
Number of Installations: 1,000,000+
Affected Software: Spectra Gutenberg Blocks <= 2.19.25
Patched Versions: Spectra Gutenberg Blocks 2.19.26

Mitigation steps: Update to Spectra Gutenberg Blocks version 2.19.26 or greater.


ManageWP Worker – Cross Site Scripting (XSS)

Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2026-3718
Number of Installations: 1,000,000+
Affected Software: ManageWP Worker <= 4.9.31
Patched Versions: ManageWP Worker 4.9.32

Mitigation steps: Update to ManageWP Worker version 4.9.32 or greater.


Hostinger Reach – Broken Access Control

Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2026-2515
Number of Installations: 1,000,000+
Affected Software: Hostinger Reach <= 1.3.8
Patched Versions: Hostinger Reach 1.3.9

Mitigation steps: Update to Hostinger Reach version 1.3.9 or greater.


Loco Translate – Path Traversal

Security Risk: Medium
Exploitation Level: Requires authenticated access.
Vulnerability: Path Traversal
CVE: CVE-2026-1921
Number of Installations: 1,000,000+
Affected Software: Loco Translate <= 2.8.2
Patched Versions: Loco Translate 2.8.3

Mitigation steps: Update to Loco Translate version 2.8.3 or greater.


SVG Support – Broken Access Control

Security Risk: Medium
Exploitation Level: See vulnerability details for exploitation requirements.
Vulnerability: Broken Access Control
CVE: CVE-2026-48973
Number of Installations: 1,000,000+
Affected Software: SVG Support <= 2.5.14
Patched Versions: SVG Support 2.5.15

Mitigation steps: Update to SVG Support version 2.5.15 or greater.


WooCommerce PayPal Payments – Broken Access Control

Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Broken Access Control
CVE: CVE-2026-9284
Number of Installations: 800,000+
Affected Software: WooCommerce PayPal Payments <= 4.0.1
Patched Versions: WooCommerce PayPal Payments 4.0.2

Mitigation steps: Update to WooCommerce PayPal Payments version 4.0.2 or greater.


Premium Addons for Elementor – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2026-4790
Number of Installations: 700,000+
Affected Software: Premium Addons for Elementor <= 4.11.70
Patched Versions: Premium Addons for Elementor 4.11.71

Mitigation steps: Update to Premium Addons for Elementor version 4.11.71 or greater.


Forminator Forms – Arbitrary File Read

Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Arbitrary File Read
CVE: CVE-2026-5192
Number of Installations: 600,000+
Affected Software: Forminator Forms <= 1.52.1
Patched Versions: Forminator Forms 1.52.2

Mitigation steps: Update to Forminator Forms version 1.52.2 or greater.


WP Statistics – Cross Site Scripting (XSS)

Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2026-48839
Number of Installations: 600,000+
Affected Software: WP Statistics <= 14.16.6
Patched Versions: WP Statistics 14.16.7

Mitigation steps: Update to WP Statistics version 14.16.7 or greater.


Royal Addons for Elementor – Cross Site Scripting (XSS)

Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2026-4803
Number of Installations: 600,000+
Affected Software: Royal Addons for Elementor <= 1.7.1056
Patched Versions: Royal Addons for Elementor 1.7.1057

Mitigation steps: Update to Royal Addons for Elementor version 1.7.1057 or greater.


Forminator Forms – Broken Access Control

Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2026-6214
Number of Installations: 600,000+
Affected Software: Forminator Forms <= 1.53.0
Patched Versions: Forminator Forms 1.53.0.1

Mitigation steps: Update to Forminator Forms version 1.53.0.1 or greater.


Royal Addons for Elementor – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2026-6504
Number of Installations: 600,000+
Affected Software: Royal Addons for Elementor <= 1.7.1058
Patched Versions: Royal Addons for Elementor 1.7.1059

Mitigation steps: Update to Royal Addons for Elementor version 1.7.1059 or greater.


Royal Addons for Elementor – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2026-27421
Number of Installations: 600,000+
Affected Software: Royal Addons for Elementor < 1.7.1053
Patched Versions: Royal Addons for Elementor 1.7.1053

Mitigation steps: Update to Royal Addons for Elementor version 1.7.1053 or greater.


Royal Addons for Elementor – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2026-5159
Number of Installations: 600,000+
Affected Software: Royal Addons for Elementor <= 1.7.1056
Patched Versions: Royal Addons for Elementor 1.7.1057

Mitigation steps: Update to Royal Addons for Elementor version 1.7.1057 or greater.


Royal Addons for Elementor – Broken Access Control

Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Broken Access Control
CVE: CVE-2026-4024
Number of Installations: 600,000+
Affected Software: Royal Addons for Elementor <= 1.7.1056
Patched Versions: Royal Addons for Elementor 1.7.1057

Mitigation steps: Update to Royal Addons for Elementor version 1.7.1057 or greater.


Forminator Forms – Broken Access Control

Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Broken Access Control
CVE: CVE-2026-2729
Number of Installations: 600,000+
Affected Software: Forminator Forms <= 1.52.0
Patched Versions: Forminator Forms 1.52.1

Mitigation steps: Update to Forminator Forms version 1.52.1 or greater.


Royal Addons for Elementor – Broken Access Control

Security Risk: Medium
Exploitation Level: See vulnerability details for exploitation requirements.
Vulnerability: Broken Access Control
CVE: CVE-2026-25436
Number of Installations: 600,000+
Affected Software: Royal Addons for Elementor < 1.7.1053
Patched Versions: Royal Addons for Elementor 1.7.1053

Mitigation steps: Update to Royal Addons for Elementor version 1.7.1053 or greater.


Forminator Forms – Broken Access Control

Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2026-6222
Number of Installations: 600,000+
Affected Software: Forminator Forms <= 1.51.1
Patched Versions: Forminator Forms 1.52

Mitigation steps: Update to Forminator Forms version 1.52 or greater.


Kirki – Arbitrary File Read

Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Arbitrary File Read
CVE: CVE-2026-8073
Number of Installations: 500,000+
Affected Software: Kirki <= 6.0.6
Patched Versions: Kirki 6.0.7

Mitigation steps: Update to Kirki version 6.0.7 or greater.


Kirki – Broken Access Control

Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2026-8096
Number of Installations: 500,000+
Affected Software: Kirki <= 6.0.6
Patched Versions: Kirki 6.0.7

Mitigation steps: Update to Kirki version 6.0.7 or greater.


YITH WooCommerce Wishlist – Insecure Direct Object Reference (IDOR)

Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Insecure Direct Object Reference (IDOR)
CVE: CVE-2026-27329
Number of Installations: 400,000+
Affected Software: YITH WooCommerce Wishlist <= 4.12.0
Patched Versions: YITH WooCommerce Wishlist 4.13.0

Mitigation steps: Update to YITH WooCommerce Wishlist version 4.13.0 or greater.


Happy Addons for Elementor – Information Disclosure

Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Information Disclosure
CVE: CVE-2026-25468
Number of Installations: 400,000+
Affected Software: Happy Addons for Elementor <= 3.20.8
Patched Versions: Happy Addons for Elementor 3.21.0

Mitigation steps: Update to Happy Addons for Elementor version 3.21.0 or greater.


Meta for WooCommerce – Open Redirect

Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Open Redirect
CVE: CVE-2026-49059
Number of Installations: 400,000+
Affected Software: Meta for WooCommerce <= 3.7.0
Patched Versions: Not available at time of publication

Mitigation steps: A patch is not yet available. Disable or remove the affected plugin until a fix is released.


Photo Gallery, Sliders, Proofing and Themes – Insecure Direct Object Reference (IDOR)

Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Insecure Direct Object Reference (IDOR)
CVE: CVE-2026-6566
Number of Installations: 400,000+
Affected Software: Photo Gallery, Sliders, Proofing and Themes <= 4.2.0
Patched Versions: Photo Gallery, Sliders, Proofing and Themes 4.2.1

Mitigation steps: Update to Photo Gallery, Sliders, Proofing and Themes version 4.2.1 or greater.


Simple History – Broken Access Control

Security Risk: High
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2026-7459
Number of Installations: 300,000+
Affected Software: Simple History <= 5.26.0
Patched Versions: Simple History 5.27.0

Mitigation steps: Update to Simple History version 5.27.0 or greater.


Post SMTP – Cross Site Scripting (XSS)

Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2026-48838
Number of Installations: 300,000+
Affected Software: Post SMTP <= 3.6.2
Patched Versions: Post SMTP 3.6.3

Mitigation steps: Update to Post SMTP version 3.6.3 or greater.


Unlimited Elements For Elementor – SQL Injection

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: SQL Injection
CVE: CVE-2026-48837
Number of Installations: 300,000+
Affected Software: Unlimited Elements For Elementor <= 2.0.8
Patched Versions: Unlimited Elements For Elementor 2.0.9

Mitigation steps: Update to Unlimited Elements For Elementor version 2.0.9 or greater.


Unlimited Elements For Elementor – SQL Injection

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: SQL Injection
CVE: CVE-2026-5486
Number of Installations: 300,000+
Affected Software: Unlimited Elements For Elementor <= 2.0.7
Patched Versions: Unlimited Elements For Elementor 2.0.8

Mitigation steps: Update to Unlimited Elements For Elementor version 2.0.8 or greater.


WP Activity Log – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2026-45435
Number of Installations: 300,000+
Affected Software: WP Activity Log <= 5.6.3
Patched Versions: WP Activity Log 5.6.3.1

Mitigation steps: Update to WP Activity Log version 5.6.3.1 or greater.


Jeg Kit for Elementor – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2026-6916
Number of Installations: 300,000+
Affected Software: Jeg Kit for Elementor <= 3.1.0
Patched Versions: Jeg Kit for Elementor 3.1.1

Mitigation steps: Update to Jeg Kit for Elementor version 3.1.1 or greater.


PDF Embedder – Information Disclosure

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Information Disclosure
CVE: CVE-2026-7526
Number of Installations: 300,000+
Affected Software: PDF Embedder <= 4.9.3
Patched Versions: PDF Embedder 5.0.0

Mitigation steps: Update to PDF Embedder version 5.0.0 or greater.


Favicon by RealFaviconGenerator – Cross Site Scripting (XSS)

Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2026-42754
Number of Installations: 200,000+
Affected Software: Favicon by RealFaviconGenerator <= 1.3.46
Patched Versions: Favicon by RealFaviconGenerator 1.3.47

Mitigation steps: Update to Favicon by RealFaviconGenerator version 1.3.47 or greater.


Redirection for Contact Form 7 – Cross Site Scripting (XSS)

Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2026-23970
Number of Installations: 200,000+
Affected Software: Redirection for Contact Form 7 <= 3.2.8
Patched Versions: Redirection for Contact Form 7 3.2.9

Mitigation steps: Update to Redirection for Contact Form 7 version 3.2.9 or greater.


Photo Gallery by 10Web – SQL Injection

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: SQL Injection
CVE: CVE-2026-7048
Number of Installations: 200,000+
Affected Software: Photo Gallery by 10Web <= 1.8.40
Patched Versions: Photo Gallery by 10Web 1.8.41

Mitigation steps: Update to Photo Gallery by 10Web version 1.8.41 or greater.


GenerateBlocks – Insecure Direct Object Reference (IDOR)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Insecure Direct Object Reference (IDOR)
CVE: CVE-2026-3454
Number of Installations: 200,000+
Affected Software: GenerateBlocks <= 2.2.0
Patched Versions: GenerateBlocks 2.2.1

Mitigation steps: Update to GenerateBlocks version 2.2.1 or greater.


Gutenberg Essential Blocks – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2026-4658
Number of Installations: 200,000+
Affected Software: Gutenberg Essential Blocks <= 6.0.4
Patched Versions: Gutenberg Essential Blocks 6.1.0

Mitigation steps: Update to Gutenberg Essential Blocks version 6.1.0 or greater.


MW WP Form – Insecure Direct Object Reference (IDOR)

Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Insecure Direct Object Reference (IDOR)
CVE: CVE-2026-6206
Number of Installations: 200,000+
Affected Software: MW WP Form <= 5.1.2
Patched Versions: MW WP Form 5.1.3

Mitigation steps: Update to MW WP Form version 5.1.3 or greater.


GenerateBlocks – Information Disclosure

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Information Disclosure
CVE: CVE-2026-48877
Number of Installations: 200,000+
Affected Software: GenerateBlocks <= 2.1.0
Patched Versions: GenerateBlocks 2.1.1

Mitigation steps: Update to GenerateBlocks version 2.1.1 or greater.


Adminimize – Broken Access Control

Security Risk: Medium
Exploitation Level: See vulnerability details for exploitation requirements.
Vulnerability: Broken Access Control
CVE: CVE-2026-49045
Number of Installations: 200,000+
Affected Software: Adminimize <= 1.11.11
Patched Versions: Not available at time of publication

Mitigation steps: A patch is not yet available. Disable or remove the affected plugin until a fix is released.


Advanced Custom Fields: Extended – Privilege Escalation

Security Risk: Critical
Exploitation Level: No authentication required.
Vulnerability: Privilege Escalation
CVE: CVE-2026-8809
Number of Installations: 100,000+
Affected Software: Advanced Custom Fields: Extended <= 0.9.2.5
Patched Versions: Advanced Custom Fields: Extended 0.9.2.6

Mitigation steps: Update to Advanced Custom Fields: Extended version 0.9.2.6 or greater.


AI Engine – Privilege Escalation

Security Risk: High
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Privilege Escalation
CVE: CVE-2026-8719
Number of Installations: 100,000+
Affected Software: AI Engine (see vulnerability details for affected versions)
Patched Versions: AI Engine 3.5.0

Mitigation steps: Update to AI Engine version 3.5.0 or greater.


LatePoint – Cross Site Scripting (XSS)

Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2026-7332
Number of Installations: 100,000+
Affected Software: LatePoint <= 5.5.0
Patched Versions: LatePoint 5.5.1

Mitigation steps: Update to LatePoint version 5.5.1 or greater.


AI Engine – Privilege Escalation

Security Risk: High
Exploitation Level: Requires Editor or higher level authentication.
Vulnerability: Privilege Escalation
CVE: CVE-2026-27407
Number of Installations: 100,000+
Affected Software: AI Engine <= 3.4.9
Patched Versions: AI Engine 3.5.0

Mitigation steps: Update to AI Engine version 3.5.0 or greater.


GiveWP – Cross Site Scripting (XSS)

Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2026-42678
Number of Installations: 100,000+
Affected Software: GiveWP <= 4.14.5
Patched Versions: GiveWP 4.14.6

Mitigation steps: Update to GiveWP version 4.14.6 or greater.


Custom Twitter Feeds – Cross Site Scripting (XSS)

Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2026-6177
Number of Installations: 100,000+
Affected Software: Custom Twitter Feeds <= 2.5.4
Patched Versions: Custom Twitter Feeds 2.5.5

Mitigation steps: Update to Custom Twitter Feeds version 2.5.5 or greater.


LatePoint – Cross Site Scripting (XSS)

Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2026-7448
Number of Installations: 100,000+
Affected Software: LatePoint <= 5.5.0
Patched Versions: LatePoint 5.5.1

Mitigation steps: Update to LatePoint version 5.5.1 or greater.


Advanced Custom Fields: Extended – Content Injection

Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Content Injection
CVE: CVE-2025-15463
Number of Installations: 100,000+
Affected Software: Advanced Custom Fields: Extended <= 0.9.2.3
Patched Versions: Advanced Custom Fields: Extended 0.9.2.4

Mitigation steps: Update to Advanced Custom Fields: Extended version 0.9.2.4 or greater.


Independent Analytics – Server-Side Request Forgery (SSRF)

Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Server-Side Request Forgery (SSRF)
CVE: CVE-2026-5737
Number of Installations: 100,000+
Affected Software: Independent Analytics <= 2.14.9
Patched Versions: Independent Analytics 2.14.10

Mitigation steps: Update to Independent Analytics version 2.14.10 or greater.


The Plus Addons for Elementor – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2026-9243
Number of Installations: 100,000+
Affected Software: The Plus Addons for Elementor <= 6.4.15
Patched Versions: The Plus Addons for Elementor 6.4.16

Mitigation steps: Update to The Plus Addons for Elementor version 6.4.16 or greater.


The Plus Addons for Elementor – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2026-5243
Number of Installations: 100,000+
Affected Software: The Plus Addons for Elementor <= 6.4.11
Patched Versions: The Plus Addons for Elementor 6.4.12

Mitigation steps: Update to The Plus Addons for Elementor version 6.4.12 or greater.


Envira Gallery – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Author or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2026-5361
Number of Installations: 100,000+
Affected Software: Envira Gallery <= 1.12.4
Patched Versions: Envira Gallery 1.12.5

Mitigation steps: Update to Envira Gallery version 1.12.5 or greater.


Modula Image Gallery – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2026-42688
Number of Installations: 100,000+
Affected Software: Modula Image Gallery <= 2.14.23
Patched Versions: Modula Image Gallery 2.14.24

Mitigation steps: Update to Modula Image Gallery version 2.14.24 or greater.


LatePoint – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2026-7457
Number of Installations: 100,000+
Affected Software: LatePoint <= 5.5.0
Patched Versions: LatePoint 5.5.1

Mitigation steps: Update to LatePoint version 5.5.1 or greater.


Schedule Post Changes With PublishPress Future: Unpublish, Delete, Change Status, Trash, Change Categories – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Administrator authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2026-5247
Number of Installations: 100,000+
Affected Software: Schedule Post Changes With PublishPress Future: Unpublish, Delete, Change Status, Trash, Change Categories <= 4.10.0
Patched Versions: Schedule Post Changes With PublishPress Future: Unpublish, Delete, Change Status, Trash, Change Categories 4.10.1

Mitigation steps: Update to Schedule Post Changes With PublishPress Future: Unpublish, Delete, Change Status, Trash, Change Categories version 4.10.1 or greater.


LatePoint – Broken Authentication

Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Broken Authentication
CVE: CVE-2026-7652
Number of Installations: 100,000+
Affected Software: LatePoint <= 5.5.0
Patched Versions: LatePoint 5.5.1

Mitigation steps: Update to LatePoint version 5.5.1 or greater.


The Ultimate Video Player For WordPress – Broken Access Control

Security Risk: Medium
Exploitation Level: See vulnerability details for exploitation requirements.
Vulnerability: Broken Access Control
CVE: CVE-2026-45442
Number of Installations: 100,000+
Affected Software: The Ultimate Video Player For WordPress <= 4.1.3
Patched Versions: The Ultimate Video Player For WordPress 4.1.4

Mitigation steps: Update to The Ultimate Video Player For WordPress version 4.1.4 or greater.


Mercado Pago payments for WooCommerce – Broken Access Control

Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Broken Access Control
CVE: CVE-2026-3208
Number of Installations: 100,000+
Affected Software: Mercado Pago payments for WooCommerce <= 8.7.11
Patched Versions: Mercado Pago payments for WooCommerce 8.7.12

Mitigation steps: Update to Mercado Pago payments for WooCommerce version 8.7.12 or greater.


CloudSecure WP Security – Authentication Bypass

Security Risk: Medium
Exploitation Level: See vulnerability details for exploitation requirements.
Vulnerability: Authentication Bypass
CVE: CVE-2026-42411
Number of Installations: 100,000+
Affected Software: CloudSecure WP Security <= 1.4.7
Patched Versions: CloudSecure WP Security 1.4.8

Mitigation steps: Update to CloudSecure WP Security version 1.4.8 or greater.


Advanced Access Manager – Broken Access Control

Security Risk: Medium
Exploitation Level: See vulnerability details for exploitation requirements.
Vulnerability: Broken Access Control
CVE: CVE-2026-42674
Number of Installations: 100,000+
Affected Software: Advanced Access Manager <= 7.1.0
Patched Versions: Advanced Access Manager 7.1.1

Mitigation steps: Update to Advanced Access Manager version 7.1.1 or greater.


Simple CAPTCHA Alternative with Cloudflare Turnstile – Broken Authentication

Security Risk: Medium
Exploitation Level: See vulnerability details for exploitation requirements.
Vulnerability: Broken Authentication
CVE: CVE-2026-40799
Number of Installations: 100,000+
Affected Software: Simple CAPTCHA Alternative with Cloudflare Turnstile <= 1.38.0
Patched Versions: Simple CAPTCHA Alternative with Cloudflare Turnstile 1.38.1

Mitigation steps: Update to Simple CAPTCHA Alternative with Cloudflare Turnstile version 1.38.1 or greater.


The Post Grid – Broken Access Control

Security Risk: Medium
Exploitation Level: See vulnerability details for exploitation requirements.
Vulnerability: Broken Access Control
CVE: CVE-2026-49054
Number of Installations: 100,000+
Affected Software: The Post Grid <= 7.9.2
Patched Versions: Not available at time of publication

Mitigation steps: A patch is not yet available. Disable or remove the affected plugin until a fix is released.


Everest Forms – Broken Access Control

Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2026-4888
Number of Installations: 100,000+
Affected Software: Everest Forms <= 3.4.7
Patched Versions: Everest Forms 3.4.8

Mitigation steps: Update to Everest Forms version 3.4.8 or greater.


Advanced Custom Fields: Font Awesome Field – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2026-49044
Number of Installations: 90,000+
Affected Software: Advanced Custom Fields: Font Awesome Field <= 5.0.2
Patched Versions: Advanced Custom Fields: Font Awesome Field 6.0.0

Mitigation steps: Update to Advanced Custom Fields: Font Awesome Field version 6.0.0 or greater.


Advanced Custom Fields: Font Awesome Field – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2026-6415
Number of Installations: 90,000+
Affected Software: Advanced Custom Fields: Font Awesome Field <= 5.0.2
Patched Versions: Advanced Custom Fields: Font Awesome Field 6.0.0

Mitigation steps: Update to Advanced Custom Fields: Font Awesome Field version 6.0.0 or greater.


a3 Lazy Load – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2026-6427
Number of Installations: 90,000+
Affected Software: a3 Lazy Load <= 2.7.6
Patched Versions: a3 Lazy Load 2.7.7

Mitigation steps: Update to a3 Lazy Load version 2.7.7 or greater.


ShopLentor – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2026-6287
Number of Installations: 90,000+
Affected Software: ShopLentor <= 3.3.8
Patched Versions: ShopLentor 3.3.9

Mitigation steps: Update to ShopLentor version 3.3.9 or greater.


Event Tickets and Registration – Broken Access Control

Security Risk: Medium
Exploitation Level: See vulnerability details for exploitation requirements.
Vulnerability: Broken Access Control
CVE: CVE-2026-42662
Number of Installations: 90,000+
Affected Software: Event Tickets and Registration <= 5.27.5
Patched Versions: Event Tickets and Registration 5.27.6.1

Mitigation steps: Update to Event Tickets and Registration version 5.27.6.1 or greater.


Hustle – Broken Access Control

Security Risk: Medium
Exploitation Level: See vulnerability details for exploitation requirements.
Vulnerability: Broken Access Control
CVE: CVE-2026-25431
Number of Installations: 90,000+
Affected Software: Hustle <= 7.8.10.1
Patched Versions: Hustle 7.8.10.2

Mitigation steps: Update to Hustle version 7.8.10.2 or greater.


Booking for Appointments and Events Calendar – Broken Access Control

Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Broken Access Control
CVE: CVE-2026-6449
Number of Installations: 90,000+
Affected Software: Booking for Appointments and Events Calendar <= 2.2.1
Patched Versions: Booking for Appointments and Events Calendar 2.3

Mitigation steps: Update to Booking for Appointments and Events Calendar version 2.3 or greater.


WP Meta and Date Remover – Broken Access Control

Security Risk: Medium
Exploitation Level: See vulnerability details for exploitation requirements.
Vulnerability: Broken Access Control
CVE: CVE-2026-49051
Number of Installations: 90,000+
Affected Software: WP Meta and Date Remover <= 2.3.6
Patched Versions: WP Meta and Date Remover 2.3.7

Mitigation steps: Update to WP Meta and Date Remover version 2.3.7 or greater.


SlimStat Analytics – Cross Site Scripting (XSS)

Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2026-7634
Number of Installations: 80,000+
Affected Software: SlimStat Analytics <= 5.4.11
Patched Versions: SlimStat Analytics 5.4.12

Mitigation steps: Update to SlimStat Analytics version 5.4.12 or greater.


Duplicate Page and Post – SQL Injection

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: SQL Injection
CVE: CVE-2026-49046
Number of Installations: 80,000+
Affected Software: Duplicate Page and Post <= 2.9.5
Patched Versions: Not available at time of publication

Mitigation steps: A patch is not yet available. Disable or remove the affected plugin until a fix is released.


Product Import Export for WooCommerce – Broken Access Control

Security Risk: Medium
Exploitation Level: See vulnerability details for exploitation requirements.
Vulnerability: Broken Access Control
CVE: CVE-2026-48971
Number of Installations: 80,000+
Affected Software: Product Import Export for WooCommerce <= 2.5.6
Patched Versions: Product Import Export for WooCommerce 2.5.7

Mitigation steps: Update to Product Import Export for WooCommerce version 2.5.7 or greater.


Import and export users and customers – Privilege Escalation

Security Risk: High
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Privilege Escalation
CVE: CVE-2026-7641
Number of Installations: 70,000+
Affected Software: Import and export users and customers <= 2.0.8
Patched Versions: Import and export users and customers 2.0.9

Mitigation steps: Update to Import and export users and customers version 2.0.9 or greater.


Database Backup for WordPress – Arbitrary File Read

Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Arbitrary File Read
CVE: CVE-2026-4030
Number of Installations: 70,000+
Affected Software: Database Backup for WordPress <= 2.5.2
Patched Versions: Database Backup for WordPress 2.5.3

Mitigation steps: Update to Database Backup for WordPress version 2.5.3 or greater.


Database Backup for WordPress – Broken Access Control

Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Broken Access Control
CVE: CVE-2026-4029
Number of Installations: 70,000+
Affected Software: Database Backup for WordPress <= 2.5.2
Patched Versions: Database Backup for WordPress 2.5.3

Mitigation steps: Update to Database Backup for WordPress version 2.5.3 or greater.


Database Backup for WordPress – Broken Access Control

Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Broken Access Control
CVE: CVE-2026-4031
Number of Installations: 70,000+
Affected Software: Database Backup for WordPress <= 2.5.2
Patched Versions: Database Backup for WordPress 2.5.3

Mitigation steps: Update to Database Backup for WordPress version 2.5.3 or greater.


Brizy – Cross Site Scripting (XSS)

Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2026-5324
Number of Installations: 70,000+
Affected Software: Brizy <= 2.8.11
Patched Versions: Brizy 2.8.12

Mitigation steps: Update to Brizy version 2.8.12 or greater.


EmailKit – Arbitrary File Read

Security Risk: Medium
Exploitation Level: Requires Author or higher level authentication.
Vulnerability: Arbitrary File Read
CVE: CVE-2026-5957
Number of Installations: 70,000+
Affected Software: EmailKit <= 1.6.5
Patched Versions: EmailKit 1.6.6

Mitigation steps: Update to EmailKit version 1.6.6 or greater.


Carousel, Slider, Photo Gallery with Lightbox, Video Slider, by WP Carousel – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2026-4665
Number of Installations: 70,000+
Affected Software: Carousel, Slider, Photo Gallery with Lightbox, Video Slider, by WP Carousel <= 2.7.10
Patched Versions: Carousel, Slider, Photo Gallery with Lightbox, Video Slider, by WP Carousel 2.7.11

Mitigation steps: Update to Carousel, Slider, Photo Gallery with Lightbox, Video Slider, by WP Carousel version 2.7.11 or greater.


StatCounter – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Author or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2026-6275
Number of Installations: 70,000+
Affected Software: StatCounter <= 2.1.1
Patched Versions: StatCounter 2.1.2

Mitigation steps: Update to StatCounter version 2.1.2 or greater.


LearnPress – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: See vulnerability details for exploitation requirements.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2026-48865
Number of Installations: 70,000+
Affected Software: LearnPress <= 4.3.6
Patched Versions: LearnPress 4.3.7

Mitigation steps: Update to LearnPress version 4.3.7 or greater.


LearnPress – Broken Authentication

Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Broken Authentication
CVE: CVE-2026-7648
Number of Installations: 70,000+
Affected Software: LearnPress <= 4.3.5
Patched Versions: LearnPress 4.3.6

Mitigation steps: Update to LearnPress version 4.3.6 or greater.


Appointment Booking Calendar – SQL Injection

Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: SQL Injection
CVE: CVE-2026-7797
Number of Installations: 60,000+
Affected Software: Appointment Booking Calendar <= 1.6.11.8
Patched Versions: Appointment Booking Calendar 1.6.11.9

Mitigation steps: Update to Appointment Booking Calendar version 1.6.11.9 or greater.


Login No Captcha reCAPTCHA – Cross Site Scripting (XSS)

Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2026-2374
Number of Installations: 60,000+
Affected Software: Login No Captcha reCAPTCHA <= 1.8.0
Patched Versions: Login No Captcha reCAPTCHA 1.8.1

Mitigation steps: Update to Login No Captcha reCAPTCHA version 1.8.1 or greater.


Appointment Booking Calendar – Cross Site Scripting (XSS)

Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2026-39447
Number of Installations: 60,000+
Affected Software: Appointment Booking Calendar <= 1.6.10.6
Patched Versions: Appointment Booking Calendar 1.6.11.0

Mitigation steps: Update to Appointment Booking Calendar version 1.6.11.0 or greater.


Appointment Booking Calendar – Broken Access Control

Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Broken Access Control
CVE: CVE-2026-4807
Number of Installations: 60,000+
Affected Software: Appointment Booking Calendar <= 1.6.10.6
Patched Versions: Appointment Booking Calendar 1.6.11

Mitigation steps: Update to Appointment Booking Calendar version 1.6.11 or greater.


Master Slider – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2026-48968
Number of Installations: 60,000+
Affected Software: Master Slider <= 3.10.8
Patched Versions: Master Slider 3.10.9

Mitigation steps: Update to Master Slider version 3.10.9 or greater.


User Registration & Membership – Broken Access Control

Security Risk: Medium
Exploitation Level: See vulnerability details for exploitation requirements.
Vulnerability: Broken Access Control
CVE: CVE-2026-25425
Number of Installations: 60,000+
Affected Software: User Registration & Membership <= 5.1.2
Patched Versions: User Registration & Membership 5.1.3

Mitigation steps: Update to User Registration & Membership version 5.1.3 or greater.


User Registration & Membership – Insecure Direct Object Reference (IDOR)

Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Insecure Direct Object Reference (IDOR)
CVE: CVE-2026-7651
Number of Installations: 60,000+
Affected Software: User Registration & Membership <= 5.1.5
Patched Versions: User Registration & Membership 5.1.6

Mitigation steps: Update to User Registration & Membership version 5.1.6 or greater.


Appointment Booking Calendar – Denial of Service

Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Denial of Service
CVE: CVE-2026-7493
Number of Installations: 60,000+
Affected Software: Appointment Booking Calendar <= 1.6.11.5
Patched Versions: Appointment Booking Calendar 1.6.11.7

Mitigation steps: Update to Appointment Booking Calendar version 1.6.11.7 or greater.


Appointment Booking Calendar – Broken Access Control

Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Broken Access Control
CVE: CVE-2026-6937
Number of Installations: 60,000+
Affected Software: Appointment Booking Calendar <= 1.6.11.8
Patched Versions: Appointment Booking Calendar 1.6.11.9

Mitigation steps: Update to Appointment Booking Calendar version 1.6.11.9 or greater.


User Registration & Membership – Broken Access Control

Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Broken Access Control
CVE: CVE-2026-6145
Number of Installations: 60,000+
Affected Software: User Registration & Membership <= 5.1.5
Patched Versions: User Registration & Membership 5.1.6

Mitigation steps: Update to User Registration & Membership version 5.1.6 or greater.


User Registration & Membership – Broken Access Control

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2026-3601
Number of Installations: 60,000+
Affected Software: User Registration & Membership <= 5.1.4
Patched Versions: User Registration & Membership 5.1.5

Mitigation steps: Update to User Registration & Membership version 5.1.5 or greater.


RTMKit – Local File Inclusion

Security Risk: High
Exploitation Level: Requires Author or higher level authentication.
Vulnerability: Local File Inclusion
CVE: CVE-2026-3425
Number of Installations: 50,000+
Affected Software: RTMKit <= 2.0.2
Patched Versions: RTMKit 2.0.3

Mitigation steps: Update to RTMKit version 2.0.3 or greater.


Email Marketing for WooCommerce by Omnisend – Broken Authentication

Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Broken Authentication
CVE: CVE-2026-42668
Number of Installations: 50,000+
Affected Software: Email Marketing for WooCommerce by Omnisend <= 1.18.0
Patched Versions: Email Marketing for WooCommerce by Omnisend 1.18.1

Mitigation steps: Update to Email Marketing for WooCommerce by Omnisend version 1.18.1 or greater.


Blog2Social: Social Media Auto Post & Scheduler – Broken Access Control

Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2026-7051
Number of Installations: 50,000+
Affected Software: Blog2Social: Social Media Auto Post & Scheduler <= 8.9.0
Patched Versions: Blog2Social: Social Media Auto Post & Scheduler 8.9.1

Mitigation steps: Update to Blog2Social: Social Media Auto Post & Scheduler version 8.9.1 or greater.


WP Encryption – Broken Access Control

Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2026-3829
Number of Installations: 50,000+
Affected Software: WP Encryption <= 7.8.5.10
Patched Versions: WP Encryption 7.8.5.11

Mitigation steps: Update to WP Encryption version 7.8.5.11 or greater.


RTMKit – Broken Access Control

Security Risk: Medium
Exploitation Level: Requires Author or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2026-3426
Number of Installations: 50,000+
Affected Software: RTMKit <= 2.0.2
Patched Versions: RTMKit 2.0.3

Mitigation steps: Update to RTMKit version 2.0.3 or greater.


Avada (Fusion) Builder – Remote Code Execution

Security Risk: Critical
Exploitation Level: No authentication required.
Vulnerability: Remote Code Execution
CVE: CVE-2026-6279
Number of Installations: Premium plugin
Affected Software: Avada (Fusion) Builder <= 3.15.2
Patched Versions: Avada (Fusion) Builder 3.15.3

Mitigation steps: Update to Avada (Fusion) Builder version 3.15.3 or greater.


Gravity Forms – Arbitrary File Deletion

Security Risk: Critical
Exploitation Level: No authentication required.
Vulnerability: Arbitrary File Deletion
CVE: CVE-2026-48866
Number of Installations: Premium plugin
Affected Software: Gravity Forms <= 2.10.0.1
Patched Versions: Gravity Forms 2.10.1

Mitigation steps: Update to Gravity Forms version 2.10.1 or greater.


Slider Revolution – Arbitrary File Upload

Security Risk: High
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Arbitrary File Upload
CVE: CVE-2026-6692
Number of Installations: Premium plugin
Affected Software: Slider Revolution (see vulnerability details for affected versions)
Patched Versions: Slider Revolution 7.0.11

Mitigation steps: Update to Slider Revolution version 7.0.11 or greater.


Avada (Fusion) Builder – SQL Injection

Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: SQL Injection
CVE: CVE-2026-4798
Number of Installations: Premium plugin
Affected Software: Avada (Fusion) Builder <= 3.15.1
Patched Versions: Avada (Fusion) Builder 3.15.2

Mitigation steps: Update to Avada (Fusion) Builder version 3.15.2 or greater.


PixelYourSite Pro – Server-Side Request Forgery (SSRF)

Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Server-Side Request Forgery (SSRF)
CVE: CVE-2026-7049
Number of Installations: Premium plugin
Affected Software: PixelYourSite Pro <= 12.5.0.1
Patched Versions: PixelYourSite Pro 12.5.0.2

Mitigation steps: Update to PixelYourSite Pro version 12.5.0.2 or greater.


Avada (Fusion) Builder – Arbitrary File Read

Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Arbitrary File Read
CVE: CVE-2026-4782
Number of Installations: Premium plugin
Affected Software: Avada (Fusion) Builder <= 3.15.2
Patched Versions: Avada (Fusion) Builder 3.15.3

Mitigation steps: Update to Avada (Fusion) Builder version 3.15.3 or greater.


Avada (Fusion) Builder – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2026-1543
Number of Installations: Premium plugin
Affected Software: Avada (Fusion) Builder <= 3.15.2
Patched Versions: Avada (Fusion) Builder 3.15.3

Mitigation steps: Update to Avada (Fusion) Builder version 3.15.3 or greater.


Slider Revolution – Information Disclosure

Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Information Disclosure
CVE: CVE-2026-6728
Number of Installations: Premium plugin
Affected Software: Slider Revolution <= 7.0.9
Patched Versions: Slider Revolution 6.7.55, 7.0.10

Mitigation steps: Update to Slider Revolution version 6.7.55 or 7.0.10 or greater.


WPBakery Page Builder – Broken Access Control

Security Risk: Medium
Exploitation Level: See vulnerability details for exploitation requirements.
Vulnerability: Broken Access Control
CVE: CVE-2026-45436
Number of Installations: Premium plugin
Affected Software: WPBakery Page Builder <= 8.7.2
Patched Versions: WPBakery Page Builder 8.7.3

Mitigation steps: Update to WPBakery Page Builder version 8.7.3 or greater.


Themes


Total – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2026-5077
Number of Installations: Premium theme
Affected Software: Total <= 2.2.1
Patched Versions: Total 2.2.2

Mitigation steps: Update to Total version 2.2.2 or greater.


Betheme – Remote Code Execution

Security Risk: High
Exploitation Level: Requires Author or higher level authentication.
Vulnerability: Remote Code Execution
CVE: CVE-2026-6261
Number of Installations: Premium theme
Affected Software: Betheme <= 28.4
Patched Versions: Betheme 28.4.1

Mitigation steps: Update to Betheme version 28.4.1 or greater.


Roneous – Local File Inclusion

Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Local File Inclusion
CVE: CVE-2025-69177
Number of Installations: Premium theme
Affected Software: Roneous <= 2.1.5
Patched Versions: Not available at time of publication

Mitigation steps: A patch is not yet available. Disable or remove the affected theme until a fix is released.


Betheme – Arbitrary File Deletion

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Arbitrary File Deletion
CVE: CVE-2026-6262
Number of Installations: Premium theme
Affected Software: Betheme <= 28.4
Patched Versions: Betheme 28.4.1

Mitigation steps: Update to Betheme version 28.4.1 or greater.


The7 – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2026-6646
Number of Installations: Premium theme
Affected Software: The7 <= 14.3.2
Patched Versions: The7 14.3.3

Mitigation steps: Update to The7 version 14.3.3 or greater.


avante – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: See vulnerability details for exploitation requirements.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-68524
Number of Installations: Premium theme
Affected Software: avante < 3.0.5
Patched Versions: avante 3.0.5

Mitigation steps: Update to avante version 3.0.5 or greater.


Update your website software to mitigate risk. Users who are not able to update their software with the latest version are encouraged to use a web application firewall to help virtually patch known vulnerabilities and protect their website.



Article source: https://blog.sucuri.net/2026/05/vulnerability-patch-roundup-may-2026.html