Research · 7 min read

Critical WordPress Plugin Vulnerabilities That Put Thousands of Sites at Risk

By WP Vanguard Team

Critical WordPress Plugin Vulnerabilities That Put Thousands of Sites at Risk

The WordPress ecosystem saw a sharp wave of security disclosures over the past week. Multiple critical and high-severity vulnerabilities surfaced across popular plugins and themes, with one flaw actively exploited in the wild. Here is what happened, what it means for site owners, and what you should do right now.

The Headline: Unauthenticated Admin Account Creation (CVE-2026-1492)

The most severe vulnerability this cycle affects User Registration & Membership, a plugin installed on over 60,000 WordPress sites. Rated 9.8 out of 10 on the CVSS scale, this is about as critical as it gets.

The flaw allows an unauthenticated attacker - someone with no account at all - to create a new administrator account on your WordPress site. No login required. No social engineering. Just a crafted request to the registration endpoint, and the attacker has full control.

Why this matters

An admin account gives an attacker everything: the ability to install backdoors, modify existing plugins and themes, inject malicious code into your posts, redirect your visitors to phishing pages, exfiltrate your database, and pivot to other sites on the same server.

This vulnerability is actively exploited. Security researchers confirmed in-the-wild attacks within hours of the disclosure. If you run this plugin, update immediately or deactivate it until a patch is available.

What to check

  1. Log into your WordPress admin and go to Users > All Users
  2. Look for any admin accounts you do not recognize
  3. Check creation dates - anything from the past two weeks deserves scrutiny
  4. If you find a suspicious admin, scan your site immediately to check for backdoors they may have planted

Broken Access Control in Greenshift (CVE-2026-2371)

Greenshift - Animation and Page Builder Blocks received a patch in version 12.8.4 for a broken access control vulnerability. The flaw allowed attackers to access private and draft content that should be restricted.

While rated as medium severity, the impact depends on what you keep in draft posts. Many site owners store unreleased product details, pricing strategies, internal notes, or client information in drafts. An attacker reading those drafts could gain competitive intelligence or sensitive data.

Fix: Update to Greenshift 12.8.4 or later.

Stored XSS Without Authentication in WPBookit (CVE-2026-1945)

WPBookit, a booking plugin, has a stored cross-site scripting (XSS) vulnerability that unauthenticated users can exploit. The severity is rated high.

Stored XSS is particularly dangerous because the malicious script persists in the database. Every visitor who views the affected page executes the attacker's JavaScript in their browser. This can be used to:

If your site uses WPBookit, check for a patch and apply it. If no patch is available yet, consider temporarily deactivating the plugin.

Deserialization Flaw in Au Pair Agency Theme (CVE-2026-27098)

The Au Pair Agency WordPress theme contains an 8.1-rated deserialization vulnerability. An unauthenticated attacker can exploit it by sending specially crafted serialized data to the server.

PHP deserialization attacks are severe because they can lead to remote code execution depending on what classes are available in memory. Even without achieving RCE, deserialization flaws often enable file deletion, database manipulation, or denial of service.

This is a niche theme, but it illustrates an important point: themes are attack surfaces too. Many site owners focus plugin security and forget that their theme runs PHP code with the same privileges as any plugin.

Fix: Check for a theme update. If the developer has not patched it, consider switching to a maintained theme.

Missing Authorization in Enable Media Replace (CVE-2026-2732)

Enable Media Replace, a widely used utility plugin for replacing media files, has a 5.4-rated missing authorization vulnerability. Users with the Author role or higher can replace any media file on the site, not just their own.

This sounds minor until you consider the scenarios:

Fix: Update to the latest version. Review your user roles and remove Author access from anyone who does not need it.

SQL Injection in Email Subscribers by Icegram Express (CVE-2026-1651)

Email Subscribers by Icegram Express has a 6.5-rated SQL injection vulnerability. The good news: exploitation requires admin-level access. The bad news: SQL injection at any privilege level is a code quality red flag.

If an attacker already has admin access (perhaps via the User Registration vulnerability above), they could use this SQL injection to extract data directly from the database, bypassing any application-level restrictions. This includes reading password hashes, API keys stored in the options table, and data from other plugins.

Fix: Update to the patched version. Even admin-level SQLi should be taken seriously as part of defense in depth.

The Bigger Picture: 281 New Vulnerabilities in One Week

These six CVEs are just the tip of the iceberg. SolidWP reported 281 new vulnerabilities in a single week - 108 in plugins and 173 in themes. Of those, 225 remain unpatched at the time of disclosure.

Let that sink in: 225 out of 281 vulnerabilities had no fix available when they were publicly disclosed.

Patchstack's annual report paints an even broader picture. In 2025, they cataloged 11,334 new WordPress vulnerabilities - a 42% increase year over year. Perhaps more alarming: 20% of critical vulnerabilities were exploited within 6 hours of disclosure.

Six hours. That is the window between a vulnerability becoming public knowledge and attackers actively exploiting it on real sites.

What This Means for Your Security Strategy

Patching alone is not enough

If 225 out of 281 disclosed vulnerabilities have no patch, you cannot rely solely on keeping things updated. You need layers:

Monitor your attack surface

Most site owners do not know exactly which plugins and themes they run, let alone which versions. An outdated staging site, a forgotten test install, or a deactivated-but-not-deleted plugin can all be entry points.

Run a complete inventory:

Speed matters more than ever

With a 6-hour exploitation window on critical flaws, weekly manual checks are not sufficient. You need automated scanning that runs continuously and alerts you the moment something is wrong.

This is exactly why we built WP Vanguard. Our scanner checks your WordPress site against a database of over 38,000 known vulnerabilities, inspects file integrity, detects malware patterns, and flags misconfigurations - all without requiring any plugin installation on your site.

How to Protect Your Site Right Now

Here is a practical checklist you can run through today:

Immediate actions (do these now):

  1. Update all plugins and themes to their latest versions
  2. Check your user list for accounts you do not recognize
  3. Delete any inactive plugins and themes
  4. Run a free security scan to check for known vulnerabilities
  5. Enable two-factor authentication for all admin accounts

This week:

  1. Review your backup strategy - can you restore from yesterday if needed?
  2. Check your hosting provider's security features (WAF, malware scanning)
  3. Set up automated monitoring so you know about issues before your visitors do
  4. Audit user roles - does everyone need the access level they have?

Ongoing:

  1. Subscribe to WordPress security newsletters or vulnerability feeds
  2. Run regular scans - at minimum weekly, ideally daily
  3. Keep an incident response plan so you know what to do if you are compromised

Scan Your Site Today

Every one of the vulnerabilities described in this article can be detected with a proper security scan. If you are not sure whether your site is affected, do not guess.

Scan your WordPress site now - it takes 30 seconds, requires no plugin installation, and gives you a clear picture of your security posture. For deeper analysis including file integrity checks and malware detection, our deep scan examines every file on your server.

The threat landscape is accelerating. Make sure your defenses keep pace.

wordpress-security plugin-vulnerabilities CVE security-research vulnerability-disclosure

Related reading

Check Your WordPress Site Security

Free scan, no login required. Find vulnerabilities before attackers do.

Scan Your Site Free

Get weekly WordPress security tips

Vulnerability alerts, plugin updates, and security guides. No spam. Unsubscribe any time.

WP Vanguard is built by Wbcom Designs, makers of Reign, Jetonomy, Listora, and more. Explore our WordPress products →
← Back to Blog