Critical WordPress Plugin Vulnerabilities That Put Thousands of Sites at Risk
By WP Vanguard Team
The WordPress ecosystem saw a sharp wave of security disclosures over the past week. Multiple critical and high-severity vulnerabilities surfaced across popular plugins and themes, with one flaw actively exploited in the wild. Here is what happened, what it means for site owners, and what you should do right now.
The Headline: Unauthenticated Admin Account Creation (CVE-2026-1492)
The most severe vulnerability this cycle affects User Registration & Membership, a plugin installed on over 60,000 WordPress sites. Rated 9.8 out of 10 on the CVSS scale, this is about as critical as it gets.
The flaw allows an unauthenticated attacker - someone with no account at all - to create a new administrator account on your WordPress site. No login required. No social engineering. Just a crafted request to the registration endpoint, and the attacker has full control.
Why this matters
An admin account gives an attacker everything: the ability to install backdoors, modify existing plugins and themes, inject malicious code into your posts, redirect your visitors to phishing pages, exfiltrate your database, and pivot to other sites on the same server.
This vulnerability is actively exploited. Security researchers confirmed in-the-wild attacks within hours of the disclosure. If you run this plugin, update immediately or deactivate it until a patch is available.
What to check
- Log into your WordPress admin and go to Users > All Users
- Look for any admin accounts you do not recognize
- Check creation dates - anything from the past two weeks deserves scrutiny
- If you find a suspicious admin, scan your site immediately to check for backdoors they may have planted
Broken Access Control in Greenshift (CVE-2026-2371)
Greenshift - Animation and Page Builder Blocks received a patch in version 12.8.4 for a broken access control vulnerability. The flaw allowed attackers to access private and draft content that should be restricted.
While rated as medium severity, the impact depends on what you keep in draft posts. Many site owners store unreleased product details, pricing strategies, internal notes, or client information in drafts. An attacker reading those drafts could gain competitive intelligence or sensitive data.
Fix: Update to Greenshift 12.8.4 or later.
Stored XSS Without Authentication in WPBookit (CVE-2026-1945)
WPBookit, a booking plugin, has a stored cross-site scripting (XSS) vulnerability that unauthenticated users can exploit. The severity is rated high.
Stored XSS is particularly dangerous because the malicious script persists in the database. Every visitor who views the affected page executes the attacker's JavaScript in their browser. This can be used to:
- Steal admin session cookies and hijack the dashboard
- Redirect visitors to malicious sites
- Inject cryptocurrency miners
- Deface the website
- Capture form submissions including payment data
If your site uses WPBookit, check for a patch and apply it. If no patch is available yet, consider temporarily deactivating the plugin.
Deserialization Flaw in Au Pair Agency Theme (CVE-2026-27098)
The Au Pair Agency WordPress theme contains an 8.1-rated deserialization vulnerability. An unauthenticated attacker can exploit it by sending specially crafted serialized data to the server.
PHP deserialization attacks are severe because they can lead to remote code execution depending on what classes are available in memory. Even without achieving RCE, deserialization flaws often enable file deletion, database manipulation, or denial of service.
This is a niche theme, but it illustrates an important point: themes are attack surfaces too. Many site owners focus plugin security and forget that their theme runs PHP code with the same privileges as any plugin.
Fix: Check for a theme update. If the developer has not patched it, consider switching to a maintained theme.
Missing Authorization in Enable Media Replace (CVE-2026-2732)
Enable Media Replace, a widely used utility plugin for replacing media files, has a 5.4-rated missing authorization vulnerability. Users with the Author role or higher can replace any media file on the site, not just their own.
This sounds minor until you consider the scenarios:
- A disgruntled contributor could replace your logo with something inappropriate
- An attacker who compromises a low-privilege account could replace a JavaScript file served via the media library
- Legitimate media files could be swapped with files containing embedded malware
Fix: Update to the latest version. Review your user roles and remove Author access from anyone who does not need it.
SQL Injection in Email Subscribers by Icegram Express (CVE-2026-1651)
Email Subscribers by Icegram Express has a 6.5-rated SQL injection vulnerability. The good news: exploitation requires admin-level access. The bad news: SQL injection at any privilege level is a code quality red flag.
If an attacker already has admin access (perhaps via the User Registration vulnerability above), they could use this SQL injection to extract data directly from the database, bypassing any application-level restrictions. This includes reading password hashes, API keys stored in the options table, and data from other plugins.
Fix: Update to the patched version. Even admin-level SQLi should be taken seriously as part of defense in depth.
The Bigger Picture: 281 New Vulnerabilities in One Week
These six CVEs are just the tip of the iceberg. SolidWP reported 281 new vulnerabilities in a single week - 108 in plugins and 173 in themes. Of those, 225 remain unpatched at the time of disclosure.
Let that sink in: 225 out of 281 vulnerabilities had no fix available when they were publicly disclosed.
Patchstack's annual report paints an even broader picture. In 2025, they cataloged 11,334 new WordPress vulnerabilities - a 42% increase year over year. Perhaps more alarming: 20% of critical vulnerabilities were exploited within 6 hours of disclosure.
Six hours. That is the window between a vulnerability becoming public knowledge and attackers actively exploiting it on real sites.
What This Means for Your Security Strategy
Patching alone is not enough
If 225 out of 281 disclosed vulnerabilities have no patch, you cannot rely solely on keeping things updated. You need layers:
- A web application firewall (WAF) that can block exploit attempts even before a patch exists
- File integrity monitoring that alerts you when core files, plugin files, or theme files change unexpectedly
- Regular malware scanning to catch compromises that slipped through
- Login hardening including two-factor authentication and login attempt limiting
Monitor your attack surface
Most site owners do not know exactly which plugins and themes they run, let alone which versions. An outdated staging site, a forgotten test install, or a deactivated-but-not-deleted plugin can all be entry points.
Run a complete inventory:
- List every plugin (active and inactive)
- List every theme (active and inactive)
- Delete anything you are not actively using
- Check version numbers against known vulnerability databases
Speed matters more than ever
With a 6-hour exploitation window on critical flaws, weekly manual checks are not sufficient. You need automated scanning that runs continuously and alerts you the moment something is wrong.
This is exactly why we built WP Vanguard. Our scanner checks your WordPress site against a database of over 38,000 known vulnerabilities, inspects file integrity, detects malware patterns, and flags misconfigurations - all without requiring any plugin installation on your site.
How to Protect Your Site Right Now
Here is a practical checklist you can run through today:
Immediate actions (do these now):
- Update all plugins and themes to their latest versions
- Check your user list for accounts you do not recognize
- Delete any inactive plugins and themes
- Run a free security scan to check for known vulnerabilities
- Enable two-factor authentication for all admin accounts
This week:
- Review your backup strategy - can you restore from yesterday if needed?
- Check your hosting provider's security features (WAF, malware scanning)
- Set up automated monitoring so you know about issues before your visitors do
- Audit user roles - does everyone need the access level they have?
Ongoing:
- Subscribe to WordPress security newsletters or vulnerability feeds
- Run regular scans - at minimum weekly, ideally daily
- Keep an incident response plan so you know what to do if you are compromised
Scan Your Site Today
Every one of the vulnerabilities described in this article can be detected with a proper security scan. If you are not sure whether your site is affected, do not guess.
Scan your WordPress site now - it takes 30 seconds, requires no plugin installation, and gives you a clear picture of your security posture. For deeper analysis including file integrity checks and malware detection, our deep scan examines every file on your server.
The threat landscape is accelerating. Make sure your defenses keep pace.
Related reading
Check Your WordPress Site Security
Free scan, no login required. Find vulnerabilities before attackers do.
Scan Your Site FreeGet weekly WordPress security tips
Vulnerability alerts, plugin updates, and security guides. No spam. Unsubscribe any time.