WordPress Vulnerability Roundup: April 2026 (Week 1)
By WP Vanguard Team
The first week of April 2026 brought 225 new WordPress vulnerabilities across 203 plugins and 22 themes. Of those, 134 have patches available and 91 remain unpatched. The headline story is a cluster of path traversal and file manipulation vulnerabilities affecting plugins with large install bases, two of which allow attackers to delete arbitrary files on the server and one that allows unauthenticated file uploads leading to remote code execution.
This roundup covers the most critical disclosures from April 1 through April 7, 2026, with prioritized action items for each.
The Numbers This Week
| Severity | Count | Patched | Unpatched |
|---|---|---|---|
| Critical (9.0+) | 3 | 2 | 1 |
| High (7.0-8.9) | 14 | 8 | 6 |
| Medium (4.0-6.9) | 87 | 58 | 29 |
| Low (0.1-3.9) | 121 | 66 | 55 |
| Total | 225 | 134 | 91 |
The 40% unpatched rate is concerning but consistent with recent weeks. Most unpatched vulnerabilities are in plugins with small install bases or those that have been abandoned by their developers. The critical and high severity vulnerabilities in major plugins are the ones that demand immediate attention.
Critical and High Severity
wpForo Forum -- CVE-2026-3666
CVSS: 8.8 | Affected: wpForo Forum <= 2.4.16 | Patch: 2.4.17
The wpForo Forum plugin is vulnerable to arbitrary file deletion via path traversal. The flaw is in the file name and path validation logic, which fails to prevent directory traversal sequences in forum post handling. Authenticated attackers with subscriber-level access can delete arbitrary files on the server, including wp-config.php.
The attack pattern is identical to the Perfmatters vulnerability below: delete wp-config.php, force the installation wizard, and take over the site. The CVSS score is slightly higher at 8.8 because the scope assessment differs in the vector.
wpForo has patched this in version 2.4.17. The patch adds proper path validation and authorization checks.
What to do: Update wpForo Forum to version 2.4.17 or later immediately. If you cannot update, deactivate the plugin until you can. Audit your subscriber accounts for any that look suspicious.
Perfmatters -- CVE-2026-4350
CVSS: 8.1 | Affected: Perfmatters <= 2.5.9.1 | Patch: 2.6.0
The Perfmatters performance plugin contains an arbitrary file deletion vulnerability via path traversal in the PMCS::action_handler() method. The $_GET['delete'] parameter is passed to unlink() without sanitization, authorization checks, or nonce verification. Subscriber-level users can delete any file on the server. More than 200,000 sites are affected.
We published a detailed analysis of CVE-2026-4350 covering the technical root cause, exploitation scenarios, and comprehensive remediation steps.
What to do: Update Perfmatters to version 2.6.0. Disable public registration if not required. Audit subscriber accounts.
Ninja Forms File Upload -- Unauthenticated Arbitrary File Upload
CVSS: High | Affected: Ninja Forms - File Upload (check advisory for versions) | Patch: Available
Wordfence disclosed an unauthenticated arbitrary file upload vulnerability in the Ninja Forms File Upload addon on April 6, 2026. The plugin's file type validation can be bypassed, allowing attackers to upload PHP files without authentication. With approximately 50,000 active installations, and no login required for exploitation, this is one of the most critical disclosures of the week.
We published a full writeup on the Ninja Forms File Upload vulnerability with detection guidance and remediation steps.
What to do: Update to the latest patched version. If you cannot update, deactivate the File Upload addon. Check your uploads directory for unexpected PHP files. Add PHP execution blocking in .htaccess for the uploads directory.
ProfilePress -- CVE-2026-3309 (UNPATCHED)
CVSS: 6.5 | Affected: ProfilePress <= 4.16.11 | Patch: None available
ProfilePress, a membership and user registration plugin with over 100,000 active installations, is vulnerable to arbitrary shortcode execution. User-supplied billing field values from the checkout process are interpolated into shortcode template strings without sanitization. Unauthenticated attackers can execute arbitrary WordPress shortcodes by submitting crafted billing field values.
The impact depends on which shortcodes are registered on the site. At minimum, it allows information disclosure. On sites with shortcodes that perform administrative actions, privilege escalation or data modification is possible.
This vulnerability has no patch as of April 7, 2026. The plugin developers have been notified but have not released a fix.
What to do: If you use ProfilePress with a checkout or billing flow, consider disabling the checkout functionality or restricting access to the billing forms until a patch is available. Monitor the plugin for updates. Do not install or activate ProfilePress on new sites until the patch ships.
Export All URLs -- CVE-2026-2696
CVSS: 5.3 | Affected: Export All URLs < 5.1 | Patch: 5.1
The Export All URLs plugin generates CSV files containing site URLs, including private post URLs, and stores them in the wp-content/uploads/ directory with predictable filenames based on a random 6-digit number. Unauthenticated attackers can brute-force the filenames to access these exports, potentially revealing private content URLs, author emails, and metadata.
What to do: Update to version 5.1. Check your wp-content/uploads/ directory for any existing CSV exports and delete them.
Medium Severity
The following medium-severity vulnerabilities affect plugins with notable install counts or present interesting attack patterns worth monitoring.
| Plugin / Theme | CVSS | Type | Affected | Patched |
|---|---|---|---|---|
| Starter Sites (starter-templates) | 6.4 | Stored XSS | <= 4.4.9 | 4.5.0 |
| LatePoint | 6.4 | SQL Injection | <= 5.2.7 | 5.2.8 |
| Login/Signup Popup | 6.1 | Open Redirect | <= 2.8.5 | 2.8.6 |
| Essential Addons for Elementor | 5.4 | Stored XSS | <= 6.1.8 | 6.1.9 |
| UserPro | 5.3 | Info Disclosure | <= 5.1.14 | No patch |
LatePoint SQL Injection deserves a brief callout. LatePoint is an appointment booking plugin popular with service businesses. The SQL injection affects the booking search functionality and is exploitable by authenticated users with subscriber-level access. While rated medium severity because of the authentication requirement, SQL injection in a booking system can expose customer names, emails, phone numbers, and appointment details. Update to 5.2.8.
WordPress 7.0: RC2 and What to Watch
WordPress 7.0 Release Candidate 2 was released during this period, with the full release scheduled for April 9, 2026. The major version introduces significant changes, and as with any major WordPress release, security researchers will be examining the new code paths closely.
If you are running WordPress 7.0 RC2 on a staging environment, keep it updated as release candidates may contain security fixes not present in earlier betas. Do not run release candidates on production sites.
For production sites, WordPress 6.9.x remains the stable branch. Ensure you are on the latest 6.9.x point release, which includes security patches from the WordPress core team.
Prioritized Action List
In order of urgency:
- Ninja Forms File Upload -- Update or deactivate. Unauthenticated RCE is the highest practical risk.
- wpForo Forum -- Update to 2.4.17. Arbitrary file deletion at subscriber level.
- Perfmatters -- Update to 2.6.0. Arbitrary file deletion at subscriber level.
- ProfilePress -- Monitor for patch. Disable checkout if feasible. No fix available yet.
- LatePoint -- Update to 5.2.8. SQL injection with customer data exposure.
- Export All URLs -- Update to 5.1. Delete existing CSV exports.
- Essential Addons for Elementor -- Update to 6.1.9. Stored XSS.
- Starter Sites -- Update to 4.5.0. Stored XSS.
How to Check Your Sites
Manually reviewing 225 vulnerabilities against your plugin list is time-consuming but necessary. A faster path is to run a surface scan that checks your installed plugin and theme versions against a vulnerability database.
WP Vanguard's free scanner checks your site against 38,000+ CVEs in under two minutes. No login required, no server access needed. Enter your domain and get a report that flags every outdated plugin with known vulnerabilities, along with severity scores and patch availability.
For agencies and hosting providers managing multiple sites, our Partner API supports bulk scanning across your entire portfolio.
About This Report
This report is compiled from vulnerability disclosures published by Wordfence, Patchstack, the National Vulnerability Database (NVD), and plugin vendor advisories during the reporting period. We prioritize vulnerabilities by CVSS score, install count, authentication requirements, and whether a patch is available.
Vulnerability counts and patch status are accurate as of April 7, 2026. Vendors may release patches after this report is published. Always check the specific plugin page in your WordPress dashboard for the latest available version.
The goal of this report is not to be exhaustive but to highlight the vulnerabilities that matter most. The 225 total includes many low-severity issues in plugins with minimal install bases. The critical and high severity sections above cover the ones that demand immediate action from the largest number of site owners.
Scan your site for free | View pricing | Perfmatters CVE-2026-4350 deep dive | Ninja Forms file upload vulnerability
Related reading
Check Your WordPress Site Security
Free scan, no login required. Find vulnerabilities before attackers do.
Scan Your Site FreeGet weekly WordPress security tips
Vulnerability alerts, plugin updates, and security guides. No spam. Unsubscribe any time.