Research · 8 min read

WordPress Vulnerability Roundup: April 2026 (Week 4)

By WP Vanguard Team

WordPress Vulnerability Roundup: April 2026 (Week 4)

The fourth week of April 2026 added 216 new vulnerabilities to the WordPress ecosystem across 187 plugins and 29 themes. Of those, 187 have patches available and 29 remain unpatched. The headline story is a critical RCE in MetaSlider that exposes 500,000 sites, but the week's most-attacked vulnerability is the Breeze Cache file upload we covered separately, with Wordfence blocking nearly 4,000 attempts in a single day.

This roundup covers the critical and high-severity disclosures from April 22 through April 28, 2026, with prioritized remediation for each. It's the companion to our Week 1 roundup, and together they cover the month.

The Numbers This Week

Severity Count Patched Unpatched
Critical (9.0+) 4 3 1
High (7.0-8.9) 21 17 4
Medium (4.0-6.9) 94 84 10
Low (0.1-3.9) 97 83 14
Total 216 187 29

The 13% unpatched rate is meaningfully better than week 1's 40%, reflecting faster vendor response after the supply-chain incidents earlier in the month. The remaining unpatched items are concentrated in two product families (Riaxe Product Customizer and a cluster of small-install slider/gallery plugins).

Critical Severity

MetaSlider Slider, Gallery and Carousel -- CVE-2026-39465

CVSS: 9.8 | Affected: MetaSlider <= 3.106.x | Patch: 3.107.0

The MetaSlider plugin, with more than 500,000 active installations, contains an unauthenticated remote code execution vulnerability in the slider import functionality. The import handler accepts a serialized blob from POST data and passes it through unserialize() without validating the source. PHP object injection via a known POP gadget chain in the plugin's own classes leads to arbitrary code execution.

This is one of the larger blast-radius RCEs of 2026 to date. MetaSlider ships free on WordPress.org and is bundled with several premium themes, which means many sites have it installed without anyone actively using it. A site with the plugin enabled but no live sliders is just as vulnerable as a heavily configured one.

What to do: Update to MetaSlider 3.107.0 immediately. If you can't update, deactivate the plugin. After patching, audit the signs of compromise for any indicators that exploitation already happened: unfamiliar admin accounts, modified core files, unexpected scheduled tasks.

Breeze Cache -- CVE-2026-3844

CVSS: 9.8 | Affected: Breeze <= 2.4.4 | Patch: 2.4.5

The Breeze caching plugin, bundled by default on Cloudways-managed WordPress sites and installed on more than 400,000 sites, has an unauthenticated arbitrary file upload vulnerability in its Gravatar fetcher. Wordfence reported nearly 4,000 blocked exploitation attempts in the 24 hours after disclosure.

We published a full writeup of CVE-2026-3844 covering the technical root cause in fetch_gravatar_from_remote(), why the "not default" mitigation is weaker than it sounds, and step-by-step remediation.

What to do: Update Breeze to 2.4.5. Disable "Host Files Locally - Gravatars" until you've confirmed the patch is in place. Check wp-content/uploads/breeze/gravatar/ for unexpected file types.

Riaxe Product Customizer -- CVE-2026-3599 and CVE-2026-3596 (UNPATCHED)

CVSS: 9.1 | Affected: All current versions | Patch: None available

The Riaxe Product Customizer plugin contains two distinct critical vulnerabilities: an SQL injection (CVE-2026-3599) in the customization save handler, and a broken access control flaw (CVE-2026-3596) that lets unauthenticated users trigger administrative actions. Both have been disclosed without coordinated patches.

The vendor has been contacted but has not shipped fixes as of April 28. Estimated installs are unknown but the plugin is sold through several WooCommerce extension marketplaces, so the population is likely larger than the WordPress.org count suggests.

What to do: Deactivate Riaxe Product Customizer until a patch is released. If your store relies on it, route customization through an alternative plugin in the meantime. Monitor the vendor's changelog daily.

Plugin Backdoor Cluster -- Multiple CVEs

CVSS: Varies | Affected: Accordion Slider, Album Gallery, Blog Designer, Countdown Timer, others | Patch: Required immediately

A cluster of plugins from a shared authorship lineage shipped backdoor code in late-April updates. The pattern follows the Essential Plugins supply-chain attack earlier in the month: legitimate plugins acquired by a new owner, dormant backdoor inserted, activated weeks later. The WordPress.org plugin review team has been removing affected plugins as they're identified.

What to do: If you have any of the listed plugins active, treat the site as potentially compromised. Run a malware removal sweep. Replace the affected plugin with an alternative from a different author.

High Severity

LearnPress LMS -- CVE-2026-4365

CVSS: 8.8 | Affected: LearnPress <= 4.3.2 | Patch: 4.3.3

The LearnPress LMS plugin, with roughly 80,000 active installations, has a broken access control flaw that lets students with course-instructor capabilities bypass course-level restrictions and modify content owned by other instructors. On multi-instructor LMS sites, this allows one instructor to corrupt or steal another instructor's course material.

What to do: Update LearnPress to 4.3.3. Audit recent course changes for any modifications you don't recognize.

BackWPup -- Local File Inclusion

CVSS: 8.1 | Affected: BackWPup (check advisory) | Patch: Available

BackWPup is a backup plugin with more than 500,000 active installations. The disclosed flaw is a local file inclusion vulnerability in the backup-job handler that lets authenticated users include arbitrary local PHP files. On servers with predictable PHP file paths (most servers), this provides a stepping stone to code execution.

What to do: Update BackWPup to the latest version. Audit your backup logs for unexpected job entries.

WP Statistics -- Stored XSS

CVSS: 7.6 | Affected: WP Statistics (check advisory) | Patch: Available

WP Statistics tracks visitor analytics on more than 600,000 sites. The plugin stores incoming User-Agent and Referer strings without escaping them on output in the admin dashboard. An attacker can craft a request with a malicious User-Agent header that becomes JavaScript when an admin views the stats page, executing in the admin's browser context.

This is the highest-impact XSS of the week because the audience is administrators by definition. Successful exploitation can pivot through a CSRF token theft to a full admin takeover.

What to do: Update WP Statistics to the latest patched version. Check the admin dashboard pages for unfamiliar referrers; any with HTML markup are exploit attempts.

Product Filter for WooCommerce by WBW -- CVE-2026-3830 and CVE-2026-39494

CVSS: 7.5 | Affected: <= 3.1.2 | Patch: 3.1.3

Two SQL injection vulnerabilities in the WBW Product Filter plugin, used on around 60,000 WooCommerce stores. Both are exploitable through filter parameters in the front-end product listing. The first allows authenticated users to extract data from the products table; the second is unauthenticated but limited to read access on a subset of tables.

What to do: Update to 3.1.3. If you process customer data through this plugin, treat any current month's data as potentially exposed.

WP Customer Area -- CVE-2026-3464

CVSS: 8.8 | Affected: WP Customer Area <= 8.3.4 | Patch: Available

A path traversal vulnerability in WP Customer Area's file-download handler lets authenticated subscribers retrieve files outside the intended customer-area directory, including wp-config.php if directory layout is predictable.

What to do: Update WP Customer Area. Audit subscriber accounts for unfamiliar registrations from the last 30 days.

Optimole -- Multiple Stored XSS

CVSS: 7.2 | Affected: Optimole (check advisory) | Patch: Available

The Optimole image-optimization plugin (200,000+ installs) has multiple stored XSS vulnerabilities in its image-meta handlers. Authenticated contributors can inject scripts that fire when admins view media library pages.

What to do: Update Optimole to the latest version.

Medium Severity

Plugin CVSS Type Affected Patched
Categories Images 6.4 Stored XSS <= 3.3.1 3.3.2
GeoDirectory 6.5 SQL Injection <= 2.3.71 2.3.72
Easy Appointments 6.5 Broken Access Control <= 3.11.7 3.11.8
GeekyBot 5.4 Stored XSS via chat <= 1.1.7 1.1.8
WP Customer Area 5.3 Info Disclosure <= 8.3.4 8.3.5

The GeekyBot entry is worth flagging because it intersects with the AI chatbot security trend we covered in Prompt Injection in WordPress AI Chatbots. The XSS lives in the chat-message field itself, meaning a hostile visitor's chat input can run JavaScript when an admin reviews the conversation log. That's a prompt-injection-adjacent attack: the input that reaches the model also reaches the admin's browser.

AI Engine MCP Bearer Token Disclosure

The week's most architecturally interesting flaw isn't a new April disclosure but is being actively exploited: the AI Engine plugin MCP token leak (CVE-2025-11749) continues to surface in attack telemetry. If you run AI Engine and ever enabled "No-Auth URL," patch to 3.1.4 or later and rotate every credential. The plugin has 22 disclosed vulnerabilities to date, and the pattern of MCP-related findings hasn't slowed.

Prioritized Action List

In order of urgency:

  1. MetaSlider -- Update to 3.107.0. Unauthenticated RCE on 500K sites.
  2. Breeze Cache -- Update to 2.4.5 or deactivate. Unauthenticated file upload, actively exploited.
  3. Plugin Backdoor Cluster -- Audit for the named plugins, deactivate, run a malware sweep.
  4. Riaxe Product Customizer -- Deactivate. No patch available.
  5. WP Statistics -- Update. Stored XSS targeting administrators.
  6. BackWPup -- Update. Local file inclusion.
  7. LearnPress -- Update to 4.3.3. Broken access control.
  8. WBW Product Filter -- Update to 3.1.3. SQL injection.
  9. WP Customer Area -- Update. Path traversal at subscriber level.
  10. Optimole -- Update. Stored XSS.

What This Means for the Month

April 2026 closes as one of the worst single months for WordPress plugin security in recent memory. The total picture: two supply-chain attacks (Essential Plugins, Smart Slider 3 Pro), four critical unauthenticated RCEs in plugins with 50K+ installs each (Ninja Forms, Kali Forms, Breeze, MetaSlider), and an AI-plugin trend of MCP-related disclosures that is unlikely to slow.

If you manage more than a handful of sites, manually tracking 400+ April vulnerabilities against your plugin inventory is not realistic. Run an automated security scan at least weekly. The cost of missing one of these is measured in cleanup time, customer trust, and Google's index -- all of which take longer to recover than the attack took to land.

References

vulnerability-report april-2026 wordpress-security weekly-roundup metaslider breeze-cache wp-statistics

Related reading

Check Your WordPress Site Security

Free scan, no login required. Find vulnerabilities before attackers do.

Scan Your Site Free

Get weekly WordPress security tips

Vulnerability alerts, plugin updates, and security guides. No spam. Unsubscribe any time.

WP Vanguard is built by Wbcom Designs, makers of Reign, Jetonomy, Listora, and more. Explore our WordPress products →
← Back to Blog