WordPress Vulnerability Roundup: May 2026
By WP Vanguard Team
The first half of May 2026 carried four high-severity WordPress disclosures across plugins with a combined install footprint above five million sites. The headline is a 9.8 critical authentication bypass in Burst Statistics, but the more interesting story is the cluster of high-severity SQL injection and broken-access-control bugs that landed in the same two-week window: Avada Builder (1 million sites), MonsterInsights (3 million sites), and Form Maker by 10Web (60,000 sites). All four are patched as of May 12.
This roundup covers the critical and high-severity disclosures from May 1 through May 15, 2026, with prioritized remediation for each. It picks up where our April Week 4 roundup left off.
The Numbers So Far
| Severity | Count | Patched | Notes |
|---|---|---|---|
| Critical (9.0+) | 1 | 1 | Burst Statistics (200K installs) |
| High (7.0-8.9) | 3 | 3 | Avada Builder, MonsterInsights, Form Maker |
| Medium (4.0-6.9) | 38 | 31 | Standard XSS, mid-tier disclosures |
| Low (0.1-3.9) | 47 | 39 | Edge-case info disclosure, minor issues |
The 89% patched rate is high for the first half of a month, reflecting the speed with which the named vendors responded. The remaining unpatched items are mostly in small-install plugins where the maintainer has gone silent.
Critical Severity
Burst Statistics - CVE-2026-8181
CVSS: 9.8 | Affected: 3.4.0 to 3.4.1.1 | Patch: 3.4.2 | Installs: 200,000+
An incorrect return-value check in the plugin's MainWP authentication proxy lets unauthenticated attackers impersonate any administrator via the REST API. An attacker who knows an administrator's username can supply any password in a Basic Auth header, and the plugin treats the request as authenticated. Wordfence blocked more than 7,400 exploit attempts in the first 24 hours after disclosure.
The full technical writeup is in our dedicated post on CVE-2026-8181, including how to audit your admin accounts and what to do if you find a rogue one.
What to do: Update to Burst Statistics 3.4.2 immediately, rotate every admin password, and check for unfamiliar admin accounts created after April 23, 2026.
High Severity
Avada Builder - CVE-2026-4798 and CVE-2026-4782
CVSS: 7.5 (SQLi), 6.5 (File Read) | Affected: <= 3.15.1 | Patch: 3.15.3 | Installs: 1,000,000+
Two distinct vulnerabilities in the same release, both reported by Wordfence and disclosed together. The SQL injection (CVE-2026-4798) is time-based, triggered through the product_order parameter in unauthenticated requests. The plugin's authors called sanitize_text_field() on the input, which strips control characters but does nothing against SQLi, then concatenated the value directly into an ORDER BY clause without using $wpdb->prepare().
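The ORDER BY concatenation described above is worth seeing next to its fix. The following is an added example, not Avada Builder's code: it uses Python's sqlite3 on an in-memory table as a stand-in for $wpdb, with a rough approximation of sanitize_text_field() (sanitize_text_field_like) that strips control characters only. The point it demonstrates generalizes beyond this CVE: prepared-statement placeholders bind values, not identifiers, so a sort column or direction taken from a request has to be mapped through an allowlist (or, on WordPress 6.2+, bound with the %i identifier placeholder) rather than sanitized as text. The table, column names and products are constructed for the example.

```python
import re
import sqlite3


def sanitize_text_field_like(value: str) -> str:
    """Rough stand-in for WordPress's sanitize_text_field(): drops control
    characters and surrounding whitespace, but leaves quotes, semicolons and
    comment markers alone, so it offers no protection against SQL injection."""
    value = re.sub(r"[\x00-\x1f\x7f]", "", value)
    return value.strip()


def build_order_query_vulnerable(product_order: str) -> str:
    """The pattern described in the roundup: a 'sanitized' request parameter is
    concatenated straight into ORDER BY. Shown only to contrast with the fix."""
    return "SELECT id, name FROM products ORDER BY " + sanitize_text_field_like(product_order)


# Allowlist for the hardened version: the request parameter selects one of a
# fixed set of column/direction pairs and never reaches the SQL string itself.
ALLOWED_ORDER = {
    "name": "name ASC",
    "name_desc": "name DESC",
    "price": "price ASC",
    "price_desc": "price DESC",
}
DEFAULT_ORDER = "id ASC"


def build_order_query_safe(product_order: str) -> str:
    """Identifiers cannot be bound as query parameters, so the ORDER BY column
    and direction come from the allowlist; unknown input falls back to a default."""
    return "SELECT id, name FROM products ORDER BY " + ALLOWED_ORDER.get(product_order, DEFAULT_ORDER)


def products_cheaper_than(conn: sqlite3.Connection, max_price: float, product_order: str) -> list:
    """Values, unlike identifiers, are bound as parameters (the sqlite3 '?' plays
    the role of a $wpdb->prepare() placeholder)."""
    sql = build_order_query_safe(product_order).replace(
        "FROM products", "FROM products WHERE price < ?")
    return [row[1] for row in conn.execute(sql, (max_price,))]


def demo_connection() -> sqlite3.Connection:
    """Constructed sample table for the example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL)")
    conn.executemany("INSERT INTO products (name, price) VALUES (?, ?)",
                     [("widget", 9.5), ("gadget", 25.0), ("doohickey", 3.25)])
    return conn


if __name__ == "__main__":
    hostile = "name; -- \x00"
    print(build_order_query_vulnerable(hostile))  # metacharacters survive "sanitizing"
    print(build_order_query_safe(hostile))        # falls back to ORDER BY id ASC
    print(products_cheaper_than(demo_connection(), 10.0, "price_desc"))
```

The vulnerable builder keeps the semicolon and comment marker after sanitizing, which is exactly why stripping control characters is irrelevant here; the safe builder never lets request text into the query at all, and only the price value is bound.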
The arbitrary file read (CVE-2026-4782) is a path-traversal flaw in a related handler that exposes any file the web server can read, including wp-config.php with database credentials and authentication salts.
Important limitation on the SQLi: Exploitation requires WooCommerce to have been activated at some point and then deactivated. The vulnerable code path is wired up by WooCommerce hooks that stay registered after deactivation. Sites that never installed WooCommerce are not exposed. Sites that currently run WooCommerce are exposed through different code paths.
The vendor shipped a partial fix in 3.15.2 on April 13 (the SQLi) and the complete fix in 3.15.3 on May 12 (the file read, plus a backport of the SQLi patch). 3.15.2 is not sufficient.
What to do: Update to Avada Builder 3.15.3. If you found wp-config.php references in your access logs during the exposure window, rotate database credentials, regenerate salts, and follow the malware removal guide.
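Checking access logs for wp-config.php references, as the remediation above asks, is easy to get wrong when requests arrive URL-encoded. The following added example (not part of the roundup or of any vendor's tooling) parses combined-format log lines, decodes the request target twice so single- and double-encoded traversal sequences both surface, restricts the scan to an exposure window, and counts hits per source address. The window dates, log lines, IP addresses and the action=EXAMPLE_HANDLER value are all constructed; the roundup does not name the vulnerable handler.

```python
import re
from datetime import datetime, timezone
from urllib.parse import unquote

# Combined log format as written by Apache and Nginx; only the fields the
# scan needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
# "../" or "..\" preceded by something other than a dot, so "..." alone is not flagged
TRAVERSAL_RE = re.compile(r"(?:^|[^.])\.\.[/\\]")


def normalize_target(target: str) -> str:
    """Decode twice so single-encoded (%2e%2e%2f) and double-encoded
    (%252e%252e%252f) sequences both collapse to their literal form."""
    return unquote(unquote(target))


def is_suspicious(target: str) -> bool:
    t = normalize_target(target).lower()
    return "wp-config.php" in t or TRAVERSAL_RE.search(t) is not None


def parse_ts(raw: str) -> datetime:
    return datetime.strptime(raw, "%d/%b/%Y:%H:%M:%S %z")


def find_file_read_attempts(lines, window_start: datetime, window_end: datetime) -> list:
    """Return one record per request inside the window whose path or query
    references wp-config.php or contains a traversal sequence."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than abort the scan
        ts = parse_ts(m.group("ts"))
        if not (window_start <= ts <= window_end):
            continue
        if is_suspicious(m.group("target")):
            hits.append({
                "ip": m.group("ip"),
                "time": ts.isoformat(),
                "status": int(m.group("status")),
                "target": normalize_target(m.group("target")),
            })
    return hits


def sources(hits: list) -> dict:
    """Count hits per source IP, to see how many distinct actors probed the site."""
    counts = {}
    for h in hits:
        counts[h["ip"]] = counts.get(h["ip"], 0) + 1
    return counts


# Constructed exposure window and log lines for the example.
WINDOW_START = datetime(2026, 5, 1, tzinfo=timezone.utc)
WINDOW_END = datetime(2026, 5, 12, 23, 59, 59, tzinfo=timezone.utc)
SAMPLE_LOG = [
    '203.0.113.7 - - [03/May/2026:14:02:11 +0000] "GET /wp-admin/admin-ajax.php?action=EXAMPLE_HANDLER&file=..%2F..%2Fwp-config.php HTTP/1.1" 200 3117 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [03/May/2026:14:02:15 +0000] "GET /wp-admin/admin-ajax.php?action=EXAMPLE_HANDLER&file=%252e%252e%252fwp-config.php HTTP/1.1" 200 3117 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [04/May/2026:09:10:00 +0000] "GET /product/widget/ HTTP/1.1" 200 14821 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [20/Apr/2026:09:10:00 +0000] "GET /?file=../wp-config.php HTTP/1.1" 404 1203 "-" "curl/8.0"',
    'not a log line at all',
]

if __name__ == "__main__":
    found = find_file_read_attempts(SAMPLE_LOG, WINDOW_START, WINDOW_END)
    for h in found:
        print(h["time"], h["ip"], h["status"], h["target"])
    print(sources(found))
```

A 200 status on a hit is the signal that matters: it means the handler answered, so treat the credentials and salts in wp-config.php as exposed and rotate them, as the remediation above says. The double decode can in principle mis-read a legitimate literal "%25" in a path, which is an acceptable trade for not missing double-encoded probes.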
MonsterInsights - CVE-2026-5371
CVSS: 7.1 | Affected: <= 10.1.2 | Patch: 10.1.3 | Installs: 3,000,000+
Two AJAX handlers that expose Google OAuth tokens check the WordPress nonce but never check the user's capability. A Subscriber-level account can scrape the nonce from profile.php, call the handler, and walk away with the site owner's live Google access token. The same handler family also lets a Subscriber reset the Google Ads integration, which delays detection.
Detailed writeup is in our CVE-2026-5371 post. The short version: WooCommerce stores, membership sites, and anywhere with public registration are the highest-risk surface.
What to do: Update MonsterInsights to 10.1.3, revoke the Google OAuth grant from the Google Account permissions page, reconnect to issue a fresh token, and audit your Google Ads campaigns for unfamiliar changes during the exposure window.
Form Maker by 10Web - CVE-2026-3359
CVSS: 7.5 | Affected: <= 1.15.42 | Patch: 1.15.43 | Installs: 60,000+
CVE-2026-3359 is an unauthenticated SQL injection in the inputs parameter of Form Maker's form-submission handler. The user-supplied value is concatenated into the query without a prepared statement, which makes UNION-based extraction straightforward. An attacker can pull WordPress user records, email addresses, and password hashes from a single crafted request.
The pattern is textbook. Form Maker had a similar SQLi disclosed in 2022 (CVE-2022-3300) in a different parameter. The 2026 bug is structurally identical: trust an external parameter, skip the prepare. Patching the same class of bug across different parameters one CVE at a time is a maintenance failure as much as a security one.
What to do: Update Form Maker to 1.15.43. If your site processes form submissions that store personal data (newsletter signups, support requests, lead capture), treat any data submitted during the exposure window as potentially exposed.
Notable Medium-Severity Picks
The medium bucket included 38 disclosures we won't dignify with full writeups, but a few are worth flagging:
WP Statistics stored XSS (continued). The bug we covered in April Week 4 saw broader patching in May. Sites that hadn't updated by the start of the month are still exposed.
LiteSpeed Cache critical disclosure (CVE-2026-5050). Authenticated stored XSS in the cache configuration UI. CVSS 6.4. Mostly an Editor-and-above attack, but LiteSpeed is on around 5 million sites.
Elementor Pro broken access control (CVE-2026-4901). Subscriber-level access to template export. Marketing-spam attractor more than a security catastrophe, but worth patching.
WPForms file upload (CVE-2026-4633). Authenticated arbitrary file upload restricted to users with upload_files capability. Real risk on multi-author sites; lower on solo-admin sites.
What May Tells Us So Far
Three patterns are visible in the May data:
AI-assisted research is compressing the disclose-to-fix cycle. The Burst Statistics CVE went from vulnerable code shipped (April 23) to patch released (May 12) in 19 days. Wordfence's PRISM platform found it on day 15. Two years ago, a comparable bug would have sat for 60 to 180 days before disclosure.
Authentication bugs are the dominant class. Three of the four high-severity disclosures this month were authentication or authorization failures, not classical memory-safety or code-execution bugs. The pattern reflects how WordPress plugins are written: most code is glue between an HTTP request and a database row, so most bugs are in the access-control glue.
Premium plugins are no longer safer than free ones. Avada Builder is a paid plugin from a major theme vendor. MonsterInsights has a paid tier from a well-funded company. Form Maker is sold through 10Web's commercial site. Premium pricing didn't prevent any of these bugs, and in the Avada case it didn't prevent a partial fix being released as a "complete" one.
Prioritized Action List
In order of urgency:
- Burst Statistics - Update to 3.4.2. Critical auth bypass, actively exploited.
- Avada Builder - Update to 3.15.3 (not 3.15.2). SQL injection + file read.
- MonsterInsights - Update to 10.1.3, then revoke and reissue the Google OAuth grant.
- Form Maker by 10Web - Update to 1.15.43. Unauthenticated SQL injection.
- LiteSpeed Cache - Update to latest. Authenticated XSS on 5M-install plugin.
- WPForms - Update to latest. Authenticated file upload on multi-author sites.
The Operational Question
If you manage more than a handful of WordPress sites, May 2026's pace makes the same operational point we keep making: manually tracking 90 vulnerability disclosures per month against your installed-plugin inventory is not realistic. A site you forgot you owned can be running a vulnerable version of MonsterInsights, leaking a Google Ads token to an attacker who registered as a customer, and you'd never know until the budget started draining.
Run automated security scans on every site you manage, on a weekly cadence, with vulnerability-database lookups against your active plugin versions. The job is too repetitive and too detail-heavy to do by hand.
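The version lookup that such a scan performs is small enough to show in full. The following added example (not the roundup's or any vendor's tooling) encodes the four high-severity advisories above as minimum patched versions, with the lower bound the roundup gives for Burst Statistics, and compares them against a plugin inventory. The inventory shape (name, status, version) matches what WP-CLI's `wp plugin list --format=json` reports, but the inventory below is constructed, and the plugin slugs are assumptions for the example rather than verified wordpress.org slugs.

```python
def parse_version(v: str) -> tuple:
    """'3.4.1.1' -> (3, 4, 1, 1). Non-numeric segments become 0 so odd vendor
    version strings still compare instead of crashing the scan."""
    parts = []
    for seg in v.split("."):
        digits = "".join(ch for ch in seg if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def version_lt(a: str, b: str) -> bool:
    """True if a < b, padding with zeros so '3.4.2' compares cleanly with '3.4.1.1'."""
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    return pa + (0,) * (width - len(pa)) < pb + (0,) * (width - len(pb))


# Advisories as given in this roundup. fixed_in is the first safe version;
# affected_from bounds the range from below where the roundup states one.
# Slugs are assumed for the example, not verified against wordpress.org.
ADVISORIES = [
    {"slug": "burst-statistics", "cve": "CVE-2026-8181", "fixed_in": "3.4.2",
     "affected_from": "3.4.0", "severity": "critical"},
    {"slug": "fusion-builder", "cve": "CVE-2026-4798, CVE-2026-4782", "fixed_in": "3.15.3",
     "affected_from": None, "severity": "high"},
    {"slug": "google-analytics-for-wordpress", "cve": "CVE-2026-5371", "fixed_in": "10.1.3",
     "affected_from": None, "severity": "high"},
    {"slug": "form-maker", "cve": "CVE-2026-3359", "fixed_in": "1.15.43",
     "affected_from": None, "severity": "high"},
]


def is_affected(installed: str, advisory: dict) -> bool:
    """Installed version is below the fix and (if a lower bound exists) at or above it."""
    if not version_lt(installed, advisory["fixed_in"]):
        return False
    lower = advisory["affected_from"]
    return lower is None or not version_lt(installed, lower)


def check_inventory(inventory: list) -> list:
    """Match each installed plugin against the advisory list and return the
    vulnerable ones, most severe first. Inactive plugins are reported too: the
    files stay on disk, and deactivation does not always remove the code path."""
    by_slug = {a["slug"]: a for a in ADVISORIES}
    findings = []
    for plugin in inventory:
        adv = by_slug.get(plugin["name"])
        if adv is None or not is_affected(plugin["version"], adv):
            continue
        findings.append({
            "plugin": plugin["name"],
            "installed": plugin["version"],
            "fixed_in": adv["fixed_in"],
            "cve": adv["cve"],
            "severity": adv["severity"],
            "active": plugin["status"] == "active",
        })
    rank = {"critical": 0, "high": 1}
    findings.sort(key=lambda f: rank.get(f["severity"], 9))
    return findings


# Constructed inventory; note the Avada entry sits on the insufficient 3.15.2.
SAMPLE_INVENTORY = [
    {"name": "burst-statistics", "status": "active", "version": "3.4.1.1"},
    {"name": "fusion-builder", "status": "active", "version": "3.15.2"},
    {"name": "google-analytics-for-wordpress", "status": "active", "version": "10.1.3"},
    {"name": "form-maker", "status": "inactive", "version": "1.15.40"},
    {"name": "akismet", "status": "active", "version": "5.3"},
]

if __name__ == "__main__":
    for f in check_inventory(SAMPLE_INVENTORY):
        state = "active" if f["active"] else "inactive"
        print(f"{f['severity']:8} {f['plugin']} {f['installed']} -> update to {f['fixed_in']} ({f['cve']}, {state})")
```

Run against one site's inventory this is a few lines of output; the value comes from running it on every site on a schedule, with the advisory list refreshed from a vulnerability database rather than hand-typed as it is here.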