Research · 7 min read

WordPress Vulnerability Roundup: May 2026 (Week 3)

By WP Vanguard Team

Week 3 of May 2026 (May 11 to May 17) added 78 new vulnerabilities to the WordPress ecosystem across 62 plugins and 2 themes. Of those, 66 are patched and 12 remain unpatched at time of writing. The headline this week isn't a single dramatic disclosure but the firewall rollout for the AI Engine MCP bearer-token leak. Wordfence pushed protection for CVE-2025-11749 to premium customers this week, which is a strong signal that the bug is being exploited in the wild.

This is the companion to our earlier May 2026 monthly roundup covering Burst Statistics, Avada Builder, and MonsterInsights from the first half of the month. Together they cover everything significant in May so far. Below is the week 3 snapshot with prioritized remediation.

The Numbers This Week

Severity            Count
Critical (9.0+)         3
High (7.0-8.9)         21
Medium (4.0-6.9)       54
Total                  78

Patch status across all 78: 66 patched, 12 unpatched. That's an 85% patch rate, noticeably better than April's 73%, but it still leaves a tail of unfixed disclosures concentrated in low-install plugins and one or two abandoned products.

The disclosure pace is also down from April's 200+ weekly peaks, partly because the supply-chain incidents earlier this year (Essential Plugins, Smart Slider 3 Pro) drove a temporary spike that has now settled. This week's medium-heavy severity distribution is closer to the long-run baseline.

CWE Breakdown: Why XSS Still Wins

What stood out in week 3 isn't a single plugin, it's the shape of the vulnerability types. Wordfence's CWE categorization:

Vulnerability Type                                            Count
Cross-Site Scripting (XSS)                                       23
Missing Authorization                                            17
SQL Injection                                                    12
Path Traversal                                                    6
Cross-Site Request Forgery (CSRF)                                 5
Information Disclosure                                            4
Authorization Bypass via User-Controlled Key                      3
Unrestricted File Upload                                          2
Deserialization / Improper Auth / SSRF / Weak Password Reset      1 each

Three things to call out here.

XSS at 29% of disclosures. Stored and reflected XSS are still the single most common WordPress plugin flaw, and the trend isn't improving. The pattern is consistent: a plugin accepts user input (a contact form field, a custom field, a shortcode parameter), saves it, then echoes it back to an admin or editor without escaping it for the output context (esc_html() for text, esc_attr() for attribute values, wp_kses_post() where limited HTML is intended). The fix is usually one line. The fact that this category still tops every week's chart, year after year, is a comment on plugin code-review culture more than on PHP itself.

Missing Authorization at 17 disclosures (22%). This is the AI Engine pattern at scale: an AJAX endpoint checks the nonce but never calls current_user_can(), or a REST route is registered with a permission_callback that returns true for everyone. We covered why this is so common in What WordPress nonces actually protect. Nonces are CSRF tokens, not capability checks, and many plugin authors still treat them as the same thing. Week 3's count works out to roughly 2-3 missing-auth flaws disclosed per day.

SQL Injection still landing 12 a week. With WordPress 7.0 nudging more plugins toward $wpdb->prepare(), SQL injection counts have crept down compared to 2024, but they haven't disappeared. Most of this week's 12 are in older plugins that still build queries by string concatenation in 2026 like it's 2014.
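What those three rows look like in code, as an added example written for this roundup rather than taken from any plugin in it: one admin-ajax handler that checks a nonce but no capability, builds its UPDATE by concatenation, and echoes the stored value unescaped, followed by the same handler with each defect closed and the REST-route equivalent of the authorization fix. The wpv_demo prefix, the notes table, the capability chosen, and the route namespace are assumptions for the illustration, not anything from the disclosed plugins.

```php
<?php
/**
 * Added illustration of this week's top three CWE rows: missing authorization,
 * SQL built by concatenation, and unescaped output. Example code for this
 * article, not from any plugin in the roundup. The "wpv_demo" prefix, the notes
 * table, the AJAX action and the REST namespace are invented for the example.
 */

/* ---- BEFORE: the shape of a typical week-3 disclosure. Not registered. ---- */
function wpv_demo_save_note_vulnerable() {
    global $wpdb;

    // A nonce only proves the request came from a page WordPress rendered for
    // this logged-in user. Any Subscriber can obtain one, so this is a CSRF
    // check, not an authorization check, and no current_user_can() follows it.
    check_ajax_referer( 'wpv_demo_nonce', 'nonce' );

    $note_id = $_POST['note_id'];   // attacker-controlled
    $body    = $_POST['body'];      // attacker-controlled

    // CWE-89: request data concatenated straight into the query.
    $wpdb->query(
        "UPDATE {$wpdb->prefix}wpv_demo_notes SET body = '" . $body . "' WHERE id = " . $note_id
    );

    // CWE-79: stored value echoed as-is; whoever renders it next (often an
    // administrator) runs whatever script it carries.
    echo '<div class="note">' . $body . '</div>';
    wp_die();
}

/* ---- AFTER: same feature, each defect closed. ---- */
add_action( 'wp_ajax_wpv_demo_save_note', 'wpv_demo_save_note_hardened' );
function wpv_demo_save_note_hardened() {
    global $wpdb;

    // CSRF: nonce still required; check_ajax_referer() dies on failure.
    check_ajax_referer( 'wpv_demo_nonce', 'nonce' );

    // Authorization: the check the vulnerable version lacked. Use the capability
    // that matches the action; 'edit_others_posts' is assumed here because the
    // action edits content other users will see.
    if ( ! current_user_can( 'edit_others_posts' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    // Input: coerce the id to an integer; unslash, then reduce the body to the
    // HTML subset post authors may use anyway.
    $note_id = isset( $_POST['note_id'] ) ? absint( $_POST['note_id'] ) : 0;
    $body    = isset( $_POST['body'] ) ? wp_kses_post( wp_unslash( $_POST['body'] ) ) : '';
    if ( 0 === $note_id ) {
        wp_send_json_error( array( 'message' => 'bad id' ), 400 );
    }

    // SQL: placeholders via $wpdb->prepare(). %i (identifier, WordPress 6.2+)
    // for the table name, %s and %d for values; no variable ever appears inside
    // the format string itself.
    $wpdb->query(
        $wpdb->prepare(
            'UPDATE %i SET body = %s WHERE id = %d',
            $wpdb->prefix . 'wpv_demo_notes',
            $body,
            $note_id
        )
    );

    // Output: escape for the destination context. Attribute values go through
    // esc_attr(); plain text would go through esc_html(); $body is already
    // wp_kses_post()-filtered because limited HTML is intended here.
    wp_send_json_success(
        array(
            'id'   => $note_id,
            'html' => '<div class="note" data-id="' . esc_attr( $note_id ) . '">' . $body . '</div>',
        )
    );
}

/* ---- REST: the same defect appears as 'permission_callback' => '__return_true'.
 *      The capability check belongs in that callback; core validates the
 *      X-WP-Nonce header for cookie-authenticated requests. ---- */
add_action( 'rest_api_init', function () {
    register_rest_route( 'wpv-demo/v1', '/notes/(?P<id>\d+)', array(
        'methods'             => 'POST',
        'callback'            => function ( WP_REST_Request $req ) {
            return rest_ensure_response( array( 'id' => (int) $req['id'] ) );
        },
        'permission_callback' => function () {
            return current_user_can( 'edit_others_posts' );
        },
        'args'                => array( 'id' => array( 'sanitize_callback' => 'absint' ) ),
    ) );
} );
```

The useful review habit this shows is that the nonce line in the "before" version looks like security and passes a casual read; the capability check is the line that actually decides who may run the action, and it has to sit next to every state-changing handler, AJAX or REST.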

Critical Severity: AI Engine MCP Gets a Firewall Rule

The most newsworthy item of week 3 isn't a new disclosure. It's the deployment of firewall protection for AI Engine 3.4.9's authenticated privilege escalation via MCP OAuth bearer token leakage (CVE-2025-11749). Wordfence published the rule to premium customers on May 14, with free users getting it 30 days later.

This matters for two reasons. First, Wordfence's firewall rules track what its telemetry shows being probed or exploited, so a new rule on a CVE that has been public for months means the bug has graduated from "disclosed" to "weaponized". Second, AI Engine has roughly 80,000 active installations and the affected path requires only Subscriber-level access, the lowest practical bar for exploitation on any site that accepts public registration.

If you've ever enabled AI Engine's "No-Auth URL" feature, or you ran any version before 3.5.0, treat the site as having leaked an OAuth bearer token at some point. The remediation order is: update to 3.5.0 or later first, then rotate every credential the MCP server can reach (OpenAI key, Anthropic key, any other model-provider token, and any Google OAuth token tied to the same WordPress account). Updating without rotating leaves an already-exfiltrated token valid.

The other two criticals this week were in lower-install plugins where the affected populations are small enough that targeted scanning will find them faster than mass exploitation. They followed the same pattern: missing authorization on an action that writes options.

What to do: Update AI Engine to 3.5.0+. Run a vulnerability scan against any other AI plugin you have installed. The WordPress AI Plugin Security Checklist covers what to look for.

High Severity: 21 Disclosures, Mostly Missing-Auth Flavored

The 21 high-severity items split roughly into three buckets:

If your site grants self-registration (membership, WooCommerce, LMS, BuddyPress, anything with an open signup form), prioritize the items exploitable from a low-privilege account. An attacker who registers as a customer and immediately escalates is a far more realistic threat than one chaining together five sophisticated bugs.

The five stored XSS items targeting admins are the ones most likely to be folded into mass scanner campaigns. An admin-targeted XSS in a popular plugin is how most of the credential-theft cases we cover in signs your WordPress site is hacked begin.

Medium Severity: The Background Noise

54 medium-severity items doesn't make headlines, but it's where the long tail of WordPress security lives. The medium bucket this week looked exactly like every other week:

The reason medium-severity items are worth scanning for isn't that any individual one is dangerous, it's that they accumulate. A site with 30 active plugins is statistically likely to be running 1-2 of them with a known medium-severity flaw at any given time. That's tolerable when the site is otherwise hardened. It compounds when paired with weak password policy, an unpatched theme, and a forgotten admin account.

Prioritized Action List

In order of urgency, ranked by exploitation likelihood and blast radius:

  1. AI Engine. Update to 3.5.0+. Rotate AI provider keys and any linked OAuth tokens if you ran an earlier version or ever enabled No-Auth URL.
  2. Plugins with self-registration roles. Audit for any plugin handling Subscriber/Customer/Contributor actions and update any with disclosed missing-authorization flaws this week.
  3. WooCommerce-adjacent plugins. Update marketplace, vendor, and customer-area extensions to current versions.
  4. Image / gallery / backup plugins. Update anything handling file uploads or file paths.
  5. All other plugins. Run an automated scan against the full inventory. If you manage more than a handful of sites, manual tracking against 78 weekly vulnerabilities isn't realistic.

What This Means for the Month

May 2026 closes its third week looking calmer than April. The headline pattern isn't a single dramatic CVE, it's the slow accumulation of missing-authorization disclosures alongside the AI Engine firewall rollout that confirms what we said in the original AI Engine writeup: MCP-related bugs in WordPress AI plugins are the new attack surface and they're being exploited.

The CWE chart should be the takeaway for plugin authors more than site owners. If you're shipping any code that runs on WordPress this year, the highest-ROI security review you can do is grep your codebase for echo $_ patterns, AJAX handlers and REST routes without a real capability check, and any place you build SQL by concatenation. Those three patterns account for 52 of this week's 78 disclosures, roughly two thirds.

For site owners, the answer is the same as every week: keep plugins updated, audit your inventory monthly, and run a free WordPress security scan before you discover the problem the way most people do, by Googling your own site.

WP Vanguard is built by Wbcom Designs, makers of Reign, Jetonomy, Listora, and more.