In May 2026, security researchers disclosed over 500 WordPress plugin vulnerabilities, including 28 critical issues, 118 high-severity flaws, and 344 medium-risk vulnerabilities.
The high number of critical issues points to a clear pattern: attackers and researchers continue to uncover severe flaws involving unauthenticated privilege escalation, arbitrary file upload, and authentication bypass.
Most vulnerabilities now have patches available. However, sites that fail to update remain exposed to full compromise without requiring valid credentials. Attackers actively target these outdated installations.
The most severe individual issue this month was a CVSS 9.8 remote code execution vulnerability in Avada (Fusion) Builder, which affects more than 1 million active installations. Alongside this, smaller plugins with limited install bases also introduced high-risk flaws, especially in form builders, OTP authentication plugins, and Elementor extensions.
Overall risk level: High
A combination of unauthenticated access paths, insecure file handling, and broken authentication logic continues to dominate the WordPress plugin ecosystem.
Key Statistics
- Total vulnerabilities disclosed: 500+
- Critical severity: 28
- High severity: 118
- Medium severity: 344
- Low severity: remainder
Critical vulnerabilities remain unusually concentrated in authentication systems, form plugins, and page builder extensions.
Key Incidents and Major Vulnerabilities
Burst Statistics — Active Exploitation
CVE-2026-8181 | CVSS 9.8
Researchers identified an authentication bypass in Burst Statistics (3.4.0–3.4.1.1). The plugin incorrectly validates admin identity in its REST API authentication flow.
Attackers used this flaw to impersonate administrator accounts by sending requests with valid usernames and arbitrary passwords.
Wordfence blocked more than 7,400 exploit attempts within 24 hours of disclosure.
Fix: Update to 3.4.2 and rotate all admin credentials. Review user accounts created after April 23, 2026.
Avada Builder — Remote Code Execution
CVE-2026-6279 | CVSS 9.8
Security researchers discovered a PHP function injection flaw in Avada (Fusion) Builder. An attacker can trigger the vulnerability in the widget rendering logic through the render_logicsshortcode attribute without authentication.
Attackers can execute arbitrary PHP code on affected servers.
This issue affects more than 1 million WordPress sites.
Fix: Update to version 3.15.3 immediately.
OTP Authentication Plugin Failures
Three separate OTP plugins shipped critical authentication bypass vulnerabilities this month:
- OTP Login With Phone Number ≤ 1.8.60 (CVE-2026-3655)
- Login with OTP ≤ 1.6 (CVE-2026-8760)
- miniOrange OTP Login ≤ 5.4.9 (CVE-2026-42731)
Each plugin failed to properly enforce OTP validation or rate limiting. Attackers bypassed authentication entirely or brute-forced OTP codes at scale.
This pattern shows a systemic weakness in OTP-based authentication plugins.
Critical Vulnerabilities Disclosed
Week of May 28
- WP Maps Pro ≤ 6.1.0 (CVE-2026-8732)
  - Attackers exploited an unauthenticated AJAX endpoint (wpgmp_temp_access_ajax) to create administrator accounts. Any visitor could escalate privileges without logging in.
- WP Travel Pro ≤ 10.6.0 (CVE-2026-4290)
  - Attackers deleted user accounts, including administrators, through missing authorization checks.
- Advanced Custom Fields: Extended ≤ 0.9.2.5 (CVE-2026-8809)
  - Attackers bypassed validation on _acf_post_id and escalated privileges without authentication.
- GEO my WP ≤ 4.5.4
  - SQL injection affected geolocation parameters (lat, lng, distance) and allowed database extraction.
Week of May 19–26
- BookingPress Pro ≤ 5.6 (CVE-2026-6960)
  - A file upload flaw allowed attackers to upload PHP shells through booking forms without authentication.
- Gift Cards for WooCommerce Pro ≤ 4.2.6 (CVE-2026-45444)
  - Attackers uploaded malicious files through gift card redemption flows.
- Divi Form Builder ≤ 5.1.2 (CVE-2026-5118)
  - Attackers assigned themselves administrator roles by manipulating the role parameter.
- Easy Elements for Elementor ≤ 1.4.4 (CVE-2026-7284)
  - A privilege escalation flaw allowed attackers to create admin accounts.
- Boost ≤ 2.0.3 (CVE-2026-7637)
  - PHP object injection occurred through an unsanitized cookie value.
- ProSolution WP Client ≤ 2.0.0 (CVE-2026-6555)
  - Attackers uploaded arbitrary files through the frontend submission system.
Week of May 1–18 (Highlights)
- Piotnet Addons for Elementor Pro ≤ 7.1.70 (CVE-2026-4885) — File upload RCE
- Piotnet Forms ≤ 2.1.40 (CVE-2026-4883) — File upload RCE
- Contest Gallery Pro ≤ 29.0.1 (CVE-2026-42680) — Privilege escalation
- User Verification by PickPlugins ≤ 2.0.46 (CVE-2026-7458) — OTP bypass
- User Registration Advanced Fields ≤ 1.6.20 (CVE-2026-4882) — File upload
- Custom CSS-JS-PHP ≤ 2.0.7 (CVE-2026-6433) — Remote code execution
- GeekyBot ≤ 1.2.2 (CVE-2026-5294) — Unauthenticated plugin installation
Exploitation Trends
File upload vulnerabilities dominate critical issues
At least nine critical vulnerabilities in May involve arbitrary file uploads. Attackers consistently exploit front-end forms that accept files without strict validation.
Once uploaded, malicious PHP files often execute immediately or remain accessible as persistent backdoors.
OTP plugins consistently fail at authentication
Four separate OTP plugins failed to properly enforce authentication. Attackers bypassed OTP checks or brute-forced verification codes due to missing rate limits.
Sites that rely on OTP plugins for security may actually increase their attack surface when using vulnerable versions.
Elementor ecosystem remains high-risk
Multiple Elementor add-ons introduced privilege escalation or file upload flaws. The extensibility of the ecosystem increases attack surface, especially when third-party developers implement inconsistent security controls.
Privilege escalation through registration flows
Several plugins allowed attackers to assign administrator roles during registration or account creation. In most cases, plugins trusted user-supplied role parameters without validation.
Threat Actor Behavior
Attackers focus on unauthenticated endpoints because they scale easily across the internet.
More than 90% of critical vulnerabilities in May required no authentication. This allows automated scanners to exploit vulnerable sites without credentials.
File upload vulnerabilities remain especially dangerous because uploaded PHP files often survive plugin updates and provide long-term access.
OTP brute-force attacks also continue to scale. Attackers can exhaust weak numeric OTP systems in minutes when rate limits are missing.
The time between disclosure and exploitation continues to shrink. High-severity vulnerabilities often face scanning attempts within hours.
Risk Outlook for June 2026
Avada Builder RCE will likely see rapid exploitation due to its large install base.
Attackers will continue targeting OTP authentication bypass vulnerabilities at scale because multiple plugins share similar design flaws.
Sites that experienced file upload vulnerabilities in May should assume potential compromise unless they have verified file system integrity.
Manual vulnerability tracking is no longer sufficient for most site owners due to the volume of disclosures.
Recommended Actions
Patch immediately
- Avada Builder → 3.15.3
- Burst Statistics → 3.4.2
- WP Maps Pro → 6.1.1
- BookingPress Pro → 5.6.1
- Divi Form Builder → 5.1.3
- Piotnet Addons / Forms → latest patched versions
- OTP plugins → all listed versions must be updated or removed
- Custom CSS-JS-PHP → remove or replace immediately
- GEO my WP → 4.5.5
Check for compromise
- Scan wp-content/uploads for unexpected PHP files
- Review WordPress user accounts for unknown administrators
- Inspect wp_usermeta for unexpected role changes
- Check server logs for unusual POST requests and REST API activity
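The uploads scan and the log review from the list above, written out as an added example that is not from the original post. It assumes common log format (request method in field 6, path in field 7), uses a PHP-extension list and request patterns chosen here, and runs against constructed files and log lines rather than a live site.

```shell
#!/bin/sh
# Added example, not code from the original post: two "check for compromise"
# steps run against constructed sample data (a fake uploads tree and fake
# access-log lines) so it works offline. Needs POSIX sh, find, grep, awk, mktemp.

# Files under an uploads tree that a web server may execute as PHP: a PHP-type
# extension anywhere in the name, or another extension whose content has <?php.
find_php_in_uploads() {
    find "$1" -type f \( -iname '*.php' -o -iname '*.php.*' -o -iname '*.phtml' \
        -o -iname '*.php[0-9]' -o -iname '*.phar' \) -print
    find "$1" -type f ! -iname '*.php*' ! -iname '*.phtml' ! -iname '*.phar' \
        -exec grep -l '<?php' {} + 2>/dev/null
}

# Common-log-format lines worth a look: any POST to the REST API, admin-ajax.php
# or wp-login.php, and any request naming the WP Maps Pro action from the post.
flag_suspicious_requests() {
    awk '($6 ~ /^"POST$/ && ($7 ~ /^\/wp-json\// || $7 ~ /admin-ajax\.php/ \
          || $7 ~ /wp-login\.php/)) || $0 ~ /wpgmp_temp_access_ajax/' "$1"
}

# Constructed uploads tree: two PHP files by name, one polyglot GIF by content,
# two harmless files. The PHP bodies are inert placeholders, not real payloads.
make_sample_uploads() {
    mkdir -p "$1/2026/05"
    printf '<?php echo 1; ?>\n'         > "$1/2026/05/cache.php"
    printf '<?php echo 2; ?>\n'         > "$1/2026/05/logo.php.jpg"
    printf 'GIF89a\n<?php echo 3; ?>\n' > "$1/2026/05/banner.gif"
    printf 'JFIF not php\n'             > "$1/2026/05/photo.jpg"
    printf 'plain notes\n'              > "$1/2026/05/notes.txt"
}

# Constructed log lines (documentation IP ranges); three of five should flag.
make_sample_log() {
    cat > "$1" <<'EOF'
203.0.113.5 - - [28/May/2026:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 5120
203.0.113.5 - - [28/May/2026:10:01:09 +0000] "POST /wp-json/wp/v2/users HTTP/1.1" 401 87
203.0.113.7 - - [28/May/2026:10:02:15 +0000] "GET /wp-admin/admin-ajax.php?action=wpgmp_temp_access_ajax HTTP/1.1" 200 44
198.51.100.9 - - [28/May/2026:10:03:01 +0000] "GET /wp-content/uploads/2026/05/photo.jpg HTTP/1.1" 200 90211
198.51.100.9 - - [28/May/2026:10:03:40 +0000] "POST /wp-login.php HTTP/1.1" 302 0
EOF
}

work=$(mktemp -d)
make_sample_uploads "$work/uploads"
make_sample_log "$work/access.log"
echo "== files under uploads that may execute as PHP =="; find_php_in_uploads "$work/uploads"
echo "== requests to review =="; flag_suspicious_requests "$work/access.log"
rm -rf "$work"
```

On a real site, point find_php_in_uploads at wp-content/uploads and flag_suspicious_requests at the web server access log; anything listed is a lead to inspect, not proof of compromise.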
Reduce attack surface
- Disable public registration where unnecessary
- Block PHP execution in wp-content/uploads
- Restrict access to user creation endpoints
- Enable multi-factor authentication for admin accounts
- Monitor plugin vulnerability feeds continuously
Final note
WordPress security in May 2026 shows a clear shift toward unauthenticated exploitation paths. Attackers no longer rely on stolen credentials. They exploit design flaws in plugins that expose privileged actions without proper access control.
Sites that fail to patch quickly now face compromise within hours of vulnerability disclosure.