Vulnerabilities, May 1, 2026

Vulnerability & Patch Roundup — April 2026

April 2026 WordPress plugin vulnerability roundup covers XSS, access control, and data exposure flaws.

Summary

Sucuri has compiled a monthly vulnerability report for the WordPress ecosystem, detailing nine critical plugin vulnerabilities including XSS, broken access control, and sensitive data exposure issues affecting millions of installations. The vulnerabilities span popular plugins like Elementor, ACF, ManageWP Worker, and W3 Total Cache, with patched versions available and virtual protection provided by Sucuri Firewall to existing clients.

Full text

Vulnerability reports and responsible disclosures are essential for website security awareness and education. Automated attacks targeting known software vulnerabilities are one of the leading causes of website compromises.

To help educate website owners about potential threats to their environments, we’ve compiled a list of important security updates and vulnerability patches for the WordPress ecosystem this past month.

The vulnerabilities listed below are virtually patched by the Sucuri Firewall and existing clients are protected. If you don’t have it installed yet, you can use our web application firewall to protect your site against known vulnerabilities.

Plugins

Elementor Website Builder – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-14732
Number of Installations: 10,000,000+
Affected Software: Elementor Website Builder <= 3.35.5
Patched Versions: Elementor Website Builder 3.35.6
Mitigation steps: Update to Elementor Website Builder version 3.35.6 or greater.

Advanced Custom Fields (ACF®) – Broken Access Control
Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Broken Access Control
CVE: CVE-2026-4812
Number of Installations: 2,000,000+
Affected Software: Advanced Custom Fields (ACF®) <= 6.7.0
Patched Versions: Advanced Custom Fields (ACF®) 6.7.1
Mitigation steps: Update to Advanced Custom Fields (ACF®) version 6.7.1 or greater.

ElementsKit Elementor Addons – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2026-2600
Number of Installations: 2,000,000+
Affected Software: ElementsKit Elementor Addons <= 3.7.9
Patched Versions: ElementsKit Elementor Addons 3.8.0
Mitigation steps: Update to ElementsKit Elementor Addons version 3.8.0 or greater.

ManageWP Worker – Cross Site Scripting (XSS)
Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2026-39463
Number of Installations: 1,000,000+
Affected Software: ManageWP Worker <= 4.9.31
Patched Versions: ManageWP Worker 4.9.32
Mitigation steps: Update to ManageWP Worker version 4.9.32 or greater.

WP-Optimize – Broken Access Control
Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2026-2712
Number of Installations: 1,000,000+
Affected Software: WP-Optimize <= 4.5.0
Patched Versions: WP-Optimize 4.5.1
Mitigation steps: Update to WP-Optimize version 4.5.1 or greater.

W3 Total Cache – Sensitive Data Exposure
Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Sensitive Data Exposure
CVE: CVE-2026-5032
Number of Installations: 900,000+
Affected Software: W3 Total Cache <= 2.9.3
Patched Versions: W3 Total Cache 2.9.4
Mitigation steps: Update to W3 Total Cache version 2.9.4 or greater.

Smart Slider 3 – Broken Access Control
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2026-4065
Number of Installations: 800,000+
Affected Software: Smart Slider 3 <= 3.5.1.33
Patched Versions: Smart Slider 3 3.5.1.34
Mitigation steps: Update to Smart Slider 3 version 3.5.1.34 or greater.

Fluent Forms – Broken Authentication
Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Broken Authentication
CVE: CVE-2026-4160
Number of Installations: 700,000+
Affected Software: Fluent Forms <= 6.1.9
Patched Versions: Fluent Forms 6.2.0
Mitigation steps: Update to Fluent Forms version 6.2.0 or greater.

Royal Addons for Elementor – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2026-5162
Number of Installations: 600,000+
Affected Software: Royal Addons for Elementor <= 1.7.1056
Patched Versions: Royal Addons for Elementor 1.7.1057
Mitigation steps: Update to Royal Addons for Elementor version 1.7.1057 or greater.

Kadence Blocks – Broken Access Control
Security Risk: High
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2026-2826
Number of Installations: 600,000+
Affected Software: Kadence Blocks <= 3.6.3
Patched Versions: Kadence Blocks 3.6.4
Mitigation steps: Update to Kadence Blocks version 3.6.4 or greater.

Royal Addons for Elementor – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2026-0664
Number of Installations: 600,000+
Affected Software: Royal Addons for Elementor <= 1.7.1049
Patched Versions: Royal Addons for Elementor 1.7.1050
Mitigation steps: Update to Royal Addons for Elementor version 1.7.1050 or greater.

WP Statistics – Cross Site Scripting (XSS)
Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2026-5231
Number of Installations: 600,000+
Affected Software: WP Statistics <= 14.16.4
Patched Versions: WP Statistics 14.16.5
Mitigation steps: Update to WP Statistics version 14.16.5 or greater.

BackWPup – Local File Inclusion
Security Risk: High
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: Local File Inclusion
CVE: CVE-2026-6227
Number of Installations: 500,000+
Affected Software: BackWPup <= 5.6.6
Patched Versions: BackWPup 5.6.7
Mitigation steps: Update to BackWPup version 5.6.7 or greater.

Meta Box – Arbitrary File Deletion
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Arbitrary File Deletion
CVE: CVE-2026-39468
Number of Installations: 500,000+
Affected Software: Meta Box <= 5.11.1
Patched Versions: Meta Box 5.11.2
Mitigation steps: Update to Meta Box version 5.11.2 or greater.

Ocean Extra – Broken Access Control
Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2026-34903
Number of Installations: 500,000+
Affected Software: Ocean Extra <= 2.5.3
Patched Versions: Ocean Extra 2.5.4
Mitigation steps: Update to Ocean Extra version 2.5.4 or greater.

YITH WooCommerce Wishlist – Insecure Direct Object References (IDOR)
Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Insecure Direct Object References (IDOR)
CVE: CVE-2026-4432
Number of Installations: 500,000+
Affected Software: YITH WooCommerce Wishlist <= 4.12.9
Patched Versions: YITH WooCommerce Wishlist 4.13.0
Mitigation steps: Update to YITH WooCommerce Wishlist version 4.13.0 or greater.

Slider, Gallery, and Carousel by MetaSlider – PHP Object Injection
Security Risk: High
Exploitation Level: Requires Editor or higher level authentication.
Vulnerability: PHP Object Injection
CVE: CVE-2026-39467
Number of Installations: 500,000+
Affected Software: MetaSlider <= 3.106.9
Patched Versions: MetaSlider 3.107.0
Mitigation steps: Update to MetaSlider version 3.107.0 or greater.

Slider, Gallery, and Carousel by MetaSlider – Remote Code Execution (RCE)
Security Risk: Critical
Exploitation Level: Requires Editor or higher level authentication.
Vulnerability: Remote Code Execution (RCE)
CVE: CVE-2026-39465
Number of Installations: 500,000+
Affected Software: MetaSlider <= 3.106.9
Patched Versions: MetaSlider 3.107.0
Mitigation steps: Update to MetaSlider version 3.107.0 or greater.

WP Shortcodes Plugin — Shortcodes Ultimate – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2026-3885
Number of Installations: 400,000+
Affected Software: Shortcodes Ultimate <= 7.4.9
Patched Versions: Shortcodes Ultimate 7.5.0
Mitigatio

Indicators of Compromise

  • cve — CVE-2025-14732
  • cve — CVE-2026-4812
  • cve — CVE-2026-2600
  • cve — CVE-2026-39463
  • cve — CVE-2026-2712
  • cve — CVE-2026-5032
  • cve — CVE-2026-4065
  • cve — CVE-2026-4160
  • cve — CVE-2026-5162

Entities

  • Elementor Website Builder (product)
  • Advanced Custom Fields (ACF) (product)
  • ManageWP Worker (product)
  • W3 Total Cache (product)
  • Fluent Forms (product)
  • Sucuri (vendor)