Vulnerabilities | Jul 2, 2026

Vulnerability & Patch Roundup — June 2026

June 2026 WordPress vulnerability roundup details critical flaws in popular plugins.

Summary

This June 2026 roundup highlights several critical and high-severity vulnerabilities affecting popular WordPress plugins, including Elementor, WPForms, Rank Math SEO, UpdraftPlus, and Essential Addons. Many of these issues stem from missing authorization or insufficient data verification, allowing for potential unauthorized access or information exposure. Sucuri has virtually patched these for its firewall clients, but users are advised to update affected plugins to the latest versions.

Full text

Running a website means a single unpatched vulnerability can take it offline, harm your reputation, or require cleanup. Most compromises begin with automated attacks exploiting known software flaws that have usually already been reported and disclosed. To keep you protected from these threats, we've compiled this month's key security updates and vulnerability patches for the WordPress ecosystem.

If you're already using the Sucuri Firewall, you're protected. These vulnerabilities are virtually patched for all clients. If not, consider putting a web application firewall in front of your site to block attacks before they reach your environment.

Plugins

Elementor Website Builder – Missing Authorization
Security Risk: Medium
Vulnerability: Missing Authorization
CVE: CVE-2026-49782
Number of Installations: 10,000,000+
Affected Software: Elementor Website Builder ≤ 4.1.0
Patched Versions: 4.1.1
Mitigation steps: Update to Elementor Website Builder version 4.1.1 or greater.

WPForms – Unauthenticated Insufficient Verification of Data Authenticity via PayPal Commerce Webhook Endpoint
Security Risk: Medium
Vulnerability: Unauthenticated Insufficient Verification of Data Authenticity via PayPal Commerce Webhook Endpoint
CVE: CVE-2026-7792
Number of Installations: 6,000,000+
Affected Software: WPForms ≤ 1.10.0.4
Patched Versions: 1.10.0.5
Mitigation steps: Update to WPForms version 1.10.0.5 or greater.

Rank Math SEO – Missing Authorization
Security Risk: Medium
Vulnerability: Missing Authorization
CVE: CVE-2026-34892
Number of Installations: 4,000,000+
Affected Software: Rank Math SEO ≤ 1.0.271
Patched Versions: 1.0.271.1
Mitigation steps: Update to Rank Math SEO version 1.0.271.1 or greater.

UpdraftPlus – Unauthenticated Authentication Bypass via UpdraftCentral udrpc
Security Risk: Critical
Vulnerability: Unauthenticated Authentication Bypass via UpdraftCentral udrpc
CVE: CVE-2026-10795
Number of Installations: 3,000,000+
Affected Software: UpdraftPlus ≤ 1.26.4
Patched Versions: 1.26.5
Mitigation steps: Update to UpdraftPlus version 1.26.5 or greater.

Really Simple Security (formerly Really Simple SSL) – Missing Authorization
Security Risk: Medium
Vulnerability: Missing Authorization
CVE: CVE-2026-48970
Number of Installations: 3,000,000+
Affected Software: Really Simple Security (formerly Really Simple SSL) ≤ 9.5.10
Patched Versions: 9.5.10.1
Mitigation steps: Update to Really Simple Security (formerly Really Simple SSL) version 9.5.10.1 or greater.

Really Simple Security (formerly Really Simple SSL) – Missing Authorization
Security Risk: Medium
Vulnerability: Missing Authorization
CVE: CVE-2026-48969
Number of Installations: 3,000,000+
Affected Software: Really Simple Security (formerly Really Simple SSL) ≤ 9.5.9
Patched Versions: 9.5.10
Mitigation steps: Update to Really Simple Security (formerly Really Simple SSL) version 9.5.10 or greater.

Essential Addons for Elementor – Missing Authorization to Unauthenticated Information Exposure via 'load_more' AJAX Handler
Security Risk: High
Vulnerability: Missing Authorization to Unauthenticated Information Exposure via 'load_more' AJAX Handler
CVE: CVE-2026-7665
Number of Installations: 2,000,000+
Affected Software: Essential Addons for Elementor ≤ 6.6.4
Patched Versions: 6.6.5
Mitigation steps: Update to Essential Addons for Elementor version 6.6.5 or greater.

All-In-One Security (AIOS) – Unauthenticated Stored Cross-Site Scripting via REST API Request Path
Security Risk: High
Vulnerability: Unauthenticated Stored Cross-Site Scripting via REST API Request Path
CVE: CVE-2026-8438
Number of Installations: 1,000,000+
Affected Software: All-In-One Security (AIOS) ≤ 5.4.7
Patched Versions: 5.4.8
Mitigation steps: Update to All-In-One Security (AIOS) version 5.4.8 or greater.

WPvivid – Authenticated (Admin+) Arbitrary Directory Deletion
Security Risk: Low
Vulnerability: Authenticated (Admin+) Arbitrary Directory Deletion
CVE: CVE-2025-12656
Number of Installations: 900,000+
Affected Software: WPvivid ≤ 0.9.128
Patched Versions: 0.9.129
Mitigation steps: Update to WPvivid version 0.9.129 or greater.

Smart Slider 3 – Authenticated (Administrator+) Path Traversal to Arbitrary File Read via 'src'/'srcset' Attribute in HTML Export
Security Risk: Low
Vulnerability: Authenticated (Administrator+) Path Traversal to Arbitrary File Read via 'src'/'srcset' Attribute in HTML Export
CVE: CVE-2026-9197
Number of Installations: 800,000+
Affected Software: Smart Slider 3 ≤ 3.5.1.36
Patched Versions: 3.5.1.37
Mitigation steps: Update to Smart Slider 3 version 3.5.1.37 or greater.

The Events Calendar – Unauthenticated SQL Injection
Security Risk: Critical
Vulnerability: Unauthenticated SQL Injection
CVE: CVE-2026-49772
Number of Installations: 700,000+
Affected Software: The Events Calendar 6.15.12 - 6.16.2
Patched Versions: 6.16.3
Mitigation steps: Update to The Events Calendar version 6.16.3 or greater.

WooCommerce Stripe Payment Gateway – Missing Authorization to Unauthenticated Order Status Manipulation via 'order' Parameter
Security Risk: Medium
Vulnerability: Missing Authorization to Unauthenticated Order Status Manipulation via 'order' Parameter
CVE: CVE-2026-2381
Number of Installations: 700,000+
Affected Software: WooCommerce Stripe Payment Gateway ≤ 10.7.0
Patched Versions: 10.8.0
Mitigation steps: Update to WooCommerce Stripe Payment Gateway version 10.8.0 or greater.

Click to Chat – HoliThemes – Authenticated (Contributor+) Stored Cross-Site Scripting via 'num' Shortcode Parameter
Security Risk: Medium
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via 'num' Shortcode Parameter
CVE: CVE-2026-7795
Number of Installations: 700,000+
Affected Software: Click to Chat – HoliThemes ≤ 4.39
Patched Versions: 4.40
Mitigation steps: Update to Click to Chat – HoliThemes version 4.40 or greater.

MainWP Child – Missing Authorization
Security Risk: Medium
Vulnerability: Missing Authorization
CVE: CVE-2026-27366
Number of Installations: 700,000+
Affected Software: MainWP Child ≤ 6.1.1
Patched Versions: 6.1.2
Mitigation steps: Update to MainWP Child version 6.1.2 or greater.

Forminator Forms – Unauthenticated Stored Cross-Site Scripting
Security Risk: High
Vulnerability: Unauthenticated Stored Cross-Site Scripting
CVE: CVE-2026-56071
Number of Installations: 600,000+
Affected Software: Forminator Forms ≤ 1.53.1
Patched Versions: 1.53.2
Mitigation steps: Update to Forminator Forms version 1.53.2 or greater.

WP Statistics – Unauthenticated Stored Cross-Site Scripting
Security Risk: High
Vulnerability: Unauthenticated Stored Cross-Site Scripting
CVE: CVE-2026-48839
Number of Installations: 600,000+
Affected Software: WP Statistics ≤ 14.16.6
Patched Versions: 14.16.7
Mitigation steps: Update to WP Statistics version 14.16.7 or greater.

Royal Addons for Elementor – Authenticated (Contributor+) Arbitrary File Read via Data Table Widget CSV File Source
Security Risk: Medium
Vulnerability: Authenticated (Contributor+) Arbitrary File Read via Data Table Widget CSV File Source
CVE: CVE-2026-8118
Number of Installations: 600,000+
Affected Software: Royal Addons for Elementor 1.7.1058 - 1.7.1059
Patched Versions: 1.7.1060
Mitigation steps: Update to Royal Addons for Elementor version 1.7.1060 or greater.

Enable Media Replace – Authenticated (Author+) Stored Cross-Site Scripting via 'location_dir' Parameter
Security Risk: Medium
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via 'location_dir' Parameter
CVE: CVE-2026-5714
Number of Installations: 600,000+
Affected Software: Enable Media Replace ≤ 4.1.8
Patched Versions: 4.1.9
Mitigation steps: Update to Enable Media Replace version 4.1.9 or greater.

TablePress – Reflected Cross-Site Scripting
Security Risk: Low
Vulnerability: Reflected Cross-Site Scripting
CVE: CVE-2026-56051
Number of Installations: 600,000+
Affected Software: TablePress ≤ 3.3.1
Patched Versions: 3.3.2
Mitigation steps: Update to TablePress version 3.3.2 or greater.

Kadence Blocks – Authenticated (Contributor+) Sensitive Information Exposure via Block Editor proData