Vulnerability & Patch Roundup — March 2026
WordPress ecosystem plugins patched for multiple medium/critical vulnerabilities in March 2026.
Summary
Sucuri published a vulnerability roundup for March 2026 covering 11 WordPress plugins with security flaws ranging from medium to critical severity. Vulnerabilities include sensitive data exposure, cross-site scripting (XSS), broken access control, arbitrary code execution, and arbitrary file download. Most plugins have patches available; W3 Total Cache remains unpatched with a critical arbitrary code execution vulnerability.
Full text
Vulnerability reports and responsible disclosures are essential for website security awareness and education. Automated attacks targeting known software vulnerabilities are one of the leading causes of website compromises.

To help educate website owners about potential threats to their environments, we’ve compiled a list of important security updates and vulnerability patches for the WordPress ecosystem this past month.

The vulnerabilities listed below are virtually patched by the Sucuri Firewall and existing clients are protected. If you don’t have it installed yet, you can use our web application firewall to protect your site against known vulnerabilities.

Plugins

Elementor Website Builder – more than just a page builder – Sensitive Data Exposure
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Sensitive Data Exposure
CVE: CVE-2026-1206
Number of Installations: 10,000,000+
Affected Software: Elementor Website Builder – more than just a page builder <= 3.35.7
Patched Versions: Elementor Website Builder – more than just a page builder 3.35.8
Mitigation steps: Update to Elementor Website Builder – more than just a page builder version 3.35.8 or greater.

Yoast SEO – Advanced SEO with real-time guidance and built-in AI – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2026-3427
Number of Installations: 10,000,000+
Affected Software: Yoast SEO – Advanced SEO with real-time guidance and built-in AI <= 27.1
Patched Versions: Yoast SEO – Advanced SEO with real-time guidance and built-in AI 27.2
Mitigation steps: Update to Yoast SEO – Advanced SEO with real-time guidance and built-in AI version 27.2 or greater.

WPForms – Easy Form Builder for WordPress – Contact Forms, Payment Forms, Surveys, & More – Sensitive Data Exposure
Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Sensitive Data Exposure
CVE: CVE-2026-25339
Number of Installations: 6,000,000+
Affected Software: WPForms – Easy Form Builder for WordPress – Contact Forms, Payment Forms, Surveys, & More <= 1.9.9.1
Patched Versions: WPForms – Easy Form Builder for WordPress – Contact Forms, Payment Forms, Surveys, & More 1.9.9.2
Mitigation steps: Update to WPForms – Easy Form Builder for WordPress – Contact Forms, Payment Forms, Surveys, & More version 1.9.9.2 or greater.

Yoast Duplicate Post – Broken Access Control
Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2026-1217
Number of Installations: 4,000,000+
Affected Software: Yoast Duplicate Post <= 4.5
Patched Versions: Yoast Duplicate Post 4.6
Mitigation steps: Update to Yoast Duplicate Post version 4.6 or greater.

Really Simple Security – Simple and Performant Security (formerly Really Simple SSL) – Broken Access Control
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2026-32461
Number of Installations: 3,000,000+
Affected Software: Really Simple Security – Simple and Performant Security (formerly Really Simple SSL) <= 9.5.7
Patched Versions: Really Simple Security – Simple and Performant Security (formerly Really Simple SSL) 9.5.8
Mitigation steps: Update to Really Simple Security – Simple and Performant Security (formerly Really Simple SSL) version 9.5.8 or greater.

Complianz – GDPR/CCPA Cookie Consent – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2026-2389
Number of Installations: 1,000,000+
Affected Software: Complianz – GDPR/CCPA Cookie Consent <= 7.4.4
Patched Versions: Complianz – GDPR/CCPA Cookie Consent 7.4.5
Mitigation steps: Update to Complianz – GDPR/CCPA Cookie Consent version 7.4.5 or greater.

MC4WP: Mailchimp for WordPress – Broken Access Control
Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Broken Access Control
CVE: CVE-2026-1781
Number of Installations: 1,000,000+
Affected Software: MC4WP: Mailchimp for WordPress <= 4.11.9
Patched Versions: MC4WP: Mailchimp for WordPress 4.12.0
Mitigation steps: Update to MC4WP: Mailchimp for WordPress version 4.12.0 or greater.

Autoptimize – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2026-2430
Number of Installations: 900,000+
Affected Software: Autoptimize <= 3.1.14
Patched Versions: Autoptimize 3.1.15
Mitigation steps: Update to Autoptimize version 3.1.15 or greater.

Autoptimize – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2026-2352
Number of Installations: 900,000+
Affected Software: Autoptimize <= 3.1.14
Patched Versions: Autoptimize 3.1.15
Mitigation steps: Update to Autoptimize version 3.1.15 or greater.

W3 Total Cache – Arbitrary Code Execution
Security Risk: Critical
Exploitation Level: No authentication required.
Vulnerability: Arbitrary Code Execution
CVE: CVE-2026-27384
Number of Installations: 900,000+
Affected Software: W3 Total Cache <= latest
Patched Versions: No Fix
Mitigation steps: No patch available. Consider disabling or removing the plugin until a fix is released.

Smart Slider 3 – Arbitrary File Download
Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Arbitrary File Download
CVE: CVE-2026-3098
Number of Installations: 800,000+
Affected Software: Smart Slider 3 <= 3.5.1.33
Patched Versions: Smart Slider 3 3.5.1.34
Mitigation steps: Update to Smart Slider 3 version 3.5.1.34 or greater.

The Events Calendar – Arbitrary File Download
Security Risk: High
Exploitation Level: Requires Author or higher level authentication.
Vulnerability: Arbitrary File Download
CVE: CVE-2026-3585
Number of Installations: 700,000+
Affected Software: The Events Calendar <= 6.15.17
Patched Versions: The Events Calendar 6.15.17.1
Mitigation steps: Update to The Events Calendar version 6.15.17.1 or greater.

Ninja Forms – The Contact Form Builder That Grows With You – Sensitive Data Exposure
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Sensitive Data Exposure
CVE: CVE-2026-1307
Number of Installations: 600,000+
Affected Software: Ninja Forms – The Contact Form Builder That Grows With You <= 3.14.1
Patched Versions: Ninja Forms – The Contact Form Builder That Grows With You 3.14.2
Mitigation steps: Update to Ninja Forms – The Contact Form Builder That Grows With You version 3.14.2 or greater.

Royal Addons for Elementor – Addons and Templates Kit for Elementor – Broken Access Control
Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Broken Access Control
CVE: CVE-2026-2373
Number of Installations: 600,000+
Affected Software: Royal Addons for Elementor – Addons and Templates Kit for Elementor <= 1.7.1049
Patched Versions: Royal Addons for Elementor – Addons and Templates Kit for Elementor 1.7.1050
Mitigation steps: Update to Royal Addons for Elementor – Addons and Templates Kit for Elementor version 1.7.1050 or greater.

Royal Addons for Elementor – Addons and Templates Kit for Elementor – Arbitrary File Upload
Security Risk: High
Exploitation Level: Requires Author or higher level authentication.
Vulnerability: Arbitrary File Upload
CVE: CVE-2025-13067
Number of Installations: 600,000+
Affected Software: Royal Addons for Elementor – Addons and Templates Kit for Elementor <= 1.7.1049
Patched Versions: Royal Addons for Elementor – Addons and Templates Kit for Elementor 1.7.1050
Mitigation steps: Update to Royal Addons for Elementor – Addons and Templates Kit for Elementor version 1.
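The mitigation steps above all reduce to one check per plugin: is the installed build at or below the highest affected version, and is there a patched version to move to. The following script, added here as an example and not Sucuri's or any plugin vendor's code, runs that check against the JSON produced by the real WP-CLI command `wp plugin list --format=json`, using a subset of the roundup's version data. The plugin slugs and the sample plugin list are assumptions constructed for the example; the version comparison handles the four-component releases in this roundup (6.15.17 versus 6.15.17.1) and the "No Fix" case for W3 Total Cache.

```python
import json
import re

# Highest affected version, patched version and CVEs as listed in the roundup.
# Slugs are assumed (WP-CLI reports slugs, not titles); verify them on your site.
# Ceiling None = every version affected; patched None = "No Fix" (W3 Total Cache).
ADVISORIES = {
    "elementor": ("3.35.7", "3.35.8", ["CVE-2026-1206"]),
    "w3-total-cache": (None, None, ["CVE-2026-27384"]),
    "the-events-calendar": ("6.15.17", "6.15.17.1", ["CVE-2026-3585"]),
    "royal-elementor-addons": ("1.7.1049", "1.7.1050", ["CVE-2026-2373", "CVE-2025-13067"]),
}

def parse_version(text):
    """'6.15.17.1' -> (6, 15, 17, 1); '-beta' style suffixes and trailing zeros are dropped."""
    parts = []
    for piece in text.split("."):
        digits = re.match(r"\d+", piece)
        parts.append(int(digits.group()) if digits else 0)
    while parts and parts[-1] == 0:      # so 3.1.15 compares equal to 3.1.15.0
        parts.pop()
    return tuple(parts)

def is_affected(installed, ceiling):
    """True when the installed build is at or below the highest affected version."""
    return ceiling is None or parse_version(installed) <= parse_version(ceiling)

def assess(plugin_list_json):
    """Return {slug: (installed, cves, action)} for plugins needing attention."""
    findings = {}
    for plugin in json.loads(plugin_list_json):
        advisory = ADVISORIES.get(plugin["name"])
        if advisory is None:
            continue                                  # not in this roundup
        ceiling, patched, cves = advisory
        if not is_affected(plugin["version"], ceiling):
            continue                                  # already at/above the patch
        action = (f"update to {patched} or greater" if patched
                  else "no patch available: disable or remove the plugin")
        findings[plugin["name"]] = (plugin["version"], cves, action)
    return findings

# Constructed sample of `wp plugin list --format=json` output, not from a real site.
SAMPLE_PLUGIN_LIST = json.dumps([
    {"name": "elementor", "status": "active", "version": "3.35.8"},
    {"name": "the-events-calendar", "status": "active", "version": "6.15.17"},
    {"name": "w3-total-cache", "status": "active", "version": "2.8.13"},
    {"name": "royal-elementor-addons", "status": "inactive", "version": "1.7.1049"},
    {"name": "akismet", "status": "active", "version": "5.5"},
])
```

On a live site, pipe the real WP-CLI output into `assess()`; inactive plugins are still reported because the vulnerable code remains on disk until it is removed.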