VYPR
Vypr Intelligence · AI-generated · Jun 16, 2026 · 1 CVE

WordPress CVE-2026-48907 Added to CISA KEV Under Active Exploitation

CISA added one actively exploited WordPress vulnerability to its Known Exploited Vulnerabilities catalog on June 16, 2026, requiring federal agencies to patch within three weeks.

Key findings

  • CISA added WordPress CVE-2026-48907 to the Known Exploited Vulnerabilities catalog on June 16, 2026.
  • The vulnerability is confirmed under active exploitation in the wild.
  • No ransomware campaign association has been identified for this flaw.
  • Federal agencies must remediate by July 7, 2026, under Binding Operational Directive 22-01.
  • WordPress powers over 40% of websites, amplifying the urgency of patching this actively targeted flaw.

The U.S. Cybersecurity and Infrastructure Security Agency added a single WordPress vulnerability to its Known Exploited Vulnerabilities catalog on June 16, 2026, signaling that attackers are actively targeting the flaw in real-world operations. The addition places federal civilian agencies and, by extension, all security-conscious organizations on notice to remediate the issue on an accelerated timeline.

CVE-2026-48907 is the sole entry in this KEV update. While CISA's catalog entry confirms active exploitation in the wild, the agency did not associate this vulnerability with any known ransomware campaigns. The flaw affects the WordPress content management system, which powers over 40 percent of all websites globally, making any actively exploited WordPress vulnerability a high-priority concern for defenders across both public and private sectors.

The addition triggers Binding Operational Directive 22-01, which requires federal civilian executive branch agencies to apply vendor-supplied mitigations or remove the affected product from their networks by the remediation due date of July 7, 2026. Private-sector organizations and critical infrastructure operators are strongly encouraged to adopt the same deadline as a minimum security baseline.

Security teams should immediately inventory all WordPress installations in their environments, verify whether the affected versions are present, and apply the available patch or recommended workaround without delay. Given WordPress's ubiquity and the confirmed active exploitation, delaying remediation exposes organizations to compromise through a well-understood and actively weaponized attack vector.
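One way to run the inventory step on a web host, as an added example that is not part of the original article: it walks a directory tree, reads the release string WordPress core stores in wp-includes/version.php, and flags installs below a fixed release. The article does not state the affected or fixed versions, so `fixed_version` is a parameter to fill in from the vendor advisory, and the "6.5" threshold and sample sites below are constructed placeholders.

```python
import os
import re
import tempfile

# WordPress core records its release in wp-includes/version.php as: $wp_version = '6.5.2';
VERSION_RE = re.compile(r"""^\s*\$wp_version\s*=\s*['"]([^'"]+)['"]""", re.M)

def parse_version(text):
    """Return the $wp_version string from version.php content, or None."""
    m = VERSION_RE.search(text)
    return m.group(1) if m else None

def version_key(v):
    """Numeric key for comparison: '6.5' -> (6, 5, 0); suffixes like '-RC1' are ignored."""
    nums = [int(n) for n in re.findall(r"\d+", v.split("-")[0])[:3]]
    return tuple(nums + [0] * (3 - len(nums)))

def inventory(root, fixed_version):
    """Walk root; return sorted (site_dir, version, status) for each WordPress core found."""
    results = []
    for dirpath, dirnames, filenames in os.walk(root):
        if os.path.basename(dirpath) == "wp-includes" and "version.php" in filenames:
            dirnames[:] = []  # no need to descend further into core files
            path = os.path.join(dirpath, "version.php")
            with open(path, encoding="utf-8", errors="replace") as fh:
                ver = parse_version(fh.read())
            if ver is None:
                status = "unknown"  # modified or unreadable file: check by hand
            elif version_key(ver) < version_key(fixed_version):
                status = "needs-update"
            else:
                status = "ok"
            results.append((os.path.dirname(dirpath), ver, status))
    return sorted(results, key=lambda r: r[0])

def build_sample_tree(root):
    """Constructed sample data: three fake sites with made-up version strings."""
    samples = {"site-a": "<?php\n$wp_version = '6.4.1';\n",
               "site-b": "<?php\n$wp_version = '6.5';\n",
               "site-c": "<?php\n// version line missing\n"}
    for name, body in samples.items():
        inc = os.path.join(root, name, "wp-includes")
        os.makedirs(inc)
        with open(os.path.join(inc, "version.php"), "w", encoding="utf-8") as fh:
            fh.write(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        # "6.5" is a placeholder threshold, not the real fixed release for this CVE.
        for site, ver, status in inventory(tmp, "6.5"):
            print(f"{status:13} {ver or '-':8} {site}")
```

An "unknown" result means version.php exists but carries no parsable release string, which is itself worth a manual look on a host under active targeting.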

Organizations that cannot patch immediately should implement compensating controls such as restricting access to WordPress administrative interfaces, deploying web application firewalls with rules tuned to the vulnerability, and increasing monitoring for indicators of compromise associated with exploitation attempts against CVE-2026-48907.

AI-written article. Grounded in 1 CVE record listed below.