WordPress Plugin Batch: 25 CVEs Across 20+ Plugins Disclosed in Late May 2026
A batch of 25 CVEs spanning more than 20 WordPress plugins was disclosed between May 28–31, 2026, including three critical-severity flaws enabling privilege escalation and authentication bypass.

Key findings
- Three critical-severity CVEs (CVSS 9.8) disclosed: CVE-2026-3655, CVE-2026-8732, CVE-2026-8809
- WP Maps Pro (CVE-2026-8732) allows unauthenticated admin account creation; 15,000+ sales affected
- Spectra Gutenberg Blocks (CVE-2026-7465, CVSS 8.8) enables RCE for Contributor-level users
- GEO my WP (CVE-2026-9757) SQLi bypasses WordPress's wp_magic_quotes protection
- Batch spans 20+ plugins with bug classes including XSS, SQLi, RCE, auth bypass, and info disclosure
A wave of 25 vulnerabilities across more than 20 distinct WordPress plugins was disclosed between May 28 and May 31, 2026, with three critical-severity CVEs — two of them carrying a CVSS score of 9.8 — and several high-severity bugs that include SQL injection, remote code execution, and privilege escalation. The batch, published primarily through the Wordfence Bug Bounty Program and other coordinated disclosure channels, underscores the persistent risk posed by third-party plugins in the WordPress ecosystem.
Critical-severity flaws: privilege escalation and authentication bypass
Three CVEs in the batch earned a Critical severity rating. The most severe is CVE-2026-3655 (CVSS 9.8), an authentication bypass in the OTP Login With Phone Number, OTP Verification plugin (versions 1.8.50 through 1.8.60). The Firebase verification flow in the lwp_ajax_register AJAX handler fails to bind the Firebase session to the phone number supplied in the request, allowing unauthenticated attackers to log in as any user.
CVE-2026-8732 (CVSS 9.8) affects the WP Maps Pro plugin (all versions up to 6.1.0) and enables unauthenticated administrator account creation. The wpgmp_temp_access_ajax AJAX action is registered with wp_ajax_nopriv_ and protected only by a static nonce (fc-call-nonce), making it trivially exploitable. According to Wordfence, the plugin has more than 15,000 sales, and researcher David Brown earned a $1,950 bounty for responsibly disclosing the flaw through the Wordfence Bug Bounty Program.
CVE-2026-8809 (CVSS 9.8) affects the Advanced Custom Fields: Extended plugin (all versions up to 0.9.2.5). The after_validate_save_post() function unconditionally trusts the attacker-controlled _acf_post_id POST parameter, enabling privilege escalation via validation bypass.
A fourth critical-rated CVE, CVE-2026-4290 (CVSS 9.1), affects the WP Travel Pro plugin (all versions up to 10.6.0). The check_permission() callback on the /wp-json/wp-travel/v1/travel-guide/{user_id} REST API endpoint unconditionally returns true, allowing unauthenticated attackers to delete arbitrary users.
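The two critical bugs in WP Maps Pro and WP Travel Pro share a shape: a privileged endpoint whose only gate is something the caller controls (a fixed nonce string, or a permission callback that always returns true). The following PHP is an added illustration written for this article, not code from either plugin or from Wordfence; it puts that vulnerable shape beside the hardened form for both an AJAX action and a REST route. The `acme_demo` prefix, the action and route names, and the callback bodies are invented.

```php
<?php
/**
 * Added example (not plugin code). Shows the two authorization defects
 * described above next to a hardened form. All names are hypothetical.
 */

/* ---- Pattern 1: admin-ajax action ---- */

// VULNERABLE shape: registered on wp_ajax_nopriv_, so logged-out visitors
// reach it, and the "nonce" is a fixed string that proves nothing about the
// caller (anyone who has seen it once can reuse it).
add_action( 'wp_ajax_nopriv_acme_demo_temp_access', 'acme_demo_temp_access_vulnerable' );
function acme_demo_temp_access_vulnerable() {
    if ( ! isset( $_POST['token'] ) || 'static-shared-value' !== $_POST['token'] ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // ... privileged work here (the real flaw created an administrator).
    wp_send_json_success();
}

// HARDENED shape: no nopriv hook (only logged-in users reach it), a real
// per-user nonce verified server-side, and a capability check for the
// privilege the action actually needs.
add_action( 'wp_ajax_acme_demo_temp_access', 'acme_demo_temp_access_hardened' );
function acme_demo_temp_access_hardened() {
    // check_ajax_referer() terminates the request on a bad or missing nonce.
    check_ajax_referer( 'acme_demo_temp_access', 'nonce' );
    if ( ! current_user_can( 'create_users' ) ) {
        wp_send_json_error( 'insufficient capability', 403 );
    }
    // ... privileged work here, now bound to an authorised session.
    wp_send_json_success();
}
// The matching nonce is minted when the admin page is rendered, e.g.
//   wp_nonce_field( 'acme_demo_temp_access', 'nonce' );
// or, for a JavaScript caller, wp_create_nonce( 'acme_demo_temp_access' ).

/* ---- Pattern 2: REST route ---- */

add_action( 'rest_api_init', function () {
    // VULNERABLE shape: permission_callback unconditionally allows access.
    register_rest_route( 'acme-demo/v1', '/guide/(?P<user_id>\d+)', array(
        'methods'             => WP_REST_Server::DELETABLE,
        'callback'            => 'acme_demo_delete_guide',
        'permission_callback' => '__return_true',
    ) );

    // HARDENED shape: the decision is tied to the specific user id in the
    // request. 'delete_user' is a meta capability that takes the object id,
    // so an ordinary user cannot target another account.
    register_rest_route( 'acme-demo/v1', '/guide-secure/(?P<user_id>\d+)', array(
        'methods'             => WP_REST_Server::DELETABLE,
        'callback'            => 'acme_demo_delete_guide',
        'permission_callback' => function ( WP_REST_Request $request ) {
            $user_id = (int) $request['user_id'];
            if ( ! is_user_logged_in() ) {
                return new WP_Error( 'rest_forbidden', 'Authentication required.', array( 'status' => 401 ) );
            }
            if ( ! current_user_can( 'delete_user', $user_id ) ) {
                return new WP_Error( 'rest_forbidden', 'You cannot remove this user.', array( 'status' => 403 ) );
            }
            return true;
        },
        'args' => array(
            'user_id' => array(
                'validate_callback' => function ( $value ) { return is_numeric( $value ); },
                'sanitize_callback' => 'absint',
            ),
        ),
    ) );
} );

function acme_demo_delete_guide( WP_REST_Request $request ) {
    $user_id = (int) $request['user_id'];
    // ... the deletion itself runs only after permission_callback passed.
    return rest_ensure_response( array( 'deleted' => $user_id ) );
}
```

The useful review habit this demonstrates: for every `wp_ajax_nopriv_` hook and every `permission_callback` in a plugin, ask what the handler can do and whether anything in the gate depends on the caller's identity. A nonce that is the same for everyone, or a callback that ignores its `$request`, fails that test.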
High-severity bugs: RCE, SQLi, and object injection
CVE-2026-7465 (CVSS 8.8) is a remote code execution vulnerability in the Spectra Gutenberg Blocks plugin (all versions up to 2.19.25). Authenticated attackers with Contributor-level access and above can execute code on the server — a particularly dangerous bug given the plugin's popularity among block-editor users.
CVE-2026-9757 (CVSS 7.5) is a SQL injection flaw in the GEO my WP plugin (all versions up to 4.5.5). The swlatlng and nelatlng parameters are read from $_SERVER['QUERY_STRING'] via parse_str(), bypassing WordPress's wp_magic_quotes protection (which only covers $_POST, $_GET, $_COOKIE, and $_SERVER['REQUEST_URI']).
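Because WordPress only slashes the superglobals the article lists, values pulled out of `$_SERVER['QUERY_STRING']` with `parse_str()` arrive exactly as the client sent them. The real defence is not slashing but parameterised queries with typed placeholders, which the added PHP below illustrates. It is an example written for this article, not code from GEO my WP; the table name, column names, parameter format and the `acme_demo` prefix are invented.

```php
<?php
/**
 * Added example (not plugin code). Shows the QUERY_STRING / parse_str()
 * pattern beside a hardened version that validates the bounds and uses
 * $wpdb->prepare() with typed placeholders. Names are hypothetical.
 */

// VULNERABLE shape: wp_magic_quotes() slashes $_GET, $_POST, $_COOKIE and
// $_SERVER['REQUEST_URI'], but $_SERVER['QUERY_STRING'] is left alone, so
// parse_str() yields raw values. Concatenating them into SQL is an injection
// either way; the missing slashes only remove an accidental speed bump.
function acme_demo_bounds_query_vulnerable() {
    global $wpdb;
    parse_str( $_SERVER['QUERY_STRING'] ?? '', $args );
    $sw = $args['swlatlng'] ?? '';
    $ne = $args['nelatlng'] ?? '';
    return $wpdb->get_results(
        "SELECT id FROM {$wpdb->prefix}acme_locations WHERE lat BETWEEN '{$sw}' AND '{$ne}'"
    );
}

// Parse a "lat,lng" string into a pair of floats, or return null. Anything
// that is not two numbers in range is rejected rather than coerced.
function acme_demo_parse_latlng( $value ) {
    if ( ! is_string( $value )
        || ! preg_match( '/^\s*(-?\d{1,3}(?:\.\d+)?)\s*,\s*(-?\d{1,3}(?:\.\d+)?)\s*$/', $value, $m ) ) {
        return null;
    }
    $lat = (float) $m[1];
    $lng = (float) $m[2];
    if ( $lat < -90 || $lat > 90 || $lng < -180 || $lng > 180 ) {
        return null;
    }
    return array( $lat, $lng );
}

// HARDENED shape: read the parameters from $_GET (unslashing what WordPress
// added), validate them into typed values, and let prepare() build the SQL.
// With %f placeholders the data never enters the query text as a string, so
// whether it was slashed on the way in no longer matters.
function acme_demo_bounds_query_hardened() {
    global $wpdb;
    $sw = acme_demo_parse_latlng( wp_unslash( $_GET['swlatlng'] ?? '' ) );
    $ne = acme_demo_parse_latlng( wp_unslash( $_GET['nelatlng'] ?? '' ) );
    if ( null === $sw || null === $ne ) {
        return new WP_Error( 'acme_demo_bad_bounds', 'Bounds must be "lat,lng" pairs.' );
    }
    $sql = $wpdb->prepare(
        "SELECT id FROM {$wpdb->prefix}acme_locations
          WHERE lat BETWEEN %f AND %f AND lng BETWEEN %f AND %f",
        $sw[0], $ne[0], $sw[1], $ne[1]
    );
    return $wpdb->get_results( $sql );
}
```

When auditing for this class, grep for `QUERY_STRING`, `parse_str(` and `file_get_contents('php://input')`: each is a path by which request data bypasses the slashing WordPress applies, and each should end in `$wpdb->prepare()` or an explicit cast before it touches a query.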
CVE-2026-7459 (CVSS 7.5) enables authenticated (Subscriber+) account takeover in the Simple History plugin (all versions up to 5.26.0) via the event reaction endpoints react_to_event() and unreact_to_event(), which register get_items_permissions_check() as the permission callback but fail to enforce it properly.
CVE-2026-6075 (CVSS 8.1) is a Cross-Site Request Forgery vulnerability in the Media Library Assistant plugin (all versions up to 3.35) due to missing nonce verification on bulk action handlers in the settings tab, allowing attackers to trick administrators into performing unintended actions.
CVE-2025-11993 (CVSS 8.8) is a PHP Object Injection vulnerability in the WooCommerce Infinite Scroll and Ajax Pagination plugin (all versions up to 1.8) via deserialization of untrusted data in the import_settings function's settings parameter.
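The CSRF in Media Library Assistant and the object injection in the WooCommerce pagination plugin tend to occur in the same place: a settings or import handler. The added PHP below, written for this article and not taken from either plugin, shows one such handler in the vulnerable shape (no nonce, no capability check, `unserialize()` on request data) and then hardened. The `acme_demo` prefix, the `admin_post_` action names, the option key and the settings schema are invented.

```php
<?php
/**
 * Added example (not plugin code). One settings-import handler: first the
 * shape that is both CSRF-able and deserialises untrusted data, then a
 * hardened version. All names are hypothetical.
 */

// VULNERABLE shape: a forged cross-site form can make an administrator's
// browser submit this, and unserialize() on the submitted string can
// instantiate any class the autoloader can reach.
add_action( 'admin_post_acme_demo_import_vulnerable', function () {
    $settings = unserialize( wp_unslash( $_POST['settings'] ?? '' ) );
    update_option( 'acme_demo_settings', $settings );
    wp_safe_redirect( admin_url( 'options-general.php?page=acme-demo' ) );
    exit;
} );

// HARDENED shape.
add_action( 'admin_post_acme_demo_import', 'acme_demo_import_settings' );
function acme_demo_import_settings() {
    // 1. CSRF: the request must carry a nonce minted for this action and this
    //    user. check_admin_referer() terminates the request on failure.
    //    The form emits it with wp_nonce_field( 'acme_demo_import', 'acme_demo_nonce' ).
    check_admin_referer( 'acme_demo_import', 'acme_demo_nonce' );

    // 2. Authorization: a valid nonce proves intent, not privilege.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', 403 );
    }

    // 3. Deserialization: never unserialize() request data. JSON cannot
    //    produce PHP objects, and the result is then validated against an
    //    allow-list. (If a legacy serialized format must be accepted,
    //    unserialize( $raw, array( 'allowed_classes' => false ) ) at least
    //    refuses to instantiate classes.)
    $raw     = wp_unslash( $_POST['settings'] ?? '' );
    $decoded = json_decode( $raw, true );
    if ( ! is_array( $decoded ) ) {
        wp_die( 'Settings must be a JSON object.', 400 );
    }
    $settings = acme_demo_validate_settings( $decoded );

    update_option( 'acme_demo_settings', $settings );
    wp_safe_redirect( add_query_arg( 'updated', '1', admin_url( 'options-general.php?page=acme-demo' ) ) );
    exit;
}

// Allow-list the schema: unknown keys are dropped and every value is coerced
// to its expected type, so nothing attacker-shaped reaches the options table.
function acme_demo_validate_settings( array $input ) {
    return array(
        'per_page' => max( 1, min( 100, (int) ( $input['per_page'] ?? 10 ) ) ),
        'autoload' => ! empty( $input['autoload'] ),
        'selector' => sanitize_text_field( $input['selector'] ?? '' ),
    );
}
```

The three checks are independent and all three are needed: the nonce stops a cross-site submission, the capability check stops a low-privileged logged-in user, and the JSON-plus-allow-list step removes the deserialization sink entirely rather than trying to filter it.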
CVE-2025-11262 (CVSS 7.2) is a Stored Cross-Site Scripting vulnerability in the Link Whisper Free plugin (all versions up to 0.9.0) via the user_id parameter, exploitable by unauthenticated attackers.
CVE-2026-5343 (CVSS 7.4) affects the Drupal SAML SSO - Service Provider module (before 3.1.4) and allows privilege escalation through improper handling of exceptional conditions.
Medium-severity cluster: XSS, information disclosure, and authorization gaps
The largest group of CVEs in this batch falls in the Medium severity range, spanning stored cross-site scripting, sensitive information exposure, and authorization bypass flaws across a dozen plugins:
- Stored XSS: CVE-2026-9243 (Plus Addons for Elementor, up to 6.4.15), CVE-2026-9714 (Simple Divi Shortcode, up to 1.2), CVE-2026-6275 (StatCounter, up to 2.1.1), CVE-2025-14042 (Automotive Car Dealership theme, up to 13.4.1), and CVE-2026-7430 (Post Snippets, up to 4.0.19).
- Authorization bypass / missing capability checks: CVE-2026-8382 (Advanced Custom Fields, up to 6.8.1), CVE-2025-12714 (Rank Math SEO, up to 1.0.271), CVE-2026-9015 (Equalize Digital Accessibility Checker, up to 1.42.0), and CVE-2026-8689 (Visualizer: Tables and Charts Manager, up to 3.11.14).
- Sensitive information exposure: CVE-2026-2128 (Breeze cache plugin, up to 2.5.2) exposes cached pages due to improper cookie verification; CVE-2026-8995 (Poll Maker, up to 6.3.7) leaks complete WP_User objects via an AJAX action with insufficient access controls; and CVE-2026-7526 (PDF Embedder, up to 4.9.3) exposes configuration data including license keys to authenticated attackers with Contributor-level access.
- SQL injection: CVE-2026-10039 (Frontend Admin by DynamiApps, up to 3.28.28) is a generic SQLi via the order parameter.
- Payment bypass: CVE-2026-9189 (Contact Form 7 – PayPal & Stripe Add-on, up to 2.4.9) allows payment bypass due to insufficient verification of data authenticity in the IPN handler.
Response and patch status
The affected plugin vendors have been notified through coordinated disclosure. Several plugins have already released patched versions: WP Maps Pro users should update beyond version 6.1.0; Advanced Custom Fields: Extended users should update beyond 0.9.2.5; and the Drupal SAML SSO module is fixed in version 3.1.4. For the remaining plugins, administrators should check for updates from each respective vendor and apply patches as they become available.
Why this batch matters
This disclosure event highlights a structural challenge in the WordPress ecosystem: a single batch of 25 CVEs touches more than 20 distinct plugins, each maintained by a different developer or team. The diversity of bug classes — from authentication bypass and SQL injection to stored XSS and deserialization — reflects the varying security maturity levels across the plugin landscape. Site administrators running multiple plugins from this batch should prioritize the three critical-severity flaws (CVE-2026-3655, CVE-2026-8732, and CVE-2026-8809) and the RCE in Spectra (CVE-2026-7465) for immediate remediation.