VYPR
Advisory, published May 31, 2026 (1 source)

25 CVEs Disclosed Across 20+ WordPress Plugins in Late May 2026 Batch, Including Three Critical Flaws

A coordinated disclosure of 25 vulnerabilities across more than 20 WordPress plugins between May 28–31, 2026, includes three critical-severity CVEs enabling unauthenticated admin account creation and authentication bypass.

A wave of 25 vulnerabilities spanning more than 20 distinct WordPress plugins was disclosed between May 28 and May 31, 2026, with three critical-severity CVEs — two carrying a CVSS score of 9.8 — and several high-severity bugs that include SQL injection, remote code execution, and privilege escalation. The batch, published primarily through the Wordfence Bug Bounty Program and other coordinated disclosure channels, underscores the persistent risk posed by third-party plugins in the WordPress ecosystem.

Three CVEs in the batch earned a Critical severity rating. The most severe is CVE-2026-3655 (CVSS 9.8), an authentication bypass in the OTP Login With Phone Number, OTP Verification plugin (versions 1.8.50 through 1.8.60). The Firebase verification flow in the lwp_ajax_register AJAX handler fails to bind the Firebase session to the phone number supplied in the request, allowing unauthenticated attackers to log in as any user.

CVE-2026-8732 (CVSS 9.8) affects the WP Maps Pro plugin (all versions up to 6.1.0) and enables unauthenticated administrator account creation. The wpgmp_temp_access_ajax AJAX action is registered with wp_ajax_nopriv_ and protected only by a static nonce (fc-call-nonce), making it trivially exploitable. According to Wordfence, the plugin has more than 15,000 sales, and researcher David Brown earned a $1,950 bounty for responsibly disclosing the flaw through the Wordfence Bug Bounty Program.

CVE-2026-8809 (CVSS 9.8) affects the Advanced Custom Fields: Extended plugin (all versions up to 0.9.2.5). The after_validate_save_post() function unconditionally trusts the attacker-controlled _acf_post_id POST parameter, enabling privilege escalation via validation bypass. A fourth critical-rated CVE, CVE-2026-4290 (CVSS 9.1), affects the WP Travel Pro plugin (all versions up to 10.6.0). The check_permission() callback on the /wp-json/wp-travel/v1/travel-guide/{user_id} REST API endpoint unconditionally returns true, allowing unauthenticated attackers to delete arbitrary users.

High-severity bugs include CVE-2026-7465 (CVSS 8.8), a remote code execution vulnerability in the Spectra Gutenberg Blocks plugin (all versions up to 2.19.25). Authenticated attackers with Contributor-level access and above can execute code on the server — a particularly dangerous bug given the plugin's popularity among block-editor users. CVE-2026-9757 (CVSS 7.5) is a SQL injection flaw in the GEO my WP plugin (all versions up to 4.5.5). The swlatlng and nelatlng parameters are read from $_SERVER['QUERY_STRING'] via parse_str(), bypassing WordPress's wp_magic_quotes protection (which only covers $_POST, $_GET, $_COOKIE, and $_SERVER['REQUEST_URI']).
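The three flaw classes described above (an unauthenticated `wp_ajax_nopriv_` handler that performs a privileged action behind only a nonce, a REST `permission_callback` that unconditionally returns true, and `parse_str()` applied to `$_SERVER['QUERY_STRING']` outside the reach of `wp_magic_quotes`) are all visible in plugin source before any exploit is attempted. The following Python triage script is an added example, not code from Wordfence or from any of the affected plugins: it runs three heuristic checks over a constructed PHP sample whose function names (`demo_temp_access`, `demo_check_permission`, `demo_search`, `demo_export`) are hypothetical. It assumes plain string matching is good enough for a first pass; it is a review aid for site administrators and plugin maintainers, not a substitute for a code audit.

```python
"""Heuristic source triage for three WordPress plugin flaw classes (added example)."""
import re
from dataclasses import dataclass

# Constructed sample plugin source. Function names are hypothetical; each block
# mirrors one of the flaw classes discussed in the advisory text above.
SAMPLE_PLUGIN_SRC = r"""<?php
add_action( 'wp_ajax_nopriv_demo_temp_access', 'demo_temp_access' );
function demo_temp_access() {
    // A nonce check proves request origin, not the caller's authorization.
    if ( ! wp_verify_nonce( $_POST['nonce'], 'demo-static-nonce' ) ) { wp_die(); }
    $id = wp_insert_user( array( 'user_login' => $_POST['u'], 'role' => 'administrator' ) );
    wp_send_json_success( $id );
}
function demo_check_permission( $request ) {
    return true;
}
register_rest_route( 'demo/v1', '/guide/(?P<user_id>\d+)', array(
    'methods'             => 'DELETE',
    'callback'            => 'demo_delete_guide',
    'permission_callback' => 'demo_check_permission',
) );
function demo_search() {
    parse_str( $_SERVER['QUERY_STRING'], $q );
    return "SELECT * FROM places WHERE lat > " . $q['swlatlng'];
}
add_action( 'wp_ajax_demo_export', 'demo_export' );
function demo_export() {
    if ( ! current_user_can( 'manage_options' ) ) { wp_die(); }
    wp_insert_user( array( 'user_login' => 'exporter' ) );
}
"""

# WordPress APIs that change users, roles or site options; calling them from an
# AJAX handler without a capability check is the pattern behind CVE-2026-8732.
PRIVILEGED_CALL = re.compile(r"\b(wp_insert_user|wp_create_user|wp_delete_user|set_role|update_option)\s*\(")
AJAX_ACTION = re.compile(r"add_action\(\s*['\"]wp_ajax_(nopriv_)?\w+['\"]\s*,\s*['\"](\w+)['\"]")
REST_PERMISSION = re.compile(r"['\"]permission_callback['\"]\s*=>\s*['\"](\w+)['\"]")
RAW_QUERY_STRING = re.compile(r"parse_str\(\s*\$_SERVER\[\s*['\"]QUERY_STRING['\"]\s*\]")
CAPABILITY_CHECK = re.compile(r"current_user_can\s*\(")


@dataclass
class Finding:
    rule: str
    line: int
    detail: str


def _line_of(src: str, pos: int) -> int:
    return src.count("\n", 0, pos) + 1


def function_body(src: str, name: str):
    """Return the brace-delimited body of PHP function `name`, or None if absent."""
    m = re.search(r"function\s+" + re.escape(name) + r"\s*\([^)]*\)\s*\{", src)
    if not m:
        return None
    depth, i = 1, m.end()
    while i < len(src) and depth:          # walk forward until the matching brace
        depth += {"{": 1, "}": -1}.get(src[i], 0)
        i += 1
    return src[m.end():i - 1]


def scan(src: str) -> list:
    """Run the three heuristic checks and return findings in rule order."""
    findings = []
    # 1. AJAX handlers (authenticated or not) that call a privileged API
    #    without a current_user_can() check anywhere in their body.
    for m in AJAX_ACTION.finditer(src):
        nopriv, handler = bool(m.group(1)), m.group(2)
        body = function_body(src, handler) or ""
        if PRIVILEGED_CALL.search(body) and not CAPABILITY_CHECK.search(body):
            who = "unauthenticated visitors" if nopriv else "any logged-in user"
            findings.append(Finding("ajax-privileged-handler", _line_of(src, m.start()),
                                    f"{handler} is reachable by {who} and calls a privileged API with no current_user_can() check"))
    # 2. REST permission callbacks that always grant access (CVE-2026-4290 pattern).
    for m in REST_PERMISSION.finditer(src):
        cb = m.group(1)
        body = None if cb == "__return_true" else function_body(src, cb)
        if cb == "__return_true" or (body is not None and re.fullmatch(r"\s*return\s+true\s*;\s*", body)):
            findings.append(Finding("permissive-rest-callback", _line_of(src, m.start()),
                                    f"permission_callback {cb} unconditionally returns true"))
    # 3. parse_str() on the raw query string (CVE-2026-9757 pattern): values never
    #    pass through wp_magic_quotes() and must be validated and prepared explicitly.
    for m in RAW_QUERY_STRING.finditer(src):
        findings.append(Finding("raw-query-string-parse", _line_of(src, m.start()),
                                "parse_str() on $_SERVER['QUERY_STRING'] bypasses wp_magic_quotes(); use $wpdb->prepare() on these values"))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_PLUGIN_SRC):
        print(f"line {f.line}: [{f.rule}] {f.detail}")
```

On the constructed sample the script reports three findings and stays silent on `demo_export`, whose `wp_insert_user()` call is guarded by `current_user_can('manage_options')`. The first check deliberately ignores `wp_verify_nonce()` and `check_ajax_referer()`: as the WP Maps Pro case shows, a nonce proves only that the request came from a page that printed the nonce, and when the handler is registered with `wp_ajax_nopriv_` that page is available to anyone, so the capability check is the control that matters.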

Other notable high-severity flaws include CVE-2026-7459 (CVSS 7.5), enabling authenticated (Subscriber+) account takeover in the Simple History plugin (all versions up to 5.26.0) via improperly enforced permission callbacks; CVE-2026-6075 (CVSS 8.1), a Cross-Site Request Forgery vulnerability in the Media Library Assistant plugin (all versions up to 3.35) due to missing nonce verification; CVE-2025-11993 (CVSS 8.8), a PHP Object Injection vulnerability in the WooCommerce Infinite Scroll and Ajax Pagination plugin (all versions up to 1.8) via deserialization of untrusted data; and CVE-2025-11262 (CVSS 7.2), a Stored Cross-Site Scripting vulnerability in the Link Whisper Free plugin (all versions up to 0.9.0).

The largest group of CVEs in this batch falls in the Medium severity range, spanning stored cross-site scripting, sensitive information exposure, and authorization bypass flaws across a dozen plugins. Stored XSS bugs were found in Plus Addons for Elementor (CVE-2026-9243), Simple Divi Shortcode (CVE-2026-9714), StatCounter (CVE-2026-6275), the Automotive Car Dealership theme (CVE-2025-14042), and Post Snippets (CVE-2026-7430). Authorization bypass or missing capability checks were disclosed in Advanced Custom Fields (CVE-2026-8382), Rank Math SEO (CVE-2025-12714), Equalize Digital Accessibility Checker (CVE-2026-9015), and Visualizer: Tables and Charts Manager (CVE-2026-8689). Sensitive information exposure flaws affect the Breeze cache plugin (CVE-2026-2128), Poll Maker (CVE-2026-8995), and PDF Embedder (CVE-2026-7526), among others.

This batch highlights the ongoing challenge of securing the WordPress plugin ecosystem, where third-party code often lacks rigorous security review. The involvement of the Wordfence Bug Bounty Program in several disclosures demonstrates the value of coordinated vulnerability disclosure, but the sheer volume of flaws — 25 CVEs in a single four-day window — underscores the need for site administrators to maintain strict plugin hygiene, apply updates promptly, and consider using web application firewalls to mitigate unpatched vulnerabilities.

Synthesized by Vypr AI