This week’s WordPress security recap
105 new WordPress vulnerabilities were disclosed between May 11 and May 17, 2026 — nearly double last week’s volume and the busiest week we’ve tracked so far. Five are critical, and 25 are high-severity, with combined install reach across the high-and-critical column at roughly 5.3 million sites. The headline issue is Burst Statistics, a privacy-friendly analytics plugin on around 200,000 sites, where an authentication flaw rated CVSS 9.8 lets unauthenticated attackers gain access. Burst 3.4.2 is the patched release.
What makes this week different isn’t just the volume — it’s the install scale of the affected plugins. MonsterInsights (2 million installs), Essential Addons for Elementor (2 million installs), ManageWP Worker (1 million installs), and Fluent Forms (700,000 installs) all shipped patches this week. Even mid-severity flaws on plugins that big are practical priorities because the surface area is enormous. Plugins drove 99% of this week’s disclosures.
This week at a glance
- Total vulnerabilities: 105
- Critical (CVSS ≥ 9.0): 5
- High (CVSS 7.0–8.9): 25
- Medium (CVSS 4.0–6.9): 75
- Top affected category: plugins (99%)
- Combined install reach (high+critical): 5,277,130 sites
Critical and high-severity vulnerabilities
| Plugin / Theme | Affected | Patched in | CVSS | Type |
|---|---|---|---|---|
| Burst Statistics – Privacy-Friendly WordPress Analytics (Google Analytics Alternative) (200K+ installs) | 3.4.0-3.4.1.1 | 3.4.2 | 9.8 (Critical) | Improper Authentication |
| Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder (700K+ installs) | *-6.1.21 | 6.2.0 | 8.2 (High) | Authorization Bypass Through User-Controlled Key |
| Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder (700K+ installs) | *-6.2.0 | 6.2.1 | 8.2 (High) | Authorization Bypass Through User-Controlled Key |
| MonsterInsights – Google Analytics Dashboard for WordPress (Website Stats Made Easy) (2M+ installs) | *-10.1.2 | 10.1.3 | 7.1 (High) | Missing Authorization |
| AI Engine – The Chatbot, AI Framework & MCP for WordPress (100K+ installs) | 3.4.9 | 3.5.0 | 8.8 (High) | Improper Privilege Management |
| ManageWP Worker (1M+ installs) | *-4.9.31 | 4.9.32 | 7.2 (High) | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) |
| RTMKit (50K+ installs) | *-2.0.2 | 2.0.3 | 8.8 (High) | Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) |
| Database Backup for WordPress (70K+ installs) | *-2.5.2 | 2.5.3 | 8.1 (High) | Missing Authorization |
| FOX – Currency Switcher Professional for WooCommerce (50K+ installs) | *-1.4.5 | 1.4.6 | 8.1 (High) | Missing Authorization |
| OttoKit: All-in-One Automation Platform (90K+ installs) | [*, 1.1.23) | 1.1.23 | 7.5 (High) | Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) |
| Database Backup for WordPress (70K+ installs) | *-2.5.2 | 2.5.3 | 7.5 (High) | Missing Authorization |
| Database Backup for WordPress (70K+ installs) | *-2.5.2 | 2.5.3 | 7.5 (High) | Missing Authorization |
| Custom Twitter Feeds – A Tweets Widget or X Feed Widget (100K+ installs) | *-2.5.4 | 2.5.5 | 7.2 (High) | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) |
| Frontend Admin by DynamiApps (10K+ installs) | *-3.28.36 | 3.29.1 | 8.8 (High) | Improper Privilege Management |
| Email Marketing for WooCommerce by Omnisend (50K+ installs) | *-1.18.0 | 1.18.1 | 7.5 (High) | Use of Insufficiently Random Values |
Three flaws stand out: Burst Statistics through 3.4.1 (improper authentication, CVSS 9.8, ~200K installs), Fluent Forms through 6.1.x (authorization bypass, CVSS 8.2, ~700K installs), and MonsterInsights through 10.1.2 (missing authorization, CVSS 7.1, ~2M installs).
Worth knowing
Medium-severity items don’t need same-day action, but Essential Addons for Elementor is the exception this week. Its privilege-management flaw is rated CVSS 6.5, but with 2 million installs, the practical risk matches the high-severity column. Treat anything in the table below as a one-week patching target, with Essential Addons going to the front of the queue.
| Plugin / Theme | Affected | Patched in | CVSS | Type |
|---|---|---|---|---|
| Essential Addons for Elementor – Popular Elementor Templates & Widgets | *-6.5.13 | 6.6.0 | 6.5 | Improper Privilege Management |
| Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder | *-6.2.1 | 6.2.2 | 6.4 | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) |
| Royal Addons for Elementor – Addons and Templates Kit for Elementor | *-1.7.1058 | 1.7.1059 | 6.4 | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) |
| Unlimited Elements For Elementor | *-2.0.7 | 2.0.8 | 6.5 | Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) |
| Advanced Custom Fields: Extended | *-0.9.2.3 | 0.9.2.4 | 6.5 | Improper Control of Generation of Code (‘Code Injection’) |
What to do this week
- Patch Burst Statistics to 3.4.2 immediately if you use it. The CVSS 9.8 authentication flaw on a plugin with 200,000 installs is the kind of issue automated scanners pick up within days, and there’s no staging-needed argument for an analytics plugin.
- Update Fluent Forms to 6.2.1, MonsterInsights to 10.1.3, and Essential Addons for Elementor to 6.6.0 this week. Together with Burst Statistics, these four plugins account for more than 4.9 million WordPress installs — these are this week’s high-impact patches by sheer surface area.
- Patch ManageWP Worker to 4.9.32. The flaw is high-severity and the plugin is installed on roughly 1 million sites, often on sites managed at scale, which means a delayed patch can affect a portfolio of properties, not just one.
- If you run AI Engine, RTMKit, Database Backup for WordPress, or FOX Currency Switcher for WooCommerce, patch this week. All four are high-severity (improper privilege management in AI Engine, missing authorization in Database Backup and FOX, and a PHP remote file inclusion in RTMKit), and each has direct admin or data-exposure implications if left unpatched.
- Audit your form-builder and analytics plugin stack. Fluent Forms, MonsterInsights, Burst, and AI Engine all shipped patches this week, which means most WordPress sites had at least one of these in their stack going into the week. If you’re managing more than a handful of sites, this is the week to confirm every property is current.
- Run all pending WordPress, plugin, and theme updates this week — even ones you’ve delayed for compatibility reasons. 105 disclosures in seven days is roughly where DIY tracking breaks down, and the gap between disclosure and active exploitation keeps shrinking.
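To turn the list above into a repeatable per-site check, here is an added example (not part of this recap and not CyberOptik's tooling) that compares the JSON from `wp plugin list --format=json` against this week's affected ranges and fixed releases. The version ranges are taken from the tables above; the plugin slugs and the sample plugin list are assumptions, labelled as such in the code.

```python
"""Triage `wp plugin list --format=json` output against this week's fixed releases."""
import json

# slug -> (first affected version, or None for "every earlier release"; first fixed release).
# Ranges and fixed versions come from the recap tables; the slugs are assumptions
# (check them against the `name` column of your own `wp plugin list` output).
ADVISORIES = {
    "burst-statistics": ("3.4.0", "3.4.2"),
    "fluentform": (None, "6.2.2"),  # 6.2.1 fixes the auth bypass, 6.2.2 the medium XSS
    "google-analytics-for-wordpress": (None, "10.1.3"),  # MonsterInsights
    "essential-addons-for-elementor-lite": (None, "6.6.0"),
    "worker": (None, "4.9.32"),  # ManageWP Worker
    "ai-engine": ("3.4.9", "3.5.0"),
}

def version_key(version):
    """Map '3.4.1.1' to (3, 4, 1, 1) so 3.4.1.1 sorts below 3.4.2; a string compare would not."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))

def is_affected(installed, first_affected, fixed):
    """True if the installed version falls inside the advisory's affected range."""
    have = version_key(installed)
    if have >= version_key(fixed):
        return False
    return first_affected is None or have >= version_key(first_affected)

def triage(plugin_list_json):
    """Return (slug, installed, fixed) for plugins in an affected range; inactive ones count too, the code is still on disk."""
    findings = []
    for plugin in json.loads(plugin_list_json):
        advisory = ADVISORIES.get(plugin["name"])
        if advisory and is_affected(plugin["version"], *advisory):
            findings.append((plugin["name"], plugin["version"], advisory[1]))
    return findings

# Constructed sample of `wp plugin list --format=json` output, not data from a real site.
SAMPLE = json.dumps([
    {"name": "burst-statistics", "status": "active", "update": "available", "version": "3.4.1.1"},
    {"name": "fluentform", "status": "active", "update": "none", "version": "6.2.2"},
    {"name": "google-analytics-for-wordpress", "status": "inactive", "update": "available", "version": "10.1.2"},
    {"name": "ai-engine", "status": "active", "update": "none", "version": "3.4.8"},
    {"name": "akismet", "status": "active", "update": "none", "version": "5.3"},
])

if __name__ == "__main__":
    for slug, have, fixed in triage(SAMPLE):
        print(f"{slug}: installed {have}, update to {fixed}")
```

On a real site, pipe `wp plugin list --format=json` into `triage()` instead of `SAMPLE`; AI Engine 3.4.8 is deliberately not flagged because the table lists only 3.4.9 as affected.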
How CyberOptik handles this for you
As a dedicated WordPress maintenance agency, we monitor every site we manage and apply patches the moment fixes are available — there’s no waiting on a maintenance window or a monthly cycle. We handle the tracking, testing, and deployment so site owners don’t have to read a weekly vulnerability report to stay safe.
If you’d rather spend your Monday on your business than on plugin updates, our maintenance team handles it. Get in touch for a quote — plans start at $99/month and cover unlimited plugin and theme patches across your site.
Frequently asked questions
How often are new WordPress vulnerabilities disclosed?
New WordPress plugin, theme, and core vulnerabilities are disclosed most business days, with 30 to 60 records per week being typical across the ecosystem. This week landed at 105, well above average. Volume tends to spike around plugin major-version releases and coordinated security-researcher disclosure events.
Should I update plugins immediately, or wait?
For critical and high-severity flaws, update the same day if you can — these are the patches attackers actively scan for. For medium-severity flaws on plugins with very large install bases (like Essential Addons for Elementor this week, on 2 million sites), still treat them as a priority because the surface area is enormous. For other medium items, a 24- to 48-hour staging-environment test is reasonable.
What if a vulnerable plugin doesn’t have a patch yet?
Disable the plugin until the developer ships a fix, or replace it with an alternative that solves the same problem. If neither is feasible, restrict the affected functionality at the server or firewall level and add a virtual-patching layer until an official update lands.
Does CyberOptik handle this kind of patching for clients?
Yes — every CyberOptik WordPress maintenance plan includes ongoing vulnerability monitoring, applying patches to managed sites as soon as fixes are available, and a monthly report of what was patched. As a specialist WordPress maintenance agency, we handle this for more than 800 WordPress sites every month.
Severity scores combine CVSS with WordPress.org install counts where available.
