This week’s WordPress security recap

One hundred forty-six new WordPress vulnerabilities were disclosed during the week of May 25–31, 2026, including 6 critical and 24 high-severity issues. The headline disclosure is an authenticated remote code execution flaw in WPCode (versions 2.3.5 and earlier) — a snippet manager installed on roughly three million sites — where a contributor-level account could push arbitrary PHP through XML-RPC. It’s patched in 2.3.6, and any site still on an older version should treat the update as a same-day task.

Plugins accounted for 97% of disclosures this week, and the combined install reach across the high and critical entries lands at roughly 11.7 million sites — one of the larger exposure weeks in recent memory. Beyond WPCode, the standouts are Spectra Gutenberg Blocks (1M installs, authenticated RCE) and LiteSpeed Cache (7M installs, unauthenticated stored XSS through QUIC.cloud endpoints). Three very popular plugins, three very different attack paths.

This week at a glance

  • Total vulnerabilities: 146
  • Critical (CVSS ≥ 9.0): 6
  • High (CVSS 7.0–8.9): 24
  • Medium (CVSS 4.0–6.9): 115
  • Top affected category: plugins (97%)
  • Combined install reach (high+critical): 11,746,500 sites

Critical and high-severity vulnerabilities

Plugin / Theme | Affected | Patched in | CVSS | Type
WPCode – Insert Headers and Footers + Custom Code Snippets – WordPress Code Manager (3M+ installs)* | ≤ 2.3.5 | 2.3.6 | 8.8 (High) | Improper Control of Generation of Code (‘Code Injection’)
Spectra Gutenberg Blocks – Website Builder for the Block Editor (1M+ installs)* | ≤ 2.19.25 | 2.19.26 | 8.8 (High) | Improper Privilege Management
LiteSpeed Cache (7M+ installs)* | ≤ 7.7 | 7.8 | 7.2 (High) | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
Advanced Custom Fields: Extended (100K+ installs)* | ≤ 0.9.2.5 | 0.9.2.6 | 9.8 (Critical) | Improper Privilege Management
Simple History – Track, Log, and Audit WordPress Changes (300K+ installs)* | ≤ 5.26.0 | 5.27.0 | 7.5 (High) | Weak Password Recovery Mechanism for Forgotten Password
Media Library Assistant (70K+ installs)* | ≤ 3.35 | 3.36 | 8.1 (High) | Cross-Site Request Forgery (CSRF)
Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin (60K+ installs)* | ≤ 1.6.11.8 | 1.6.11.9 | 7.5 (High) | Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
SlimStat Analytics (80K+ installs)* | ≤ 5.4.11 | 5.4.12 | 7.2 (High) | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
Frontend Admin by DynamiApps (10K+ installs)* | ≤ 3.29.2 | 3.29.3 | 8.8 (High) | Improper Privilege Management
Frontend Admin by DynamiApps (10K+ installs)* | ≤ 3.29.2 | 3.29.3 | 8.8 (High) | Missing Authorization
Login No Captcha reCAPTCHA (60K+ installs)* | ≤ 1.8.0 | 1.8.1 | 7.2 (High) | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
GutenBee – Gutenberg Blocks (7K+ installs)* | ≤ 2.20.1 | 2.20.2 | 8.8 (High) | Unrestricted Upload of File with Dangerous Type
Link Whisper Free (30K+ installs)* | ≤ 0.9.0 | 0.9.1 | 7.2 (High) | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
GEO my WP (3K+ installs)* | ≤ 4.5.4 | 4.5.5 | 9.1 (Critical) | Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
OTP Login With Phone Number, OTP Verification (900 installs) | 1.8.50 – 1.8.60 | 1.8.61 | 9.8 (Critical) | Improper Authentication

Sorted by install-weighted severity, the three to patch first are WPCode 2.3.6, Spectra Gutenberg Blocks 2.19.26, and LiteSpeed Cache 7.8: all three fixes are available, the CVSS scores run from 7.2 to 8.8, and together they cover more than 11 million installs. Install weighting is a triage order, not a risk ceiling. The three critical entries (Advanced Custom Fields: Extended at 9.8, OTP Login With Phone Number at 9.8, GEO my WP at 9.1) have far smaller footprints but carry the highest scores on the list, so on any site that runs them they go to the front of the queue.

Worth knowing

The medium-severity table is unusually long this week (115 records) but most are bounded by authentication requirements or limited blast radius. The handful below are the ones worth a glance because they sit inside plugins with very large install bases.

Plugin / Theme | Affected | Patched in | CVSS | Type
Unlimited Elements For Elementor* | ≤ 2.0.8 | 2.0.9 | 6.5 | Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
Rank Math SEO – AI SEO Tools to Dominate SEO Rankings* | ≤ 1.0.271 | 1.0.271.1 | 5.3 | Missing Authorization
Photo Gallery by 10Web – Mobile-Friendly Image Gallery* | ≤ 1.8.40 | 1.8.41 | 6.5 | Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
Easy Updates Manager* | ≤ 9.0.20 | 9.0.21 | 6.1 | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
Advanced Custom Fields (ACF®)* | ≤ 6.8.1 | 6.8.2 | 5.3 | Missing Authorization

What to do this week

  1. If WPCode (Insert Headers and Footers) is installed on any site, update to 2.3.6 today and review recent logins and activity by contributor- and author-level accounts, since that is the privilege level the flaw requires. The exploit path runs through XML-RPC, so also confirm xmlrpc.php is disabled or restricted if nothing you rely on needs it (Jetpack and some remote-publishing clients still use it).
  2. Update Spectra Gutenberg Blocks to 2.19.26 and LiteSpeed Cache to 7.8. Both fixes are public, and plugins with install bases this large draw mass scanning as soon as a patch ships; the LiteSpeed issue is unauthenticated, so it needs no account on the site at all.
  3. Audit every plugin on your site against this week’s table. Plugins accounted for 97% of disclosures, and install reach for the high/critical tier alone touched 11.7 million sites.
  4. Take a backup, then run all pending WordPress core, plugin, and theme updates this week, including the ones you’ve deferred for compatibility reasons. The longer a known flaw sits unpatched, the cheaper it gets for attackers to weaponize.
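As an added example (not CyberOptik’s tooling and not any plugin’s own code), the POSIX shell script below turns steps 1 through 4 into a repeatable check. It compares a site’s installed plugin versions, in the shape that `wp plugin list --format=csv --fields=name,version` prints, against the affected and patched versions from this week’s table, and prints the `wp plugin update` command for each match; it also defines a probe for whether xmlrpc.php still answers. The plugin slugs in the advisory list are assumptions from memory rather than something the table states, so verify each against the plugin’s wordpress.org URL before relying on them. The embedded plugin list is constructed sample data so the script runs offline; the XML-RPC probe needs network access and is only defined here, not run.

```shell
#!/bin/sh
# Added example, not part of the original post or any plugin's code.
# Audits a WordPress site's plugin versions against this week's table and
# defines a check for whether xmlrpc.php is still reachable.
#
# Slugs below are ASSUMED from memory; verify each against the plugin's
# wordpress.org URL before trusting a match.
# Format: slug|last affected version|patched version (versions from the table)
ADVISORIES='insert-headers-and-footers|2.3.5|2.3.6
ultimate-addons-for-gutenberg|2.19.25|2.19.26
litespeed-cache|7.7|7.8
acf-extended|0.9.2.5|0.9.2.6
simple-history|5.26.0|5.27.0
media-library-assistant|3.35|3.36
wp-slimstat|5.4.11|5.4.12
gutenbee|2.20.1|2.20.2
geo-my-wp|4.5.4|4.5.5'

# vercmp A B: print -1, 0 or 1 for A<B, A=B, A>B on dotted numeric versions.
# Missing components count as 0, so 7 and 7.0 compare equal.
vercmp() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, A, "."); nb = split(b, B, ".")
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      x = (i <= na) ? A[i] + 0 : 0
      y = (i <= nb) ? B[i] + 0 : 0
      if (x < y) { print "-1"; exit }
      if (x > y) { print "1"; exit }
    }
    print "0"
  }'
}

# audit_plugins: read "name,version" CSV (header line included) on stdin and
# print one VULNERABLE line per installed plugin at or below the affected
# version, with the wp-cli command that fixes it.
audit_plugins() {
  tail -n +2 | while IFS=, read -r slug ver; do
    [ -n "$slug" ] || continue
    printf '%s\n' "$ADVISORIES" | while IFS='|' read -r s affected patched; do
      [ "$s" = "$slug" ] || continue
      if [ "$(vercmp "$ver" "$affected")" -le 0 ]; then
        printf 'VULNERABLE %s %s (patched in %s): wp plugin update %s\n' \
          "$slug" "$ver" "$patched" "$slug"
      fi
    done
  done
}

# xmlrpc_status URL: HTTP status of a GET to /xmlrpc.php. A live endpoint
# answers 405 ("XML-RPC server accepts POST requests only."); a 403 or 404
# means your block rule is doing its job. Needs network access; not run here.
xmlrpc_status() {
  curl -s -o /dev/null -w '%{http_code}' "${1%/}/xmlrpc.php"
}

# Constructed sample of `wp plugin list --format=csv --fields=name,version`:
# two plugins still on affected versions, two already patched, one unrelated.
SAMPLE_PLUGIN_LIST='name,version
insert-headers-and-footers,2.3.5
litespeed-cache,7.8
ultimate-addons-for-gutenberg,2.19.24
akismet,5.3
geo-my-wp,4.5.5'

# Run the sample through the audit. Against a real site:
#   wp plugin list --format=csv --fields=name,version | audit_plugins
# and for the account review in step 1:
#   wp user list --role=contributor --fields=ID,user_login,user_registered
printf '%s\n' "$SAMPLE_PLUGIN_LIST" | audit_plugins
```

The version comparison is numeric per component, which is what the table’s version strings need; if a plugin uses suffixes such as `-beta`, add a normalization step before the compare rather than trusting the result.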

How CyberOptik handles this for you

CyberOptik watches the vulnerability feeds every day and patches the WordPress sites we manage as soon as fixes ship. On a week like this one — a 3M-install RCE plus a 7M-install XSS in the same seven days — our maintenance clients don’t read posts like this to find out what they need to do. The work is already handled by the time they sit down at their desk.

If you’d rather not spend Monday mornings triaging WordPress security advisories, our team can take it off your plate. Learn more on the WordPress maintenance page or get in touch for a quick fit conversation.

Frequently asked questions

How often are new WordPress vulnerabilities disclosed?

Dozens of new WordPress vulnerabilities are published every week across the plugin and theme ecosystem. The volume varies — some weeks bring 30, others over 140 — but the underlying pattern is constant: there is never a quiet week for long.

Should I update plugins immediately, or wait?

For anything in the critical or high tier, update right away after a quick backup. The risk of leaving a known authentication, code-injection, or file-upload flaw in place almost always outweighs the small chance of a compatibility issue, especially when the patch has been public for several days.

What if a vulnerable plugin doesn’t have a patch yet?

Deactivate the plugin until the developer ships a fix, and look for a maintained alternative if the project appears abandoned. Deactivating only stops WordPress from loading the plugin; its files stay on disk, and a flaw in a PHP file that can be requested directly is still reachable, so delete the plugin outright if you no longer need it. Leaving an unpatched plugin active because it ‘still works’ is one of the most common ways WordPress sites get compromised.

Does CyberOptik handle this kind of patching for clients?

Yes. We monitor disclosures continuously, patch managed sites as soon as fixes are available, and run the regression checks that confirm nothing else broke. Plans start at $99 per month.

Severity scores combine CVSS with WordPress.org install counts where available.