This week’s WordPress security recap
66 new WordPress vulnerabilities were disclosed between April 27 and May 3, 2026 — more than double last week’s volume. Three are critical and 28 are high-severity, with one of the week’s most consequential issues sitting in Elementor (versions through 4.0.4), which runs on roughly 10 million sites. Elementor’s flaw is rated medium on CVSS but earns extra attention purely on install count: even a small percentage of unpatched sites is millions of exposed installs.
Plugins drove 94% of this week’s disclosures, with the headline critical going to the Temporary Login plugin (versions through 1.0.0) — an unauthenticated authentication bypass affecting around 40,000 sites that’s already been patched in 1.1.0. Booking, page-builder, and user-management plugins took the brunt of the high-severity column. Combined install reach for high and critical items this week tops 1.3 million sites, so the practical answer is the same as always: patch this week, don’t wait.
This week at a glance
- Total vulnerabilities: 66
- Critical (CVSS ≥ 9.0): 3
- High (CVSS 7.0–8.9): 28
- Medium (CVSS 4.0–6.9): 35
- Top affected category: plugins (94%)
- Combined install reach (high+critical): 1,388,070 sites
Critical and high-severity vulnerabilities
| Plugin / Theme | Affected | Patched in | CVSS | Type | More |
|---|---|---|---|---|---|
| Temporary Login (40K+ installs) | *-1.0.0 | 1.1.0 | 9.8 (Critical) | Authentication Bypass Using an Alternate Path or Channel | Details |
| LatePoint – Calendar Booking Plugin for Appointments and Events (100K+ installs) | *-5.4.1 | 5.4.2 | 8.8 (High) | Improper Privilege Management | Details |
| Import and export users and customers (70K+ installs) | *-2.0.8 | 2.0.9 | 8.8 (High) | Improper Privilege Management | Details |
| Royal Addons for Elementor – Addons and Templates Kit for Elementor (600K+ installs) | *-1.7.1057 | 1.7.1058 | 7.2 (High) | Server-Side Request Forgery (SSRF) | Details |
| Otter Blocks – Gutenberg Blocks, Page Builder for Gutenberg Editor & FSE (300K+ installs) | *-3.1.4 | 3.1.5 | 7.5 (High) | Improper Authorization | Details |
| WP Editor (20K+ installs) | *-1.2.9.2 | 1.2.9.3 | 8.8 (High) | Cross-Site Request Forgery (CSRF) | Details |
| User Verification by PickPlugins (5K+ installs) | *-2.0.46 | 2.0.47 | 9.8 (Critical) | Authentication Bypass Using an Alternate Path or Channel | Details |
| Check & Log Email – Easy Email Testing & Mail logging (100K+ installs) | [*, 2.0.13) | 2.0.13 | 7.2 (High) | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) | Details |
| Brizy – Page Builder (70K+ installs) | *-2.8.11 | 2.8.12 | 7.2 (High) | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) | Details |
| WCFM – Frontend Manager for WooCommerce (20K+ installs) | *-6.7.25 | 6.7.26 | 8.1 (High) | Authorization Bypass Through User-Controlled Key | Details |
| FunnelKit – Funnel Builder for WooCommerce Checkout (40K+ installs) | *-3.15.0.1 | 3.15.0.2 | 7.5 (High) | Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) | Details |
| Order Delivery Date for WooCommerce (10K+ installs) | *-4.5.1 | 4.5.2 | 7.5 (High) | Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) | Details |
| NEX-Forms – Ultimate Forms Plugin for WordPress (7K+ installs) | *-9.1.11 | 9.1.12 | 7.2 (High) | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) | Details |
| Salon Booking System – Free Version (3K+ installs) | *-10.30.25 | 10.30.26 | 7.5 (High) | Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) | Details |
| Geo Mashup (1K+ installs) | *-1.13.18 | 1.13.19 | 7.5 (High) | Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) | Details |
Three flaws stand out: Temporary Login (auth bypass, CVSS 9.8, ~40K installs), Elementor through 4.0.4 (XSS, CVSS 6.4 but ~10M installs), and LatePoint Booking through 5.4.1 (privilege escalation, CVSS 8.8, ~100K installs).
Worth knowing
Medium-severity items don’t need same-day action, but they’re worth running through staging this week. Most are easier for attackers to chain with other flaws than to weaponize alone, so one to seven days is the right window — not one to four weeks.
| Plugin / Theme | Affected | Patched in | CVSS | Type | More |
|---|---|---|---|---|---|
| Elementor Website Builder – more than just a page builder | *-4.0.4 | 4.0.5 | 6.4 | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) | Details |
| Jeg Kit for Elementor – Powerful Addons for Elementor, Widgets & Templates for WordPress | *-3.1.0 | 3.1.1 | 6.4 | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) | Details |
| Gutenberg Essential Blocks – Page Builder for Gutenberg Blocks & Patterns | *-6.0.4 | 6.1.0 | 6.4 | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) | Details |
| Complianz – GDPR/CCPA Cookie Consent | *-7.4.5 | 7.4.6 | 5.3 | Missing Authorization | Details |
| Premium Addons for Elementor – Powerful Elementor Templates & Widgets | *-4.11.70 | 4.11.71 | 5.4 | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) | Details |
What to do this week
- Update Elementor to 4.0.5 immediately if you run it. Even though the CVE is rated medium, the install base makes this the single most-attacked plugin patch of the week. Test in staging if you have major customizations, but don’t sit on it.
- Patch the three critical plugins right away if any are installed: Temporary Login (1.1.0), User Verification by PickPlugins (2.0.47), and User Registration Advanced Fields (check the developer’s site for the patched version). All three are authentication- or upload-related, which means an unpatched site is a direct path to admin access.
- Audit your booking, e-commerce, and user-management plugins. LatePoint, Import and export users and customers, WCFM Frontend Manager, and WP Mail Gateway all shipped patches this week — these are the categories attackers favor because they touch billing, customer data, and admin roles.
- Run all pending WordPress, plugin, and theme updates this week — even ones you’ve delayed for compatibility reasons. With 66 new disclosures in seven days, the math on staying current isn’t a debate anymore.
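One way to work through the list above is to compare a site's plugin inventory against the patched versions in this week's tables; the script below is an added example, not code from the original post or from any plugin vendor. It reads the JSON that `wp plugin list --format=json` produces and reports every advisory plugin still below its patched version, using a constructed sample inventory; all plugin slugs except `elementor` are assumptions to verify against your own `wp plugin list` output.

```python
"""Triage installed WordPress plugins against this week's advisory table."""
import json
import re

# Patched versions copied from the tables above, keyed by plugin slug.
# Slugs other than "elementor" are assumptions; confirm them on your site.
ADVISORIES = {
    "elementor": "4.0.5",
    "latepoint": "5.4.2",          # slug assumed
    "temporary-login": "1.1.0",    # slug assumed
    "otter-blocks": "3.1.5",       # slug assumed
}

# Constructed sample of `wp plugin list --format=json` output; not from a real site.
SAMPLE_INVENTORY = json.dumps([
    {"name": "elementor", "status": "active", "update": "available", "version": "4.0.4"},
    {"name": "latepoint", "status": "active", "update": "none", "version": "5.4.2"},
    {"name": "temporary-login", "status": "inactive", "update": "available", "version": "1.0.0"},
    {"name": "akismet", "status": "active", "update": "none", "version": "5.3"},
])


def version_key(version):
    """Split a dotted version into a tuple of ints so 1.7.1058 > 1.7.999 compares correctly."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def triage(inventory_json, advisories=ADVISORIES):
    """Return [(slug, installed, patched)] for advisory plugins below their patched version.

    Inactive plugins are reported too: the code is still on disk and is often still reachable.
    """
    findings = []
    for plugin in json.loads(inventory_json):
        patched = advisories.get(plugin["name"])
        if patched and version_key(plugin["version"]) < version_key(patched):
            findings.append((plugin["name"], plugin["version"], patched))
    return findings


if __name__ == "__main__":
    for slug, installed, patched in triage(SAMPLE_INVENTORY):
        print(f"{slug}: {installed} installed, update to {patched}")
```

On a real site, replace the constructed sample with the output of `wp plugin list --format=json` and extend the dictionary with the rest of the week's table.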
How CyberOptik handles this for you
As a dedicated WordPress maintenance agency, we monitor every site we manage and apply patches the moment fixes are available — there’s no waiting on a maintenance window or a monthly cycle. We handle the tracking, testing, and deployment so site owners don’t have to read a weekly vulnerability report to stay safe.
If you’d rather spend your Monday on your business than on plugin updates, our maintenance team handles it. Get in touch for a quote — plans start at $99/month and cover unlimited plugin and theme patches across your site.
Frequently asked questions
How often are new WordPress vulnerabilities disclosed?
New WordPress plugin, theme, and core vulnerabilities are disclosed most business days, with 30 to 60 records per week being typical across the ecosystem. This week was on the high end at 66 — volume tends to spike around plugin major-version releases and coordinated security researcher disclosure events.
Should I update plugins immediately, or wait?
For critical and high-severity flaws, update the same day if you can — these are the patches attackers actively scan for. For medium-severity flaws in plugins with very large install bases (like Elementor this week), still treat them as a priority because the surface area is enormous. For other medium items, a 24- to 48-hour test in a staging environment is reasonable.
What if a vulnerable plugin doesn’t have a patch yet?
Disable the plugin until the developer ships a fix, or replace it with an alternative that solves the same problem. If neither is feasible, restrict the affected functionality at the server or firewall level and add a virtual-patching layer until an official update lands.
Does CyberOptik handle this kind of patching for clients?
Yes — every CyberOptik WordPress maintenance plan includes ongoing vulnerability monitoring, applying patches to managed sites as soon as fixes are available, and a monthly report of what was patched. As a specialist WordPress maintenance agency, we handle this for more than 800 WordPress sites every month.