This week’s WordPress security recap
54 new WordPress vulnerabilities were disclosed between May 4 and May 10, 2026, including three critical and 16 high-severity flaws. The week’s biggest practical concern is a path-traversal issue in WP-Optimize (versions through 4.5.2), which runs on roughly 1 million sites. Path-traversal bugs let attackers read or write files outside the directory they should be allowed to touch, which is bad in any plugin, but especially in a cache/optimization plugin that operates on the file system by design. WP-Optimize 4.5.3 is the patched release.
Plugins took 96% of this week’s disclosures, with a combined install reach of more than 2.3 million sites in the high-and-critical column alone. Form builders, Elementor add-ons, and cache plugins led the activity, with Forminator (600K installs) and Royal Addons for Elementor (600K installs) both shipping high-severity patches. Three plugins hit CVSS 9.8 — GeekyBot, Mentoring, and MoreConvert Pro — but their install counts are smaller, so most sites won’t be exposed.
This week at a glance
- Total vulnerabilities: 54
- Critical (CVSS ≥ 9.0): 3
- High (CVSS 7.0–8.9): 16
- Medium (CVSS 4.0–6.9): 35
- Top affected category: plugins (96%)
- Combined install reach (high+critical): 2,368,100 sites
Critical and high-severity vulnerabilities
| Plugin / Theme | Affected versions | Patched in | CVSS | Type |
|---|---|---|---|---|
| WP-Optimize – Cache, Compress images, Minify & Clean database to boost page speed & performance (1M+ installs) | *-4.5.2 | 4.5.3 | 8.1 (High) | Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) |
| Forminator Forms – Contact Form, Payment Form & Custom Form Builder (600K+ installs) | *-1.52.1 | 1.52.2 | 7.5 (High) | Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) |
| Royal Addons for Elementor – Addons and Templates Kit for Elementor (600K+ installs) | *-1.7.1056 | 1.7.1057 | 7.2 (High) | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) |
| User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration (20K+ installs) | *-4.3.1 | 4.3.2 | 8.8 (High) | Deserialization of Untrusted Data |
| GeekyBot — AI Copilot, Chatbot, WooCommerce Lead Gen & Zero-Prompt Content (6K+ installs) | *-1.2.2 | 1.2.3 | 9.8 (Critical) | Missing Authorization |
| LatePoint – Calendar Booking Plugin for Appointments and Events (100K+ installs) | *-5.5.0 | 5.5.1 | 7.2 (High) | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) |
| Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder (30K+ installs) | *-1.15.42 | 1.15.43 | 7.5 (High) | Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) |
| GeekyBot — AI Copilot, Chatbot, WooCommerce Lead Gen & Zero-Prompt Content (6K+ installs) | *-1.2.0 | 1.2.1 | 7.5 (High) | Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) |
| AWP Classifieds (3K+ installs) | *-4.4.5 | not yet patched | 7.5 (High) | Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) |
| Auto Affiliate Links (3K+ installs) | *-6.8.8 | 6.8.8.1 | 7.2 (High) | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) |
| WebinarIgnition – Live, Automated & Evergreen Webinar System also for WooCommerce (100 installs) | *-4.09.1 | not yet patched | 7.5 (High) | Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) |
| Mentoring | *-1.2.8 | 1.2.9 | 9.8 (Critical) | Improper Privilege Management |
| MoreConvert Pro | *-1.9.14 | 1.9.15 | 9.8 (Critical) | Improper Authentication |
| Betheme | *-28.4 | 28.4.1 | 8.8 (High) | Unrestricted Upload of File with Dangerous Type |
| Slider Revolution | 7.0.0-7.0.10 | 7.0.11 | 8.8 (High) | Unrestricted Upload of File with Dangerous Type |
Three flaws stand out: WP-Optimize through 4.5.2 (path traversal, CVSS 8.1, ~1M installs), Forminator Forms through 1.52.1 (path traversal, CVSS 7.5, ~600K installs), and Royal Addons for Elementor through 1.7.1056 (stored XSS, CVSS 7.2, ~600K installs).
Worth knowing
Medium-severity items don’t need same-day action, but two of them carry surprising weight this week. ElementsKit and Forminator both have medium-rated authorization flaws on plugins with 1M and 600K installs, respectively — meaning the practical exposure is closer to the high-severity items above. Treat anything in the table below as a one-week patching target.
| Plugin / Theme | Affected versions | Patched in | CVSS | Type |
|---|---|---|---|---|
| ElementsKit Elementor Addons – Advanced Widgets & Templates Addons for Elementor | *-3.8.2 | 3.9.0 | 6.5 | Missing Authorization |
| Forminator Forms – Contact Form, Payment Form & Custom Form Builder | *-1.53.0 | 1.53.0.1 | 6.5 | Missing Authorization |
| Royal Addons for Elementor – Addons and Templates Kit for Elementor | *-1.7.1056 | 1.7.1057 | 6.4 | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) |
| GenerateBlocks | *-2.2.0 | 2.2.1 | 6.5 | Authorization Bypass Through User-Controlled Key |
| LatePoint – Calendar Booking Plugin for Appointments and Events | *-5.5.0 | 5.5.1 | 6.4 | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) |
What to do this week
- Patch WP-Optimize to 4.5.3 this week if you use it. Roughly 1 million sites run this plugin, and the path-traversal flaw is the kind of issue automated scanners pick up quickly. Test in staging if you have heavy caching customizations, but don’t sit on it.
- Update Forminator Forms to 1.53.0.1 and Royal Addons for Elementor to 1.7.1057. Both are high-severity, both have 600,000 installs, and both touch user-submitted data — exactly the surface attackers target.
- If you run any of the three critical-severity plugins (GeekyBot, Mentoring, or MoreConvert Pro), update or disable them today. Each is a CVSS 9.8 authentication or authorization flaw, which means an unpatched site is a direct path to admin access.
- Audit your Elementor add-ons and form-builder plugins this week. Royal Addons, ElementsKit, Forminator, and User Frontend all shipped patches — these plugin families dominated this week’s disclosures and they’re typically installed in stacks of three or four together.
- Run all pending WordPress, plugin, and theme updates this week — even ones you’ve delayed for compatibility reasons. The longer a known flaw sits unpatched, the cheaper it gets for attackers to weaponize.
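An added example (not code from the recap or from any plugin named in it) that turns the tables above into a check you can run against `wp plugin list --format=json` output: it flags installed plugins whose version falls inside an affected range and names the release to move to, treating "*-X" as every release up to and including X. The plugin slugs and the sample plugin list are constructed assumptions; the version ranges and patched releases are the ones in this week's tables.

```python
import json

# This week's table entries (slugs are assumed): slug -> (affected range, patched release or None).
ADVISORIES = {
    "wp-optimize": ("*-4.5.2", "4.5.3"),
    "forminator": ("*-1.53.0", "1.53.0.1"),
    "royal-elementor-addons": ("*-1.7.1056", "1.7.1057"),
    "revslider": ("7.0.0-7.0.10", "7.0.11"),
    "awp-classifieds": ("*-4.4.5", None),
}

def parse_version(v):
    """'1.7.1056' -> (1, 7, 1056); a non-numeric component sorts below zero."""
    return tuple(int(p) if p.isdigit() else -1 for p in v.split("."))

def version_le(a, b):
    """a <= b, padding the shorter tuple with zeros so '4.5' equals '4.5.0'."""
    pa, pb = parse_version(a), parse_version(b)
    n = max(len(pa), len(pb))
    return pa + (0,) * (n - len(pa)) <= pb + (0,) * (n - len(pb))

def in_affected_range(version, affected):
    """True if `version` lies inside a table range written '*-X' (up to X) or 'X-Y'."""
    low, high = affected.split("-")
    if low != "*" and not version_le(low, version):
        return False  # older than the first affected release
    return version_le(version, high)

def check_installed(wp_plugin_list_json):
    """Map slug -> (installed version, patched release) for every affected install."""
    findings = {}
    for plugin in json.loads(wp_plugin_list_json):
        adv = ADVISORIES.get(plugin["name"])
        if adv and in_affected_range(plugin["version"], adv[0]):
            findings[plugin["name"]] = (plugin["version"], adv[1])
    return findings

# Constructed stand-in for `wp plugin list --format=json` output on one site.
SAMPLE_WP_PLUGIN_LIST = json.dumps([
    {"name": "wp-optimize", "status": "active", "version": "4.5.2"},
    {"name": "forminator", "status": "active", "version": "1.53.0.1"},
    {"name": "royal-elementor-addons", "status": "active", "version": "1.7.1000"},
    {"name": "revslider", "status": "inactive", "version": "6.7.31"},
    {"name": "awp-classifieds", "status": "active", "version": "4.4.5"},
])

if __name__ == "__main__":
    for slug, (installed, patched) in check_installed(SAMPLE_WP_PLUGIN_LIST).items():
        action = f"update to {patched}" if patched else "no fix yet: disable or restrict"
        print(f"{slug} {installed}: {action}")
```

On a real site, pipe `wp plugin list --format=json` into `check_installed` and refresh `ADVISORIES` from each week's tables; an entry with `None` as the patched release is one to disable or restrict rather than update.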
How CyberOptik handles this for you
As a dedicated WordPress maintenance agency, we monitor every site we manage and apply patches the moment fixes are available — there’s no waiting on a maintenance window or a monthly cycle. We handle the tracking, testing, and deployment so site owners don’t have to read a weekly vulnerability report to stay safe.
If you’d rather spend your Monday on your business than on plugin updates, our maintenance team handles it. Get in touch for a quote — plans start at $99/month and cover unlimited plugin and theme patches across your site.
Frequently asked questions
How often are new WordPress vulnerabilities disclosed?
New WordPress plugin, theme, and core vulnerabilities are disclosed most business days, with 30 to 60 records per week being typical across the ecosystem. This week landed at 54. Volume tends to spike around plugin major-version releases and coordinated security researcher disclosure events.
Should I update plugins immediately, or wait?
For critical and high-severity flaws, update the same day if you can — these are the patches attackers actively scan for. For medium-severity flaws on plugins with very large install bases (like ElementsKit this week), still treat them as priority because the surface area is enormous. For other medium items, a 24 to 48-hour staging-environment test is reasonable.
What if a vulnerable plugin doesn’t have a patch yet?
Disable the plugin until the developer ships a fix, or replace it with an alternative that solves the same problem. If neither is feasible, restrict the affected functionality at the server or firewall level and add a virtual-patching layer until an official update lands.
Does CyberOptik handle this kind of patching for clients?
Yes — every CyberOptik WordPress maintenance plan includes ongoing vulnerability monitoring, applying patches to managed sites as soon as fixes are available, and a monthly report of what was patched. As a specialist WordPress maintenance agency, we handle this for more than 800 WordPress sites every month.
Severity scores combine CVSS with WordPress.org install counts where available.