It's been a busy week in WordPress security. Our database picked up 6 critical and 20+ high severity CVEs in the last 7 days, covering everything from full authentication bypass to remote code execution available to any Contributor-level user. Several of these affect plugins with tens or hundreds of thousands of active installs, so let's get into it.
Critical Severity
Royal Addons for Elementor — Unauthenticated Stored XSS (CVSS 7.2 / High, but worth leading with)

With 600,000 active installs, Royal Addons for Elementor is the biggest plugin in this week's roundup by a wide margin, and it dropped two new CVEs simultaneously. The more serious one for most sites is CVE-2026-4803: unauthenticated stored XSS via the status parameter in the wpr_update_form_action_meta function. Anyone who can hit that endpoint can plant malicious scripts without needing a login.
The second is CVE-2026-6229, a Contributor-level SSRF via a CSV URL parameter, also CVSS 7.2. Both are patched in 1.7.1058.
This isn't an isolated slip. The plugin now has 72 CVEs on record. The developer (WP Royal) averages 98 days to patch, which is not great. If you're running this plugin, update immediately and keep an eye on it.
Temporary Login — Authentication Bypass to Account Takeover (CVSS 9.8)

Temporary Login has around 40,000 installs and does exactly what the name says: creates time-limited admin URLs. CVE-2026-7567 is a full authentication bypass that can lead to account takeover, and it sits at a 9.8 CVSS. The vulnerability existed in version 1.0.0 and is patched in 1.1.0.
The irony here is hard to miss. A plugin built to hand out secure temporary access had an auth bypass in its only release version. The patch arrived within a day, which is good. Still, check your version.
User Verification by PickPlugins — OTP Bypass via REST API (CVSS 9.8)

CVE-2026-7458 affects User Verification by PickPlugins (5,000 installs). An attacker can bypass OTP verification through an unprotected REST API endpoint and take over accounts without any credentials. Patched in 2.0.47.
What makes this worse is the pattern. This same plugin had a critical auth bypass (CVE-2025-12374) just five months ago, and another critical privilege escalation back in 2022. Three critical auth failures across a plugin whose entire job is authentication. PickPlugins' developer trust score is 67/100, the lowest of any developer in this week's batch.
GeekyBot — Unauthenticated Arbitrary Plugin Installation (CVSS 9.8)

GeekyBot is an AI chatbot plugin with around 6,000 installs, and CVE-2026-5294 is bad. Through the geekybot_frontendajax AJAX action, anyone (unauthenticated) can install arbitrary plugins on your site. That's effectively a root-level takeover vector.
Dropped at the same time was CVE-2026-3456, an unauthenticated SQL injection via the attributekey parameter (CVSS 7.5). Both are patched, and the developer (ahmadgb) actually has a developer trust score of 91 and an average patch time of just 5 days. The code has serious structural issues with 13 unprotected AJAX handlers, but at least the team moves fast when bugs are found.
High Severity
Widget Options — Contributor-Level Remote Code Execution (CVSS 8.8)

CVE-2026-2052 gives any Contributor on a site the ability to execute arbitrary code through the Display Logic feature in Widget Options (100,000 installs). Patched in 4.2.3 with a one-day turnaround.
The deeper problem: this is the third time Widget Options has shipped a Contributor-level RCE via the same Display Logic mechanism. CVE-2026-27984 was patched in March 2026 after sitting open for 44 days, and CVE-2025-22630 came before that. If you run a multi-author site and have Widget Options installed, you have a recurring problem. This isn't a one-off; it's an architectural issue with how Display Logic evaluates user-supplied input.
Import and Export Users and Customers — Subscriber Privilege Escalation (CVSS 8.8)

With 70,000 installs, Import and export users and customers got a high-severity hit this week. CVE-2026-7641 lets a logged-in subscriber escalate their own privileges by manipulating multisite capability meta fields. Patched in 2.0.9.
This is particularly relevant for membership sites and WooCommerce stores running multisite. Any registered user could quietly promote themselves. Update now.
WP Editor — CSRF to Remote Code Execution (CVSS 8.8)

CVE-2026-3772 affects WP Editor, a plugin with 30,000 installs that lets admins edit plugin and theme files directly from the dashboard. The vulnerability chains a CSRF flaw into full RCE: trick an admin into clicking a crafted link and an attacker can write arbitrary code to your theme or plugin files. Patched in 1.2.9.3.
This one's a good argument for disabling file editing in wp-config.php with define('DISALLOW_FILE_EDIT', true) regardless of whether you run this plugin.
Otter Blocks — Unauthenticated Purchase Verification Bypass (CVSS 7.5)

Otter Blocks has 300,000 installs and generally has a solid security track record (security score: 89/100). CVE-2026-2892 is a bit of an odd one: an attacker can forge a cookie to bypass the purchase verification system, essentially unlocking premium features without a valid license. It's annoying more than catastrophic for most users, but it's worth patching. Fixed in 3.1.5.
Unpatched: AWP Classifieds SQLi (CVSS 7.5)

One to flag with no fix yet: CVE-2026-5100 is an unauthenticated SQL injection in AWP Classifieds via the regions parameter. It has 3,000 installs and no patch as of this writing. If you run this plugin, consider disabling it until an update lands.
What to Do Right Now
The shortest path through this list:
- Royal Addons for Elementor (600k installs): update to 1.7.1058 or later
- Otter Blocks (300k installs): update to 3.1.5 or later
- Widget Options (100k installs): update to 4.2.3, and seriously audit Contributor-level roles on your site
- Import and Export Users and Customers (70k installs): update to 2.0.9
- Temporary Login (40k installs): update to 1.1.0
- WP Editor (30k installs): update to 1.2.9.3, and consider setting DISALLOW_FILE_EDIT in wp-config.php
- User Verification by PickPlugins (5k installs): update to 2.0.47. Given the track record, vet whether this plugin belongs in your stack at all
- GeekyBot (6k installs): update to 1.2.3
- AWP Classifieds (3k installs): no patch yet — deactivate until one is available
If you're on a managed host with auto-updates turned on, most of these are already taken care of. If you're managing sites manually, this is a decent week to run through your plugin update queue.
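For anyone working through that list across several sites, here is an added example (not part of the original post) of a small Python triage helper that reads the JSON emitted by wp plugin list --format=json and compares each installed version against the patched versions given above. The plugin slugs in the table are assumptions and should be checked against your own wp plugin list output before relying on the result.

```python
import json

# Minimum patched version per plugin, taken from the roundup above; None means
# no patch yet. Slugs are ASSUMED: confirm them against `wp plugin list` output.
PATCHED = {
    "royal-elementor-addons": "1.7.1058",         # Royal Addons for Elementor
    "otter-blocks": "3.1.5",                      # Otter Blocks
    "widget-options": "4.2.3",                    # Widget Options
    "import-users-from-csv-with-meta": "2.0.9",   # Import and Export Users and Customers
    "temporary-login": "1.1.0",                   # Temporary Login
    "wp-editor": "1.2.9.3",                       # WP Editor
    "user-verification": "2.0.47",                # User Verification by PickPlugins
    "geekybot": "1.2.3",                          # GeekyBot
    "another-wordpress-classifieds-plugin": None, # AWP Classifieds: unpatched
}

def parse_version(version):
    """'1.7.1058' -> (1, 7, 1058); non-numeric characters in a segment are dropped."""
    parts = []
    for segment in version.split("."):
        digits = "".join(ch for ch in segment if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)

def triage(plugin_list_json):
    """Map each roundup plugin found on the site to the action it needs."""
    actions = {}
    for plugin in json.loads(plugin_list_json):
        slug = plugin["name"]
        if slug not in PATCHED:
            continue  # not covered by this week's roundup
        fixed = PATCHED[slug]
        if fixed is None:
            actions[slug] = "deactivate (no patch available)"
        elif parse_version(plugin["version"]) < parse_version(fixed):
            actions[slug] = f"update {plugin['version']} -> {fixed}"
        else:
            actions[slug] = "ok"
    return actions

# Constructed sample in the shape of `wp plugin list --format=json` output.
SAMPLE = json.dumps([
    {"name": "royal-elementor-addons", "status": "active", "version": "1.7.1057"},
    {"name": "otter-blocks", "status": "active", "version": "3.1.5"},
    {"name": "wp-editor", "status": "inactive", "version": "1.2.9.2"},
    {"name": "another-wordpress-classifieds-plugin", "status": "active", "version": "4.3.1"},
    {"name": "akismet", "status": "active", "version": "5.3"},  # not in the roundup
])

if __name__ == "__main__":
    for slug, action in triage(SAMPLE).items():
        print(f"{slug}: {action}")
```

Inactive plugins are still reported, since a vulnerable plugin on disk is still a liability; replace SAMPLE with the real command output to check a live site.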