WordPress Plugin Vulnerabilities Putting Your Business Website at Risk This Week
Attackers are breaking into WordPress sites right now, and they are doing it without a username or password. The plugins being exploited are mainstream, widely trusted tools that thousands of businesses run on live sites today.
Take WP Maps Pro. A critical flaw in WP Maps Pro means that every page of an affected site publicly exposes a small security token called a nonce. That token is supposed to be private, used to confirm that a legitimate request came from a legitimate user. Because it sits embedded in the frontend of every page, an attacker can read it, use it to pass the plugin’s access check, and instruct the plugin to create a fresh WordPress administrator account, complete with a ready-made login link. No credentials needed. The site is theirs.
Everest Forms Pro, used by businesses to handle contact forms, payment forms, and job applications, carried a vulnerability that worked to the same effect. Active exploitation began on 13 April, and the attack volume was substantial: over 29,300 exploitation attempts were blocked, with more than 17,900 recorded on a single day, 16 May. That figure represents automated scanners hitting affected sites at scale, finding the flaw and taking over any site that had not yet patched.
The pattern in both cases is the same: a flaw in how the plugin checks whether the person making a request is allowed to make it. When that check can be bypassed, the attacker gets the same access as someone logged in as an administrator. From that position, they can redirect your site to a malware distribution page, install a backdoor that survives a password reset, extract your customer data, or simply delete everything.
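To make that access-check flaw concrete, here is an added illustration in PHP (not code from WP Maps Pro, Everest Forms Pro or this post): a hypothetical plugin AJAX handler that creates a user, first in the broken form where a nonce is the only gate, then hardened so that a capability check, not the nonce, decides who may call it. The function names and the `acme_admin_action` nonce are invented.

```php
<?php
// Added illustration, not code from WP Maps Pro, Everest Forms Pro or this post.
// acme_create_account and the 'acme_admin_action' nonce are invented names for
// a hypothetical plugin AJAX handler that creates a user.

// VULNERABLE PATTERN: the nonce is the only gate. When that nonce is printed into
// the frontend of every page, anyone can read it, so this check proves only that
// the request carried a value the site itself published, not that the caller is
// an administrator. Hooking wp_ajax_nopriv_* makes it reachable without a login.
function acme_create_account_vulnerable() {
    check_ajax_referer( 'acme_admin_action', 'nonce' ); // CSRF token treated as authorisation
    $user_id = wp_create_user( sanitize_user( $_POST['login'] ), wp_generate_password(), sanitize_email( $_POST['email'] ) );
    ( new WP_User( $user_id ) )->set_role( 'administrator' );
    wp_send_json_success( array( 'user_id' => $user_id ) );
}
// add_action( 'wp_ajax_nopriv_acme_create_account', 'acme_create_account_vulnerable' );

// HARDENED PATTERN: a nonce is a CSRF token, not authorisation. Require a logged-in
// caller with the capabilities the action needs, validate input, take the role
// from an allow-list, and never register a privileged action on the nopriv hook.
function acme_create_account_hardened() {
    if ( ! is_user_logged_in() || ! current_user_can( 'create_users' ) || ! current_user_can( 'promote_users' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 ); // exits
    }
    check_ajax_referer( 'acme_admin_action', 'nonce' ); // still required, but only as a CSRF check

    $login = sanitize_user( wp_unslash( $_POST['login'] ?? '' ), true );
    $email = sanitize_email( wp_unslash( $_POST['email'] ?? '' ) );
    if ( '' === $login || ! is_email( $email ) ) {
        wp_send_json_error( array( 'message' => 'invalid input' ), 400 );
    }

    $user_id = wp_create_user( $login, wp_generate_password( 24 ), $email );
    if ( is_wp_error( $user_id ) ) {
        wp_send_json_error( array( 'message' => $user_id->get_error_message() ), 400 );
    }
    ( new WP_User( $user_id ) )->set_role( 'subscriber' ); // least privilege; never taken from request input
    wp_send_json_success( array( 'user_id' => $user_id ) );
}
add_action( 'wp_ajax_acme_create_account', 'acme_create_account_hardened' );
// Deliberately no wp_ajax_nopriv_acme_create_account registration: a logged-in caller is required.
```

When reviewing a plugin, the question to ask of every privileged handler is whether anything other than the nonce stands between an anonymous request and the action.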
On 8 May 2026, the Wordfence security platform disclosed a critical vulnerability in a widely used plugin. Over 200,000 sites were exposed to full account takeover. Wordfence pushed a firewall rule to its Premium, Care, and Response customers immediately, while free users were not scheduled to receive that same protection until 7 June 2026, a full 30 days later.
That gap is not a footnote. For a month, a business running the free tier of Wordfence had no automated protection against a known, actively exploited vulnerability. The only thing standing between your site and a takeover was whether you had noticed the update and applied it yourself, before the attack arrived. If an attacker scanned your site during those 30 days and found the flaw, the firewall would not have stopped them. The free tier of a security tool is simply a different product from the paid tier: the meaningful difference is the time between a vulnerability being known and your site being protected against it.
The Avada (Fusion) Builder plugin, versions 3.15.2 and prior, carried a separate risk: a remote code execution vulnerability that allowed an unauthenticated attacker to inject PHP functions and run arbitrary code on the server. An attacker with that access can interact with the underlying server, potentially affecting every site hosted on the same account, well beyond your WordPress database.
The Wordfence weekly vulnerability report for 18 to 24 May 2026 covered 100 newly disclosed vulnerabilities across 87 plugins and one theme, affecting roughly 11.9 million active plugin installs. Wordfence pays researchers up to £31,200 per vulnerability submitted through its bug bounty programme, which signals how much commercial value sits in an undiscovered WordPress plugin flaw and why the incentive to find them, on both sides, remains significant.
Most businesses treat plugin updates as routine housekeeping, something to batch together once a month or delegate to whoever manages the site. That approach assumes the gap between a vulnerability being published and an attacker exploiting it is measured in weeks. The Everest Forms Pro data shows it is measured in days, meaning the attack may already have happened by the time a monthly maintenance window arrives.
A site with no monitoring, no automated vulnerability scanning, and no security audit process has no way of knowing that a plugin installed two years ago has just become the vector for a mass exploitation campaign. Applying updates promptly is the first and most direct control, but it only works if someone is watching.
The practical starting point is a plugin audit: a full list of every plugin installed on your site, cross-referenced against current vulnerability disclosures. That audit will also surface plugins that are no longer maintained by their developers. Abandoned plugins receive no security patches regardless of how severe the flaw is, so they carry their own persistent risk.
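As an added example of that audit step (not the post's or Wordfence's tooling), the PHP script below cross-references installed plugins against advisories and flags anything vulnerable or abandoned. It assumes `$installed` mirrors the output of `wp plugin list --fields=name,version,status --format=json`; the Fusion Builder range ("3.15.2 and prior") is the one the post gives, while the plugin slugs, the Everest Forms Pro version numbers and the last-updated dates are constructed sample data.

```php
<?php
// Added example, not the post's or Wordfence's code. Sample data is constructed:
// $installed mirrors `wp plugin list --fields=name,version,status --format=json`,
// $advisories and $last_updated stand in for a vulnerability feed and plugin metadata.

$installed = json_decode( '[
  {"name":"fusion-builder","version":"3.15.2","status":"active"},
  {"name":"everest-forms-pro","version":"1.9.0","status":"active"},
  {"name":"old-slider","version":"2.0.1","status":"inactive"}
]', true );

// Advisories state ranges two ways: "up to and including" (inclusive) and
// "fixed in" (exclusive). Confusing the two is the classic off-by-one in audits.
$advisories = array(
    array( 'slug' => 'fusion-builder',    'title' => 'Unauthenticated remote code execution', 'affected_up_to' => '3.15.2' ),
    array( 'slug' => 'everest-forms-pro', 'title' => 'Access-check bypass (constructed version range)', 'fixed_in' => '1.9.0' ),
);
// Constructed last-update dates; a plugin untouched for two years is treated as abandoned.
$last_updated = array( 'fusion-builder' => '2026-05-12', 'everest-forms-pro' => '2026-04-20', 'old-slider' => '2023-01-15' );

function acme_is_affected( string $version, array $adv ): bool {
    if ( isset( $adv['affected_up_to'] ) ) {
        return version_compare( $version, $adv['affected_up_to'], '<=' );
    }
    return version_compare( $version, $adv['fixed_in'], '<' );
}

function acme_audit( array $installed, array $advisories, array $last_updated, string $today, int $abandon_days = 730 ): array {
    $findings = array();
    foreach ( $installed as $plugin ) {
        foreach ( $advisories as $adv ) {
            if ( $adv['slug'] === $plugin['name'] && acme_is_affected( $plugin['version'], $adv ) ) {
                // Inactive plugins are reported too: their files still sit on disk.
                $findings[] = sprintf( 'VULNERABLE %s %s (%s): %s', $plugin['name'], $plugin['version'], $plugin['status'], $adv['title'] );
            }
        }
        $updated = $last_updated[ $plugin['name'] ] ?? $today;
        $age_days = ( strtotime( $today ) - strtotime( $updated ) ) / 86400;
        if ( $age_days > $abandon_days ) {
            $findings[] = sprintf( 'ABANDONED  %s last updated %s', $plugin['name'], $updated );
        }
    }
    return $findings;
}

foreach ( acme_audit( $installed, $advisories, $last_updated, '2026-05-24' ) as $line ) {
    echo $line, PHP_EOL;
}
```

With this data the script reports fusion-builder as vulnerable (inclusive range) and old-slider as abandoned, while everest-forms-pro at the fixed version is not flagged.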
One consequence that business owners rarely consider is what happens after a takeover if the site has been used to distribute malware. Google’s Safe Browsing system flags domains that serve malicious content, and once flagged, your domain displays a browser warning to every visitor while your search rankings drop. Cleaning the site removes the malware, but the domain flag takes time to clear, and the reputational damage runs past the moment the attacker is removed.
If you want me to audit the plugins on your site, identify anything currently flagged as vulnerable, and confirm your security setup would have protected you during that 30-day exposure window, get in touch at The WordPress Guy. Given that exploitation of known vulnerabilities begins within days of disclosure, waiting until your next scheduled review carries a specific risk: the attack arrives before the audit does.
Jason Boyd
Specialist WordPress Engineer · Former W3C Invited Expert · 20+ years
I fix the WordPress problems other developers walk away from. Backed by a 1st Class degree in Computer Science, an MSc in Cybersecurity, and over 20 years of specialist WordPress work, I diagnose issues at their root cause and resolve them permanently — for businesses that cannot afford guesswork or repeat failures.
If this article describes your situation, I can diagnose the specifics and fix it properly. Send your brief and I'll respond the same working day.