WordPress Plugin Vulnerabilities Putting Your Business Website at Risk This Week
January 2026 brought a string of confirmed security vulnerabilities across some of the most widely installed WordPress plugins on the market. If your site is running any of the affected versions and has not yet been updated, you are not facing a theoretical risk — you are facing an active one. Automated attacks targeting known software vulnerabilities are one of the leading causes of website compromises, and attackers do not wait for site owners to catch up with their maintenance schedule.
The scale of exposure here is significant. All in One SEO — installed on over 3,000,000 WordPress sites — contained a Broken Access Control vulnerability (CVE-2025-14384) affecting versions up to and including 4.9.2. A patch was released in version 4.9.3. Broken Access Control means that users who should not have permission to perform certain actions on your site may be able to do so anyway. For a business, that translates directly to a loss of control over your own platform — content could be altered, settings changed, or restricted areas accessed without your knowledge.
Essential Addons for Elementor, installed on over 2,000,000 WordPress sites, was found to contain a Cross Site Scripting vulnerability (CVE-2025-69092) in versions up to and including 6.5.3, patched in version 6.5.4. Cross Site Scripting vulnerabilities allow malicious code to be injected into pages viewed by your visitors. The practical consequence for a business is that your website — your public face — could be used to attack the very people who visit it. The reputational damage from that kind of incident is not easily undone.
Two further plugins rounded out a troubling month. MetForm, used on over 600,000 WordPress sites, contained a Broken Authentication vulnerability (CVE-2026-0633) in versions up to and including 4.1.0 that requires no authentication whatsoever to exploit, patched in version 4.1.1. No authentication required means that any visitor to your site — or any automated scanner — could potentially trigger the vulnerability without needing to log in at all. Meanwhile, The Events Calendar, installed on over 700,000 sites, was found to contain two separate Broken Access Control vulnerabilities (CVE-2025-15043 and CVE-2025-69352), both exploitable by users with only Subscriber-level access. If your site allows public registration — common for membership sites, event platforms, or community-facing businesses — Subscriber-level access is trivially easy for an attacker to obtain.
There is a common assumption amongst business owners that plugin updates can wait — that vulnerabilities are mostly theoretical, and that an attack is unlikely to affect a site that is not particularly high-profile. That assumption no longer holds up. The median time to exploit a newly disclosed vulnerability is now under five days — significantly faster than most businesses review and apply software updates. By the time a vulnerability is publicly known, automated scanning tools are already looking for unpatched installations.
The plugins listed above are not obscure tools used by a handful of developers. All in One SEO alone is active on more than three million sites. These are mainstream business tools — for SEO, page building, contact forms, and event management — which is precisely why they attract attention from attackers. A widely installed plugin with a known vulnerability is an efficient target. The effort required to exploit it at scale is low; the potential yield is high.
The business consequences of a compromised WordPress site are rarely limited to a technical inconvenience. Depending on how a site is exploited, the outcomes can include:
None of these outcomes require a sophisticated, targeted attack. Many happen as the result of automated scripts sweeping the web for vulnerable installations.
The immediate action is straightforward: audit your plugin versions. Log into your WordPress dashboard, go to your plugins list, and check whether you are running any of the affected tools — All in One SEO, Essential Addons for Elementor, MetForm, or The Events Calendar. If any of them are below the patched version numbers listed above, update them now, not at the end of the week.
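The version audit described above can be scripted. As an added example (not code from this post or from any of the plugins it names), the script below reads the JSON that `wp plugin list --format=json` prints and compares each installed version against the fixed versions the post gives; the plugin slugs are assumed, the sample input is constructed, and The Events Calendar is flagged for manual checking because the post states no fixed version for it.

```python
"""Audit wp-cli plugin output against the fixed versions this post lists.
Added example, not code from the post or from any plugin. Plugin slugs are
assumed; input is the JSON from `wp plugin list --format=json`."""
import json
import re

# CVE and fixed version as given in the post; None = post gives no fixed version.
ADVISORIES = {
    "all-in-one-seo-pack": ("CVE-2025-14384", "4.9.3"),                  # slug assumed
    "essential-addons-for-elementor-lite": ("CVE-2025-69092", "6.5.4"),  # slug assumed
    "metform": ("CVE-2026-0633", "4.1.1"),                               # slug assumed
    "the-events-calendar": ("CVE-2025-15043/CVE-2025-69352", None),      # slug assumed
}

# Constructed sample of wp-cli output; 6.5.10 shows why a plain string
# comparison ("6.5.10" < "6.5.4") would wrongly flag a patched plugin.
SAMPLE = json.dumps([
    {"name": "all-in-one-seo-pack", "status": "active", "update": "available", "version": "4.9.2"},
    {"name": "essential-addons-for-elementor-lite", "status": "active", "update": "none", "version": "6.5.10"},
    {"name": "metform", "status": "inactive", "update": "available", "version": "4.1.0"},
    {"name": "the-events-calendar", "status": "active", "update": "none", "version": "6.0.0"},
    {"name": "hello-dolly", "status": "active", "update": "none", "version": "1.7.2"},
])

def parse_version(v):
    """Numeric-aware version tuple: '4.9.10' > '4.9.3'; a '-beta' suffix is ignored."""
    return tuple(int(n) for n in re.findall(r"\d+", v.split("-")[0]))

def audit(plugins_json):
    """Return (slug, installed, fixed, cve, status) for each listed plugin found.
    Inactive plugins are reported too: their files stay on disk until updated."""
    rows = []
    for plugin in json.loads(plugins_json):
        slug = plugin["name"]
        if slug not in ADVISORIES:
            continue
        cve, fixed = ADVISORIES[slug]
        installed = plugin["version"]
        if fixed is None:
            status = "VERIFY"       # post names CVEs but no fixed version
        elif parse_version(installed) < parse_version(fixed):
            status = "VULNERABLE"
        else:
            status = "PATCHED"
        rows.append((slug, installed, fixed, cve, status))
    return rows

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print("%-36s installed %-7s fixed %-6s %-11s %s" % (row[0], row[1], row[2], row[4], row[3]))
```

On a live site, replace `SAMPLE` with the output of `wp plugin list --format=json` run from the WordPress root.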
Beyond this specific set of vulnerabilities, the deeper issue is process. If your site has no reliable update schedule — no regular review of plugin versions, no monitoring for new vulnerability disclosures — then this situation will repeat itself. The January 2026 roundup is not unusual. Vulnerabilities in widely-used plugins are disclosed every month. The question is whether your site is set up to respond quickly, or whether it is quietly falling behind whilst you focus on running your business.
Putting a proper update process in place does not need to be complicated, but it does need to be consistent. Whether you manage that internally or work with someone who can maintain it for you, the alternative — leaving a known vulnerability unpatched on a live business website — carries risks that are entirely avoidable.
If you are unsure where your site stands, or you want a professional review of your plugin versions and update process, get in touch with me at The WordPress Guy. I work directly with business owners and executives to make sure their WordPress sites are secure, current, and properly maintained — without the technical noise.
Jason Boyd
Specialist WordPress Engineer · Former W3C Invited Expert · 20+ years