
Critical WordPress Plugin Flaws Enable Admin Takeover


Published Jason Boyd

Attackers run automated scans continuously, and when a flaw is disclosed, exploitation attempts begin within hours. In June 2026, several critical vulnerabilities in widely used WordPress plugins gave those attackers exactly what they needed: a path to full administrative control, with no password required.

The WP Maps Pro flaw illustrates how serious this gets. An attacker can call a publicly accessible AJAX action on any site running the plugin and instruct WordPress to create a new administrator account. The action's only guard is a nonce check, and that check is ineffective because the plugin prints the nonce into every frontend page, where any visitor can read it. A nonce is a CSRF token, not proof that the caller is allowed to do anything, so without a capability check behind it the endpoint is effectively open. The site then sends the attacker a magic login URL for the new account. No brute force, no phishing, no social engineering: one unpatched plugin, and someone else owns your site. The Hacker News covered the active exploitation of this flaw in detail.
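The shape of this bug, shown as an added example rather than the WP Maps Pro plugin's own code: a hypothetical plugin (all `example_maps_*` names are invented) hands its nonce to a frontend script, registers the handler for logged-out users, and never asks whether the caller may create users. The hardened form below it adds the three things the vulnerable one lacks.

```php
<?php
/*
 * Added example, not code from WP Maps Pro or any other real plugin.
 * Everything prefixed example_maps_ is hypothetical.
 */

/* ---------- VULNERABLE PATTERN ---------- */

// The nonce is handed to the frontend script, so it appears in the HTML of
// every public page. For logged-out visitors WordPress derives it from user
// ID 0 and an empty session token, so every anonymous visitor, the attacker
// included, receives the same value.
add_action( 'wp_enqueue_scripts', function () {
    wp_enqueue_script( 'example-maps', plugins_url( 'maps.js', __FILE__ ), array(), '1.0', true );
    wp_localize_script( 'example-maps', 'exampleMaps', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'example_maps_nonce' ),
    ) );
} );

// wp_ajax_nopriv_ makes the handler reachable without logging in.
add_action( 'wp_ajax_nopriv_example_maps_setup', 'example_maps_setup_vulnerable' );
add_action( 'wp_ajax_example_maps_setup', 'example_maps_setup_vulnerable' );
function example_maps_setup_vulnerable() {
    // The only check is the nonce that every visitor already has.
    check_ajax_referer( 'example_maps_nonce', 'nonce' );
    // No capability check, and the handler hard-codes the administrator role.
    $user_id = wp_insert_user( array(
        'user_login' => sanitize_user( wp_unslash( $_POST['login'] ?? '' ) ),
        'user_email' => sanitize_email( wp_unslash( $_POST['email'] ?? '' ) ),
        'user_pass'  => wp_generate_password( 24 ),
        'role'       => 'administrator',
    ) );
    if ( is_wp_error( $user_id ) ) {
        wp_send_json_error( $user_id->get_error_message(), 400 );
    }
    wp_send_json_success( array( 'user_id' => $user_id ) );
}

/* ---------- HARDENED PATTERN ---------- */
// 1. No wp_ajax_nopriv_ registration: anonymous requests never reach the handler.
// 2. A capability check: the nonce only proves the request came from a page the
//    site served, not that the caller may create users.
// 3. The role is fixed to the least privilege the feature needs; nothing that
//    can be reached from the frontend creates administrators at all.
add_action( 'wp_ajax_example_maps_setup', 'example_maps_setup_hardened' );
function example_maps_setup_hardened() {
    check_ajax_referer( 'example_maps_nonce', 'nonce' );
    if ( ! current_user_can( 'create_users' ) ) {
        wp_send_json_error( 'Insufficient permissions.', 403 );
    }
    $login = sanitize_user( wp_unslash( $_POST['login'] ?? '' ), true );
    $email = sanitize_email( wp_unslash( $_POST['email'] ?? '' ) );
    if ( '' === $login || ! is_email( $email ) ) {
        wp_send_json_error( 'Invalid login or email.', 400 );
    }
    $user_id = wp_insert_user( array(
        'user_login' => $login,
        'user_email' => $email,
        'user_pass'  => wp_generate_password( 24 ),
        'role'       => 'subscriber',
    ) );
    if ( is_wp_error( $user_id ) ) {
        wp_send_json_error( $user_id->get_error_message(), 400 );
    }
    wp_send_json_success( array( 'user_id' => $user_id ) );
}
```

When reviewing a plugin, grep for `wp_ajax_nopriv_` and for REST routes whose `permission_callback` returns true, then read each handler for a `current_user_can()` call; a `check_ajax_referer()` on its own is the pattern shown in the vulnerable half.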

Gravity SMTP, a plugin used to manage transactional email, carried a flaw that let attackers read the API keys it stored. It drew more than 17 million attack attempts, and live API keys were stolen from more than 100,000 WordPress sites. Depending on the service connected, a stolen key hands an attacker access to your email provider, your CRM, or your payment processor's API, so the damage extends well beyond the WordPress site itself. Patching closes the hole but does not revoke keys that were already taken: every key the plugin held has to be rotated at the provider, and the provider's usage logs checked for activity from addresses you do not recognise.

CVE-2026-8713 is an unauthenticated arbitrary file-deletion vulnerability in the Avada Builder plugin, which is installed on approximately one million WordPress sites. Arbitrary file deletion sounds less severe than code execution, but it converts directly into a takeover: if an attacker removes wp-config.php, WordPress no longer knows its database and presents the installer on the next request, and whoever completes that installer creates the first administrator account from scratch. The Next Web reported the scale of this exposure across those million sites.
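The underlying defect in this class of bug, as an added example that is not Avada Builder's code: a hypothetical delete handler (all `example_*` names are invented) builds a filesystem path from a request parameter and calls `unlink()` on it with no login required. The hardened form stops accepting paths at all and deletes by attachment ID, and a helper shows how to confine a path to the uploads directory when a path genuinely cannot be avoided.

```php
<?php
/*
 * Added example, not code from Avada Builder or any other real plugin.
 * Everything prefixed example_ is hypothetical.
 */

/* ---------- VULNERABLE: anonymous, path taken straight from the request ---------- */
add_action( 'wp_ajax_nopriv_example_remove_upload', 'example_remove_upload_vulnerable' );
function example_remove_upload_vulnerable() {
    $path = wp_upload_dir()['basedir'] . '/' . wp_unslash( $_POST['file'] ?? '' );
    // file=../../wp-config.php resolves to <webroot>/wp-config.php. Once that
    // file is gone, the next request to the site shows the installer.
    if ( file_exists( $path ) ) {
        unlink( $path );
    }
    wp_send_json_success();
}

/* ---------- HARDENED ---------- */
// Preferred form: never accept a path. Take an attachment ID, let WordPress
// check that this user may delete that post, and let WordPress do the deletion.
add_action( 'wp_ajax_example_remove_upload', 'example_remove_upload_hardened' );
function example_remove_upload_hardened() {
    check_ajax_referer( 'example_remove_upload', 'nonce' );
    $attachment_id = absint( $_POST['attachment'] ?? 0 );
    if ( ! $attachment_id || 'attachment' !== get_post_type( $attachment_id ) ) {
        wp_send_json_error( 'Unknown attachment.', 404 );
    }
    if ( ! current_user_can( 'delete_post', $attachment_id ) ) {
        wp_send_json_error( 'Insufficient permissions.', 403 );
    }
    if ( ! wp_delete_attachment( $attachment_id, true ) ) {
        wp_send_json_error( 'Deletion failed.', 500 );
    }
    wp_send_json_success();
}

// If a path really must be accepted (a temp file the plugin itself wrote, say),
// resolve it and prove the result lives under the uploads directory. Usage:
//   $target = example_confine_to_uploads( wp_unslash( $_POST['file'] ?? '' ) );
//   if ( null === $target ) { wp_send_json_error( 'Invalid file.', 400 ); }
//   unlink( $target );
function example_confine_to_uploads( $relative ) {
    if ( ! is_string( $relative ) || '' === $relative || false !== strpos( $relative, "\0" ) ) {
        return null;
    }
    $base = realpath( wp_upload_dir()['basedir'] );
    if ( false === $base ) {
        return null;
    }
    // realpath() resolves "..", symlinks and "." after the join, so the check
    // below sees the real target rather than the string the caller supplied.
    $candidate = realpath( $base . DIRECTORY_SEPARATOR . ltrim( $relative, '/\\' ) );
    if ( false === $candidate || ! is_file( $candidate ) ) {
        return null;
    }
    // Compare with a trailing separator so "/var/www/uploads-old/x" does not
    // pass as being inside "/var/www/uploads".
    if ( 0 !== strpos( $candidate, $base . DIRECTORY_SEPARATOR ) ) {
        return null;
    }
    return $candidate;
}
```

The ID-based handler is the one to prefer: it removes the path from the request entirely, and `delete_post` is a meta-capability that WordPress resolves per user and per post, so an author cannot delete another author's uploads either.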

Plugins and Themes Are Where Attacks Land, Not WordPress Core

Only 36.7% of hacked WordPress sites were compromised through outdated WordPress core; plugins and themes account for the dominant share of successful attacks. Business owners sometimes assume that keeping WordPress itself updated is sufficient, but the data says otherwise. The practical problem is that most site owners update WordPress core promptly and then treat plugin updates as lower priority, or leave them to auto-update without any monitoring to confirm the updates actually ran. Auto-update fails quietly: a filesystem permissions problem, a failed download, or a premium plugin whose licence has lapsed and can no longer fetch its package all leave the old version in place indefinitely unless something checks.

In a single week between 18 and 24 May 2026, Wordfence’s weekly disclosure report covered 100 newly disclosed vulnerabilities across 87 plugins and one theme, affecting roughly 11.9 million active plugin installs. That is one week. Across a year, the volume of new plugin vulnerabilities is substantial, and any site running a plugin from that list without an active monitoring arrangement is exposed from the moment the vulnerability is published.

The sequence is consistent: a flaw is disclosed, Wordfence and similar services publish details, and automated scanners begin probing for unpatched sites within hours. Sites without a web application firewall receive those probes directly; sites without active monitoring may not know the probes are happening at all. More than 29,300 exploitation attempts against a single plugin vulnerability were blocked in one monitored period, with over 17,900 attacks recorded in a single day. The volume is real. A firewall rule that blocks the known request pattern buys time while you patch; it is not a substitute for the patch, because a variant of the request the rule does not recognise still reaches the vulnerable code.
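One way to confirm that updates actually ran, as an added example and not code from any plugin or service named on this page: a must-use plugin (all `example_update_watch_*` names, the option name and the two-day grace period are assumptions) that checks the pending-update list once a day, records when each pending version was first seen, and emails the site administrator about anything that has been waiting longer than the grace period. An update that auto-update applied disappears from the list and is forgotten; one that silently failed keeps ageing until someone is told.

```php
<?php
/*
 * Plugin Name: Example Update Watch
 * Description: Added example, not a real plugin. Reports plugin updates that
 * have been pending longer than a grace period. Place this file in
 * wp-content/mu-plugins/ (must-use plugins load without activation).
 */

define( 'EXAMPLE_UPDATE_GRACE', 2 * DAY_IN_SECONDS ); // how long an update may sit unapplied

add_action( 'init', function () {
    if ( ! wp_next_scheduled( 'example_update_watch' ) ) {
        wp_schedule_event( time(), 'daily', 'example_update_watch' );
    }
} );
add_action( 'example_update_watch', 'example_update_watch_run' );

/**
 * Pending plugin updates as plugin_file => [name, current, new, active],
 * read from the update_plugins transient after asking WordPress to refresh it.
 */
function example_pending_plugin_updates() {
    require_once ABSPATH . 'wp-admin/includes/plugin.php';
    wp_update_plugins(); // refreshes the transient if it is stale instead of trusting the last run
    $transient = get_site_transient( 'update_plugins' );
    $installed = get_plugins();
    $pending   = array();
    if ( empty( $transient->response ) ) {
        return $pending;
    }
    foreach ( $transient->response as $file => $update ) {
        $pending[ $file ] = array(
            'name'    => isset( $installed[ $file ] ) ? $installed[ $file ]['Name'] : $file,
            'current' => isset( $installed[ $file ] ) ? $installed[ $file ]['Version'] : '?',
            'new'     => $update->new_version,
            'active'  => is_plugin_active( $file ),
        );
    }
    return $pending;
}

/**
 * Remember when each (plugin, new version) pair was first seen pending. Anything
 * still pending after the grace period is overdue: auto-update did not run,
 * failed, or the plugin cannot fetch its package (for example a lapsed licence).
 */
function example_update_watch_run() {
    $now     = time();
    $pending = example_pending_plugin_updates();
    $seen    = (array) get_option( 'example_update_watch_seen', array() );
    $live    = array();
    $overdue = array();

    foreach ( $pending as $file => $p ) {
        $key          = $file . '@' . $p['new'];
        $live[ $key ] = isset( $seen[ $key ] ) ? (int) $seen[ $key ] : $now;
        if ( $now - $live[ $key ] > EXAMPLE_UPDATE_GRACE ) {
            $overdue[] = sprintf(
                '%s: %s -> %s (%s, pending for %s)',
                $p['name'], $p['current'], $p['new'],
                $p['active'] ? 'active' : 'inactive',
                human_time_diff( $live[ $key ], $now )
            );
        }
    }
    // Keys absent from $live were applied (or the plugin was removed); dropping
    // them here means a version that reappears later starts its clock again.
    update_option( 'example_update_watch_seen', $live, false );

    if ( $overdue ) {
        wp_mail(
            get_option( 'admin_email' ),
            sprintf( '[%s] %d plugin update(s) overdue', wp_parse_url( home_url(), PHP_URL_HOST ), count( $overdue ) ),
            implode( "\n", $overdue )
        );
    }
}
```

Two caveats. WP-Cron only runs when the site receives traffic unless a real system cron calls wp-cron.php, so a quiet site may not run the daily check on time. And an inactive plugin with a pending update is still on disk and, for many vulnerabilities, still reachable; treat the "inactive" entries in the report as candidates for deletion rather than as low priority.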

What a Compromised Site Actually Costs a Business

A rogue administrator account gives an attacker the same access you have. They can install a plugin containing whatever PHP they like, which is code execution on your server, modify files, export your customer database, redirect your checkout, or use your server to send spam. If your site runs WooCommerce, the exposure is direct: order data, customer email addresses, billing details, and any stored payment tokens are all accessible. Google may flag your domain if malicious code is injected, your hosting provider may suspend the account, and customers who receive phishing emails traced to your domain lose confidence in your business.

Recovery from a full compromise is slow and expensive. Forensic cleanup, credential resets across every connected service, and a security audit take time and money, and if customer data was accessed, you may have notification obligations under UK GDPR. The cost of prevention is a fraction of the cost of that process.

There is one angle that business owners rarely consider until it is too late. Zero-day exploitation, where attackers use a flaw before it is patched or published, is a real risk for popular plugins. By the time a CVE number is assigned and Wordfence publishes its report, some sites are already compromised, and patching those sites afterwards removes the entry point but not the attacker's administrator account, backdoor or stolen keys. Active monitoring that watches for behavioural indicators, such as unexpected new administrator accounts, role changes, or modified plugin and core files, catches intrusions that patch management alone misses. The more useful question about your WordPress site is therefore whether you would know if an attack had already succeeded, and whether anything is in place to stop the next attempt before it does.
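The first of those indicators, unexpected administrator accounts, is cheap to watch for. Below is an added example, not code from any product mentioned on this page: a must-use plugin (all `example_admin_watch_*` names, the snapshot option and the hourly schedule are assumptions) that alerts in real time when a user is given the administrator role through the WordPress API, and separately diffs the full administrator list against a stored baseline every hour, which also catches accounts written straight into the database where no hook fires.

```php
<?php
/*
 * Plugin Name: Example Admin Watch
 * Description: Added example, not a real plugin. Alerts on new or removed
 * administrator accounts. Place this file in wp-content/mu-plugins/.
 */

/* Real-time: role changes made through the WordPress API fire these hooks. */
add_action( 'set_user_role', function ( $user_id, $role, $old_roles ) {
    if ( 'administrator' === $role && ! in_array( 'administrator', (array) $old_roles, true ) ) {
        example_admin_watch_alert( 'role set to administrator', (int) $user_id );
    }
}, 10, 3 );
add_action( 'add_user_role', function ( $user_id, $role ) {
    if ( 'administrator' === $role ) {
        example_admin_watch_alert( 'administrator role added', (int) $user_id );
    }
}, 10, 2 );

/* Periodic: diff the administrator set against the last snapshot. This catches
 * accounts inserted directly into wp_users/wp_usermeta (a SQL injection, a
 * stolen database password), which never pass through the hooks above. */
add_action( 'init', function () {
    if ( ! wp_next_scheduled( 'example_admin_watch_scan' ) ) {
        wp_schedule_event( time(), 'hourly', 'example_admin_watch_scan' );
    }
} );
add_action( 'example_admin_watch_scan', 'example_admin_watch_scan' );

function example_current_admins() {
    $admins = array();
    $users  = get_users( array(
        'role'   => 'administrator',
        'fields' => array( 'ID', 'user_login', 'user_email', 'user_registered' ),
    ) );
    foreach ( $users as $u ) {
        $admins[ (int) $u->ID ] = array(
            'login'      => $u->user_login,
            'email'      => $u->user_email,
            'registered' => $u->user_registered,
        );
    }
    ksort( $admins );
    return $admins;
}

function example_admin_watch_scan() {
    $current = example_current_admins();
    $known   = get_option( 'example_admin_watch_snapshot', null );
    if ( ! is_array( $known ) ) {
        update_option( 'example_admin_watch_snapshot', $current, false ); // first run: record the baseline only
        return;
    }
    foreach ( array_diff_key( $current, $known ) as $id => $u ) {
        example_admin_watch_alert( sprintf( 'administrator not in baseline (registered %s)', $u['registered'] ), $id );
    }
    foreach ( array_diff_key( $known, $current ) as $id => $u ) {
        example_admin_watch_alert( sprintf( 'administrator removed (was %s)', $u['login'] ), $id );
    }
    update_option( 'example_admin_watch_snapshot', $current, false );
}

function example_admin_watch_alert( $reason, $user_id ) {
    $user  = get_userdata( $user_id );
    $login = $user ? $user->user_login : '(no user record)';
    $actor = is_user_logged_in() ? wp_get_current_user()->user_login : 'anonymous/cron';
    $ip    = isset( $_SERVER['REMOTE_ADDR'] ) ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) ) : 'n/a';
    $msg   = sprintf(
        '%s: user #%d (%s), triggered by %s from %s at %s',
        $reason, $user_id, $login, $actor, $ip, gmdate( 'c' )
    );
    // The server log is a copy outside the database, which a database-level
    // attacker may be able to edit; the email is a copy outside the server.
    error_log( 'example_admin_watch: ' . $msg );
    wp_mail(
        get_option( 'admin_email' ),
        sprintf( '[%s] administrator change', wp_parse_url( home_url(), PHP_URL_HOST ) ),
        $msg
    );
}
```

An administrator created through the AJAX flaw described earlier fires `set_user_role` immediately, because `wp_insert_user()` assigns the role through the normal API; the hourly diff is there for the cases that bypass it. The baseline itself lives in the options table, so an attacker with database access can reset it; that is why the alert writes to the server log and to email rather than only to the database, and why the first thing to do when an alert arrives is to compare against a copy of the baseline kept off the server.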


If you are running a WordPress or WooCommerce site and you are not certain whether your plugins are patched, whether a web application firewall is active, or whether anyone is watching for signs of compromise, I offer a focused security review at The WordPress Guy. Given that exploitation of June 2026 vulnerabilities is already underway and attackers are scanning for unpatched sites now, the window to act before an incident is narrow. Book a security review and I will tell you exactly where your site stands.



Jason Boyd

Specialist WordPress Engineer · Former W3C Invited Expert · 20+ years

I fix the WordPress problems other developers walk away from. Backed by a 1st Class degree in Computer Science, an MSc in Cybersecurity, and over 20 years of specialist WordPress work, I diagnose issues at their root cause and resolve them permanently — for businesses that cannot afford guesswork or repeat failures.
