WPForms, WPvivid & Smart Slider 3 Vulnerabilities Patched
If your WordPress site is running WPForms, WPvivid, or Smart Slider 3, and those plugins have not been updated in the past few weeks, your site is exposed
Over 250 new WordPress plugin vulnerabilities are disclosed every week. This is the normal operating condition of the WordPress plugin ecosystem in 2026,
Over 250 new WordPress plugin vulnerabilities are disclosed every week. This is the normal operating condition of the WordPress plugin ecosystem in 2026, not a seasonal spike or the fallout from a single high-profile breach. Of those disclosures, 43% are exploitable without any login credentials whatsoever. An attacker needs only to find a site running a vulnerable plugin, and automated scanners do that work for them at scale.
If your business runs on WordPress, this is the environment your site exists in every single day.
Avada Builder is installed on approximately one million WordPress sites. In June 2026, Wordfence issued an advisory for CVE-2026-8713, a critical unauthenticated arbitrary file-deletion vulnerability in that plugin. No account, no session, no social engineering required. An attacker who knows the flaw exists can delete files on your server without ever touching a login form, and the consequences range from a broken site to complete loss of data, depending on which files are targeted and how quickly the attack is detected.
That single disclosure affected one in every million WordPress installations, and it is one of 87 vulnerabilities logged by Wordfence in just one week, April 27 to May 3, 2026. Your site is almost certainly running several plugins at any given moment, each with its own update cycle, its own development team, and its own exposure window between when a flaw is discovered and when a patch is installed. The volume of disclosures is almost beside the point.
Wordfence’s bug bounty programme pays researchers up to $1,200 per qualifying vulnerability submitted. That financial incentive keeps researchers looking, and the disclosures will keep coming.
Attackers actively target known, patched vulnerabilities because the gap between a patch being released and a site owner applying it is often days, weeks, or longer. The overwhelming majority of compromised WordPress sites are running outdated core, plugin, or theme versions at the time of attack, and this is no coincidence. Once a fix is published, the vulnerability it addresses is effectively documented for anyone who wants to reverse-engineer it, making unpatched sites the obvious targets.
A plugin update that breaks a payment gateway, a booking system, or a product configurator can take your site offline or corrupt a customer-facing workflow, which is why managed auto-updates are useful but incomplete. Auto-update systems do not validate compatibility before applying a patch, so the update itself becomes an incident if it is not tested first. There is a common assumption among business owners that plugin updates are a developer’s concern, something to handle when there is time, but the risk sits with the business owner regardless of who applies the patch.
The cost of a breach compounds quickly. Customer data exposed in an attack triggers notification obligations under UK GDPR, and the Information Commissioner’s Office has the power to issue fines. A domain flagged by Google’s Safe Browsing as distributing malware loses organic search rankings, and those rankings do not return the moment the problem is fixed. A site taken offline loses revenue for every hour it is down, and rebuilding trust with customers who received a phishing email sent from your compromised domain is a slower and more expensive problem than any of the technical remediation work.
Wordfence had already recorded 4,534 distinct new WordPress vulnerabilities across 2025 as of late April that year, and the pace has not slowed. Every plugin in your stack is a potential entry point. The realistic question is whether your site will be patched before an attacker scans it, and the answer depends entirely on whether someone is actively managing your WordPress installation or whether updates are being deferred, batched, or ignored.
One angle that rarely gets considered: third-party integrations compound the exposure. A plugin connecting your WordPress site to a CRM, a payment processor, or an email platform holds API credentials. A file-deletion vulnerability like the one in Avada Builder could remove configuration files that store those credentials in plain text, or destabilise the site enough that a secondary attack has room to operate, meaning the breach reaches into whatever your site connects to, well beyond WordPress itself.
This is the business continuity argument for treating plugin security as a standing operational responsibility rather than a periodic maintenance task.
Auditing your current plugin stack is the right place to start: identifying every active plugin and theme, checking each against current vulnerability databases, confirming that auto-updates are configured appropriately for your environment, and establishing a tested update process that catches compatibility problems before they reach your live site. Removing plugins that are no longer maintained by their developers matters too, because unmaintained plugins receive no patches regardless of what vulnerabilities emerge.
If you want me to audit your WordPress plugin stack and identify your current exposure, contact The WordPress Guy. Given that 43% of disclosed vulnerabilities require no login credentials to exploit, every week without a security review is a week your site is scanned by automated tools that already know what to look for. I offer a structured security hardening review specifically for business owners who need to know where they stand before an incident forces the question.
Related articles
If your WordPress site is running WPForms, WPvivid, or Smart Slider 3, and those plugins have not been updated in the past few weeks, your site is exposed
Attackers run automated scans continuously, and when a flaw is disclosed, exploitation attempts begin within hours. In June 2026, several critical
A PCI DSS certificate on the wall does not mean your WooCommerce checkout is secure. It means you have met a minimum standard for handling cardholder
Security issues need permanent fixes, not surface-level patches. This is exactly the work I specialise in.
View security services →
Jason Boyd
Specialist WordPress Engineer · Former W3C Invited Expert · 20+ years
I fix the WordPress problems other developers walk away from. Backed by a 1st Class degree in Computer Science, an MSc in Cybersecurity, and over 20 years of specialist WordPress work, I diagnose issues at their root cause and resolve them permanently — for businesses that cannot afford guesswork or repeat failures.
If this article describes your situation, I can diagnose the specifics and fix it properly. Send your brief and I'll respond the same working day.