Critical WordPress Plugin Flaws Enable Admin Takeover
Attackers run automated scans continuously, and when a flaw is disclosed, exploitation attempts begin within hours. In June 2026, several critical
If your WordPress site is running WPForms, WPvivid, or Smart Slider 3, and those plugins have not been updated in the past few weeks, your site is exposed
If your WordPress site is running WPForms, WPvivid, or Smart Slider 3, and those plugins have not been updated in the past few weeks, your site is exposed to vulnerabilities publicly disclosed in June 2026. Patches exist for all three. The question is whether you have applied them.
The scale here is worth taking seriously. WPForms alone is active on over 6,000,000 WordPress sites, WPvivid on more than 900,000, and Smart Slider 3 on more than 800,000. When a vulnerability is disclosed for plugins at that level of adoption, the number of unpatched sites running outdated versions runs into hundreds of thousands within days of disclosure. Attackers scan for known vulnerable versions automatically, and sites running outdated software become targets of opportunity without needing to be singled out.
WPForms (CVE-2026-7792) affects the PayPal Commerce Webhook Endpoint and carries a medium-severity rating. The vulnerability is unauthenticated, meaning an attacker needs no login or account on your site to attempt to exploit it. The patch landed in version 1.10.0.5. If your site uses WPForms to process payments or collect enquiries and is running an earlier version, check your plugin version now. The June 2026 vulnerability roundup from Sucuri confirms the details.
WPvivid (CVE-2025-12656) is a backup and migration plugin used on over 900,000 sites. The flaw is an authenticated arbitrary directory deletion vulnerability, patched in version 0.9.129. An authenticated attacker, meaning someone with even a low-level account on your site such as a subscriber or editor, could delete directories on your server. Backup plugins hold privileged access to your files by design, so a flaw in one exposes the entire file structure the plugin is authorised to touch.
Smart Slider 3 (CVE-2026-9197) contained a path traversal vulnerability in its HTML export function, specifically via the src and srcset attributes. Path traversal allows an attacker to read files outside the intended directory: in practice, private files on your server, including configuration files that contain database credentials. The patch is in version 3.5.1.37.
These three vulnerabilities sit across different categories of risk. One requires no login at all, one requires only a basic account, and one exposes your server’s file system to an authenticated user. Together they illustrate that the attack surface depends entirely on the plugin’s function and what permissions it holds.
If an attacker reads your WordPress configuration file through a path traversal flaw, they obtain your database credentials, which gives them access to every record in your database: customer details, order history, form submissions, user accounts. If your site runs WooCommerce, that includes the data stored against every customer order, from billing addresses to purchase history. The exposure is direct and immediate.
Directory deletion, as with the WPvivid flaw, can take your site offline entirely. If the backup plugin is the tool you planned to use for recovery, and an attacker deletes the directories it manages, both the site and the restore point disappear simultaneously.
The immediate action for all three is the same: update to the patched version. WPForms to 1.10.0.5, WPvivid to 0.9.129, Smart Slider 3 to 3.5.1.37. If you manage your own WordPress dashboard, go to Plugins, check the installed versions, and apply any pending updates. The version number appears next to each plugin name in the Plugins screen, so confirming where you stand takes under a minute.
What tends to catch business owners off guard is the gap between a patch being released and that patch being applied. Plugin updates do not install themselves unless you have automatic updates enabled, and many sites do not. A vulnerability can be publicly known, with a patch available, for weeks before an unmanaged site receives it, and that window is when exposure is highest because the vulnerability details are public but the fix has not landed.
There is also a consequence that rarely gets discussed: search engine penalties. Google’s Safe Browsing system flags sites that serve malicious content, including sites compromised and injected with spam or redirects without the owner’s knowledge. A compromised site can lose search rankings, trigger browser warnings for visitors, and damage the domain’s reputation in ways that persist long after the original infection is cleaned up. Recovering that standing takes time and deliberate effort, and it happens after the technical fix, as a separate process.
Keeping plugins updated is the same category of routine maintenance as renewing a domain or checking that your contact form still works. The difference is that a missed plugin update has a defined, exploitable consequence, and the timeline between disclosure and active exploitation is measured in days.
If managing plugin updates, monitoring for new disclosures, and verifying patch status is not something you have time to own personally, that is a legitimate reason to engage professional WordPress support. I offer ongoing maintenance and security monitoring through The WordPress Guy, with plugin updates applied promptly and version status tracked as a matter of course.
If your site runs any of the three plugins named in this post and you have not confirmed the patched versions are installed, contact me now at The WordPress Guy before your site becomes part of the next wave of compromised installations. The patches are available, and the risk of waiting is specific and documented.
Related articles
Attackers run automated scans continuously, and when a flaw is disclosed, exploitation attempts begin within hours. In June 2026, several critical
A PCI DSS certificate on the wall does not mean your WooCommerce checkout is secure. It means you have met a minimum standard for handling cardholder
Any WooCommerce store running a version below 7.1.0 is currently exposed to a vulnerability with no available fix. An attacker who successfully exploits
Security issues need permanent fixes, not surface-level patches. This is exactly the work I specialise in.
View security services →
Jason Boyd
Specialist WordPress Engineer · Former W3C Invited Expert · 20+ years
I fix the WordPress problems other developers walk away from. Backed by a 1st Class degree in Computer Science, an MSc in Cybersecurity, and over 20 years of specialist WordPress work, I diagnose issues at their root cause and resolve them permanently — for businesses that cannot afford guesswork or repeat failures.
If this article describes your situation, I can diagnose the specifics and fix it properly. Send your brief and I'll respond the same working day.