WordPress Plugin Vulnerabilities Putting Your Business Website at Risk This Week

One hundred new WordPress vulnerabilities were disclosed in a single week. Spanning 87 plugins and one theme and affecting roughly 11.9 million active plugin installs, that single week’s report covers May 18 to May 24, 2026 alone. If your business runs a WordPress site, the odds that at least one plugin in your stack appeared somewhere in that list are uncomfortably real.

Most business owners think of plugin updates as a housekeeping task — something to do when there is time. The actual risk profile is different: a single unpatched plugin can hand an attacker full administrative control of your site, your customer data, and your business reputation, with no password required.

When an Attacker Can Create Their Own Admin Account

The WP Maps Pro vulnerability is a precise example of what “critical” means in practice. The flaw allows an unauthenticated attacker to create a new WordPress user with administrator-level access and receive a magic login URL that fully authenticates them. No brute-force attempt, no stolen credentials. An attacker who finds your site running a vulnerable version of WP Maps Pro can walk straight into your WordPress dashboard and, from there, install backdoors, exfiltrate customer data, redirect your site to malicious destinations, lock you out entirely, or silently harvest payment information over weeks before anyone notices. The site you have spent time and money building becomes a tool working against you and your customers.

Avada (Fusion) Builder versions 3.15.2 and prior carry a different category of risk. This remote code execution vulnerability allows an unauthenticated attacker to inject PHP functions and execute arbitrary code directly on the server. Avada is one of the most widely used WordPress themes and page builders on the market, which means that if your site was built using it and has not been updated past version 3.15.2, your server is exposed to code execution by anyone who chooses to target it.

The scale of active exploitation puts these risks in context. More than 29,300 exploitation attempts targeting a WordPress plugin vulnerability were blocked by Wordfence, with a single-day spike of over 17,900 attacks recorded on 16 May 2026. Live attacks, running at volume, hitting real sites.

The 30-Day Window That Separates Protected Sites from Exposed Ones

A 30-day protection gap is the concrete outcome of how free and paid security tiers differ. A critical vulnerability discovered on 8 May 2026 exposed over 200,000 websites to full account takeover: Wordfence’s PRISM system identified it, and paid customers on Premium, Care, or Response tiers received firewall protection the same day. Free users were scheduled to receive the same protection on 7 June 2026. For a full month, every site running the free tier was unprotected against a known, actively exploited vulnerability.

The business logic here matters more than the product choice. If your website generates revenue, holds customer data, or represents your brand to the world, treating its security as a cost to minimise is the wrong frame. The question is whether your current protection level matches the actual value of the site as a business asset, and for most businesses it does not. Free security tools have genuine value for personal projects and low-stakes sites, but for a business site handling customer enquiries, processing transactions, or anchoring your marketing, a 30-day lag in receiving firewall coverage for a known critical vulnerability is a business continuity risk.

Keeping plugins updated is the single most direct action available to any site owner. Most of the vulnerabilities disclosed each week have patches available, and the attack surface exists because sites are running outdated versions. Attackers know it: automated scanners probe millions of sites continuously, looking for version strings that match known vulnerable releases.

A few practical points worth building into your site management:

• Check your WordPress dashboard for plugin updates at least once a week
• Remove plugins that are no longer actively maintained or that you no longer use
• Verify that your security plugin is on a tier that delivers real-time firewall rules, not delayed ones
• Confirm that Avada (Fusion) Builder, if present on your site, is updated past version 3.15.2

One consequence that rarely comes up in these conversations is what happens with Google. A site that serves malware or redirects visitors to phishing pages gets flagged, and once Google marks a domain as dangerous, recovering that trust takes weeks of documented remediation, a manual review request, and time you cannot get back. The SEO damage compounds the direct harm, and a business that has spent years building organic search presence can see it collapse because of a single unpatched plugin.

If you are not certain which plugins are running on your site, which versions they are at, or whether your current security configuration would have protected you during that 30-day window described above, that uncertainty is the risk. A professional audit of your plugin stack will tell you exactly where you stand.

I offer a WordPress security audit specifically for business sites: a structured review of your plugin versions, your security configuration, and the gaps between your current setup and the threat level your site actually faces. Given that over 29,300 live attacks were recorded against a single vulnerability in recent weeks, and that 100 new vulnerabilities were disclosed in one week alone, waiting until a problem surfaces is not a strategy.

Book a security audit at The WordPress Guy and find out whether your site would have survived the last 30 days unscathed.