April 2026 brought a wave of serious security disclosures affecting some of the most widely installed plugins in the WordPress ecosystem. If your site runs Elementor, Advanced Custom Fields, ManageWP Worker, or W3 Total Cache, you need to check your versions today. Several of these vulnerabilities require no login credentials to exploit, meaning any attacker who knows a site is running an outdated version can target it directly from the open internet, no password required.
This is not a theoretical risk. Sucuri identifies automated attacks targeting known software vulnerabilities as one of the leading causes of website compromises. Bots continuously scan millions of sites looking for unpatched versions of popular plugins. When they find one, the attack can be launched in seconds. The business running that site rarely knows anything has happened until the damage is done.
The Affected Plugins and What You Need to Know
Elementor Website Builder is installed on over 10,000,000 WordPress sites. Versions 3.35.5 and below contain a Cross Site Scripting (XSS) vulnerability rated Medium risk. The patched version is 3.35.6. Given the sheer scale of Elementor’s install base, this vulnerability is an attractive target regardless of its severity rating. If you or your developer built your site with Elementor, check the version running on your site right now.
Advanced Custom Fields (ACF) has over 2,000,000 installations and versions 6.7.0 and below contain a Broken Access Control vulnerability rated Medium risk. Like the Elementor flaw, this one requires no authentication to exploit. An attacker does not need an account on your site to take advantage of it. The patched version is 6.7.1.
ManageWP Worker is used by site owners and agencies to manage WordPress installations remotely. Versions 4.9.31 and below contain a Cross Site Scripting vulnerability rated High risk, affecting over 1,000,000 installations, and it requires no authentication to exploit. The patched version is 4.9.32. A High-severity, unauthenticated XSS flaw in a plugin designed for site management is a serious combination. If this plugin is active on your site and running an outdated version, update it immediately.
W3 Total Cache is one of the most popular caching plugins available, again with over 1,000,000 installations affected by a Sensitive Data Exposure vulnerability rated High risk. This vulnerability also requires no authentication. Sensitive Data Exposure at the High risk level means an attacker could access information your site is not intended to share. Check whether a patched version is available and apply it without delay.
What a Compromised Site Actually Costs
Business owners sometimes treat plugin updates as a low-priority task, something to get to when there is time. That calculation changes quickly once a site is compromised. Recovery from a serious attack typically involves forensic investigation to understand what was accessed, cleaning infected files, restoring from backups if backups exist and are clean, and then hardening the site to prevent a repeat. That work takes time and costs money. If customer data was exposed, there may be regulatory obligations to consider under UK GDPR. If the site was used to distribute malware to visitors, Google will flag it and search rankings will suffer. If an online shop was taken offline mid-campaign, the lost revenue is gone.
None of that is hypothetical. It is the predictable outcome when a known, fixable vulnerability is left unpatched on a live site. The update that closes the gap takes minutes. The recovery work that follows a breach can take days or weeks, and some of the reputational damage may not be recoverable at all.
The plugins named in this roundup are popular precisely because they are genuinely useful. Elementor powers the layout of millions of business sites. ACF gives developers flexible content management tools. W3 Total Cache improves site speed. The fact that they contain vulnerabilities is not a reason to remove them. It is a reason to keep them updated and to have a process for doing so reliably.
If you manage your own WordPress site, log into your dashboard, go to Plugins, and compare the versions you are running against the patched versions listed above. If you are running an outdated version of any of these four plugins, apply the update now. If your site is managed by an agency or a developer and you are not certain whether these updates have been applied, ask them directly. You are entitled to a clear answer.
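For sites you administer from the command line, the dashboard comparison above can be scripted. The following is an added example, not code from the original post or from any of the plugin vendors: it reads the output of WP-CLI's `wp plugin list --format=json` and compares each of the four plugins against the patched versions listed in this roundup. The wordpress.org slugs used for the plugins and the sample JSON are my own assumptions to verify against your install; W3 Total Cache has no fixed version stated above, so it is flagged for a manual check rather than compared.

```python
import json
import re

# Minimum patched versions as stated in the April 2026 roundup above.
# None means the roundup gives no fixed version: flag for a manual vendor check.
# Slugs are assumed wordpress.org slugs; confirm them against `wp plugin list`.
PATCHED = {
    "elementor": "3.35.6",
    "advanced-custom-fields": "6.7.1",
    "worker": "4.9.32",          # ManageWP Worker
    "w3-total-cache": None,
}

def version_key(version: str) -> tuple:
    """Turn '3.35.6' into (3, 35, 6) so versions compare numerically rather
    than as strings ('3.35.10' must sort after '3.35.6'). Non-numeric
    suffixes such as '-beta' are ignored, which is fine for a minimum check."""
    return tuple(int(n) for n in re.findall(r"\d+", version))

def audit_plugins(wp_cli_json: str) -> dict:
    """Take the text printed by `wp plugin list --format=json` and return, for
    each plugin from the roundup that is installed, one of 'ok', 'outdated'
    or 'verify-manually'. Inactive plugins are reported too: an outdated
    plugin left on disk should still be updated or removed."""
    findings = {}
    for plugin in json.loads(wp_cli_json):
        slug = plugin["name"]
        if slug not in PATCHED:
            continue
        fixed = PATCHED[slug]
        if fixed is None:
            findings[slug] = "verify-manually"
        elif version_key(plugin["version"]) < version_key(fixed):
            findings[slug] = "outdated"
        else:
            findings[slug] = "ok"
    return findings

# Constructed sample in the shape WP-CLI prints; not captured from a real site.
SAMPLE = json.dumps([
    {"name": "elementor", "status": "active", "update": "available", "version": "3.35.5"},
    {"name": "advanced-custom-fields", "status": "active", "update": "none", "version": "6.7.1"},
    {"name": "worker", "status": "inactive", "update": "available", "version": "4.9.31"},
    {"name": "w3-total-cache", "status": "active", "update": "none", "version": "2.8.0"},
    {"name": "akismet", "status": "active", "update": "none", "version": "5.3"},
])

if __name__ == "__main__":
    for slug, state in audit_plugins(SAMPLE).items():
        print(f"{slug}: {state}")
```

On a live site, replace `SAMPLE` with the captured output of `wp plugin list --format=json` and treat every `outdated` line as an update to apply today.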
If you would rather have someone review your site’s plugin versions, security posture, and update history properly, get in touch with me at The WordPress Guy. I work with business owners who want their WordPress site maintained to a professional standard, not left exposed because updates were never part of the arrangement.