Critical WordPress Plugin Flaws Expose Sites to File Upload, SQL Injection, and Takeover
Multiple WordPress plugins were flagged for severe vulnerabilities that could let attackers take over sites through unauthenticated file upload, SQL injection, arbitrary file deletion, and authorization bypass. References point to issues in plugins including WP Duplicate, Ninja Forms File Upload, Ultimate Member, Product Addons for WooCommerce, CleanTalk Spam Protect, Ally, Perfmatters, and Kali Forms, alongside identifiers such as CVE-2024-48930, CVE-2025-13192, and CVE-2026-1104. Several flaws were described as allowing arbitrary plugin installation, malicious file upload, or direct database manipulation, creating a path to remote code execution and full site compromise.
Wordfence reports indicate the exposure spans hundreds of thousands of WordPress sites, with some bugs already under active exploitation. The most serious cases include an unauthenticated SQL injection flaw in the Ally plugin affecting roughly 400,000 sites, an arbitrary file deletion issue in Perfmatters affecting about 200,000 sites, and active attacks targeting a critical flaw in Kali Forms. Taken together, the disclosures show a broad wave of high-impact plugin security failures that increase the risk of website defacement, malware deployment, data theft, and administrator-level compromise across the WordPress ecosystem.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
8 events from the most recent confirmed update back to the earliest known activity.
Wordfence reports active exploitation of Kali Forms vulnerability
In April 2026, Wordfence reported that attackers were actively exploiting a critical vulnerability in the Kali Forms plugin. The supplied content supports this as a distinct escalation event because it indicates in-the-wild exploitation rather than only vulnerability disclosure.
Wordfence discloses arbitrary file deletion flaw in Perfmatters plugin
Wordfence published an April 2026 report on an arbitrary file deletion vulnerability in the Perfmatters WordPress plugin, saying about 200,000 WordPress sites were affected. No additional remediation or exploitation dates are available in the provided references.
Steam-hosted malware campaign targeting crypto users comes under FBI scrutiny
A March 2026 Hypebeast reference indicates the FBI was probing malware-loaded games distributed via Steam that targeted cryptocurrency users. The available reference suggests a law-enforcement investigation into the campaign, but provides no further dated milestones in the supplied content.
Wordfence discloses authentication bypass flaw in Tutor LMS Pro plugin
Wordfence reported an authentication bypass vulnerability in the Tutor LMS Pro WordPress plugin affecting about 30,000 sites. The supplied reference indicates this was a separate plugin vulnerability disclosure from the other Wordfence-reported flaws already in the timeline.
Wordfence discloses SQL injection flaw affecting Ally WordPress plugin
Wordfence published a March 2026 report about an unauthenticated SQL injection vulnerability in the Ally WordPress plugin, stating that roughly 400,000 WordPress sites were affected. The supplied reference does not include patch timing or exploitation details beyond the disclosure headline.
Wordfence discloses arbitrary file upload flaw in WPvivid Backup plugin
Wordfence reported an arbitrary file upload vulnerability in the WPvivid Backup WordPress plugin and said about 800,000 WordPress sites were affected. The supplied reference indicates a vulnerability disclosure involving a separate plugin from those already in the timeline.
Wordfence discloses Demo Importer Plus reset and privilege escalation flaw
Wordfence reported vulnerabilities in the Demo Importer Plus WordPress plugin that could allow site reset and privilege escalation. The reference indicates roughly 10,000 WordPress sites were protected against the issue, making this a distinct disclosure from the plugin flaws already in the timeline.
Wordfence discloses password-change flaw in Amelia Booking plugin
Wordfence published a vulnerability report on the Amelia Booking WordPress plugin describing an authenticated customer insecure direct object reference that could allow arbitrary user password changes. The supplied reference indicates a distinct plugin vulnerability disclosure not already represented in the timeline.
Sources
20 references tracked. Mallory keeps watching after this page renders.
[no-title]
wordfence.com
Open source[no-title]
wordfence.com
Open source[no-title]
wordfence.com
Open source[no-title]
wordfence.com
Open source[no-title]
wordfence.com
Open source[no-title]
wordfence.com
Open source[no-title]
wordfence.com
Open source[no-title]
wordfence.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Critical WordPress Plugin Flaws Expose Sites to RCE and Privilege Escalation
Two high-severity vulnerabilities have been disclosed in widely deployed WordPress plugins, exposing internet-facing sites to **unauthenticated compromise**. `CVE-2026-3584` affects **Kali Forms** through version `2.4.9` and allows **remote code execution** because user-controlled input can be mapped into internal placeholder storage and later invoked via `call_user_func` in the `form_process` path. The issue is classified as `CWE-94` and carries a `CVSS 3.1` score with the vector `AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`, indicating critical impact on confidentiality, integrity, and availability. A second flaw, `CVE-2026-4038`, affects **Aimogen Pro** through version `2.7.5` and enables **unauthenticated privilege escalation** through an arbitrary function call in `aiomatic_call_ai_function_realtime` caused by a missing capability check. According to the disclosure, attackers can invoke WordPress functions such as `update_option` to change the default registration role to administrator and enable user registration, effectively creating a path to full site takeover. The vulnerability is tracked as `CWE-862` and was likewise rated with a high-impact `CVSS 3.1` vector of `AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`.
Mar 21, 2026
Critical File Upload Flaws Expose WordPress Plugins to Remote Code Execution
Multiple WordPress plugins were found vulnerable to **unauthenticated arbitrary file upload** flaws that can lead to remote code execution and full site compromise. The most urgent case involves the **Breeze Cache** plugin, where **CVE-2026-3844** affects versions through `2.4.4` when the optional **"Host Files Locally - Gravatars"** feature is enabled. Researchers said the bug stems from missing file-type validation in the `fetch_gravatar_from_remote` function, and BleepingComputer reported that attackers are already exploiting the issue in the wild, with Wordfence observing more than 170 attack attempts. Cloudways released a fix in version `2.4.5`, and defenders were urged to update immediately or disable the Gravatar-related feature until patching is complete. Two additional **Contact Form 7** upload extensions were also disclosed with critical upload weaknesses. **CVE-2026-5718** affects **Drag and Drop Multiple File Upload for Contact Form 7** through `1.3.9.6`, where custom blacklist handling can override the default dangerous-extension denylist and a non-ASCII filename trick can bypass sanitization, allowing attackers to upload PHP files. **CVE-2026-5364** affects **Drag and Drop File Upload for Contact Form 7** through `1.1.3`, where the plugin validates an unsanitized extension but saves a sanitized one, enabling bypasses using special characters such as `$`; researchers noted that `.htaccess` protections and filename randomization may reduce real-world exploitability. Together, the disclosures highlight a broader pattern of insecure file validation in WordPress upload plugins.
Apr 24, 2026
Critical WordPress Plugin Vulnerabilities Enable Account Takeover and Privilege Escalation
Multiple high-severity vulnerabilities were disclosed across popular **WordPress plugins**, creating pathways to account takeover, privilege escalation, and sensitive data exposure. The most severe issue, **CVE-2025-15521** in *Academy LMS* (<= `3.5.0`), allows **unauthenticated administrator account takeover** because the plugin’s password update flow relies on a **publicly exposed WordPress nonce** as authorization rather than validating user identity; *Wordfence* reported observing exploitation attempts in the wild and blocking dozens of attacks in a 24-hour period. Additional disclosures affect other plugins with different exploitation prerequisites and impacts. **CVE-2026-0726** in *Nexter Extension – Site Enhancements Toolkit* (<= `4.4.6`) is an **unauthenticated PHP object injection** via `nxt_unserialize_replace`, but it requires a usable **POP chain** from another installed plugin/theme to reach file deletion, data theft, or code execution. **CVE-2025-15347** in *Creator LMS* (<= `1.1.12`) enables **authenticated (Contributor+)** attackers to update arbitrary WordPress options due to a missing capability check, potentially leading to privilege escalation or site compromise. **CVE-2025-14977** in *Dokan* (<= `4.2.4`) is an **IDOR** in the `/wp-json/dokan/v1/settings` REST endpoint that lets **authenticated (Customer+)** users read/modify other vendors’ settings, including changing PayPal payout emails and accessing bank/payment details, enabling fraud and sensitive information disclosure.
Mar 21, 2026