April 2026 was a heavy month for WordPress security. Researchers published ten significant CVEs this month. This April 2026 WordPress vulnerability roundup covers every critical flaw. Site owners need to act fast to protect their sites. The volume of patches this month is unusual.
The WordPress ecosystem saw multiple high-severity issues this month. These affected popular plugins used by millions of sites. The most critical flaw scored 9.1 on the CVSS scale. That vulnerability removes all permission checks. It gives attackers full control over WooCommerce stores. E-commerce sites face the biggest risk this month.
Security teams released patches for all these issues. Plugin developers responded within days of disclosure. Site owners should update their plugins now. The risks of delay are too high to ignore. Attackers actively scan for vulnerable installations. They can find and exploit these flaws within hours.
Each vulnerability carries unique risks for site owners. Some flaws allow remote code execution. Others expose sensitive customer data. A few let attackers access private information. Every site using these plugins needs immediate attention. Let us examine each vulnerability in detail. The sections below break down every CVE from this month. Read on to learn about each flaw and its impact.
The Critical: CVE-2025-15484 – Order Notification for WooCommerce (CVSS 9.1)
The most dangerous flaw this month is CVE-2025-15484. It affects Order Notification for WooCommerce. This plugin sends order alerts to store owners. The vulnerability removes all permission checks. Unauthenticated attackers gain complete read and write access.
Attackers can view and modify products without authentication. They can access customer data and coupons too. The scope of this flaw is alarming. Any site with version 3.6.2 or below is vulnerable. The fix arrived in version 3.6.3.
Store owners using WooCommerce should prioritize this update. The plugin is available on WordPress.org. Check your version number right now. Update to 3.6.3 or higher immediately.
This vulnerability poses a direct threat to your business data. Attackers can steal customer information without a trace. They can modify product prices or delete inventory records. The damage potential is enormous for any online store.
Do not wait to apply this patch. The exploit requires no authentication at all. Anyone on the internet can trigger it. Make this update your top priority today.
The High Severity Flaws
Four high-severity vulnerabilities demand attention this month. These scored between 7.2 and 8.1 on the CVSS scale. Each one poses serious risks to affected sites. Let us examine each one in detail.
CVE-2026-4347 affects MW WP Form with a CVSS score of 8.1. This flaw allows arbitrary file moves. Attackers can achieve remote code execution. The vulnerability exists in versions up to 5.1.0. It uses the generate_user_filepath() function. The move_temp_file_to_upload_dir() function is also vulnerable. Unauthenticated users can exploit this flaw. Remote code execution means attackers can run commands on your server. They can install backdoors or steal your database. Update from MW WP Form on WordPress.org right away.
CVE-2026-5032 hits W3 Total Cache with a CVSS score of 7.5. This plugin powers millions of WordPress sites. The flaw exposes information via output buffering bypass. Versions up to 2.9.3 are affected. Cache plugins manage sensitive data during output. This bypass leaks that information to attackers. The leak can include session tokens and private data. Update from W3 Total Cache on WordPress.org immediately.
CVE-2026-1540 targets Spam Protect for Contact Form 7 with a CVSS score of 7.2. This flaw enables remote code execution. It works through PHP file logging. Attackers need editor access to exploit this. The vulnerability exists in versions below 1.2.10. The fix closes the file logging loophole. Any site with contact forms should pay attention here. Get the update from Spam Protect for Contact Form 7 on WordPress.org.
CVE-2026-0686 affects the Webmention plugin with a CVSS score of 7.2. This is a server-side request forgery (SSRF) flaw. It exists in versions up to 5.6.2. The vulnerability lives in MF2::parse_authorpage() and Receiver::post(). Attackers can make your server send requests. They can reach internal services this way. SSRF attacks can expose cloud metadata and internal networks. Update from Webmention on WordPress.org.
Medium Severity Issues
Several medium-severity flaws also need attention. These scored between 4.3 and 6.5 on the CVSS scale. Each one can still cause significant damage. Do not ignore them just because they are not critical.
CVE-2026-4668 affects the Amelia plugin with a CVSS score of 6.5. This SQL injection flaw uses the sort parameter. It targets the payments listing feature. All versions of Amelia are vulnerable. SQL injection can expose your entire database. Attackers can read customer records and appointment data. Update from Amelia on WordPress.org.
CVE-2025-13535 hits King Addons for Elementor with a CVSS score of 6.4. This stored XSS vulnerability affects versions up to 51.1.38. Contributors and above users can exploit it. Stored XSS can infect all site visitors. It can redirect users to malicious sites or steal cookies. Update from King Addons on WordPress.org.
CVE-2026-0688 is a second SSRF in Webmention with a CVSS score of 6.4. This one requires authentication to exploit. It uses the Tools::read() function. Versions up to 5.6.2 are affected. Even authenticated SSRF can cause serious internal network damage. Update from Webmention again if needed.
CVE-2026-2696 affects Export All URLs with a CVSS score of 5.3. This plugin generates predictable CSV filenames. Private post URLs become exposed this way. Versions below 5.1 are vulnerable. Draft posts and hidden content can leak to unauthorized users. Update from Export All URLs on WordPress.org.
CVE-2026-3831 targets Database for CF7, WPForms, and Elementor with a CVSS score of 4.3. It has a missing capability check. The entries_shortcode() function lacks proper authorization. This allows unauthorized data access. Form submissions can contain sensitive user information. Update from Database for CF7, WPForms, Elementor on WordPress.org.
What Site Owners Should Do
Your first step is updating every plugin. Check each plugin listed in this article. Ensure you run the latest patched version. Do not delay these updates. Attackers scan for vulnerable sites constantly. They use automated tools to find outdated plugins.
Review your site for these specific plugins. Check your active plugin list carefully. If you use any of them, update right now. Set up automatic updates where possible. This reduces your exposure to future flaws. Many hosts offer automatic update features.
Good security hygiene goes beyond plugin updates. Use strong passwords for all user accounts. Enable two-factor authentication on your site. Limit user permissions to the minimum needed. Regular backups can save you from disaster. Keep backups offsite for maximum safety.
Monitor your site for unusual activity. Check your user accounts for new additions. Review failed login attempts regularly. Update your WordPress core version too. Security is an ongoing process. It is not a one-time fix. Make security reviews a monthly habit.
Remove unused plugins and themes from your site. Each extra plugin adds potential risk. If you do not use a plugin, delete it. Old abandoned plugins never receive security updates. Keep your installation lean and clean at all times.
Consider using a staging environment for testing updates. Test new plugin versions before deploying them live. This catches compatibility issues early. A staging site lets you verify patches safely. Many hosting providers offer staging features for free. Use these tools to avoid breaking your live site.
Do It All With One Plugin
Trusti simplifies your WordPress security workflow. Our plugin combines multiple security features. You get protection without managing several tools. The Known Vulnerabilities Scanner is especially useful. It checks your plugins against the latest CVE database.
Trusti Pro includes auto-scan scheduling for vulnerabilities. It detects vulnerable plugin versions automatically. You never miss a critical update again. The scanner cross-references your plugins against CVE databases. It alerts you before attackers exploit known flaws. This gives you time to patch before attacks happen.
Trusti also includes login protection and security headers. It offers brute force protection and login URL masking. You get a complete security solution in one plugin. Another helpful feature is the Core Integrity Scanner. It checks your WordPress files against the official versions. Any modified files get flagged immediately. The Admin Activity Log tracks every user action too. You can see who changed what and when.
For more security tips, read our guide on WordPress security plugins and best practices. You can also check our features page for the full list of Trusti capabilities.
The Bottom Line
April 2026 brought serious WordPress security challenges. Ten vulnerabilities were disclosed and patched. Site owners who update quickly stay safe. Those who delay take unnecessary risks. The choice is clear and simple.
Check your plugins against this list today. Update anything that shows a vulnerability. Consider using Trusti for ongoing protection. Your site security depends on proactive maintenance. Do not wait for an attack to take action.
Stay informed about new vulnerabilities as they appear. Subscribe to security newsletters and feeds. Follow WordPress security blogs for updates. Knowledge is your best defense against attackers. Bookmark the Wordfence blog and the WPScan database. These resources publish timely vulnerability disclosures. Stay safe out there.