WordPress powers ~43% of the web — it's also the most-exploited target by opportunistic attackers via third-party plugins. In May 2026, 4 popular plugins disclosed critical CVEs (CVSS 9.8), all enabling admin account takeover without authentication:
- CVE-2026-8181 — Burst Statistics (privacy-friendly analytics) — auth bypass
- CVE-2026-6271 — Career Section — arbitrary file upload → RCE
- CVE-2026-6510 — InfusedWoo Pro (automation) — privilege escalation
- CVE-2026-5229 — Form Notify — auth bypass via cookie injection
If you operate WordPress sites (or offer managed WordPress hosting), audit your installs immediately.
CVE-2026-8181 — Burst Statistics auth bypass via application passwords
The plugin
Burst Statistics is a privacy-friendly analytics plugin, an alternative to Google Analytics that stores no personal data. Very popular among GDPR-compliant European sites (~50,000 active installs per the WordPress repo).
The bug
The is_mainwp_authenticated() function validates application passwords from the Authorization header but misinterprets the return value. Consequence: an attacker who knows an administrator username (often visible via the REST API at /wp-json/wp/v2/users) can send a request with a random Basic Auth password and be authenticated as that admin for the duration of the request.
```bash
# Exploitation example
curl -u "admin:RandomString123" \
  https://target-wordpress.com/wp-json/burst/v1/data
```
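The CWE-697 pairing above is the familiar "truthy error object" mistake. The following is an added illustration, not Burst Statistics' own code: a flawed application-password check next to its corrected form. It assumes WordPress core is loaded (WP_User, WP_Error, wp_authenticate_application_password(), which core only applies to REST and XML-RPC requests); the function names are assumed.

```php
<?php
// Added illustration (not the plugin's code) of the CWE-697 bug class behind an
// application-password check, and the corrected form. Requires WordPress core.

/**
 * Flawed pattern. wp_authenticate_application_password() returns a WP_User on
 * success, a WP_Error on a bad password, or the unchanged $input_user (null
 * here) when no application password was supplied. A WP_Error object is
 * truthy, so a bare boolean test accepts a FAILED login as authenticated.
 */
function example_flawed_app_password_check( $username, $password ) {
    $result = wp_authenticate_application_password( null, $username, $password );
    if ( $result ) {            // BUG: true for WP_Error as well as WP_User
        return true;
    }
    return false;
}

/**
 * Corrected pattern: accept only a WP_User, reject everything else explicitly
 * (WP_Error, null, anything unexpected), then check the capability the
 * endpoint actually needs rather than treating "authenticated" as "admin".
 */
function example_correct_app_password_check( $username, $password ) {
    $result = wp_authenticate_application_password( null, $username, $password );
    if ( ! ( $result instanceof WP_User ) ) {
        return false;
    }
    return user_can( $result, 'manage_options' );
}

/**
 * For a REST route the cleanest fix is to not re-implement authentication at
 * all: core already validates Basic Auth application passwords on REST
 * requests, so the route only needs a capability-based permission_callback.
 */
function example_register_route() {
    register_rest_route( 'example/v1', '/data', array(
        'methods'             => 'GET',
        'callback'            => function () { return array( 'ok' => true ); },
        'permission_callback' => function () { return current_user_can( 'manage_options' ); },
    ) );
}
add_action( 'rest_api_init', 'example_register_route' );
```

When reviewing a plugin for this class, grep for every call that can return a WP_Error and confirm the result is tested with `is_wp_error()` or `instanceof WP_User`, never with `if ( $result )` or `$result != false`.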
Characteristics
| Field | Value |
|---|---|
| CVSS 3.1 | 9.8 (CRITICAL) |
| Affected versions | 3.4.0 → 3.4.1.1 |
| Patched version | Check on the WordPress repo |
| CWE | CWE-697 (Incorrect Comparison) + CWE-287 (Improper Authentication) |
CVE-2026-6271 — Career Section arbitrary file upload
The plugin
Career Section is a careers/recruiting plugin letting candidates upload their CV via a form. Used on enterprise sites for the "Careers" page.
The bug
The CV upload handler does not validate file type. An attacker can upload any file, including a PHP shell (shell.php). Once uploaded into wp-content/uploads/career-section/, the file is publicly accessible and executed by the PHP server.
```bash
# Exploitation example
curl -X POST "https://target.com/wp-content/plugins/career-section/cv-upload.php" \
  -F "cv=@shell.php" \
  -F "candidate_name=test"
# Then access the shell
curl "https://target.com/wp-content/uploads/career-section/shell.php?cmd=id"
```
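For contrast, here is what a CV upload handler that closes the CWE-434 hole looks like. This is an added example, not Career Section's code; it assumes WordPress core is loaded, a form field named cv, a nonce field named career_cv_nonce, and the function name shown (all assumed). It allow-lists document types by both extension and sniffed content, and discards the client-supplied file name.

```php
<?php
// Added illustration (not the plugin's code): server-side file-type validation
// for a CV upload. Requires WordPress core; field and nonce names are assumed.

function example_handle_cv_upload() {
    // 1. Only accept submissions that came through our own form (CSRF guard).
    if ( ! isset( $_POST['career_cv_nonce'] )
         || ! wp_verify_nonce( $_POST['career_cv_nonce'], 'career_cv_upload' ) ) {
        wp_die( 'Invalid request', '', array( 'response' => 403 ) );
    }
    if ( empty( $_FILES['cv'] ) || UPLOAD_ERR_OK !== $_FILES['cv']['error'] ) {
        wp_die( 'No file received', '', array( 'response' => 400 ) );
    }

    // 2. Allow-list by extension AND by detected content type. The client's
    //    file name and Content-Type are attacker-controlled and prove nothing.
    $allowed = array(
        'pdf'  => 'application/pdf',
        'doc'  => 'application/msword',
        'docx' => 'application/vnd.openxmlformats-officedocument.wordprocessingml.document',
    );
    $check = wp_check_filetype_and_ext( $_FILES['cv']['tmp_name'], $_FILES['cv']['name'], $allowed );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        wp_die( 'File type not permitted', '', array( 'response' => 415 ) );
    }

    // 3. Let core move the file with the same allow-list enforced again, and
    //    replace the original name so "resume.pdf.php" cannot survive.
    $overrides = array(
        'test_form'                => false,
        'mimes'                    => $allowed,
        'unique_filename_callback' => function ( $dir, $name, $ext ) {
            return wp_generate_password( 24, false ) . $ext;   // $ext includes the dot
        },
    );
    require_once ABSPATH . 'wp-admin/includes/file.php';
    $moved = wp_handle_upload( $_FILES['cv'], $overrides );
    if ( isset( $moved['error'] ) ) {
        wp_die( esc_html( $moved['error'] ), '', array( 'response' => 400 ) );
    }
    return $moved['file'];   // absolute path of the stored CV
}
```

Validation in PHP is necessary but not sufficient: the uploads directory should additionally be served with PHP execution disabled at the web server (for example a `php_flag engine off` / `<FilesMatch "\.php$"> Deny` rule in Apache, or a `location` block in nginx that never passes `wp-content/uploads` to PHP-FPM), so that a future upload bug does not immediately become RCE.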
Characteristics
| Field | Value |
|---|---|
| CVSS 3.1 | 9.8 (CRITICAL) |
| Affected versions | ≤ 1.7 |
| Patched version | Check |
| CWE | CWE-434 (Unrestricted Upload of File with Dangerous Type) |
CVE-2026-6510 — InfusedWoo Pro privilege escalation via AJAX
The plugin
InfusedWoo Pro is a WooCommerce automation plugin (post-purchase email sequences, retargeting workflows). Paid plugin, several thousand active licenses.
The bug
The iwar_save_recipe() AJAX handler performs no nonce check or capability check. An unauthenticated attacker can:
- Create a malicious automation recipe via the AJAX endpoint
- Configure an HTTP POST trigger paired with an auto-login action
- Visit the crafted URL → receive a valid authentication cookie for any account (including admin)
It's the archetypal "unprotected AJAX nopriv" vulnerability that recurs across the WordPress ecosystem.
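The archetype has an equally archetypal fix: register only the authenticated hook, verify a nonce, check a capability, and never let request data select a privileged side effect. This is an added example, not InfusedWoo Pro's code; it assumes WordPress core is loaded, and the action name example_save_recipe, the nonce action and the option key are assumed.

```php
<?php
// Added illustration (not the plugin's code): an admin-only AJAX handler that
// saves an automation recipe. Requires WordPress core; names are assumed.

// Register ONLY the logged-in hook. A matching wp_ajax_nopriv_* registration
// would hand the handler to anonymous visitors, which is the bug class above.
add_action( 'wp_ajax_example_save_recipe', 'example_save_recipe' );

function example_save_recipe() {
    // 1. CSRF: the request must carry a nonce issued to this logged-in user.
    //    check_ajax_referer() dies with a 403 if the nonce is missing or stale.
    check_ajax_referer( 'example_save_recipe', 'nonce' );

    // 2. Authorization: being logged in is not the same as being an admin.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions' ), 403 );
    }

    // 3. Input validation: allow-list trigger and action types. There is no
    //    "log the visitor in as user X" action for a request body to pick.
    $allowed_triggers = array( 'order_completed', 'cart_abandoned' );
    $allowed_actions  = array( 'send_email', 'add_tag' );
    $trigger = isset( $_POST['trigger'] )     ? sanitize_key( $_POST['trigger'] )     : '';
    $action  = isset( $_POST['action_type'] ) ? sanitize_key( $_POST['action_type'] ) : '';
    if ( ! in_array( $trigger, $allowed_triggers, true )
         || ! in_array( $action, $allowed_actions, true ) ) {
        wp_send_json_error( array( 'message' => 'Unknown trigger or action' ), 400 );
    }

    $recipe = array(
        'title'   => sanitize_text_field( wp_unslash( $_POST['title'] ?? '' ) ),
        'trigger' => $trigger,
        'action'  => $action,
        'author'  => get_current_user_id(),
    );
    update_option( 'example_recipe_' . wp_generate_uuid4(), $recipe, false );
    wp_send_json_success( $recipe );
}

// The nonce is minted where the admin page's script is enqueued, e.g.:
// wp_localize_script( 'example-admin', 'exampleAjax',
//     array( 'nonce' => wp_create_nonce( 'example_save_recipe' ) ) );
```

When auditing a plugin, list every `add_action( 'wp_ajax_nopriv_...' )` and confirm each handler is genuinely meant for anonymous users; then check that every `wp_ajax_...` handler calls `check_ajax_referer()` (or `wp_verify_nonce()`) and a `current_user_can()` test before touching data.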
Characteristics
| Field | Value |
|---|---|
| CVSS 3.1 | 9.8 (CRITICAL) |
| Affected versions | ≤ 5.1.2 |
| Patched version | Check |
| CWE | CWE-862 (Missing Authorization) + CWE-269 (Improper Privilege Management) |
CVE-2026-5229 — Form Notify auth bypass via cookie injection
The plugin
Form Notify is a plugin that sends LINE (the Japanese messenger) notifications on WordPress form submissions. Used on Japanese and Korean sites.
The bug
When LINE doesn't provide an email address (common, since LINE doesn't request email at OAuth time), the plugin trusts a form_notify_line_email cookie to determine which WordPress account to log in. An attacker can:
- Auth via LINE OAuth with their own LINE account
- Inject the cookie form_notify_line_email=admin@victim.com
- The plugin signs the attacker in as admin@victim.com without verifying the email belongs to the LINE account
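The safe design binds a WordPress account to the identity the OAuth provider asserts server-side, never to a value the browser sends. The following is an added example, not Form Notify's code. It assumes WordPress core is loaded, that $profile is the JSON response of LINE's profile endpoint fetched server-to-server with the access token (LINE returns the stable identifier as userId), and the user-meta key example_line_user_id and function names are assumed.

```php
<?php
// Added illustration (not the plugin's code): map a LINE OAuth identity to a
// WordPress user without trusting any client-supplied cookie. Requires
// WordPress core; meta key and function names are assumed.

function example_login_from_line_profile( array $profile ) {
    // 1. The only trustworthy identifier is the provider's stable user id,
    //    obtained server-to-server. A cookie such as *_line_email is
    //    attacker-controlled and must play no part in account selection.
    $line_id = isset( $profile['userId'] ) ? sanitize_text_field( $profile['userId'] ) : '';
    if ( '' === $line_id ) {
        return new WP_Error( 'no_identity', 'LINE profile carried no userId' );
    }

    // 2. Look up an account previously BOUND to this LINE id (binding happens
    //    while the user is logged in to WordPress, see below), not an account
    //    whose email merely matches something the request claims.
    $users = get_users( array(
        'meta_key'   => 'example_line_user_id',
        'meta_value' => $line_id,
        'number'     => 2,          // fetch 2 so an ambiguous binding is detectable
        'fields'     => 'ID',
    ) );
    if ( 1 !== count( $users ) ) {
        return new WP_Error( 'no_binding', 'No (or ambiguous) account linked to this LINE user' );
    }

    // 3. Issue the session only after the server-side lookup succeeded.
    $user_id = (int) $users[0];
    wp_set_current_user( $user_id );
    wp_set_auth_cookie( $user_id, false, is_ssl() );
    return $user_id;
}

// Binding step: runs for a user who is ALREADY authenticated to WordPress and
// has just completed LINE OAuth in the same browser session.
function example_bind_line_identity( int $user_id, array $profile ) {
    if ( get_current_user_id() !== $user_id || empty( $profile['userId'] ) ) {
        return false;
    }
    return (bool) update_user_meta(
        $user_id, 'example_line_user_id', sanitize_text_field( $profile['userId'] )
    );
}
```

The "no email from the provider" case is handled by refusing to log in rather than by falling back to a client-chosen email: an account that has never been bound simply cannot be entered through this path, which is the correct failure mode for a login flow.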
Characteristics
| Field | Value |
|---|---|
| CVSS 3.1 | 9.8 (CRITICAL) |
| Affected versions | ≤ 1.1.10 |
| Patched version | Check |
| CWE | CWE-287 (Improper Authentication) + CWE-602 (Client-Side Enforcement of Server-Side Security) |
Summary and Action
| CVE | Plugin | Type | Action |
|---|---|---|---|
| CVE-2026-8181 | Burst Statistics | Auth bypass | Update ASAP |
| CVE-2026-6271 | Career Section | Arbitrary file upload | Update ASAP |
| CVE-2026-6510 | InfusedWoo Pro | Privilege escalation | Update ASAP |
| CVE-2026-5229 | Form Notify | Auth bypass | Update ASAP |
Immediate patch procedure
In WordPress Admin → Plugins:
- Filter "Available updates"
- Find the 4 listed plugins
- Update all in one click via "Select all → Update"
Or via WP-CLI on the server:
```bash
wp plugin update --all
```
Post-update compromise check
After updating, verify no malicious admin accounts were created during the exposure window:
```bash
# List all administrators
wp user list --role=administrator --fields=ID,user_login,user_email,user_registered
# List PHP files uploaded via Career Section
ls -la wp-content/uploads/career-section/ | grep "\.php$"
```
Also check the database for recent InfusedWoo recipes:
```sql
SELECT * FROM wp_iwar_recipes WHERE created_at > NOW() - INTERVAL 30 DAY;
```
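The three checks above can be run as one script under WP-CLI so the result is a single pass/fail across a fleet. This is an added example, not from the advisory; it runs with wp eval-file check-compromise.php (file name assumed). The table name wp_iwar_recipes and the career-section upload path come from this page; the 30-day window is an assumption. It also catches double extensions such as shell.php.txt, which the grep above misses.

```php
<?php
// Added example (not from the page): post-update compromise check for the four
// advisories, run via `wp eval-file check-compromise.php`. Exits non-zero when
// anything is found so it can gate a deployment pipeline.

$window_days = 30;                                   // assumed exposure window
$since       = gmdate( 'Y-m-d H:i:s', time() - $window_days * DAY_IN_SECONDS );
$findings    = array();

// 1. Administrator accounts registered during the exposure window.
$new_admins = get_users( array(
    'role'       => 'administrator',
    'date_query' => array( array( 'after' => $since, 'column' => 'user_registered' ) ),
) );
foreach ( $new_admins as $u ) {
    $findings[] = sprintf( 'NEW ADMIN id=%d login=%s email=%s registered=%s',
        $u->ID, $u->user_login, $u->user_email, $u->user_registered );
}

// 2. Any PHP-ish file (including double extensions) under uploads/career-section.
$upload_dir = wp_upload_dir()['basedir'] . '/career-section';
if ( is_dir( $upload_dir ) ) {
    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator( $upload_dir, FilesystemIterator::SKIP_DOTS )
    );
    foreach ( $iter as $file ) {
        if ( preg_match( '/\.(php\d?|phtml|phar)(\.|$)/i', $file->getFilename() ) ) {
            $findings[] = 'PHP IN UPLOADS ' . $file->getPathname()
                        . ' mtime=' . gmdate( 'c', $file->getMTime() );
        }
    }
}

// 3. InfusedWoo automation recipes created recently (table named in the advisory).
global $wpdb;
$table = $wpdb->prefix . 'iwar_recipes';
if ( $wpdb->get_var( $wpdb->prepare( 'SHOW TABLES LIKE %s', $table ) ) === $table ) {
    $rows = $wpdb->get_results(
        $wpdb->prepare( "SELECT * FROM {$table} WHERE created_at > %s", $since ), ARRAY_A
    );
    foreach ( $rows as $row ) {
        $findings[] = 'RECENT RECIPE ' . wp_json_encode( $row );
    }
}

if ( empty( $findings ) ) {
    WP_CLI::success( "No suspicious artefacts in the last {$window_days} days." );
} else {
    foreach ( $findings as $f ) {
        WP_CLI::warning( $f );
    }
    WP_CLI::halt( 1 );
}
```

Run it once per site immediately after patching and keep the output: if the Burst or Form Notify bypasses were used, there may be no new admin account at all, only actions performed under an existing one, so pair this with a review of the web server access log for unexpected requests to /wp-json/burst/ and to the LINE callback URL.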
If you find suspicious artefacts
- Delete non-legitimate PHP files in uploads/
- Disable recently created admin accounts (do not delete — forensic evidence)
- Rotate passwords for every admin account
- Scan the filesystem for webshells using WPScan or Maldet
- Audit WP options (siteurl, home and admin_email are the ones attackers most often tamper with):
```bash
for key in siteurl home admin_email; do wp option get "$key"; done
```
Why Continuous Monitoring of WordPress Installations Matters
WordPress runs ~43% of the web. 80% of WP compromises come through an unpatched third-party plugin. Plugin CVE disclosure cadence is several per week — impossible to track manually.
With cveo.tech, inventory your WordPress installs and their deployed third-party plugins and get automatic alerts when a critical CVE targets one of your exact versions — so you patch in the window before automated scanning bots reach your site.