Skip to main content

WordPress Plugin Security Roundup: June 2026

Two 9.8 Critical takeover flaws, an arbitrary file deletion bug on a million sites, and an information-disclosure vulnerability that drew more than seventeen million attacks landed this month. Here is what was disclosed in June 2026, what is patched, and what still needs your attention.

Every month we review the WordPress plugin vulnerability disclosures from Patchstack, Wordfence Intelligence, and WPScan, then summarize the ones that matter most: high install counts, exploitable without privileges, or actively weaponized in the wild. June 2026 delivered all three at once.

June 2026 at a Glance

CVE Plugin CVSS Type Auth Required Status
CVE-2026-8206 Kirki Customizer Framework 9.8 Critical Privilege Escalation None Patched — update to 6.0.7
CVE-2026-8181 Burst Statistics 9.8 Critical Authentication Bypass None Patched — update to 3.4.2
CVE-2026-8713 Avada Builder 9.1 Critical Arbitrary File Deletion None Patched — update to 3.15.4
CVE-2026-4020 Gravity SMTP 7.5 High Information Disclosure None Patched — under active mass exploitation

All four have patches available. Three are fully unauthenticated criticals, and the fourth — Gravity SMTP — is the one already being exploited at scale. Every item on this list resolves to a plugin update, but two of them require follow-up work after the update. More on that below.

CVE-2026-8206 — Kirki Customizer Framework (CVSS 9.8 Critical)

Affected versions: 6.0.0 through 6.0.6
Fixed in: 6.0.7
Auth required to exploit: None — fully unauthenticated
Install count: ~500,000 active installs (~150,000 on vulnerable versions)

This is the disclosure that should send you straight to your plugin list. Kirki is a long-running customizer and page-builder framework bundled into hundreds of themes. CVE-2026-8206 lets a remote attacker take over an administrator account without any credentials, and it is already being exploited — Wordfence reported blocking attacks against it within 24 hours of disclosure.

The root cause is a broken password-reset flow. The plugin registers a custom REST API endpoint that calls a handle_forgot_password() function, which accepts an attacker-supplied email address rather than looking up the address registered to the target account. An attacker requests a reset for the admin username, supplies their own email, then receives the reset link. From there they set a new password and log in as administrator.

Successful exploitation lets an attacker:

  • Seize the existing administrator account rather than create an obvious new one
  • Install or modify plugins and themes
  • Plant web shells or backdoors for persistent access
  • Exfiltrate stored user data and site content

At 9.8, unauthenticated, with confirmed exploitation, this is an immediate update. If you run any 6.0.x version below 6.0.7, treat it as live. After updating, check your administrator list for password changes you did not make, force a password reset on every admin account, and review recent logins.

CVE-2026-8181 — Burst Statistics (CVSS 9.8 Critical)

Affected versions: 3.4.0 through 3.4.1.1
Fixed in: 3.4.2
Auth required to exploit: None — unauthenticated
Install count: ~200,000 sites

Burst Statistics is a privacy-friendly analytics plugin. CVE-2026-8181 is an authentication bypass in its MainWP integration — the feature that lets a central dashboard manage many connected sites at once.

The flaw lives in the plugin's is_mainwp_authenticated() check. When WordPress's wp_authenticate_application_password() function rejects a bad credential, it can return null rather than a WP_Error object. The plugin treats that null as success. An attacker sends a crafted REST API request with a valid administrator username plus any arbitrary password, the underlying call returns null, the plugin reads that as "authenticated," and the request is allowed through with administrator context.

This is a textbook example of a dangerous failure mode: code that checks for an explicit error, but never checks for an explicit success. Anything that is not an error gets waved through. Because the bypass keys off a known admin username — which is often discoverable from author archives or the REST users endpoint — the practical barrier to exploitation is low. Update to 3.4.2 now. If you connect this site to MainWP, rotate the application passwords used for that connection after updating.

CVE-2026-8713 — Avada Builder (CVSS 9.1 Critical)

Affected versions: 3.15.3 and earlier
Fixed in: 3.15.4 (released June 2, 2026)
Auth required to exploit: None — unauthenticated
Install count: ~1,000,000 sites

Avada is one of the best-selling commercial themes, and its companion Avada Builder plugin powers roughly a million sites. The plugin is back in this roundup a second month running — May brought a SQL injection flaw, and June brings something more dangerous: unauthenticated arbitrary file deletion.

The vulnerability stems from missing path validation in the form-entry handling. There is no realpath() resolution, and no check that the target path stays inside the uploads directory. An attacker can supply a traversal path that walks out of the intended folder, then delete any file the web server can write to. Exploitation has one precondition: the site must have a published Avada form configured to save entries to the database. Many Avada sites do, because contact and lead forms are exactly what the builder is used for.

Arbitrary file deletion sounds limited until you consider wp-config.php. Delete it, and on the next request WordPress behaves as if it is unconfigured. An attacker who reaches the setup screen can then point the site at a database they control, which converts file deletion into a full takeover. That is why this carries a 9.1 and is described as a path to remote code execution. Update Avada to 3.15.4 immediately. After updating, confirm wp-config.php and your core files are intact. Restore from backup if anything is missing.

CVE-2026-4020 — Gravity SMTP (CVSS 7.5 High)

Affected versions: All versions up to and including 2.1.4
Fixed in: 2.1.5
Auth required to exploit: None — unauthenticated
Install count: ~100,000 sites

This CVE was assigned earlier in the year, but it earns a place in the June roundup for one reason: this is the month it was weaponized at scale. Wordfence has blocked more than seventeen million exploitation attempts against it, with daily volume peaking in early June. If a vulnerability database alert is going to save your site this month, it is most likely this one.

Gravity SMTP routes outgoing WordPress email through providers like Amazon SES, Google, Mailjet, Resend, and Zoho. The flaw is a REST API endpoint — /wp-json/gravitysmtp/v1/tests/mock-data — whose permission_callback unconditionally returns true. Any anonymous visitor can call it to receive roughly 365 KB of JSON: PHP version, loaded extensions, database details, the full active-plugin inventory, and — critically — the API keys plus OAuth tokens configured for the mail provider.

The damage here does not stop at the WordPress site. Leaked SES or Mailjet credentials let an attacker send mail as your domain — phishing that lands with your sender reputation behind it. The plugin inventory it leaks is a ready-made target list for the next attack. The patch in 2.1.5 closes the endpoint, but a patch cannot un-leak a key that was already scraped:

  1. Update Gravity SMTP to 2.1.5 or later
  2. Rotate every API key and OAuth token for the mail providers you connected (SES, Google, Mailjet, Resend, Zoho)
  3. Check your provider's sending logs for mail you did not send during the exposure window
  4. Watch for bounce or abuse notices that signal your domain was used to send spam

The Three-Step Response

  1. Check which plugins you have installed. In your WordPress admin, go to Plugins → Installed Plugins. Look for Kirki (it may be bundled by your theme), Burst Statistics, Avada Builder, and Gravity SMTP. Note the version shown under each.
  2. Update immediately. Go to Dashboard → Updates and apply every update for the plugins above. Confirm the new version number afterward: Kirki 6.0.7, Burst Statistics 3.4.2, Avada 3.15.4, Gravity SMTP 2.1.5.
  3. Do the post-patch cleanup. For Kirki, reset admin passwords and review your administrator list. For Gravity SMTP, rotate your mail-provider keys. Updating alone does not undo a takeover or a leaked credential.

If you manage several WordPress sites, running this by hand for each one is slow. Patchstack and WPScan both offer free tiers that email you when a vulnerability is disclosed for a plugin on your connected sites — worth setting up before the next bad month.

Looking Ahead

June's four disclosures are the same handful of mistakes wearing different clothes: trusting attacker-supplied input in a reset flow (Kirki), reading "not an error" as "authenticated" (Burst Statistics), skipping path validation before a file operation (Avada), and shipping a permission callback that always says yes (Gravity SMTP). None of these are exotic. They are the recurring failure modes of the WordPress plugin ecosystem, and the defense does not change month to month — keep plugins current, watch the disclosure databases, then clean up fast when an update lands.

The Gravity SMTP campaign is the lesson worth carrying forward. A vulnerability disclosed months ago became a seventeen-million-attack event the moment a working exploit circulated, which means "I will update later" is the gap attackers are counting on. If keeping up with this every month is not realistic for your business, our managed WordPress hosting monitors these disclosures, applies plugin patches fast, then verifies the fix held. We will publish the July 2026 roundup at the end of next month. Until then, the Patchstack database is updated daily, free to search.

Related reading: WordPress Vulnerability TrackerFree WordPress Vulnerability ScannerHow to Check if Your WordPress Plugins Have Security VulnerabilitiesWordPress Security Checklist for Small Business SitesManaged WordPress Hosting Plans