WordPress Plugin Security Roundup: May 2026

A 9.8 Critical authentication bypass and two high-severity flaws landed this month across plugins installed on over fifteen million WordPress sites. Here is what was disclosed, what is patched, and what still needs your attention.

Every month we review the WordPress plugin vulnerability disclosures from Patchstack and WPScan and summarize the ones that matter most: high install counts, exploitable without privileges, or actively weaponized in the wild. May 2026 had three that every WordPress site owner should know about.

May 2026 at a Glance

CVE           | Plugin                         | CVSS         | Type                  | Auth Required | Status
--------------|--------------------------------|--------------|-----------------------|---------------|---------------------------
CVE-2026-1492 | User Registration & Membership | 9.8 Critical | Authentication Bypass | None          | Patched — update to 5.1.3
CVE-2026-4798 | Avada Builder                  | 7.5 High     | SQL Injection         | None          | Patched — update to latest
CVE-2026-5371 | MonsterInsights                | 7.1 High     | Missing Authorization | Subscriber    | Patched — update to 10.1.3

All three vulnerabilities have patches available. The action item for each is a plugin update — but for MonsterInsights, an update alone is not sufficient. More on that below.

CVE-2026-1492 — User Registration & Membership (CVSS 9.8 Critical)

Affected versions: All versions up to and including 5.1.2
Fixed in: 5.1.3
Auth required to exploit: None — fully unauthenticated

This is the disclosure that should send you straight to your plugin list. A complete authentication bypass in the User Registration & Membership plugin allows a remote attacker to gain full administrator access to a WordPress site without supplying any credentials or creating any account.

The root cause is a nonce-and-AJAX architecture flaw. The plugin embeds security nonces in client-side JavaScript on publicly accessible pages — meaning any visitor to the site can extract the token. Those tokens are then used to authorize privileged AJAX actions without any capability check. An attacker who visits a page, reads the nonce from the page source, and crafts a single request can trigger administrative actions and immediately elevate themselves to site admin.

Successful exploitation lets an attacker:

  • Create hidden administrator accounts
  • Install or modify plugins and themes
  • Access and export stored user data (email addresses, password hashes)
  • Plant backdoors for persistent access after the vulnerability is patched

At CVSS 9.8, no authentication required, and fully remote — this is an immediate update. If you are running any version through 5.1.2, treat it as actively exploitable. After updating, check your user list for unfamiliar administrator accounts and rotate all admin passwords.

CVE-2026-4798 — Avada Builder (CVSS 7.5 High)

Affected versions: All versions in the affected range disclosed by the vendor
Auth required to exploit: None — unauthenticated
Install count: ~1 million sites

Avada is one of the best-selling WordPress themes and its companion Avada Builder plugin powers roughly one million sites. CVE-2026-4798 is a time-based SQL injection vulnerability triggered through the product_order parameter in unauthenticated requests.

The underlying mistake is a classic one: the plugin calls sanitize_text_field() on user input — which strips HTML tags and control characters but does nothing to neutralize SQL — and then concatenates the sanitized value directly into an ORDER BY clause without using $wpdb->prepare(). Because ORDER BY clauses cannot use parameterized values in the way WHERE clauses can, safe SQL construction here requires explicit allowlisting of valid sort columns. The plugin does neither.
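The ORDER BY pattern described above, written out as an added example (this is not Avada Builder's code): the vulnerable form, then a version that resolves the sort column through an allowlist. The table name, column names and sort keys are assumptions for illustration.

```php
<?php
// Added example, not Avada Builder's code. Shows the ORDER BY pattern from
// the write-up: the vulnerable form, then an allowlisted form. The table and
// column names and the sort keys are assumptions for illustration.

// VULNERABLE: sanitize_text_field() removes tags, control characters and
// extra whitespace, but quotes, commas and parentheses survive, so whatever
// the caller sent becomes part of the SQL text.
function example_list_products_vulnerable( string $raw_order ) {
    global $wpdb;
    $order = sanitize_text_field( $raw_order );
    return $wpdb->get_results(
        "SELECT id, name FROM {$wpdb->prefix}example_products ORDER BY {$order}"
    );
}

// HARDENED: prepare() placeholders cover values, not identifiers, so the sort
// column and direction are resolved through fixed allowlists. Unknown input is
// rejected outright rather than silently corrected, which also makes probing
// visible in the logs.
function example_list_products_hardened( string $raw_order, int $per_page = 20 ) {
    global $wpdb;

    // Public sort key => real column name. Only these can reach the query.
    $columns = array(
        'name'  => 'name',
        'price' => 'price',
        'date'  => 'created_at',
    );
    $parts = preg_split( '/\s+/', strtolower( trim( $raw_order ) ) );
    $key   = $parts[0] ?? '';
    $dir   = $parts[1] ?? 'asc';

    if ( ! isset( $columns[ $key ] ) || ! in_array( $dir, array( 'asc', 'desc' ), true ) ) {
        error_log( 'example_products: rejected sort value ' . sanitize_text_field( $raw_order ) );
        return new WP_Error( 'invalid_sort', 'Unsupported sort parameter.', array( 'status' => 400 ) );
    }

    // $column and $direction now come from our own literals, never from input;
    // the one user-influenced value, the row count, goes through %d.
    $column    = $columns[ $key ];
    $direction = strtoupper( $dir );
    $sql = $wpdb->prepare(
        "SELECT id, name FROM {$wpdb->prefix}example_products ORDER BY {$column} {$direction} LIMIT %d",
        absint( $per_page )
    );
    return $wpdb->get_results( $sql );
}
```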

Time-based SQL injection means an attacker can extract data from your database by measuring how long queries take to respond; no visible error output is required. Given an unauthenticated entry point and one million installed sites, the attack surface here is significant. Update Avada Builder to the latest available version immediately.

CVE-2026-5371 — MonsterInsights (CVSS 7.1 High)

Affected versions: All versions up to and including 10.1.2
Fixed in: 10.1.3
Auth required to exploit: Subscriber-level account (any registered user)
Install count: ~3 million sites

MonsterInsights is the most widely used Google Analytics integration plugin for WordPress. CVE-2026-5371 is a missing authorization vulnerability affecting two AJAX handlers: get_ads_access_token() and reset_experience().

Both handlers verify a WordPress nonce — confirming the request came from a legitimate page session — but neither checks whether the requesting user actually has the capability to call them. A Subscriber-level account (the default role assigned to anyone who registers on a site with open registration) can scrape the nonce from their profile page, call either handler, and walk away with the site owner's live Google OAuth access token. That token was issued when the site owner connected their Google account during MonsterInsights setup.

The impact is twofold:

  • Token theft: With the OAuth token, an attacker can access the site owner's Google Analytics data — including traffic sources, user behavior, and any linked advertising data — without ever touching the WordPress site again.
  • Integration reset: The reset_experience() handler lets any Subscriber disconnect the site's Google Ads integration, disrupting active ad campaigns without leaving obvious traces in the WordPress admin log.
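The nonce-without-authorization pattern shared by CVE-2026-1492 (nonce readable in public page source) and CVE-2026-5371 (nonce verified, capability never checked), as an added example that is code from neither plugin: an AJAX handler that only validates the nonce, beside one that also enforces a capability and only ever emits the nonce to users who could pass that check. The action, nonce, option and script handle names are assumptions for illustration.

```php
<?php
// Added example, not MonsterInsights' or User Registration & Membership's code.
// Action, nonce, option and script handle names are assumptions.

// VULNERABLE: check_ajax_referer() proves the request carries a nonce that we
// issued, nothing more. Anyone who can read a page where the nonce is printed
// holds a valid one, and the handler never asks who the caller is.
function example_vulnerable_get_token() {
    check_ajax_referer( 'example_nonce', 'nonce' );
    wp_send_json_success( array( 'token' => get_option( 'example_oauth_token' ) ) );
}
add_action( 'wp_ajax_example_get_token', 'example_vulnerable_get_token' );
// The nopriv hook makes the same handler reachable without any account at all.
add_action( 'wp_ajax_nopriv_example_get_token', 'example_vulnerable_get_token' );

// HARDENED: the nonce is CSRF protection, current_user_can() is authorization.
// Both are required; wp_send_json_error() ends the request, so nothing below it
// runs for a caller without the capability.
function example_hardened_get_token() {
    check_ajax_referer( 'example_nonce', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }
    wp_send_json_success( array( 'token' => get_option( 'example_oauth_token' ) ) );
}
// Logged-in hook only; no wp_ajax_nopriv_ registration for a privileged action.
add_action( 'wp_ajax_example_get_token_v2', 'example_hardened_get_token' );

// The nonce is emitted only on admin screens, and only for users who would
// pass the capability check, so it never appears in public or subscriber-
// visible page source.
function example_enqueue_admin_nonce() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    wp_localize_script( 'example-admin', 'exampleAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'example_nonce' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'example_enqueue_admin_nonce' );
```

Even with the check in place, the hardened handler still hands out the stored token to administrators, so the post-patch revocation steps below remain necessary for any token exposed while a vulnerable version was installed.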

Updating to 10.1.3 patches the capability check. But updating alone does not invalidate the OAuth token that may already have been stolen. If your site has open user registration and was running a vulnerable version, do the following after updating:

  1. Go to your Google Account permissions page
  2. Revoke the MonsterInsights OAuth grant
  3. Return to MonsterInsights settings and reconnect Google Analytics to issue a fresh token
  4. Audit your Google Ads campaigns for any unexpected changes during the exposure window

If your site does not have open user registration — meaning a Subscriber account cannot be created without your approval — the exploitability is limited to users you already trust. Still update, but the urgency is lower.

The Three-Step Response for All Three

  1. Check which plugins you have installed. In your WordPress admin, go to Plugins → Installed Plugins. Look for User Registration & Membership, Avada Builder, and MonsterInsights. Note the version number shown under each plugin name.
  2. Update immediately. Go to Dashboard → Updates. If any of these plugins appear, click Update. Verify the version number in Installed Plugins after the update completes.
  3. Follow the MonsterInsights post-patch steps above if you run MonsterInsights with open user registration enabled.

If you manage multiple WordPress sites, running through this process manually for each one is time-consuming. The vulnerability databases referenced above — Patchstack and WPScan — both offer free tiers that send email alerts when a vulnerability is disclosed for a plugin installed on your connected sites.

Looking Ahead

The pattern across all three May disclosures is the same story told three different ways: trusting user input without parameterization (Avada), exposing privileged actions without capability checks (MonsterInsights), and letting publicly visible tokens authorize server-side actions (User Registration & Membership). None of these are novel vulnerability classes — they appear in the WordPress plugin ecosystem every month. The defense is the same each time: keep plugins updated and monitor disclosure databases for any plugin in your stack.

We will publish the June 2026 roundup at the end of next month. In the meantime, the Patchstack database is updated daily and is free to search.
