← Back to Security Blog
Security Briefing 10 min read

Critical WordPress Plugin Vulnerabilities Expose Millions of Sites — What NIS2-Compliant Companies Must Do Now

Multiple critical WordPress plugin vulnerabilities (CVE-2026-1743, CVE-2026-1891, CVE-2026-2034) expose over 8 million websites to remote code execution. NIS2-regulated companies face mandatory 24-hour incident reporting — here's your action plan.


Three Critical WordPress Plugin Vulnerabilities Discovered

CVE-2026-1743 — WP Advanced Forms: Unauthenticated RCE (CVSS 9.8)

A critical unauthenticated remote code execution vulnerability in WP Advanced Forms (versions < 3.4.2) allows attackers to execute arbitrary PHP code via crafted form submissions. Over 3 million active installations affected.

CVE-2026-1891 — ElementorPro Widgets: SQL Injection (CVSS 9.1)

A SQL injection flaw in ElementorPro Widgets (versions < 4.1.7) enables authenticated attackers with subscriber-level access to extract full database contents, including user credentials and session tokens. 2.8 million sites at risk.

CVE-2026-2034 — WooCommerce Payments Gateway: Authentication Bypass (CVSS 9.4)

An authentication bypass in WooCommerce Payments Gateway (versions < 6.9.3) allows unauthenticated attackers to escalate to administrator privileges. 2.5 million e-commerce stores potentially compromised.


Impact Assessment

CVEPluginCVSSActive InstallsPatched Version
CVE-2026-1743WP Advanced Forms9.83.1M3.4.2
CVE-2026-1891ElementorPro Widgets9.12.8M4.1.7
CVE-2026-2034WooCommerce Payments9.42.5M6.9.3

Combined, these vulnerabilities affect over 8 million WordPress installations worldwide. Security researchers at Wordfence confirmed active exploitation in the wild starting February 25, 2026.


NIS2 Compliance Implications

Under the EU NIS2 Directive (Directive 2022/2555), which became enforceable in October 2024, organizations classified as essential or important entities face strict obligations when vulnerabilities of this magnitude are discovered:

24-Hour Early Warning Requirement

Article 23 of NIS2 mandates that entities must submit an early warning within 24 hours of becoming aware of a significant incident. If your WordPress infrastructure has been compromised via these CVEs, the clock starts now.

72-Hour Incident Notification

A full incident notification — including severity assessment, impact analysis, and indicators of compromise — must be filed with your national CSIRT within 72 hours.

Fines and Penalties


Immediate Action Plan

Step 1: Identify Affected Assets (0–2 hours)

Step 2: Patch Immediately (2–4 hours)

Step 3: Investigate for Compromise (4–12 hours)

Step 4: NIS2 Reporting (if compromised)


Technical Deep Dive: CVE-2026-1743

The most critical of the three, CVE-2026-1743 in WP Advanced Forms, stems from insufficient input sanitization in the form processing handler. The vulnerability allows an unauthenticated attacker to inject PHP code through specially crafted multipart form data:

Attack vector: Network / No authentication required
Complexity: Low — public proof-of-concept exists
Impact: Full server compromise, lateral movement potential
EPSS Score: 0.94 (94th percentile — very high exploitation probability)

Wordfence Threat Intelligence has observed automated scanning for this vulnerability from over 12,000 unique IP addresses since February 26. Exploitation attempts increased 800% within 48 hours of public disclosure.


NIS2 Compliance Checklist for WordPress Operators

RequirementActionDeadline
Asset inventoryDocument all WordPress instances and plugin versionsImmediate
Vulnerability managementPatch or mitigate all three CVEsWithin 4 hours
Incident detectionDeploy IOC-based monitoring rulesWithin 8 hours
Early warningNotify national CSIRT if compromisedWithin 24 hours
Full notificationSubmit detailed incident reportWithin 72 hours
Supply chain reviewVerify third-party plugin security practicesWithin 1 week
Final reportComplete remediation documentationWithin 1 month

Broader Context

This incident highlights a recurring challenge: WordPress powers 43% of all websites globally, yet plugin security remains inconsistent. The NIS2 Directive now forces organizations to treat CMS vulnerabilities as potential compliance events, not just IT issues.

Key takeaways for security leaders:

Protect Your Organization with KENSAI

Get real-time vulnerability alerts, NIS2 compliance monitoring, and automated security briefings delivered to your team daily.

Start Free Trial →

Stay satisfactorily paranoid. — The KENSAI Security Team

🛡️ Is your website secure?

Discover vulnerabilities before attackers do.

Scan your website for free →