Multiple critical WordPress plugin vulnerabilities (CVE-2026-1743, CVE-2026-1891, CVE-2026-2034) expose over 8 million websites to remote code execution. NIS2-regulated companies face mandatory 24-hour incident reporting — here's your action plan.
A critical unauthenticated remote code execution vulnerability in WP Advanced Forms (versions < 3.4.2) allows attackers to execute arbitrary PHP code via crafted form submissions. Over 3 million active installations affected.
A SQL injection flaw in ElementorPro Widgets (versions < 4.1.7) enables authenticated attackers with subscriber-level access to extract full database contents, including user credentials and session tokens. 2.8 million sites at risk.
An authentication bypass in WooCommerce Payments Gateway (versions < 6.9.3) allows unauthenticated attackers to escalate to administrator privileges. 2.5 million e-commerce stores potentially compromised.
| CVE | Plugin | CVSS | Active Installs | Patched Version |
|---|---|---|---|---|
| CVE-2026-1743 | WP Advanced Forms | 9.8 | 3.1M | 3.4.2 |
| CVE-2026-1891 | ElementorPro Widgets | 9.1 | 2.8M | 4.1.7 |
| CVE-2026-2034 | WooCommerce Payments | 9.4 | 2.5M | 6.9.3 |
Combined, these vulnerabilities affect over 8 million WordPress installations worldwide. Security researchers at Wordfence confirmed active exploitation in the wild starting February 25, 2026.
Under the EU NIS2 Directive (Directive 2022/2555), which became enforceable in October 2024, organizations classified as essential or important entities face strict obligations when vulnerabilities of this magnitude are discovered:
Article 23 of NIS2 mandates that entities must submit an early warning within 24 hours of becoming aware of a significant incident. If your WordPress infrastructure has been compromised via these CVEs, the clock starts now.
A full incident notification — including severity assessment, impact analysis, and indicators of compromise — must be filed with your national CSIRT within 72 hours.
wp plugin list --status=active across all WordPress instanceswp-config.php, webshells in /uploads/The most critical of the three, CVE-2026-1743 in WP Advanced Forms, stems from insufficient input sanitization in the form processing handler. The vulnerability allows an unauthenticated attacker to inject PHP code through specially crafted multipart form data:
Attack vector: Network / No authentication required
Complexity: Low — public proof-of-concept exists
Impact: Full server compromise, lateral movement potential
EPSS Score: 0.94 (94th percentile — very high exploitation probability)
Wordfence Threat Intelligence has observed automated scanning for this vulnerability from over 12,000 unique IP addresses since February 26. Exploitation attempts increased 800% within 48 hours of public disclosure.
| Requirement | Action | Deadline |
|---|---|---|
| Asset inventory | Document all WordPress instances and plugin versions | Immediate |
| Vulnerability management | Patch or mitigate all three CVEs | Within 4 hours |
| Incident detection | Deploy IOC-based monitoring rules | Within 8 hours |
| Early warning | Notify national CSIRT if compromised | Within 24 hours |
| Full notification | Submit detailed incident report | Within 72 hours |
| Supply chain review | Verify third-party plugin security practices | Within 1 week |
| Final report | Complete remediation documentation | Within 1 month |
This incident highlights a recurring challenge: WordPress powers 43% of all websites globally, yet plugin security remains inconsistent. The NIS2 Directive now forces organizations to treat CMS vulnerabilities as potential compliance events, not just IT issues.
Key takeaways for security leaders:
Get real-time vulnerability alerts, NIS2 compliance monitoring, and automated security briefings delivered to your team daily.
Start Free Trial →Stay satisfactorily paranoid. — The KENSAI Security Team