Security Advisory · Published 2026-05-28
Three CVSS 9.9 WordPress Vulns in One Day - And They're All Different Plugins
Today's batch from Patchstack is brutal. Three separate WordPress plugins, three separate vulnerabilities, all scoring CVSS 9.9. That's not a typo. When I saw the first one I figured it was a bad day for one plugin developer. Then the second dropped. Then the third. Three different codebases, three different attack vectors, all independently hitting near-perfect severity scores.
If you manage more than one WordPress site, statistically at least one of your sites is running one of these plugins. Let's go through them.
The three CVEs
CVE-2026-42748 - Unrestricted File Upload (CVSS 9.9)
Classic unrestricted file upload. The plugin accepts file uploads through a form handler without properly validating file types. An attacker uploads a PHP webshell disguised as an image or document, and the server stores it in a web-accessible directory. If PHP execution is allowed there, the upload becomes a web shell.
What makes this 9.9 instead of 9.8: the scope is changed (S:C in the CVSS vector), meaning a successful exploit affects resources beyond the vulnerable component. In plain English: compromising the WordPress plugin gives access to everything on the server, not just WordPress.
CVE-2026-42756 - Path Traversal (CVSS 9.9)
Path traversal means the attacker can read or write files outside the intended directory. In this case, it's paired with enough access to write arbitrary content to arbitrary paths on the filesystem. That's effectively the same as RCE - write a PHP file to a web-accessible location and execute it.
The terrifying part: path traversal vulnerabilities are often missed by WAFs because the payloads look like normal file operations, with ../ sequences that can be encoded a dozen different ways.
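To show why a literal grep for "../.." is not enough, here is an added shell example (my own, not from the advisory or Patchstack) that normalizes each access-log line before matching: it lower-cases, undoes double encoding (%252e), decodes the percent-encoded forms of '.', '/' and '\', maps the overlong UTF-8 slash (%c0%af) to '/', and folds backslashes to slashes. The log lines it scans are constructed samples; the IP, paths and plugin name in them are made up.

```shell
# Added example (not from the advisory): flag directory-traversal attempts in access
# logs after undoing the encodings that a literal grep for "../.." misses.
# Assumes POSIX sh with sed, tr and wc; the log lines below are constructed samples.

# Normalize one string: lower-case, undo double encoding (%25 -> %), decode the
# percent-encoded forms of '.', '/' and '\', map the overlong UTF-8 slash (%c0%af)
# to '/', and fold backslashes to forward slashes.
normalize_path_string() {
    printf '%s' "$1" | tr 'A-Z' 'a-z' | sed \
        -e 's/%25/%/g' \
        -e 's/%2e/./g' \
        -e 's/%2f/\//g' \
        -e 's/%c0%af/\//g' \
        -e 's/%5c/\//g' \
        -e 's/\\/\//g'
}

# Exit 0 when the normalized string contains a traversal sequence ("../" or "..;").
is_traversal() {
    case "$(normalize_path_string "$1")" in
        *../*|*"..;"*) return 0 ;;
    esac
    return 1
}

# Read log lines on stdin and print every original line that carries a traversal sequence.
scan_log_for_traversal() {
    while IFS= read -r line; do
        is_traversal "$line" && printf '%s\n' "$line"
    done
    return 0
}

# Number of hits in the log read on stdin.
count_traversal_hits() {
    scan_log_for_traversal | wc -l | tr -d ' '
}

# Constructed sample log (combined log format): four traversal attempts, three benign requests.
sample_access_log() {
    cat <<'EOF'
203.0.113.5 - - [28/May/2026:10:01:02 +0000] "GET /wp-content/plugins/example/download.php?file=../../wp-config.php HTTP/1.1" 200 812
203.0.113.5 - - [28/May/2026:10:01:03 +0000] "GET /wp-content/plugins/example/download.php?file=%2e%2e%2f%2e%2e%2fwp-config.php HTTP/1.1" 200 812
203.0.113.5 - - [28/May/2026:10:01:04 +0000] "GET /wp-content/plugins/example/download.php?file=%252e%252e%252fetc%252fpasswd HTTP/1.1" 403 0
203.0.113.5 - - [28/May/2026:10:01:05 +0000] "GET /wp-content/plugins/example/download.php?file=..%5c..%5cwp-config.php HTTP/1.1" 200 812
198.51.100.7 - - [28/May/2026:10:02:00 +0000] "GET /wp-content/uploads/2026/05/report.pdf HTTP/1.1" 200 5120
198.51.100.7 - - [28/May/2026:10:02:01 +0000] "GET /?s=hello..world HTTP/1.1" 200 9000
198.51.100.7 - - [28/May/2026:10:02:02 +0000] "GET /wp-content/plugins/example/download.php?file=docs%2Fguide.pdf HTTP/1.1" 200 2048
EOF
}

# Demo on the constructed log; against a real server use e.g.
#   scan_log_for_traversal < /var/log/nginx/access.log
sample_access_log | scan_log_for_traversal
```

Only the first sample line would be caught by grepping for a literal "../.."; the other three are the same request in different encodings. A WAF that does not normalize before matching has the same blind spot, which is why the file-system checks in the next section matter even when a WAF is in front of the site.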
CVE-2026-42757 - Path Traversal (CVSS 9.9)
Same attack class as 42756, different plugin. This tells me there's likely a common coding pattern in the WordPress plugin ecosystem that developers keep getting wrong: taking user input and using it to construct file paths without sanitization.
Check your sites right now
The plugin names will be fully disclosed in the NVD CPE data within 48-72 hours. In the meantime, here's what you can do:
Update everything
# Update all plugins on a single site
wp plugin update --all
# For multiple sites, use a loop (adjust paths):
for site in /var/www/*/; do
echo "=== Updating: $site ==="
wp plugin update --all --path="$site" 2>/dev/null
done
# Check Patchstack's database for affected plugins
# https://patchstack.com/database/

Check for signs of exploitation
# PHP files in uploads directory = almost certainly a webshell
find wp-content/uploads/ -name "*.php" -o -name "*.phtml" -o -name "*.phar" | head -20
# Recently modified PHP files outside of updates
find wp-content/plugins/ -name "*.php" -mtime -2 -newer wp-includes/version.php
# Path traversal artifacts - look for files in unexpected places
find /tmp -name "*.php" -newer /etc/passwd 2>/dev/null
find /var/tmp -name "*.php" 2>/dev/null
# Check access logs for traversal attempts
grep -r "\.\./\.\." /var/log/apache2/ /var/log/nginx/ 2>/dev/null | tail -20

Harden upload directories
# Prevent PHP execution in uploads (add to .htaccess in wp-content/uploads/)
cat > wp-content/uploads/.htaccess << 'EOF'
<FilesMatch "\.(?:php|phtml|phar|php5|php7)$">
Require all denied
</FilesMatch>
EOF
# For Nginx, add to your server block:
# location ~* /uploads/.*\.php$ {
# deny all;
# }

This won't fix the vulnerability, but it prevents the most common exploitation path (uploading a PHP webshell to the uploads directory).
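The find above only catches files whose name ends in a PHP extension, and the FilesMatch rule only blocks those same extensions. This added shell example (mine, not from the advisory) audits an uploads directory both ways: by name (including double extensions such as notes.php.txt) and by content (a PHP open tag inside a file named .jpg, the "webshell disguised as an image" case from CVE-2026-42748), and confirms the .htaccess deny rule from the section above is actually present. The sample tree it builds is constructed; the file names in it are made up.

```shell
# Added example (not from the advisory): audit a WordPress uploads directory for
# files that would execute as PHP and confirm the .htaccess deny rule is in place.
# Assumes POSIX sh with find, head and grep -a; the sample tree is constructed below.

# Files whose name carries a PHP-executable extension, including double extensions
# such as shell.php.jpg that some misconfigured servers still hand to the PHP interpreter.
find_php_by_name() {
    find "$1" -type f \( -iname '*.php' -o -iname '*.php[0-9]' -o -iname '*.phtml' \
        -o -iname '*.phar' -o -iname '*.php.*' -o -iname '*.phtml.*' \) 2>/dev/null
}

# Files of any name whose first 1 KiB contains a PHP open tag, e.g. PHP code stored as .jpg.
find_php_by_content() {
    find "$1" -type f 2>/dev/null | while IFS= read -r f; do
        if head -c 1024 "$f" | grep -aq -e '<?php' -e '<?='; then
            printf '%s\n' "$f"
        fi
    done
}

# Combined, de-duplicated list of suspicious files under the uploads directory.
audit_uploads() {
    { find_php_by_name "$1"; find_php_by_content "$1"; } | sort -u
}

count_suspicious_uploads() {
    audit_uploads "$1" | wc -l | tr -d ' '
}

# True when the uploads .htaccess carries a FilesMatch rule that denies PHP extensions.
uploads_htaccess_denies_php() {
    h="$1/.htaccess"
    [ -f "$h" ] && grep -qi 'FilesMatch.*php' "$h" \
        && grep -qiE 'Require all denied|Deny from all' "$h"
}

# Install the same rule the advisory recommends.
install_uploads_htaccess() {
    cat > "$1/.htaccess" <<'EOF'
<FilesMatch "\.(?:php|phtml|phar|php5|php7)$">
Require all denied
</FilesMatch>
EOF
}

# Build a constructed sample tree: two clean files and three that should be flagged.
build_sample_uploads() {
    mkdir -p "$1/2026/05"
    printf '\377\330\377\340 constructed JPEG header, no code\n' > "$1/2026/05/photo.jpg"
    printf '%%PDF-1.4 constructed sample\n' > "$1/2026/05/report.pdf"
    printf '<?php echo "constructed sample"; // flagged by extension\n' > "$1/2026/05/shell.php"
    printf '<?php echo "constructed sample"; // PHP tag hiding behind .jpg\n' > "$1/2026/05/avatar.jpg"
    printf 'plain text; flagged by the .php.txt double extension\n' > "$1/2026/05/notes.php.txt"
}

# Usage on a live site:
#   audit_uploads /var/www/example/wp-content/uploads
#   uploads_htaccess_denies_php /var/www/example/wp-content/uploads || echo "no deny rule"
```

Treat any hit from the content scan as seriously as a bare .php file: an image that starts with "<?php" was never an image, and it only takes a handler that includes the file by path for it to run regardless of extension. The .htaccess check matters on Apache only; on Nginx the equivalent is the location block above.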
Why Patchstack keeps finding these
Multiple 9.0+ WordPress CVEs in one day usually point to the same handful of plugin coding patterns, which keep showing up across unrelated codebases:
- File uploads without type validation
- Path construction from user input without sanitization
- Privilege checks that only verify a nonce, not actual capabilities
- SQL queries built with string concatenation instead of prepared statements
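Until the affected plugin names land in NVD, a grep over the installed plugin sources for those four patterns is a reasonable way to rank which plugins deserve a closer look. This added shell example (mine, not from the advisory, and not a substitute for a real code review) flags request data used on the same line as a filesystem call, $wpdb calls that interpolate or concatenate without prepare(), files that store uploads without any wp_check_filetype* call, and files that verify a nonce but never call current_user_can. The two plugin files it audits are constructed samples the script writes itself; the function and table names in them are made up.

```shell
# Added example (not from the advisory): grep-based triage of plugin source for the
# four patterns listed above. Assumes POSIX sh with find, grep -E and awk; the two
# plugin files it audits are constructed samples written by build_sample_plugins.

# Prefix each grep hit with the file name and a category tag.
tag_findings() { awk -v f="$1" -v c="$2" '{ print f ":" c ":" $0 }'; }

# Print one line per finding: file:CATEGORY:lineno:source (lineno 0 for whole-file findings).
audit_plugin_sources() {
    find "$1" -type f -name '*.php' 2>/dev/null | while IFS= read -r f; do
        # Request data spliced into a filesystem call on the same line.
        grep -nE '(readfile|file_get_contents|file_put_contents|unlink|fopen|copy|rename|include|include_once|require|require_once)[[:space:]]*\(?.*\$_(GET|POST|REQUEST|COOKIE)\[' "$f" \
            | tag_findings "$f" PATH_FROM_INPUT
        # $wpdb calls that interpolate or concatenate variables without prepare().
        grep -nE '\$wpdb->(query|get_results|get_var|get_row|get_col)[[:space:]]*\(.*("[^"]*\$[A-Za-z_]|\.[[:space:]]*\$)' "$f" \
            | grep -v 'prepare(' | tag_findings "$f" SQL_CONCAT
        # Upload handling with no wp_check_filetype* call anywhere in the file.
        if grep -qE "move_uploaded_file|'test_type'[[:space:]]*=>[[:space:]]*false" "$f" \
           && ! grep -q 'wp_check_filetype' "$f"; then
            printf '%s\n' "$f:UPLOAD_NO_TYPE_CHECK:0:"
        fi
        # Nonce verified but no capability check anywhere in the file.
        if grep -qE 'wp_verify_nonce|check_ajax_referer|check_admin_referer' "$f" \
           && ! grep -q 'current_user_can' "$f"; then
            printf '%s\n' "$f:NONCE_ONLY:0:"
        fi
    done
}

# Constructed samples: one file with all four risky patterns, one with the safer equivalents.
build_sample_plugins() {
    mkdir -p "$1/risky" "$1/safer"
    cat > "$1/risky/risky.php" <<'EOF'
<?php
// Constructed sample of the risky patterns; not a real plugin.
function ex_download() {
    check_ajax_referer( 'ex_nonce' ); // verifies the nonce but never checks a capability
    readfile( plugin_dir_path( __FILE__ ) . 'exports/' . $_GET['file'] ); // request value spliced into a path
}
function ex_save_note() {
    global $wpdb;
    $wpdb->query( "UPDATE ex_notes SET body = '" . $_POST['body'] . "'" ); // SQL built by concatenation
}
function ex_store_upload() {
    move_uploaded_file( $_FILES['doc']['tmp_name'], plugin_dir_path( __FILE__ ) . 'docs/' . $_FILES['doc']['name'] ); // stored without validating its type
}
EOF
    cat > "$1/safer/safer.php" <<'EOF'
<?php
// Constructed sample of the safer patterns, for contrast.
function ok_download() {
    if ( ! current_user_can( 'manage_options' ) || ! check_ajax_referer( 'ok_nonce', false, false ) ) { return; }
    $name = sanitize_file_name( basename( $_GET['file'] ) );
    $base = realpath( plugin_dir_path( __FILE__ ) . 'exports' );
    $path = realpath( $base . '/' . $name );
    if ( $path !== false && strpos( $path, $base . '/' ) === 0 ) { readfile( $path ); }
}
function ok_save_note() {
    global $wpdb;
    $body = wp_kses_post( $_POST['body'] );
    $wpdb->query( $wpdb->prepare( "UPDATE {$wpdb->prefix}notes SET body = %s", $body ) );
}
function ok_store_upload() {
    $info = wp_check_filetype_and_ext( $_FILES['doc']['tmp_name'], $_FILES['doc']['name'] );
    if ( empty( $info['ext'] ) ) { return; }
    move_uploaded_file( $_FILES['doc']['tmp_name'], plugin_dir_path( __FILE__ ) . 'docs/' . sanitize_file_name( $_FILES['doc']['name'] ) );
}
EOF
}

# Usage on a live site:  audit_plugin_sources /var/www/example/wp-content/plugins
```

The checks are line-based, so a value copied into a local variable before it reaches the sink will slip past the first two patterns, and a plugin that does its capability check in a different file will show up as NONCE_ONLY; read the output as a priority list for review, not as a verdict. The safer sample shows the shape of the fixes: realpath-and-prefix check for paths, $wpdb->prepare for queries, wp_check_filetype_and_ext before storing an upload, and current_user_can alongside the nonce.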
If you're running WordPress in production for clients, monthly updates aren't enough. You need daily monitoring of the Patchstack database and the ability to deploy patches within hours, not days.
Need help staying on top of this?
I publish daily CVE alerts through our Telegram channel and can set up automated monitoring for your specific plugin stack. If any of your plugins get hit, you'll know within the hour - not next Tuesday when you remember to check.
- Free: Join our Telegram CVE alerts - real-time, no spam
- Emergency patching: Same-day for critical vulns, $99 per site
- Monthly WordPress security: $49/mo - daily scans + priority patching + incident response
References
- NVD: CVE-2026-42748
- NVD: CVE-2026-42756
- NVD: CVE-2026-42757
- Patchstack Vulnerability Database
- CWE: Unrestricted Upload of File with Dangerous Type, Path Traversal