Top/Articles/Three popular WordPress plugins hit by admin-takeover flaws, including a translation tool on 1M+ sites (CVE-2026-15005 and more) β€” update now (July 16, 2026)
wordpress-plugins-2026-07-16-privilege-escalation-roundup-cover-en

Three popular WordPress plugins hit by admin-takeover flaws, including a translation tool on 1M+ sites (CVE-2026-15005 and more) β€” update now (July 16, 2026)

On July 16, 2026, three popular WordPress plugins were disclosed to carry serious takeover flaws: the translation tool Loco Translate (1M+ installs), the phone-number login plugin Digits, and the funnel builder WPFunnels. All three can let an attacker impersonate an administrator, rated 8.8 out of 10. Updating each plugin to its latest version resolves the risk.

NewsPublished July 16, 2026 Updated today
Table of contents
Key takeaways

On July 16, 2026, three popular WordPress plugins were disclosed to carry serious takeover flaws: the translation tool Loco Translate (1M+ installs), the phone-number login plugin Digits, and the funnel builder WPFunnels. All three can let an attacker impersonate an administrator, rated 8.8 out of 10. Updating each plugin to its latest version resolves the risk.

On July 16, 2026, three popular WordPress plugins were disclosed to carry serious flaws that can lead to a site takeover. All three rate 8.8 out of 10 for severity, and under the right conditions an attacker can impersonate an administrator and control the site at will.

The affected plugins are the translation helper "Loco Translate" (running on more than 1 million sites worldwide), "Digits," which lets users sign up and log in with a phone number, and "WPFunnels," which builds marketing funnel pages. Their purposes differ, but the danger is the same: administrator privileges you were never meant to touch can be taken over.

The bottom line first: the fix in every case is simply to update each plugin to its latest version. None have confirmed real-world attacks yet, but once the details are public, updating sooner is safer. We walk through what happens, whether your site is affected, and how to fix it. WordPress plugin flaws surface almost weekly β€” just days ago, 28 of them were disclosed at once on July 13.

What happened across the three plugins

The three flaws split into two broad types. In one, a user registered with a low-level role can raise their own privileges to administrator on their own (Digits and WPFunnels). In the other, an attacker who is not logged in tricks an administrator into opening a crafted page and runs code on the server (Loco Translate).

Both share the same end goal: gaining "the same power as the site's owner." Once administrator privileges are taken, an attacker can effectively do anything β€” tamper with posts, plant fake pages, harvest member data, or embed other malicious code. That is why the severity lands at a high 8.8.

All three are problems in WordPress plugins (add-ons), not in WordPress core. So sites that do not have these plugins installed are unaffected. The starting point is to check whether your site has any of them and, if so, what version.

At-a-glance: affected plugins and fixes

Here are the three side by side so you can judge at a glance whether your site is affected. If your version falls under "Affected versions," update to the "Fixed version" immediately to its right.

PluginMain useInstall baseAffected versionsFixed versionSeverity
Loco TranslateEditing translations1M+ sites2.8.5 and below2.8.6 or later
(latest is 2.8.7)
8.8
DigitsPhone-number loginPaid; widely sold9.1.0.5 and belowVendor's latest8.8
WPFunnelsFunnel page builder6,000+ sites3.12.8 and below3.12.9 or later8.8

The "8.8" severity comes from CVSS, the shared yardstick that scores a flaw's severity out of 10. It falls just short of the 9.0-plus "Critical" band, but it sits firmly in the "High" range β€” not a number to put off.

Who targets this, and why

The people who abuse these flaws are someone who can register on the site as an ordinary member (a low-level role such as subscriber), or an attacker who can get a site administrator to click a crafted link. Any shop or membership site that accepts sign-ups keeps that "someone who can register" door permanently open.

What that person does is use the foothold they gained to promote themselves to administrator, or run any program they like on the server. With Digits and WPFunnels, a low-privilege account can jump straight to administrator. With Loco Translate, an attacker who is not logged in tricks an administrator into opening a crafted page, which pushes malicious code onto the server.

Once administrator access is reached, the damage stops being the operator's problem alone. Attackers can show visitors fake login or checkout pages to steal information, or use the site as a springboard for further attacks, so ordinary visitors are harmed too. In the past, privilege-escalation flaws have been targeted in waves β€” as seen in the takeover cases in the miniOrange login plugins.

The three flaws in detail

Here is each one individually, with some technical background. You can read only the entry for the plugin you use.

CVE-2026-15005: Arbitrary code execution in Loco Translate (1M+ sites)

Loco Translate is a staple tool for editing theme and plugin translations straight from the WordPress dashboard, installed on more than 1 million sites. This flaw (CVE-2026-15005) stems from a missing check β€” the one-time token (a nonce) that confirms "is this really a legitimate action" β€” in the internal handling of translation files.

Exploiting that gap, an attacker only needs to get an administrator to open a crafted page to invoke the translation routine while impersonating a legitimate action. By further abusing a special php://filter directive, they can ultimately run arbitrary PHP code on the server. No login credentials are needed; the trigger is an administrator carelessly clicking a link. Versions 2.8.5 and below are affected, and updating to 2.8.6 or later (the current latest is 2.8.7) resolves it.

CVE-2026-13741: Escalation to administrator in Digits (phone-number login)

Digits is a paid plugin that lets users register and log in with a mobile phone number instead of an email address. This flaw (CVE-2026-13741) arises because the internal routine that updates user information did not validate the "role" value sent to it.

As a result, a user who registered with a low-level role such as subscriber can slip a forged role value into an update request and promote themselves to administrator. On sites that leave sign-ups open, anyone can reach that door. Versions 9.1.0.5 and below are affected, and you need to update to the latest version released by the developer (UnitedOver). Because Digits updates come through its distributor, apply the latest version via the marketplace you bought it from or the license link in your dashboard.

CVE-2026-15103: Privilege escalation in WPFunnels (funnel page builder)

WPFunnels builds sales funnels and post-purchase upsell pages for WooCommerce, and it runs on more than 6,000 sites. This flaw (CVE-2026-15103) comes from a settings-update REST API routine that passed a received parameter into the internal settings save without checking it against an allow list.

Abusing this, a user with enough privilege to manage funnels can improperly rewrite the setting that governs user roles and raise their own privileges. Versions 3.12.8 and below are affected, and updating to 3.12.9 or later resolves it. WPFunnels has had other serious flaws reported before, so it is a plugin where keeping the latest version at all times matters especially.

What to do right now

The task is simple. From the WordPress dashboard, check and act in the following order.

StepWhat to do
1. CheckOn the Plugins screen, look for the
three plugins and their versions
2. UpdateIf affected, update to the fixed version
(Digits via its distributor)
3. InspectCheck for unfamiliar administrator
accounts that were added
4. PreventEnable auto-updates and review
whether open sign-ups are needed

Sites that leave member sign-ups open should update first, since the privilege escalation in Digits and WPFunnels is more likely to become a real threat there. After updating, it is reassuring to confirm that no unfamiliar accounts have been added to the administrator list. If you find a suspicious account or tampering, consider resetting all passwords and restoring from backup.

As everyday preparation, delete plugins you no longer use and enable auto-updates on the ones you keep. As we have noted repeatedly in past WordPress plugin vulnerability roundups, "installed and forgotten" tends to be the biggest risk.

Bottom line

The three flaws disclosed on July 16, 2026 differ in purpose but share the same danger: administrator privileges can be taken over. Loco Translate in particular is a staple used on more than 1 million sites, so its reach is wide. None have confirmed attacks yet, but disclosed vulnerabilities grow easier to exploit over time.

What you need to do is only "update the affected plugin to its latest version" β€” nothing difficult. Handle sites that accept sign-ups first, and treat inspecting your administrator accounts after updating as the final step. As new information or confirmed attacks emerge, we will add them to this article.

Sources

avatar-m-1

Makoto Horikawa

Backend Engineer / AWS / Django