Four WordPress plugins hit with critical takeover flaws: CVE-2026-48866 and 3 more
Four popular WordPress plugins were hit with critical flaws (up to CVSS 9.8): file deletion in Gravity Forms (CVE-2026-48866) and unauthenticated site takeover in Contest Gallery, wpForo and AIWU. Who's affected and what to update now.

Makoto Horikawa
Backend Engineer / AWS / Django
Four widely used plugins for WordPress, the software behind a huge share of business and personal websites, have just been hit with serious flaws that could let attackers take over a site or wipe its files. The vulnerabilities were disclosed on June 1, 2026 (US time) by Patchstack, which tracks WordPress security issues, and the most severe scores 9.8 out of 10 on the CVSS severity scale. The list includes CVE-2026-48866 in the popular contact-form plugin Gravity Forms.
Three of the four can be exploited without logging in (unauthenticated), and most are "privilege escalation" flaws that hand an attacker administrator-level control of the site. WordPress powers more than 40% of all websites worldwide, so the number of sites running at least one of these plugins is enormous. This article walks through which plugins are affected, what an attacker can do, and what you should do right now.
The four vulnerabilities at a glance
Here are the four flaws disclosed together. The most severe are the unauthenticated privilege-escalation bugs (CVSS 9.8), followed by the Gravity Forms file-deletion flaw (9.6). All four shipped with a fix at the same time, so affected sites can close the hole simply by updating.
| ID | Plugin | Flaw type | Severity | Login needed? | Affected | Fixed in |
|---|---|---|---|---|---|---|
| CVE-2026-42680 | Contest Gallery Pro | Privilege escalation | 9.8 (Critical) | No (anyone) | ≤ 29.0.1 | 29.0.2 |
| CVE-2026-48879 | AIWU | Privilege escalation | 9.8 (Critical) | No (anyone) | ≤ 1.4.17 | 1.4.19 |
| CVE-2026-48866 | Gravity Forms | Arbitrary file deletion | 9.6 (Critical) | No + user action | ≤ 2.10.0.1 | 2.10.1 |
| CVE-2026-42682 | wpForo Forum | Broken access control | 9.1 (Critical) | No (anyone) | ≤ 3.0.6 | 3.0.7 |
"Privilege escalation" means someone with no real permissions tricks the site into handing them a powerful role, such as administrator. "Unauthenticated" means they can do it without even logging in, and the two together are the worst-case combination. Each flaw is explained one by one below.
The front-door key was handed to anyone walking past
The most dangerous thing about these four flaws is that three of them need no login at all: the moment one is triggered, the attacker walks off with administrator control of the site. The people who hunt for this are fraud crews that bolt fake payment screens onto hijacked sites, operators who mass-produce spam and counterfeit-goods pages, SEO-poisoning operators who slip malicious pages into search results, and ransomware gangs after a payout. A compromised site is sitting on the names, addresses and phone numbers typed into contact forms, members' login emails and passwords, order histories and card details on stores, and the keys to the admin dashboard itself. Once an unauthenticated privilege escalation is triggered, the administrator's chair that guarded all of that is handed wholesale to a stranger.
Taking the admin chair is rarely where it ends. The attacker plants a hidden backdoor, overlays fake input fields on the homepage or checkout, and skims visitors' card numbers as they type. The stolen customer list is sold on dark-web markets, and a convincing "there's a problem with your order" phishing email then lands using exactly that list — so one site's fall chains into the takeover of each of its customers' accounts. The Gravity Forms file-deletion flaw can delete the core files that run the site, knock the whole thing offline, and become leverage for a ransom demand.
And the cleanup falls back on the company or person running the site. A customer-data leak triggers a legal duty to notify the individuals and report to data-protection authorities; a defaced page that spreads malware brings victim support and even damage claims. If search engines flag the site as "dangerous," the traffic and ranking built up over years vanish at once. A CVSS score of 9.8 does not capture that lost trust or recovery cost. Whether you update a single plugin promptly is what decides whether you carry that weight.
Why WordPress "plugins" get targeted in the first place
WordPress is free software that lets people build and update a site without deep technical skills, and its hallmark is that you can add features later. Those add-on features are plugins — contact forms, photo galleries, forums, online stores and tens of thousands more. The catch is that plugins are each built by outside developers, so even when WordPress core is safe, a hole in a plugin can open the whole site to takeover.
For attackers, plugin flaws are an efficient target. The same plugin sits in the same form across tens or hundreds of thousands of sites, so one flaw can be exploited mechanically against all of them. Patchstack notes that the wpForo flaw is expected to be abused in mass-exploitation campaigns regardless of site size. That "reusable hole" is why plugin vulnerabilities, rather than WordPress core, are reported almost every week. We have covered the same pattern before in WPCode and ACF Extended.
All four were reported to Patchstack by security researchers through a bug-bounty process, and the vendors released fixes before going public. In other words, these are not "zero-days" exploited before a patch exists — the fix is already available. The flip side is that attackers will only now start building exploits from the published details, so the sooner you update, the safer; the longer you wait, the more dangerous. It is a race against the clock.
CVE-2026-42680: admin takeover via the photo-contest plugin "Contest Gallery Pro"
The first flaw, CVE-2026-42680, is in "Contest Gallery Pro," a paid plugin for running photo contests and member galleries. It is a privilege-escalation (incorrect privilege assignment) flaw rated CVSS 9.8. According to the Patchstack advisory, an unauthenticated attacker can raise a low-privilege account to a stronger role, ultimately leading to full site takeover.
Versions 29.0.1 and earlier are affected; the vendor fixed it in 29.0.2. The flaw was found by researcher daroo. If you use this plugin on a membership or fan-community site, update it first.
CVE-2026-48879: privilege escalation in the AI writing plugin "AIWU"
The second flaw, CVE-2026-48879, is in "AIWU (AI Copilot Content Generator)," a plugin that auto-generates articles and text with AI. It is also a privilege-escalation flaw, rated CVSS 9.8. The Patchstack advisory says an attacker can raise a low-privilege account without logging in and fully take over the site.
Versions 1.4.17 and earlier are affected, fixed in 1.4.19. It was also found by daroo. A plugin installed to mass-produce articles with AI can, ironically, become the way into the site. If you use it, update immediately.
CVE-2026-48866: site files deleted via the popular "Gravity Forms"
The third flaw, CVE-2026-48866, is in "Gravity Forms," a paid plugin widely used to build contact and application forms on business sites. It is an "arbitrary file deletion (path traversal)" flaw rated CVSS 9.6. According to the Patchstack advisory, an attacker can delete files on the site, and if core files that run the site are deleted, the display breaks and the site can stop functioning.
Unlike the other three, this one needs a "user action" — getting a user to click a malicious link the attacker prepared — so even though no login is required, it takes an extra step. It still rates 9.6 because the flaw sits in a form, an entry point touched by countless outside visitors. Affected versions are 2.10.0.1 and earlier; the fix is 2.10.1, credited to daroo. Note that Gravity Forms also suffered a 2025 incident where malware was injected into the official download files, so sites using it should make a habit of checking update notices.
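The "arbitrary file deletion (path traversal)" class described above is, in general terms, a file-removal routine that accepts a path from a request without confining it to the directory it is meant to serve. The following is an added example of the defensive check for that class; it is written in Python for illustration and is not Gravity Forms' own code (the plugin is PHP, and the page does not describe its internal logic). The base directory, file names and sample paths are assumed for the demonstration.

```python
import os
import posixpath
import tempfile


def resolve_within(base_dir, candidate):
    """Return the normalized absolute path if `candidate` stays inside
    `base_dir`, otherwise None. Pure string logic (posixpath), so it is
    deterministic and unit-testable; symlinks are handled on disk in
    safe_delete() via realpath."""
    if "\x00" in candidate:
        return None  # embedded NUL can truncate paths in lower layers
    base = posixpath.normpath(base_dir)
    if not base.startswith("/"):
        raise ValueError("base_dir must be absolute")
    # Treat a leading "/" in user input as relative to the base, never as root.
    target = posixpath.normpath(posixpath.join(base, candidate.lstrip("/")))
    # Refuse the base directory itself and anything that normalizes outside it.
    if target == base or not target.startswith(base + "/"):
        return None
    return target


def safe_delete(base_dir, candidate):
    """Delete a file only if both the textual path and the realpath (after
    symlink resolution) are inside base_dir. Returns True if a file was
    removed, False if nothing existed there; raises ValueError on escape."""
    target = resolve_within(base_dir, candidate)
    if target is None:
        raise ValueError(f"refusing to delete outside {base_dir}: {candidate!r}")
    real_base = os.path.realpath(base_dir)
    real_target = os.path.realpath(target)
    # A symlink inside the uploads dir could still point at wp-config.php;
    # commonpath on the resolved paths catches that case.
    if os.path.commonpath([real_base, real_target]) != real_base:
        raise ValueError(f"symlink escapes {base_dir}: {candidate!r}")
    if not os.path.isfile(real_target):
        return False
    os.remove(real_target)
    return True


if __name__ == "__main__":
    # Constructed demo: a throwaway "uploads" directory (assumed layout).
    with tempfile.TemporaryDirectory() as uploads:
        path = os.path.join(uploads, "2026", "06")
        os.makedirs(path)
        with open(os.path.join(path, "photo.jpg"), "w") as fh:
            fh.write("x")
        print("in-tree delete:", safe_delete(uploads, "2026/06/photo.jpg"))
        for bad in ["../../wp-config.php", "/etc/passwd", ""]:
            try:
                safe_delete(uploads, bad)
            except ValueError as exc:
                print("rejected:", exc)
```

The string check alone is not enough on a real server, which is why `safe_delete` re-checks the resolved path: a symlink planted inside the allowed directory would pass `resolve_within` but fail the `commonpath` test.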
CVE-2026-42682: broken access control in the forum plugin "wpForo Forum"
The fourth flaw, CVE-2026-42682, is in "wpForo Forum," which lets you build a discussion forum inside a site. It is a "broken access control (missing authorization, authentication or nonce check)" flaw rated CVSS 9.1. The Patchstack advisory explains that an action meant only for privileged accounts can be performed by an unauthenticated third party.
As noted, Patchstack expects this flaw to be abused in mass-exploitation campaigns regardless of site size, making it a high-alert case. Affected versions are 3.0.6 and earlier; the fix is 3.0.7, credited to Tiago Ventura (@perses). If you run a community forum where users can post, update it right away.
No exploitation reported yet, but don't drop your guard
Here is what is confirmed versus what is still uncertain. Reading both the reassuring and the worrying signals correctly helps set your priorities.
Confirmed facts
- ✓ All four vendors have released a fix (Patchstack)
- ✓ As of June 1, 2026, none are listed in CISA's Known Exploited Vulnerabilities (KEV) catalog
- ✓ Three of the four need no login; the top severity is CVSS 9.8
Still uncertain (watch closely)
- ? Whether exploit code will circulate — now that details are public, attackers' tooling may follow
- ? wpForo is predicted by Patchstack to be "abused in mass campaigns" — not yet observed in the wild
WordPress plugin privilege-escalation flaws have repeatedly become targets of automated mass scanning soon after disclosure. "No reports of exploitation now" does not mean "safe from here on." Updating while you can still close the hole before attacks spread is the surest defense.
What site administrators should check now
The top priority is checking whether you use any of the four plugins and, if so, updating to the fixed version. From the WordPress dashboard, open "Plugins" to see every installed plugin and its current version. The safe latest versions are Contest Gallery Pro 29.0.2, AIWU 1.4.19, Gravity Forms 2.10.1, and wpForo Forum 3.0.7. Even if auto-update is on, confirm by sight that it has actually applied.
If you have plugins you no longer use but left deactivated, this is a good time to delete them. Even when deactivated, files left on the server can become a foothold for attacks. While you are at it, check whether any unfamiliar administrator accounts have appeared, or whether suspicious pages have crept into your site or search results — that helps catch a breach early if one has already happened.
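For sites managed from the command line, the dashboard check above can be scripted. The following is an added example, not code from the article or from any of the plugin vendors: it reads the JSON that WP-CLI prints for `wp plugin list --format=json` and `wp user list --role=administrator --format=json`, flags any of the four plugins still below the fixed version (active or deactivated), and lists administrator logins that are not on an allowlist you maintain. The `gravityforms` and `wpforo` slugs are the real ones; the Contest Gallery Pro and AIWU slugs are assumed placeholders, and the sample JSON is constructed rather than taken from a real site.

```python
import json

# Fixed versions as reported in the article. Slugs for Contest Gallery Pro and
# AIWU are ASSUMED placeholders; confirm them on your own Plugins page.
FIXED_VERSIONS = {
    "gravityforms": ("Gravity Forms", "2.10.1"),
    "wpforo": ("wpForo Forum", "3.0.7"),
    "contest-gallery-pro": ("Contest Gallery Pro", "29.0.2"),  # assumed slug
    "aiwu": ("AIWU", "1.4.19"),                                 # assumed slug
}


def parse_version(version):
    """Turn '2.10.0.1' into (2, 10, 0, 1) so comparison is numeric per
    component; a plain string compare would put '2.9' above '2.10'."""
    parts = []
    for piece in version.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_below(installed, fixed):
    """True when installed is strictly older than fixed. Both tuples are
    zero-padded to the same length so '2.10.1' equals '2.10.1.0'."""
    a, b = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def vulnerable_plugins(plugin_list_json):
    """Return entries from `wp plugin list --format=json` that are one of the
    four plugins and still sit below the fixed version, regardless of status
    (a deactivated copy left on disk still needs updating or removing)."""
    findings = []
    for entry in json.loads(plugin_list_json):
        slug = entry.get("name", "")
        if slug not in FIXED_VERSIONS:
            continue
        label, fixed = FIXED_VERSIONS[slug]
        installed = entry.get("version", "0")
        if is_below(installed, fixed):
            findings.append({"plugin": label, "slug": slug, "installed": installed,
                             "fixed": fixed, "status": entry.get("status", "unknown")})
    return findings


def unexpected_admins(user_list_json, known_logins):
    """Return administrator logins from `wp user list --role=administrator
    --format=json` that are not on the allowlist the site owner maintains."""
    known = set(known_logins)
    return sorted(u["user_login"] for u in json.loads(user_list_json)
                  if u.get("user_login") not in known)


# Constructed sample output in the shape WP-CLI prints (not from a real site).
SAMPLE_PLUGINS = json.dumps([
    {"name": "gravityforms", "status": "active", "update": "available", "version": "2.10.0.1"},
    {"name": "wpforo", "status": "inactive", "update": "none", "version": "3.0.7"},
    {"name": "aiwu", "status": "active", "update": "available", "version": "1.4.17"},
    {"name": "akismet", "status": "active", "update": "none", "version": "5.3"},
])
SAMPLE_ADMINS = json.dumps([
    {"ID": 1, "user_login": "siteowner", "user_email": "owner@example.com", "roles": "administrator"},
    {"ID": 57, "user_login": "wp_support_tmp", "user_email": "x@example.net", "roles": "administrator"},
])
KNOWN_ADMINS = ["siteowner"]  # constructed allowlist

if __name__ == "__main__":
    for f in vulnerable_plugins(SAMPLE_PLUGINS):
        print(f"UPDATE {f['plugin']} ({f['status']}): {f['installed']} -> {f['fixed']}")
    for login in unexpected_admins(SAMPLE_ADMINS, KNOWN_ADMINS):
        print(f"REVIEW administrator account not on allowlist: {login}")
```

Feed it real output with `wp plugin list --format=json > plugins.json` and `wp user list --role=administrator --format=json > admins.json`; anything it prints under UPDATE needs the fixed version today, and any REVIEW line is an account to explain before you trust the site.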
If you outsource the build or operation, asking your provider about their response is the fastest route. To track flaws in products widely used by Japanese companies and government bodies, see our roundup of major vulnerabilities targeting Japanese enterprises in H1 2026 as well.
FAQ
Q. Am I safe if I don't use any of the four?
A. For these four specific flaws, you are not directly affected if you don't use the plugins. But WordPress plugin vulnerabilities are reported almost weekly. Keeping installed plugins on auto-update and deleting ones you don't use is the best defense against the next flaw, whatever it turns out to be.
Q. Are the free Contest Gallery and wpForo also at risk?
A. CVE-2026-42680 affects the paid "Contest Gallery Pro" 29.0.1 and earlier. wpForo Forum, by contrast, is the free plugin, with 3.0.6 and earlier affected. For both, check your situation via the version shown in the dashboard and update to the latest if you're affected.
Q. How can I tell if I've already been attacked?
A. A full check needs an expert investigation, but start by looking for administrator accounts you don't recognize, posts or pages you don't remember adding, and broken-looking displays. If anything seems off, apply the fix, then consider changing passwords and consulting your developer.
Q. Why were several plugins disclosed at the same time?
A. These were reported by security researchers through Patchstack's bug-bounty program and published together once each vendor had a fix ready. Sharing a date is less coincidence than the timing of report-and-fix coordination lining up. The goal is to get fixes out before attackers can get ahead.
Summary
Four popular WordPress plugins were hit at once with critical flaws topping out at CVSS 9.8. Contest Gallery Pro and AIWU allow unauthenticated site takeover via privilege escalation, Gravity Forms allows file deletion, and wpForo Forum has a broken-access-control flaw — and all four already have fixes. There are no reports of exploitation yet, but WordPress plugin flaws tend to become mass-attack targets after disclosure, and update speed is what separates safe from compromised. If you use any of these, update to Contest Gallery Pro 29.0.2 / AIWU 1.4.19 / Gravity Forms 2.10.1 / wpForo Forum 3.0.7 today.
References
- NVD - CVE-2026-48866 (Gravity Forms arbitrary file deletion)
- NVD - CVE-2026-42680 (Contest Gallery Pro privilege escalation)
- NVD - CVE-2026-42682 (wpForo Forum broken access control)
- NVD - CVE-2026-48879 (AIWU privilege escalation)
- Patchstack - Gravity Forms <= 2.10.0.1 Arbitrary File Deletion
- Patchstack - Contest Gallery Pro <= 29.0.1 Privilege Escalation
- Patchstack - wpForo Forum <= 3.0.6 Broken Access Control
- Patchstack - AIWU <= 1.4.17 Privilege Escalation
- Gravity Forms - Security Incident Notice (2025 download tampering)
- Kinsta - WordPress Market Share Statistics