Takeover Flaws Across Many WordPress Plugins: June 2026 Disclosure, Update Each One Now
In June 2026, dozens of WordPress plugins disclosed critical flaws leading to site takeover or data theft. The invoicing plugin Easy Invoice and the chatbot GeekyBot are rated a maximum 10.0, and a dozen-plus form-integration plugins are exploitable with no login. If your site uses an affected plugin, update each one to the latest version now.

Makoto Horikawa
Backend Engineer / AWS / Django
In June 2026, a wave of serious vulnerabilities that can lead to site takeover or data theft was disclosed in WordPress plugins all at once. Two of them reach the maximum severity of 10.0 (out of 10), and many are the kind that can be exploited from outside with no login. If your site uses an affected plugin, update now rather than later.
Plugin vulnerabilities live not in WordPress core but in the "bolt-on extensions." No matter how up to date you keep core, a single hole in one of your installed plugins can lead to the whole site being taken over. What stands out this time is that more than a dozen form-integration plugins from the same developer were found to share the exact same type of flaw. Below we organize them, starting with the most dangerous.
Key points this time
- Two flaws rated 10.0: the invoicing plugin Easy Invoice and the AI chatbot GeekyBot. Both let an attacker push malicious code onto the server without authentication
- More than a dozen form-integration plugins from the same developer disclosed an unauthenticated "PHP Object Injection" (CWE-502) at once
- Many require no login (PR:N in the CVSS vector). No known exploitation or CISA KEV listing yet, but indiscriminate scanning tends to begin right after disclosure
- The fix in every case is to update each plugin to the latest version. For ones you cannot update immediately, consider deactivating or removing them
It's bots, not people, that come after you — one unpatched plugin is an open window
"We're too small to be targeted" simply does not apply to WordPress. When a vulnerability is disclosed like this, attackers do not pick targets one by one by hand; they use programs (bots) that crawl sites worldwide automatically to find every site where the hole remains. Size and fame are irrelevant — the only filter is "is an unpatched plugin installed."
What happens to a site that has this hole depends on the attacker's goal. Some crews plant fake input fields on a store's checkout page to skim credit card numbers; some embed masses of invisible links to pollute search results; some redirect visitors to phishing or malware pages; some resell the hijacked site as a springboard for other attacks; and ransomware groups encrypt data and demand payment. Each breaks in for its own ends. What they take is members' names, addresses and email addresses, the personal data left in contact forms, the administrator password, and the site itself. Leaving a single unpatched plugin in place is the same as leaving open the window through which all of that can be carried off.
Especially common this time are flaws that require no login (PR:N). Because they need not even an account and work from "doors anyone can touch" — forms and APIs — the bar to attack is low and they pair well with automation. A site once taken over may keep being used as a spam source or a host for fraud pages for a long time without the owner noticing.
The numbers "10.0" and "9.8" only mark technical severity. For someone running a site solo or as a small business, what really hurts is apologizing to and compensating leaked customers, reporting to the data protection authority, a sudden drop in search rankings, the time and cost of recovery, and the reputation that "that site is risky". What you lose is not "one site" but the trust you built up.
The two max-severity (10.0) flaws come first
First, the two flaws that reached a perfect 10.0. Both let an attacker run code of their choosing on the server with no login. If you use either plugin, handle it before anything else.
CVE-2026-40772: AI chatbot "GeekyBot" (severity 10.0)
CVE-2026-40772 is a flaw in "GeekyBot" (version 1.2.2 and earlier), a plugin that adds an AI chatbot and automated inquiry responses to a site. It is an unauthenticated arbitrary file upload (CWE-434): an attacker can place a PHP file of their choosing on the server and then request it, which runs it and risks site takeover. Update to the latest version.
CVE-2026-48836: invoicing plugin "Easy Invoice" (severity 10.0)
CVE-2026-48836 is a flaw in "Easy Invoice" (version 2.1.19 and earlier), a plugin for creating and managing invoices. It is an unauthenticated code injection (CWE-94): attacker-supplied code is executed on the server, which likewise leads directly to full site takeover. Update to the latest version.
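To make the GeekyBot-style flaw concrete, the following is an added example written for this article, not GeekyBot's code: the generic shape of an unauthenticated arbitrary file upload (CWE-434) in a WordPress plugin next to a hardened handler, with a demo that exercises the validation on constructed files. The hook name `myplugin_upload`, the `ALLOWED` table and the sample file names are assumptions; the demo needs only the PHP CLI (8.0 or later) with the standard fileinfo extension, not a WordPress install.

```php
<?php
// Added example: the generic shape of an unauthenticated arbitrary file upload (CWE-434)
// in a WordPress plugin, next to a hardened handler. Illustrative code, not GeekyBot's;
// hook names ("myplugin_upload") and the ALLOWED table are assumptions.
declare(strict_types=1);

// --- Vulnerable pattern -------------------------------------------------------------
// wp_ajax_nopriv_* fires for visitors with no account (this is what PR:N means here),
// and both the file name and its content come straight from the request.
function vulnerable_upload_handler(): void
{
    $dest = WP_CONTENT_DIR . '/uploads/' . $_FILES['file']['name'];   // attacker picks "shell.php"
    move_uploaded_file($_FILES['file']['tmp_name'], $dest);            // now served at /wp-content/uploads/shell.php
    wp_send_json_success(['file' => $_FILES['file']['name']]);
}
// add_action('wp_ajax_nopriv_myplugin_upload', 'vulnerable_upload_handler');

// --- Hardened pattern ---------------------------------------------------------------
// Extension allowlist, each mapped to the MIME type the file content must sniff as.
const ALLOWED = ['jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg', 'png' => 'image/png', 'pdf' => 'application/pdf'];

/** Returns null when the upload is acceptable, otherwise the reason it was refused. */
function validate_upload(array $file): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return 'reject: no file or transfer error';
    }
    $name = basename((string) $file['name']);                  // drop any ../ path components
    // Exactly one extension and only word characters before it: this refuses shell.php.jpg
    // (Apache AddHandler setups may execute it as PHP) and dotfiles such as .htaccess.
    if (!preg_match('/^[A-Za-z0-9_-]+\.([A-Za-z0-9]+)$/', $name, $m)) {
        return "reject: unacceptable file name '$name'";
    }
    $ext = strtolower($m[1]);
    if (!isset(ALLOWED[$ext])) {
        return "reject: extension .$ext is not allowed";
    }
    // Trust the bytes, not the client-supplied Content-Type.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime !== ALLOWED[$ext]) {
        return "reject: content is $mime, expected " . ALLOWED[$ext];
    }
    return null;
}

function hardened_upload_handler(): void
{
    check_ajax_referer('myplugin_upload');                           // CSRF token from the page
    if (!current_user_can('upload_files')) {                          // and a real capability check
        wp_send_json_error('forbidden', 403);
    }
    $file = $_FILES['file'] ?? [];
    if (($why = validate_upload($file)) !== null) {
        wp_send_json_error($why, 400);
    }
    $ext  = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    $dest = wp_upload_dir()['path'] . '/' . bin2hex(random_bytes(8)) . '.' . $ext;  // server picks the name
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        wp_send_json_error('write failed', 500);
    }
    wp_send_json_success(['file' => basename($dest)]);
}
// add_action('wp_ajax_myplugin_upload', 'hardened_upload_handler');   // deliberately no nopriv variant

// --- Demo on constructed files; runs with plain `php upload.php`, no WordPress needed ----
function demo(): array
{
    $jpeg = tempnam(sys_get_temp_dir(), 'up');
    file_put_contents($jpeg, "\xFF\xD8\xFF\xE0\x00\x10JFIF\x00\x01\x01");   // minimal JPEG header
    $php = tempnam(sys_get_temp_dir(), 'up');
    file_put_contents($php, "<?php system(\$_GET['c']); ?>");           // what an attacker uploads
    $cases = [
        ['name' => 'photo.jpg',           'tmp_name' => $jpeg],
        ['name' => 'shell.php',           'tmp_name' => $php],
        ['name' => 'shell.php.jpg',       'tmp_name' => $php],
        ['name' => 'fake.jpg',            'tmp_name' => $php],   // right extension, PHP inside
        ['name' => '../../wp-config.php', 'tmp_name' => $php],
    ];
    $results = [];
    foreach ($cases as $c) {
        $results[$c['name']] = validate_upload($c + ['error' => UPLOAD_ERR_OK]) ?? 'accept';
    }
    unlink($jpeg);
    unlink($php);
    return $results;
}

print_r(demo());
```

Only `photo.jpg` is accepted; the other four are refused for a different reason each (disallowed extension, double extension, PHP content behind a `.jpg` name, path traversal in the name). Note what the hardened handler changes besides the validation: the endpoint is no longer registered under `wp_ajax_nopriv_`, it checks a capability and a nonce, and the server chooses the stored file name. Until a plugin with a CWE-434 flaw is updated, disabling PHP execution inside `wp-content/uploads` at the web-server level removes the "then request it" half of the attack, which is a reasonable stopgap but not a substitute for the update.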
Form-integration plugins all hit by "the same type of hole"
A major feature this time is that a series of "form-integration plugins" from the same developer disclosed the exact same type of flaw together. These plugins connect popular input forms — Contact Form 7, WPForms, Elementor, Ninja Forms — with customer management services (CRMs) such as ActiveCampaign, HubSpot, and Keap. Because they reuse common code, when that shared part has a hole, plugins with different names end up carrying the same vulnerability all at once.
All are an unauthenticated PHP Object Injection (CWE-502, deserialization of untrusted data: the plugin hands attacker-controlled input to PHP's unserialize(), so the attacker chooses which class is instantiated and which of its magic methods run), rated 9.8 across the board. We list representative ones, but beyond these, many flaws of the same type were disclosed this time (CVE-2026-49104–49109, CVE-2026-49763–49770, CVE-2026-49781, and more). If you use this kind of form-to-CRM plugin, do not feel safe based on the product name; update them all to the latest version.
| CVE | Plugin | Severity | Affected versions |
|---|---|---|---|
| CVE-2026-9691 | Integration for ActiveCampaign and Contact Form 7, etc. | 9.8 | 1.1.1 and earlier |
| CVE-2026-49085 | WP Insightly for Contact Form 7, etc. | 9.8 | 1.1.4 and earlier |
| CVE-2026-49104 | Integration for Keap and Contact Form 7, etc. | 9.8 | 1.2.1 and earlier |
| CVE-2026-49763 | Integration for Contact Form 7 HubSpot | 9.8 | 1.3.7 and earlier |
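The shared-code pattern behind these form-integration flaws, as an added example written for this article and not code from any plugin in the table: a state-restoring handler that calls unserialize() on client-supplied data, the hardened replacements, and a demo that pushes one payload through each path. The gadget class `TempFileCleanup`, the hook name `crm_submit` and the `list_id`/`tags` keys are constructed for illustration; the demo runs with the PHP CLI (8.0 or later) alone and writes only to the system temp directory.

```php
<?php
// Added example, not code from any plugin in the table: the shared-code pattern behind an
// unauthenticated PHP Object Injection (CWE-502), two hardened replacements, and a demo
// that shows the difference. Class and hook names are constructed for illustration.
declare(strict_types=1);

// A "gadget": some class already loaded by WordPress, a theme or another plugin whose magic
// method does something useful to an attacker. Constructed here; real sites have plenty.
class TempFileCleanup
{
    public string $path = '';
    public string $content = '';
    public function __destruct()      // runs when the object is freed, including objects unserialize() built
    {
        if ($this->path !== '') {
            file_put_contents($this->path, $this->content);
        }
    }
}

// --- Vulnerable: the form-to-CRM bridge restores client-supplied state with unserialize() -------
// Typical shape: plugin state is base64-encoded into a hidden form field and restored on a public
// endpoint (wp_ajax_nopriv_* or a REST route with permission_callback => '__return_true').
function vulnerable_restore_state(string $field): mixed
{
    return unserialize(base64_decode($field));       // attacker chooses the class: O:15:"TempFileCleanup":...
}
// add_action('wp_ajax_nopriv_crm_submit', fn() => vulnerable_restore_state($_POST['state'] ?? ''));

// --- Hardened (preferred): a data-only format that cannot name a class, plus a key allowlist ------
function hardened_restore_state(string $field): array
{
    $decoded = base64_decode($field, true);
    $data = $decoded === false ? null : json_decode($decoded, true, 16);
    if (!is_array($data)) {
        return [];
    }
    return array_intersect_key($data, array_flip(['list_id', 'tags']));
}

// --- Hardened (legacy serialized data you cannot migrate yet): forbid every class -----------------
function safe_unserialize(string $serialized): mixed
{
    // Objects come back as __PHP_Incomplete_Class: no constructor, __wakeup or __destruct of the
    // named class ever runs. Use it only for data you wrote yourself; prefer JSON for anything public.
    return unserialize($serialized, ['allowed_classes' => false]);
}

// --- Demo: the same payload through each path; runs with plain `php poi.php` -----------------------
function demo(): array
{
    $target = sys_get_temp_dir() . '/poi-demo-' . bin2hex(random_bytes(4)) . '.php';
    $shell  = "<?php system(\$_GET['c']); ?>";
    // Built by hand rather than with serialize(new TempFileCleanup) so the demo itself never
    // instantiates the gadget: only unserialize() does, exactly as in a real attack.
    $payload = sprintf(
        'O:15:"TempFileCleanup":2:{s:4:"path";s:%d:"%s";s:7:"content";s:%d:"%s";}',
        strlen($target), $target, strlen($shell), $shell
    );
    $out = [];

    $obj = vulnerable_restore_state(base64_encode($payload));
    $out['vulnerable_class'] = get_class($obj);             // TempFileCleanup
    unset($obj);                                            // __destruct fires here: web shell written
    $out['vulnerable_wrote_file'] = file_exists($target);   // true
    @unlink($target);

    $obj = safe_unserialize($payload);
    $out['safe_class'] = get_class($obj);                   // __PHP_Incomplete_Class
    unset($obj);
    $out['safe_wrote_file'] = file_exists($target);         // false

    $out['json_rejects_payload'] = hardened_restore_state(base64_encode($payload));               // []
    $out['json_keeps_known_keys'] = hardened_restore_state(base64_encode('{"list_id":"42","extra":"x"}')); // ['list_id' => '42']
    return $out;
}

var_dump(demo());
```

The point the demo makes is that the vulnerable path never calls anything on the object; instantiating it is enough, because PHP runs `__destruct` when the object is freed. That is also why the same bug in shared code shows up under a dozen product names: the unserialize() call lives in the common library, and every plugin built on it inherits the hole. If state genuinely has to round-trip through the browser, sign it server-side with hash_hmac() and reject anything whose tag does not verify before decoding it at all.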
Other critical vulnerabilities
Beyond the above, many flaws rated 9 or higher were disclosed. We summarize the main ones, focusing on widely used and unauthenticated cases. In every case, the fix is to update to the latest version.
| CVE | Plugin (purpose) | Severity | Type | Affected versions |
|---|---|---|---|---|
| CVE-2026-39591 | WP-BusinessDirectory (business directory) | 9.9 | Dangerous file upload | 4.0.0 and earlier |
| CVE-2026-49766 | WP User Manager (member management) | 9.9 | File deletion via path traversal | 2.9.16 and earlier |
| CVE-2026-27053 | Broadcast Live Video (live streaming) | 9.8 | Unauth. PHP object injection | See vendor info |
| CVE-2026-34901 | iControlWP (bulk site management) | 9.8 | Unauth. privilege escalation | 5.5.3 and earlier |
| CVE-2026-39492 | WP Maps (map display) | 9.3 | Unauth. SQL injection | 4.9.1 and earlier |
| CVE-2026-42381 | Funnel Builder by FunnelKit (sales funnels) | 9.3 | Unauth. SQL injection | 3.15.0.1 and earlier |
| CVE-2026-52703 | FastDup (duplicate / migrate) | 9.6 | Path traversal | 2.7.2 and earlier |
| CVE-2026-48881 | TrueBooker (booking) | 9.1 | Unauth. broken access control | 1.1.9 and earlier |
These are only part of the disclosed vulnerabilities. Exact severity and affected versions, and the fixed version numbers, can be checked on each plugin's distribution page, the Patchstack vulnerability database, and NVD.
What to do now
The fix is simple: update every plugin you use to its latest version. An update notice should be showing on the WordPress "Plugins" screen, so apply them all. For plugins you no longer use, remove them rather than just deactivating them: a deactivated plugin still has its files on disk, and some flaws are reachable by requesting one of those files directly, so only removal makes you unaffected when a flaw like this appears.
It is also worth checking whether you were already breached before updating. Look for administrator accounts you do not recognize, suspicious PHP files placed among your site's files, and unfamiliar posts or redirects. If you cannot tell, the safe path is to restore from a backup and consult a professional early. On this site we have previously covered arbitrary code execution in WPCode (CVE-2026-8832), a roundup of four flaws including Gravity Forms, and an unauthenticated takeover of a WooCommerce invoice plugin (CVE-2026-52704). Treating a plugin not as "install it and you're done" but as something to keep updating like core is the most basic defense.
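The two checks above (are any installed plugins still inside an affected version range, and are there PHP files where WordPress never writes them) can be scripted. The following is an added example written for this article, not the article's or WordPress's own tooling: it reads the JSON that `wp plugin list --format=json` produces, compares versions against the "and earlier" ceilings from the tables above with version_compare(), and sweeps an uploads directory for PHP files. The plugin slugs used as keys are assumptions (the article gives display names, not directory slugs), the sample version numbers are made up to exercise the comparison, and the planted `wp-cache.php` is constructed for the demo.

```php
<?php
// Added example, not the article's or WordPress's own tooling: a stand-alone triage script.
// Input is the JSON from `wp plugin list --format=json` (a constructed sample is used when no
// file is given) and, optionally, an uploads directory to sweep for PHP files.
// Usage:  wp plugin list --format=json > plugins.json
//         php triage.php plugins.json /var/www/html/wp-content/uploads
declare(strict_types=1);

// "x and earlier" ceilings from this article's tables. Keys are plugin directory slugs, which is
// what `wp plugin list` prints under "name"; these slugs are ASSUMED (the article gives display
// names), so confirm each against your Plugins screen before trusting a miss.
const AFFECTED = [
    'geekybot'        => ['CVE-2026-40772', '1.2.2'],
    'easy-invoice'    => ['CVE-2026-48836', '2.1.19'],
    'wp-user-manager' => ['CVE-2026-49766', '2.9.16'],
    'icontrolwp'      => ['CVE-2026-34901', '5.5.3'],
    'wp-maps'         => ['CVE-2026-39492', '4.9.1'],
    'fastdup'         => ['CVE-2026-52703', '2.7.2'],
];

/** [slug => reason] for every listed plugin whose installed version is still in the affected range. */
function find_affected(array $plugins): array
{
    $hits = [];
    foreach ($plugins as $p) {
        $slug = (string) ($p['name'] ?? '');
        if (!isset(AFFECTED[$slug])) {
            continue;
        }
        [$cve, $ceiling] = AFFECTED[$slug];
        // version_compare knows 2.9.2 < 2.9.16; a plain string comparison gets that backwards.
        if (version_compare((string) $p['version'], $ceiling, '<=')) {
            $note = ($p['status'] ?? '') === 'inactive' ? ' (inactive, but the files are still on disk)' : '';
            $hits[$slug] = sprintf('%s: installed %s <= %s%s', $cve, $p['version'], $ceiling, $note);
        }
    }
    return $hits;
}

/** PHP files under wp-content/uploads: WordPress never puts one there itself, so each is worth a look. */
function php_under_uploads(string $uploadsDir): array
{
    $found = [];
    $it = new RecursiveIteratorIterator(new RecursiveDirectoryIterator($uploadsDir, FilesystemIterator::SKIP_DOTS));
    foreach ($it as $f) {
        if (preg_match('/\.(php|phtml|php[0-9]|phar)$/i', $f->getFilename())) {
            $found[] = $f->getPathname();
        }
    }
    sort($found);
    return $found;
}

// Constructed sample in the shape of `wp plugin list --format=json`, trimmed to the fields used.
// The version numbers are made up to exercise the comparison; they are not real release numbers.
$sample = json_decode('[
  {"name":"easy-invoice",    "status":"active",   "update":"available", "version":"2.1.19"},
  {"name":"geekybot",        "status":"inactive", "update":"available", "version":"1.2.2"},
  {"name":"wp-user-manager", "status":"active",   "update":"available", "version":"2.9.2"},
  {"name":"fastdup",         "status":"active",   "update":"none",      "version":"2.8.0"},
  {"name":"akismet",         "status":"active",   "update":"none",      "version":"5.3"}
]', true);

$plugins = isset($argv[1]) ? json_decode((string) file_get_contents($argv[1]), true) : $sample;
foreach (find_affected($plugins) as $slug => $why) {
    echo "AFFECTED  $slug  $why\n";
}

// Sweep a real uploads dir if given; otherwise build a throwaway one with a planted file.
$uploads   = $argv[2] ?? null;
$throwaway = $uploads === null;
if ($throwaway) {
    $uploads = sys_get_temp_dir() . '/uploads-demo-' . bin2hex(random_bytes(4));
    mkdir("$uploads/2026/06", 0700, true);
    file_put_contents("$uploads/2026/06/photo.jpg", 'not really a jpeg');
    file_put_contents("$uploads/2026/06/wp-cache.php", '<?php eval($_POST["x"]);');   // planted for the demo
}
foreach (php_under_uploads($uploads) as $path) {
    echo "SUSPECT   $path\n";
}
if ($throwaway) {
    unlink("$uploads/2026/06/photo.jpg");
    unlink("$uploads/2026/06/wp-cache.php");
    rmdir("$uploads/2026/06");
    rmdir("$uploads/2026");
    rmdir($uploads);
}
```

With the sample input, easy-invoice (equal to the ceiling), geekybot (inactive but on disk) and wp-user-manager (2.9.2, which a naive string comparison would wrongly call newer than 2.9.16) are reported; fastdup and akismet are not. Once the affected list is in hand, `wp plugin update --all` applies the fixes from the command line, and `wp user list --role=administrator` is the quickest way to spot an administrator account you did not create. A hit from the uploads sweep is a reason to treat the site as compromised and fall back on a known-good backup, not just to delete the file.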
The problem of a vulnerability slipping into a component you pulled in from outside (a plugin or library) happens in any environment, not just WordPress. For npm or Python dependencies, our OSS vulnerability scanner offers a paste-and-check option.
Exploitation status, and what to keep an eye on
As of June 16, 2026, there are no reports of the flaws disclosed this time being used in real attacks, and they are not listed in the U.S. government's CISA KEV catalog of actively exploited vulnerabilities. You can track the latest status of exploited flaws in one place on our CISA KEV dashboard (Japanese).
That said, with vulnerabilities exploitable without authentication, indiscriminate scanning typically begins right after disclosure. "Not attacked yet" does not mean "no need to update." Getting the updates done now, while fixes are out, is the most reliable defense.