The Simultaneous Six
In June 2026, six WordPress plugin vulnerabilities — all CVSS 9.8, all actively exploited — were burning simultaneously. This has never happened before at this scale.
Kirki Customizer Framework (CVE-2026-8206): 500,000 installations, 150,000 still on vulnerable versions. The password reset API accepts an attacker-supplied email address — send a reset for any admin username with your own email, receive the valid reset link, take over the account. Not a buffer overflow. Not a race condition. A password reset function that sends tokens to arbitrary email addresses. Wordfence blocked 222+ exploitation attempts in 24 hours.
Burst Statistics (CVE-2026-8181): 200,000 installations, 115,000 exposed. Authentication bypass — the wp_authenticate_application_password function treats null returns as successful authentication. Supply any wrong password in a Basic Auth header with a valid admin username, get full REST API access. 7,400+ attacks blocked per day.
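The Burst Statistics bug is a return-value handling mistake, and it is worth seeing what the handling should look like. The block below is an added illustration, not the plugin's code: it shows a hypothetical REST permission callback that calls core's wp_authenticate_application_password(), which can return a WP_User (success), a WP_Error (bad credentials) or its null input when it does not evaluate the credentials at all. The route, function and capability names are assumptions.

```php
<?php
// Added example, not the Burst Statistics plugin's code. Demonstrates the
// difference between "not an error" and "authenticated" when handling the
// three possible results of wp_authenticate_application_password():
// WP_User (success), WP_Error (bad credentials), or the null $input_user
// passed in when core does not evaluate the credentials at all.
// Route name, callbacks and the capability are assumptions.

function hypothetical_stats_basic_auth_user() {
    // Read the Basic Auth pair PHP exposes; both may be absent.
    $login    = isset( $_SERVER['PHP_AUTH_USER'] ) ? wp_unslash( $_SERVER['PHP_AUTH_USER'] ) : '';
    $password = isset( $_SERVER['PHP_AUTH_PW'] )   ? wp_unslash( $_SERVER['PHP_AUTH_PW'] )   : '';
    return wp_authenticate_application_password( null, $login, $password );
}

// Unsafe pattern: anything that is not a WP_Error is treated as success,
// so a null return (no credential check performed) grants access.
function hypothetical_stats_permission_unsafe( WP_REST_Request $request ) {
    $user = hypothetical_stats_basic_auth_user();
    if ( ! is_wp_error( $user ) ) {
        return true; // null falls through here
    }
    return false;
}

// Hardened pattern: demand a positive result (a WP_User object), then an
// explicit capability check on that user. Every other outcome is a denial.
function hypothetical_stats_permission_safe( WP_REST_Request $request ) {
    $user = hypothetical_stats_basic_auth_user();
    if ( ! ( $user instanceof WP_User ) ) {
        return new WP_Error( 'rest_forbidden', 'Authentication required.', array( 'status' => 401 ) );
    }
    if ( ! user_can( $user, 'manage_options' ) ) {
        return new WP_Error( 'rest_forbidden', 'Insufficient privileges.', array( 'status' => 403 ) );
    }
    return true;
}

// Simplest of all: core already validates application passwords on the
// determine_current_user filter, so a permission callback can just ask
// whether the resulting current user holds the capability.
function hypothetical_stats_permission_core( WP_REST_Request $request ) {
    return current_user_can( 'manage_options' );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'hypothetical-stats/v1', '/report', array(
        'methods'             => 'GET',
        'callback'            => function () { return rest_ensure_response( array( 'ok' => true ) ); },
        'permission_callback' => 'hypothetical_stats_permission_safe',
    ) );
} );
```

The practical check for reviewers: any authentication helper whose success case is one specific object type should be tested with `instanceof`, never with `! is_wp_error()` or plain truthiness. The third callback is what most plugins should use; the hand-rolled variant is shown only to make the null case visible.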
Everest Forms Pro (CVE-2026-3300): PHP eval() injection through form field values. sanitize_text_field() doesn't escape PHP context characters. Unauthenticated RCE through any public-facing form. Added to CISA KEV June 5. 29,300+ blocked attempts. Attackers are creating rogue admin accounts named 'diksimarina'.
The Other Three
WP Maps Pro (CVE-2026-8732): The plugin's 'temporary access' vendor support feature registers an AJAX endpoint that creates admin accounts with a hardcoded email. The only protection: a frontend JavaScript nonce check that attackers bypass by setting check_temp to false. Complete site takeover with zero authentication. 3,600+ attacks blocked daily.
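The WP Maps Pro flaw is a client-side check standing in for a server-side one. The block below is an added illustration, not the plugin's code: a hypothetical admin-ajax handler for a "support access" feature in which the nonce and the capability are verified on the server unconditionally, no request parameter can disable them, and no credentials or addresses are hardcoded. The action name, nonce action, role and meta key are assumptions.

```php
<?php
// Added example, not WP Maps Pro's code. A privileged admin-ajax action in
// which every control is enforced server-side: check_ajax_referer() for the
// nonce, current_user_can() for authorization, and no flag in the request
// body can skip either. Action name, nonce action, role and meta key are
// assumptions.

function hypothetical_maps_create_support_user() {
    // 1. Nonce check. check_ajax_referer() terminates the request on failure,
    //    so there is no code path that reaches the rest of the handler without it.
    check_ajax_referer( 'hypothetical_maps_support', 'nonce' );

    // 2. Authorization: only a caller who may already create users can do so here.
    if ( ! current_user_can( 'create_users' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient privileges.' ), 403 );
    }

    // 3. No hardcoded credentials or addresses. The notification email is the
    //    authenticated caller's own; the login and password are generated.
    $caller  = wp_get_current_user();
    $login   = 'support_' . strtolower( wp_generate_password( 8, false, false ) );
    $user_id = wp_insert_user( array(
        'user_login' => $login,
        'user_pass'  => wp_generate_password( 24, true, true ),
        'user_email' => $caller->user_email,
        'role'       => 'editor',   // least privilege: not administrator
    ) );
    if ( is_wp_error( $user_id ) ) {
        wp_send_json_error( array( 'message' => $user_id->get_error_message() ), 500 );
    }

    // 4. Mark the account as temporary so a scheduled task (not shown) can expire it.
    update_user_meta( $user_id, 'hypothetical_maps_support_created', time() );
    wp_send_json_success( array( 'user_login' => $login ) );
}

// Registered for logged-in users only: there is deliberately no
// wp_ajax_nopriv_ variant, so unauthenticated requests never reach the handler.
add_action( 'wp_ajax_hypothetical_maps_create_support_user', 'hypothetical_maps_create_support_user' );

// The admin page that offers the button emits the nonce with this helper. The
// nonce ties the request to the current session; the check_ajax_referer()
// call above is what actually enforces it.
function hypothetical_maps_support_nonce_field() {
    wp_nonce_field( 'hypothetical_maps_support', 'nonce' );
}
```

Two review points follow from the page's description: a nonce that is only checked in JavaScript is not a control at all, and an endpoint that creates administrators on demand should not exist; if temporary vendor access is really needed, a lower role plus an expiry is the defensible shape.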
Motors Theme (CVE-2025-4322): Fails to validate user identity before updating account passwords. Any unauthenticated attacker can change any user's password. Patched May 14. Mass exploitation didn't begin until June 7 — 24 days of exposure. 23,000+ exploit attempts blocked since.
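The Kirki bug (a reset link mailed to a request-supplied address) and the Motors bug (a password changed without proving who is asking) are two halves of the same control: binding password operations to the account, not to the request. The block below is an added illustration, not the code of either project, and goes slightly beyond both descriptions by showing the two legitimate identity paths for a password update (a valid reset key for that exact login, or the logged-in user re-entering their current password). Route names, parameter names and the length limit are assumptions.

```php
<?php
// Added example, not Kirki's or the Motors theme's code. Two hardened
// patterns for a custom password endpoint: a reset request that only ever
// mails the address stored on the account, and a password update that first
// establishes the caller's identity. Route and parameter names are assumptions.

// Reset request: the caller supplies only a login. The email is read from the
// database and never from the request, so the link cannot be redirected.
function hypothetical_request_reset( WP_REST_Request $request ) {
    $login = sanitize_user( (string) $request->get_param( 'login' ) );
    $user  = get_user_by( 'login', $login );
    // Respond identically whether or not the account exists (no enumeration).
    if ( ! ( $user instanceof WP_User ) ) {
        return rest_ensure_response( array( 'sent' => true ) );
    }
    $key = get_password_reset_key( $user );
    if ( is_wp_error( $key ) ) {
        return rest_ensure_response( array( 'sent' => true ) );
    }
    $url = network_site_url(
        'wp-login.php?action=rp&key=' . rawurlencode( $key ) . '&login=' . rawurlencode( $user->user_login ),
        'login'
    );
    wp_mail( $user->user_email, 'Password reset', "Reset your password: $url" );
    return rest_ensure_response( array( 'sent' => true ) );
}

// Password update: identity comes either from a reset key bound to this exact
// login, or from the currently authenticated user presenting their current
// password. No other caller may change anyone's password.
function hypothetical_update_password( WP_REST_Request $request ) {
    $login   = sanitize_user( (string) $request->get_param( 'login' ) );
    $new     = (string) $request->get_param( 'new_password' );
    $key     = (string) $request->get_param( 'key' );
    $current = (string) $request->get_param( 'current_password' );
    if ( strlen( $new ) < 12 ) {
        return new WP_Error( 'weak_password', 'Password too short.', array( 'status' => 400 ) );
    }

    if ( '' !== $key ) {
        // Path A: reset-key flow. check_password_reset_key() verifies the key
        // against the stored activation key for that login and its expiry.
        $user = check_password_reset_key( $key, $login );
        if ( is_wp_error( $user ) ) {
            return new WP_Error( 'invalid_key', 'Invalid or expired key.', array( 'status' => 403 ) );
        }
    } else {
        // Path B: a logged-in user changing their own password, re-authenticated
        // with the current password so a hijacked session alone is not enough.
        $user = wp_get_current_user();
        if ( ! $user->exists()
             || $user->user_login !== $login
             || ! wp_check_password( $current, $user->user_pass, $user->ID ) ) {
            return new WP_Error( 'not_verified', 'Identity not verified.', array( 'status' => 403 ) );
        }
    }

    reset_password( $user, $new );   // sets the hash and clears the reset key
    return rest_ensure_response( array( 'updated' => true ) );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'hypothetical-account/v1', '/reset-request', array(
        'methods'             => 'POST',
        'callback'            => 'hypothetical_request_reset',
        'permission_callback' => '__return_true',
    ) );
    register_rest_route( 'hypothetical-account/v1', '/password', array(
        'methods'             => 'POST',
        'callback'            => 'hypothetical_update_password',
        'permission_callback' => '__return_true',
    ) );
} );
```

The two endpoints are public on purpose, which is exactly why every decision inside them is made from stored account data or a verified secret rather than from request fields. When auditing a plugin's reset or update code, the question to ask of each branch is "what did the caller prove?"; if the answer is "they supplied a username", that branch is the Motors bug.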
Breeze Cache by Cloudways (CVE-2026-3844): 400,000+ installations. Missing file-type validation in the Gravatar fetch function enables arbitrary file upload, leading to RCE. Requires the 'Host Files Locally - Gravatars' add-on to be enabled — non-default, but widely recommended in WordPress performance guides.
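The Breeze Cache issue is a fetch-and-store routine that trusts what it downloaded. The block below is an added illustration, not the plugin's code: a hypothetical local Gravatar fetch that validates the downloaded bytes by content against an image allowlist before anything is written into the uploads directory, and that derives the stored filename and extension from the hash and the detected type rather than from any remote or user-supplied value. Function names, the cache directory and the size limit are assumptions.

```php
<?php
// Added example, not Breeze Cache's code. A local Gravatar fetch that checks
// the downloaded content before storing it: the body must be an allowed image
// by inspection (not by URL or Content-Type header), the filename is the hash,
// and the extension comes from the detected type. Function names, directory
// and size limit are assumptions.

// Returns the stored path on success, or a WP_Error describing the rejection.
function hypothetical_fetch_gravatar_locally( $email_hash ) {
    // The only caller-influenced input is the hex digest of the email address.
    if ( ! preg_match( '/^(?:[a-f0-9]{32}|[a-f0-9]{64})$/', $email_hash ) ) {
        return new WP_Error( 'bad_hash', 'Unexpected hash format.' );
    }

    // wp_safe_remote_get() refuses redirects to local or unsafe hosts.
    $response = wp_safe_remote_get(
        'https://secure.gravatar.com/avatar/' . $email_hash . '?s=96&d=404',
        array( 'timeout' => 5 )
    );
    if ( is_wp_error( $response ) || 200 !== wp_remote_retrieve_response_code( $response ) ) {
        return new WP_Error( 'fetch_failed', 'Gravatar not available.' );
    }
    $body = wp_remote_retrieve_body( $response );
    if ( '' === $body || strlen( $body ) > 512 * 1024 ) {
        return new WP_Error( 'bad_size', 'Avatar is empty or exceeds the size limit.' );
    }

    // Stage in a temp file so the type check can inspect real bytes.
    $tmp = wp_tempnam( 'gravatar' );
    if ( ! $tmp || false === file_put_contents( $tmp, $body ) ) {
        return new WP_Error( 'tmp_failed', 'Could not stage download.' );
    }

    // Allowlist of image types. wp_check_filetype_and_ext() inspects content and
    // returns an empty type for anything that is not one of these; getimagesize()
    // is a second, independent check that the bytes parse as an image.
    $allowed = array( 'jpg|jpeg' => 'image/jpeg', 'png' => 'image/png', 'gif' => 'image/gif' );
    $check   = wp_check_filetype_and_ext( $tmp, $email_hash . '.png', $allowed );
    $image   = @getimagesize( $tmp );
    if ( empty( $check['type'] ) || empty( $check['ext'] ) || false === $image ) {
        unlink( $tmp );
        return new WP_Error( 'not_image', 'Downloaded content is not an allowed image.' );
    }

    // Final name: hash plus the detected extension. Nothing from the remote side
    // or the request reaches the path.
    $ext  = in_array( $check['ext'], array( 'jpg', 'jpeg' ), true ) ? 'jpg' : $check['ext'];
    $dir  = trailingslashit( wp_upload_dir()['basedir'] ) . 'hypothetical-gravatars/';
    if ( ! wp_mkdir_p( $dir ) ) {
        unlink( $tmp );
        return new WP_Error( 'mkdir_failed', 'Cannot create cache directory.' );
    }
    $dest = $dir . $email_hash . '.' . $ext;
    if ( ! rename( $tmp, $dest ) ) {
        unlink( $tmp );
        return new WP_Error( 'move_failed', 'Cannot store avatar.' );
    }
    return $dest;
}
```

The detail that matters for this vulnerability class is the order of operations: validate content first, decide the extension from the validated type second, and only then write into a web-served directory. A routine that picks the filename from the remote URL, or writes before checking, has the same shape as the bug described above regardless of which add-on enables it.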
Then the Paid Plugin Got Hacked
While six free plugins were being exploited, Gravity Forms — a premium, paid WordPress plugin — was itself supply-chain compromised. Between June 1 and 3, malicious code was injected into common.php. The payload: site and server information sent to attacker-controlled domains, admin backdoor accounts created on every affected installation. Automated cleanup updates began rolling out June 3.
The Gravity Forms attack demolishes the common advice that paid plugins are safer than free ones. The WordPress plugin supply chain — free or premium — is a single attack surface.
The Patchstack Numbers
Patchstack's State of WordPress Security 2026 report quantifies the structural problem. 11,334 new vulnerabilities discovered in the WordPress ecosystem in 2025 — a 42% increase from 2024. Highly exploitable vulnerabilities increased 113% year-over-year. The median time from public disclosure to first exploitation attempt: 5 hours. 46% of vulnerabilities had no patch available at time of disclosure. 91% of vulnerabilities are in plugins. Traditional hosting defenses blocked just 12-26% of attacks in pentesting studies.
The math: the ecosystem produces vulnerabilities faster than it patches them. Nearly half have no fix when announced. Attackers exploit within 5 hours. Hosting firewalls catch a quarter of attacks. Every variable in this equation is moving in the wrong direction.
What WebPulse Data Shows
WebPulse has scanned 466,000+ sites. WordPress is the most detected framework in every region. In the Common Crawl broad web scan, WordPress accounts for 72% of detected frameworks on .com domains. The sites most exposed to this June massacre are the sites that dominate the web.
The question is no longer whether WordPress has security problems. The question is whether the plugin ecosystem's architecture — any developer can publish, automatic updates are opt-in, no mandatory security review — can survive a threat landscape that produces 11,000 vulnerabilities per year with a 5-hour exploitation window.
Hugo: 0 CVEs. Jekyll: 0 CVEs. Astro: 2 CVEs, none critical. The frameworks without plugin ecosystems are the frameworks without plugin vulnerability epidemics. June 2026 didn't create this reality. It made it impossible to ignore.