WordPress Security in 2026: The CVEs Putting Sites at Risk — and the Managed Protection That Stops Them
WordPress runs roughly 43% of the entire web. That scale makes it the single most attacked platform on the internet — and 2026 has already delivered a steady drip of critical vulnerabilities in WordPress core, its plugins, and the infrastructure it runs on. Most site owners only find out a CVE existed after their site is defaced, leaking data, or quietly serving malware.
This is a working practitioner's rundown of the WordPress vulnerabilities actually being exploited in 2026 — and an honest answer to the question every business eventually asks: "do I really have to track all of this myself?"
The WordPress CVEs defining 2026
These are the vulnerabilities our threat-detection network has seen scanned and exploited most aggressively this year. Each links to our full technical breakdown with indicators of compromise and remediation steps.
| CVE | What it hits | Severity | Why it matters |
|---|---|---|---|
| CVE-2026-0740 | Ninja Forms (plugin) | Critical | Unauthenticated file upload → remote code execution on 1M+ sites |
| CVE-2026-41940 | cPanel (hosting layer) | Critical | Authentication bypass exploited as a zero-day for two months before disclosure |
| CVE-2026-42945 | NGINX rewrite module | High | 18-year-old flaw in the web server fronting roughly a third of all sites |
CVE-2026-0740 — Ninja Forms file-upload RCE
A flaw in one of WordPress's most popular form plugins lets an unauthenticated attacker upload a malicious file and execute code on the server. With over a million active installs, it's the most-scanned WordPress vulnerability we're tracking right now. Read the full Ninja Forms CVE-2026-0740 breakdown →
CVE-2026-41940 — cPanel authentication bypass
This one is a cautionary tale: it was being exploited in the wild as a zero-day for roughly two months before a patch existed. If your WordPress site sits on cPanel hosting, the control panel itself was the way in. Read the full cPanel CVE-2026-41940 analysis →
CVE-2026-42945 — NGINX rewrite module
An 18-year-old bug in the NGINX rewrite module — the web server that fronts a huge share of WordPress sites. It's a reminder that "WordPress security" isn't just plugins; it's the whole stack underneath. Read the full NGINX CVE-2026-42945 write-up →
Why chasing CVEs yourself is a losing game
Here's the uncomfortable maths. New WordPress vulnerabilities are disclosed every single week — across core, 60,000+ plugins, themes, and the server stack. To stay genuinely safe on your own you would need to:
- Monitor the NVD, vendor advisories, and dozens of plugin changelogs daily
- Judge which disclosures actually affect your site
- Test and apply patches before attackers weaponise them
- Watch your logs for the scanning that always precedes an exploit
The dangerous window is the gap between a vulnerability being disclosed and you patching it. The cPanel flaw above was exploited for two months. No small business has the time to win that race by hand — and attackers know it. They run automated scanners that hit every WordPress site on the internet within hours of a CVE going public.
What managed WordPress security actually means
The alternative to chasing CVEs yourself isn't another plugin to install and forget — it's handing the whole job to a security company that does it for you.
That's our managed WordPress security service. We become the security team your business doesn't have. A UK, Cyber Essentials–certified practitioner looks after your site so you never have to think about the next vulnerability:
- 24/7 real-time monitoring — we watch your site continuously with our own threat-detection platform, so SQL injection, XSS, brute-force and bot attacks are blocked before they reach your code
- We apply the patches — core, plugins and themes kept current with a staging-first workflow, so a CVE is closed before attackers can use it
- Daily off-site backups — there's always a clean restore point, kept away from your host
- Incident response — if something does happen, a real person investigates and recovers your site, not a ticket queue
- A named human — you get a security practitioner who knows your site, not a chatbot or a script
When a vulnerability like the three above drops, you don't do anything — we've already handled it. That's the point of a managed service: it isn't a tool you operate, it's a team that operates for you.
Launch offer: managed protection, half price for 3 months
To get businesses protected before the next CVE, we're running a launch offer on our managed WordPress security service:
50% off your first 3 months — fully-managed WordPress security from £44.50/month (normally £89), with the usual £249 onboarding fee waived.
That's a monitored, patched and backed-up WordPress site, looked after by a UK security company, for less than the cost of a single hour of emergency cleanup after a breach.
To claim it, email contact@obsyde.com quoting SECURE3, or see the full managed care plans.
How it works
- Get in touch — email contact@obsyde.com quoting SECURE3 and we'll set up a short call.
- We audit and onboard — security baseline, monitoring switched on, backups configured. You get the audit whether or not you proceed.
- We manage it — updates, monitoring, backups and incident response handled for you every week, with a plain-English monthly report.
Questions about your specific site? Email contact@obsyde.com — a real security practitioner will answer, not a sales script.
Frequently asked questions
How do I know if my WordPress site is vulnerable?
If you run any plugins (everyone does) and you're not actively monitoring CVE disclosures, assume you have exposure. The Ninja Forms, cPanel and NGINX flaws above all affect ordinary, well-maintained sites. A managed service tells you what's actually being attempted against your site rather than leaving you guessing.
How often are new WordPress vulnerabilities found?
New CVEs affecting the WordPress ecosystem are disclosed every week, across core, plugins, themes and the underlying server stack. The volume is precisely why handing security to a managed team beats manual patching for most businesses.
Do I still need a managed service if I keep WordPress updated?
Updates are essential but reactive — they only help after a patch exists, and only if you apply it before an attacker strikes. Zero-days like the cPanel bypass were exploited for weeks with no patch available. A managed service covers the gap that updates can't, with monitoring and response on top.
How much does managed WordPress security cost?
Our managed service starts at £89/month — currently £44.50/month for your first three months under the launch offer, onboarding waived. That covers continuous monitoring, updates, daily backups and incident response, run by our UK, Cyber Essentials–certified team.
Can you take over a site you didn't build?
Yes. We take over management of any existing self-hosted WordPress site, wherever it's hosted and whoever built it. Email contact@obsyde.com and we'll get you onboarded.
Sources and further reading
- CVE-2026-0740: Ninja Forms File Upload Vulnerability
- CVE-2026-41940: cPanel Authentication Bypass
- CVE-2026-42945: NGINX Rewrite Module Vulnerability
- WordPress Site Hacked? What To Do
- National Vulnerability Database — nvd.nist.gov
Obsyde is a UK, Cyber Essentials–certified cybersecurity company providing managed WordPress security and consultancy. Get in touch any time at contact@obsyde.com.
Related Insights
CVE-2026-4020: Gravity SMTP Bug Leaks Live API Keys to Anyone — 17 Million Attacks and Counting
A critical information-disclosure flaw in the Gravity SMTP plugin lets unauthenticated attackers read your live API keys and OAuth tokens for Amazon SES, Gmail, Mailjet, Resend and Zoho. Over 17 million exploit attempts blocked since May. The fix is in 2.1.5 — but you also need to rotate every credential. Here's how it works, what's exposed, and exactly how to respond.
10 min read
CVE-2026-8713: Avada Builder Flaw Lets Anyone Delete Your WordPress Files (1 Million Sites at Risk)
A critical CVSS 9.1 vulnerability in the Avada Builder WordPress plugin lets unauthenticated attackers delete arbitrary files — including wp-config.php — leading to full site takeover. Roughly one million sites were exposed before the patch in version 3.15.4. Here's how it works, who's affected, exactly how to fix it, and how to check whether your site has already been hit.
10 min read
CVE-2026-42945: 18-Year-Old NGINX Rewrite Module Flaw Puts a Third of the Web at Risk
CVE-2026-42945 — NGINX Rift — is a CVSS 9.2 heap buffer overflow undetected for 18 years. Affects every NGINX from 2008 onwards. Patches, exploit trigger, what to do tonight.
6 min read