Three concurrent WordPress plugin issues are putting millions of sites at risk. Funnel Builder, used on 40,000+ WooCommerce sites, is being actively exploited: an unauthenticated attacker hits an unprotected checkout endpoint, modifies global plugin settings, and injects JavaScript skimmers into checkout pages. Avada Builder, with 1 million installs and bundled with the Avada theme, ships fixes in 3.15.3 for two flaws: CVE-2026-4782 (CVSS 6.5), an arbitrary file read available to Subscriber-level users that exposes wp-config.php, and CVE-2026-4798 (CVSS 7.5), an unauthenticated time-based blind SQL injection that applies when WooCommerce was used and then deactivated. In Burst Statistics, CVE-2026-8181 is an auth bypass already being exploited on 200,000 sites.
A flaw in Smart Slider 3, one of WordPress's most popular slider plugins with over 800,000 active installations, lets anyone with a basic subscriber account download arbitrary files from the server. That includes wp-config.php, which contains database credentials, encryption keys, and salt data. An attacker only needs the lowest level of authenticated access to trigger the vulnerable export function and package sensitive files into a downloadable ZIP.