Three concurrent WordPress plugin issues are putting millions of sites at risk. Funnel Builder, used on 40,000+ WooCommerce sites, is being actively exploited: an unauthenticated attacker hits an unprotected checkout endpoint, modifies global plugin settings, and injects JavaScript skimmers into checkout pages. Avada Builder, with 1 million installs and bundled with the Avada theme, ships fixes in 3.15.3 for CVE-2026-4782 (CVSS 6.5 arbitrary file read by Subscriber-level users, exposes wp-config.php) and CVE-2026-4798 (CVSS 7.5 unauthenticated time-based blind SQL injection when WooCommerce was used then deactivated). Burst Statistics CVE-2026-8181 is an auth bypass already being exploited on 200,000 sites.
Wordfence has seen more than 170 live exploit attempts against CVE-2026-3844, a critical unauthenticated arbitrary file upload in the Breeze Cache WordPress plugin from Cloudways. Breeze has roughly 400,000 active installations, making this one of the larger exposure events of the month. The flaw lives in the fetch_gravatar_from_remote function, which fetches avatar images from an arbitrary remote URL and saves them locally without validating the downloaded file's MIME type - so an attacker can point it at a .php payload and drop a webshell directly into a web-accessible directory. The attack is only possible when the 'Host Files Locally - Gravatars' add-on is enabled, which is not the default, but any site that turned it on for performance reasons is wide open. Cloudways shipped the fix as Breeze 2.4.5 earlier this week; as of publication only about 138,000 of the 400,000 installations had downloaded the patched version, leaving hundreds of thousands of sites exposed to a pre-auth RCE with 9.8 CVSS.