A critical WordPress plugin vulnerability — rated 9.8 out of 10 — is letting attackers take over sites with no login required. It affects 900,000+ installs. If your WordPress site hasn't been touched since it was built, you need to read this.
CVE-2026-1357 in the WPvivid Backup plugin (900K+ installs) allows full remote takeover with zero authentication. A second flaw in King Addons for Elementor logged 50,000+ active exploit attempts. WordPress plugin vulnerabilities are up 68% year-over-year. Most small business WordPress sites are unmaintained — and that is exactly what attackers count on.
In February 2026, a security researcher disclosed CVE-2026-1357 — a critical flaw in WPvivid Backup & Migration, a WordPress plugin installed on over 900,000 websites.
The severity score is 9.8 out of 10.
What makes a vulnerability score that high? Two things: what it lets an attacker do, and how easy it is to do it. CVE-2026-1357 checks both boxes. It allows remote code execution — meaning an attacker can run arbitrary commands on your server — and it requires zero authentication to trigger. No username, no password, no special access. Just knowledge that the plugin exists and the right request.
Around the same time, the King Addons for Elementor plugin (a popular visual builder add-on with tens of thousands of active installs) was found to have a similarly critical flaw that allowed attackers to create their own administrator accounts. Security researchers logged more than 50,000 active exploitation attempts against that vulnerability before patches were even widely deployed.
These are not hypothetical risks. These are attacks that happened to real sites this quarter.
WordPress powers more than 40% of all websites on the internet. That scale makes it the most valuable target in web security — not because WordPress itself is poorly built, but because the plugin ecosystem is enormous, inconsistently maintained, and widely deployed on sites that nobody is actively watching.
According to the Patchstack State of WordPress Security 2026 report, plugin vulnerabilities increased 68% year-over-year. Forty-three percent of all WordPress vulnerabilities are exploitable without any login at all — meaning an attacker doesn't need to trick anyone into clicking anything. They just need to find the site, confirm the vulnerable plugin, and act.
The attack cycle works like this: a researcher discloses a vulnerability, attackers reverse-engineer the patch to understand the flaw, and within hours to days, they run automated scans across the internet looking for every site still running the vulnerable version. Unpatched sites get queued. Exploitation is often automated at scale.
Your site does not need to be specifically targeted. It just needs to be findable — and every WordPress site is findable.
Here is how most small business WordPress sites get built: a developer or agency builds the site, launches it, and hands it over. The business owner gets a login, a tutorial they may or may not follow, and a support email they may or may not use.
Plugins are installed to cover functionality: a backup plugin, a contact form plugin, a page builder, an SEO plugin, a gallery, a booking system. Each one is another surface area. Each one gets updated by its own developer on its own timeline, with its own record of security disclosures.
Most small business owners have never logged back into WordPress to check if any of those plugins have security updates waiting. Some do not have automatic updates enabled. Some have automatic updates enabled but have not verified they are working. And some have automatic updates that silently fail because the hosting environment has restrictions that nobody ever told them about.
Six months after launch, twelve months after launch, three years after launch — the site is still running the same plugin versions from day one. This is exactly the scenario attackers look for.
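The "update queue nobody checks" described above can be inspected without logging into the dashboard. The following is an added example, not code from the original article or from SitoraWeb: it triages a plugin inventory in the shape of WP-CLI's `wp plugin list --format=json` output (field names assumed to match that command) and reports pending updates, plugins whose auto-update is off, and inactive plugins that still sit on disk. The sample inventory is constructed for the example.

```python
import json
from typing import Dict, List

# Constructed sample in the shape of `wp plugin list --format=json` (WP-CLI output).
# Plugin names and versions are made up for this example, not data from a real site.
SAMPLE_PLUGIN_LIST_JSON = json.dumps([
    {"name": "example-backup", "status": "active", "update": "available",
     "version": "1.2.0", "update_version": "1.3.1", "auto_update": "off"},
    {"name": "example-forms", "status": "active", "update": "none",
     "version": "5.0.2", "update_version": "", "auto_update": "on"},
    {"name": "example-gallery", "status": "inactive", "update": "available",
     "version": "0.9.0", "update_version": "1.0.0", "auto_update": "off"},
    {"name": "example-seo", "status": "active", "update": "none",
     "version": "3.4.0", "update_version": "", "auto_update": "off"},
])

FIELDS = ("name", "status", "update", "version", "update_version", "auto_update")


def parse_plugin_list(json_text: str) -> List[Dict[str, str]]:
    """Parse WP-CLI's JSON plugin list; missing optional fields become empty strings."""
    return [{f: str(row.get(f, "")) for f in FIELDS} for row in json.loads(json_text)]


def triage(plugins: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Group plugins by the maintenance gap each one represents:
    update_pending     - a newer version exists and nobody has applied it
    auto_update_off    - the update will not apply itself; someone must log in
    inactive_installed - disabled plugins still leave code on disk; remove them
    """
    findings: Dict[str, List[str]] = {
        "update_pending": [], "auto_update_off": [], "inactive_installed": []}
    for p in plugins:
        if p["update"] == "available":
            findings["update_pending"].append(
                f'{p["name"]} {p["version"]} -> {p["update_version"]}')
        if p["auto_update"] != "on":
            findings["auto_update_off"].append(p["name"])
        if p["status"] == "inactive":
            findings["inactive_installed"].append(p["name"])
    return findings


if __name__ == "__main__":
    # On a real site: wp plugin list --format=json > plugins.json, then feed that file in.
    for category, names in triage(parse_plugin_list(SAMPLE_PLUGIN_LIST_JSON)).items():
        print(f"{category}: {', '.join(names) or 'none'}")
```

Running this on a schedule (cron, CI, or a hosting control panel task) turns the silent failure mode into a visible report; an empty `update_pending` list after auto-updates were supposed to run is the check that confirms they actually worked.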
The outcomes vary, but common attack patterns include:
Defacement. The site's visible content is replaced with whatever the attacker wants to display — sometimes political messaging, sometimes shock content, sometimes a fake warning that the site has been seized. Clients and customers see this. Trust is immediately destroyed.
Malware injection. Code is inserted into the site that infects visitors' browsers, steals credentials, or turns the site into a malware distribution point. Google detects this and flags the site with a browser warning. Organic search traffic drops to zero.
SEO spam. Attackers inject hidden links to their own sites — often pharmaceutical spam or gambling content — to exploit your domain's search authority. You may not notice for months, but search engines do. Rankings collapse.
Data theft. Any contact form submissions, customer records, or email addresses stored in your WordPress database become accessible. If your site has WooCommerce or a booking system, that data includes payment and personal information.
Ransomware staging. In some cases, a compromised WordPress site is used as a relay point for attacks on other infrastructure — meaning your site becomes part of someone else's attack chain.
Sixty percent of small businesses that experience a significant breach close within six months. That number comes up in cybersecurity reporting consistently because it reflects something true about the weight of recovery: the technical cleanup, the reputation damage, the legal exposure, and the operational disruption compound in ways that are genuinely hard to survive.
CVE-2026-1357 is the headline this quarter, but plugins are one of several attack surfaces on a typical WordPress installation:
Themes are maintained with the same inconsistency as plugins and have the same vulnerability profile.
WordPress core updates regularly — but only if someone is accepting them. Major version updates often require plugin compatibility testing that owners skip indefinitely.
The hosting environment matters. A WordPress site on outdated PHP or on a shared hosting environment with weak isolation can be compromised through other sites on the same server — even if your own plugins and themes are fully up to date.
Admin credentials that were set at launch and never rotated, with usernames like "admin" and passwords the owner can actually remember, are a parallel attack vector entirely independent of plugin vulnerabilities.
The good news is that maintained sites are demonstrably more resilient. The attacks that swept through vulnerable WPvivid installations this quarter did not touch patched sites — the patch was available, and sites running the updated version were not in scope for the exploit.
A maintained WordPress site has:
None of this is exotic. It is the baseline of responsible ongoing ownership for a site that represents your business.
The industry norm for most web projects is a build-and-deliver model. A site gets built, it gets launched, and the relationship ends there — or continues only as paid hourly support when something visibly breaks.
Security maintenance is not something that visibly breaks until it catastrophically breaks. A vulnerable plugin on an active WordPress site looks exactly like a secure plugin on an active WordPress site — until the moment it doesn't.
The business owners who are not in this story are the ones who had someone paying attention after launch: checking the plugin update queue, monitoring for new CVE disclosures, running periodic security scans. Not because they expected an attack, but because they treated their website like business infrastructure rather than a finished product.
That distinction is the actual separator between sites that get hit and sites that don't.
Every site we build at SitoraWeb is built to be maintained — not just launched. That means clear documentation, a maintainable tech stack, and a relationship that does not end when the site goes live.
For businesses already running a WordPress site, the question is not whether a vulnerability like CVE-2026-1357 exists — it always will. The question is whether there is a person or a process catching it before it becomes your problem.
If you do not know who is watching your site, the honest answer is probably nobody. That is worth fixing.