WordPress site owners face a serious week. Four newly confirmed vulnerabilities are being exploited against WordPress installations right now: one for which a verified patched build may not yet have reached your update channel, one allowing complete server takeover without a single login, and two injecting malicious code silently into your pages. Here is what is happening, what it means in plain language, and exactly how to protect your site.
🔴 CRITICAL: W3 Total Cache: A Stranger Can Take Over Your Server
CVE-2026-27384 | CVSS 9.8 | Unauthenticated Remote Code Execution
W3 Total Cache is installed on over 1 million WordPress sites. Versions up to and including 2.9.1 contain a flaw in the plugin's dynamic content processing, specifically in the mfunc and mclude fragment-caching tag handlers, that lets anyone on the internet send a specially crafted request and have the server execute arbitrary PHP code. No login required. No admin account needed. Full server compromise in a single request.
What attackers gain: Complete control of the web server process, your database, your files, and every other site that runs under the same web server user on that host.
What to do right now: Update W3 Total Cache to version 2.9.2 or later immediately.
SwissWPSuite stops this cold:
The WAF (Layer 1) blocks the malicious mfunc/mclude payload patterns at the HTTP layer before they reach PHP execution; the Pro tier covers 38 command injection patterns including system(), passthru(), shell_exec(), eval(), and reverse shell chains
PHP-in-Uploads blocking (Layer 3, Pro) stops follow-on web shells dropped into the uploads path from executing; note that the mfunc/mclude flaw itself does not go through uploads, so this layer limits post-exploitation rather than the initial request
Sentinel M4-D2 (Layer 5) flags W3 Total Cache 2.9.1 and earlier as a known vulnerable version via WPScan integration and 20 hardcoded CVE fallbacks
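To make the WAF layer concrete, here is an added example (my own code, not SwissWPSuite's rules or the W3 Total Cache code base) of the HTTP-layer check described above: it URL-decodes a request body, looks for the documented mfunc/mclude tag syntax, and escalates when a PHP execution primitive appears inside the same body. The primitive list and the sample requests are constructed for the demo, and the `authenticated` flag is assumed to be something the WAF already knows from the request's login cookie.

```python
import re
from urllib.parse import unquote_plus

# W3 Total Cache fragment-caching tags, as documented by the plugin:
#   <!--mfunc-->  PHP code  <!--/mfunc-->
#   <!--mclude path/to/file.php-->  <!--/mclude-->
# The patterns are loose about whitespace and case so trivially obfuscated
# variants ("<!--  MFUNC -->") still match.
MFUNC_TAG = re.compile(r"<!--\s*/?\s*mfunc\b", re.IGNORECASE)
MCLUDE_TAG = re.compile(r"<!--\s*/?\s*mclude\b", re.IGNORECASE)

# Hypothetical list of PHP execution primitives (not SwissWPSuite's 38-pattern
# set): anything a payload placed inside an mfunc block would call to run
# commands or evaluate code.
EXEC_PRIMITIVE = re.compile(
    r"\b(system|passthru|shell_exec|exec|popen|proc_open|eval|assert)\s*\(",
    re.IGNORECASE,
)


def classify_request(body: str, authenticated: bool = False) -> dict:
    """Classify one request body (form field, JSON, comment text) as
    allow / log / block.  `authenticated` is whether the request carried a
    valid WordPress login cookie (assumed to be known to the WAF)."""
    # Decode twice so single-layer double encoding (%253C -> %3C -> <) does not
    # slip past the tag check.
    decoded = unquote_plus(unquote_plus(body))

    findings = []
    if MFUNC_TAG.search(decoded):
        findings.append("mfunc tag")
    if MCLUDE_TAG.search(decoded):
        findings.append("mclude tag")
    if findings and EXEC_PRIMITIVE.search(decoded):
        findings.append("php execution primitive")

    if not findings:
        return {"action": "allow", "findings": []}
    # Anonymous traffic has no legitimate reason to carry fragment tags, so any
    # hit is blocked.  Logged-in editors may legitimately save a post that
    # documents W3TC syntax, so for them we block only when an execution
    # primitive accompanies the tag and otherwise just log.
    if not authenticated or "php execution primitive" in findings:
        return {"action": "block", "findings": findings}
    return {"action": "log", "findings": findings}


# Constructed sample traffic (not real captures).
SAMPLE_REQUESTS = [
    ("benign comment", "comment=Great+post%2C+thanks%21", False),
    ("url-encoded mfunc payload",
     "comment=%3C%21--mfunc--%3E%3C%3Fphp+system%28%27id%27%29%3B+%3F%3E%3C%21--%2Fmfunc--%3E",
     False),
    ("anonymous mclude include", "content=<!--mclude uploads/x.php-->", False),
    ("editor documenting the tag", "content=Use <!--mfunc--> for dynamic fragments", True),
]

if __name__ == "__main__":
    for label, body, authed in SAMPLE_REQUESTS:
        verdict = classify_request(body, authenticated=authed)
        print(f"{label:32} -> {verdict['action']:5}  {verdict['findings']}")
```

The split between block and log for authenticated users is the design point: a rule that blocks every occurrence of the tag string will break editors who write about the plugin, while a rule that only fires on execution primitives misses an mclude of an already-uploaded file. Logging the authenticated tag hits gives you the evidence trail without the false positives.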
🔴 CRITICAL: Royal Elementor Addons: Delete It Immediately
CVE-2026-28135 | Missing Authorization | PATCH AVAILABILITY UNCONFIRMED
Royal Elementor Addons up to and including version 1.7.1049 is missing an authorization check, so functionality that should be restricted can be reached by requests that never passed an access-control check. A patched version, 1.7.1050, is reported as available as of the disclosure date, but the vendor's rollout has been inconsistent across distribution channels, so the update may not yet be offered to your installation. Until you can confirm a verified patched build on your own site, the safest action is immediate removal.
What attackers gain: Unauthorized access to protected admin actions, potential data theft and site manipulation without needing an account.
What to do right now: Delete the plugin immediately. Do not just deactivate it; remove it entirely. Before you delete it, check for files an attacker may already have dropped, because removing the plugin directory also removes evidence of what happened.
SwissWPSuite detects and limits exposure:
REST API whitelist (Layer 7) blocks unauthenticated access to non-whitelisted namespaces, which limits the attack surface for authorization bypass attempts
Sentinel M4-D2 flags Royal Elementor Addons ≤1.7.1049 as vulnerable
Sentinel M1-B and M1-C (Layer 5) scan for suspicious filenames and 24 malware signatures if a payload was already dropped before the plugin was removed
Note: SwissWPSuite cannot fully prevent an authorization bypass that operates inside legitimate authenticated flows, so deletion remains mandatory
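The "check for dropped files before you delete" step above is easy to skip because it is vague about what to look for. As an added example (my own scanner, not Sentinel M1-B/M1-C and not the plugin vendor's code), the block below walks a wp-content tree and reports two things a practitioner checks first after a plugin compromise: PHP-executable files under uploads/, where WordPress never writes PHP, and files anywhere that contain request-to-code or decode-then-eval chains. The signature list and the sample tree are constructed for the demo; the extension list is an assumption you should match to your server's handler configuration.

```python
import re
import tempfile
from pathlib import Path

# Extensions the web server is likely to hand to PHP.  Hypothetical list;
# check your own server's handler configuration.
PHP_SUFFIXES = {".php", ".phtml", ".php5", ".php7", ".phar"}

# Hypothetical signatures (not SwissWPSuite's 24): obfuscation and
# request-to-code chains that legitimate plugin code almost never contains.
SIGNATURES = [
    ("eval-of-decoded-blob",
     re.compile(rb"eval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)),
    ("request-to-eval",
     re.compile(rb"eval\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b", re.I)),
    ("variable-function-from-request",
     re.compile(rb"\$_(GET|POST|REQUEST|COOKIE)\s*\[[^\]]+\]\s*\(", re.I)),
    ("long-base64-literal",
     re.compile(rb"['\"][A-Za-z0-9+/]{400,}={0,2}['\"]")),
]

MAX_READ = 2 * 1024 * 1024  # bytes scanned per file


def scan_wp_content(root) -> list:
    """Walk a wp-content directory and return sorted (relative_path, reason)
    pairs.  Two checks: any PHP-executable file under uploads/ (WordPress
    never writes PHP there), and signature hits in any file."""
    root = Path(root)
    uploads = root / "uploads"
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        # Look at every suffix so shell.jpg.php is caught, not just the last one.
        suffixes = {s.lower() for s in path.suffixes}
        if uploads in path.parents and suffixes & PHP_SUFFIXES:
            findings.append((rel, "php-file-in-uploads"))
        with path.open("rb") as fh:
            data = fh.read(MAX_READ)
        for name, pattern in SIGNATURES:
            if pattern.search(data):
                findings.append((rel, name))
    return findings


def build_sample_tree() -> str:
    """Create a constructed wp-content tree in a temp directory for the demo
    (not a real compromise) and return its path."""
    base = Path(tempfile.mkdtemp(prefix="wp-content-"))
    files = {
        "uploads/2026/03/photo.jpg": b"\xff\xd8\xff\xe0JFIF fake image bytes",
        "uploads/2026/03/shell.jpg.php":
            b"<?php eval(base64_decode($_POST['c'])); ?>",
        "themes/sample-theme/functions.php":
            b"<?php\n$_GET['f']($_GET['a']);\n",
        "plugins/legit-plugin/legit-plugin.php":
            b"<?php\n/* Plugin Name: Legit */\necho esc_html( $title );\n",
    }
    for rel, content in files.items():
        target = base / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(content)
    return str(base)


if __name__ == "__main__":
    for rel, reason in scan_wp_content(build_sample_tree()):
        print(f"{reason:32} {rel}")
```

Run it against a copy of wp-content taken before you delete the plugin, and keep that copy: a clean scan of the uploads path is not proof of a clean site, since a dropped file can also live in the plugin directory you are about to remove or outside wp-content entirely, but it is the minimum check before evidence is destroyed.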
🟠 HIGH: Gutenverse: Malicious Scripts Hiding in Your Pages
CVE-2026-2924 | Stored XSS via imageLoad | Patched in 3.4.7
Gutenverse (used on hundreds of thousands of sites) allows any Contributor-level user, meaning anyone you have ever given basic editing access to, to inject malicious JavaScript via the imageLoad parameter. Once stored, that script executes silently in the browser of every visitor or admin who views the affected page. Because WordPress sets its authentication cookies HttpOnly, the script usually cannot read an admin's session cookie directly; what it can do is act as the admin from inside their browser (for example, submitting privileged requests with the admin's own nonces), redirect visitors, or deface your site.
What to do right now: Update Gutenverse to version 3.4.7 or later.
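All three advisories end with the same instruction: confirm which version you are running and compare it with the fixed release. As an added example (my own code, not Sentinel M4-D2 and not WordPress core), the block below reads the `Version:` field from a plugin's main-file header the way WordPress does, compares it with the fixed versions stated on this page, and reports the action each advisory calls for, including the "remove rather than update" case where patch availability is unconfirmed. The plugin slugs in the table are my assumption of the plugin directory names; confirm them against wp-content/plugins on your own install. The sample headers are constructed for the demo.

```python
import re

# Affected/fixed versions exactly as stated in the advisories above.  The keys
# are the plugin directory slugs as I understand them (assumption; confirm
# against wp-content/plugins on your own install).
ADVISORIES = {
    "w3-total-cache": {"cve": "CVE-2026-27384", "fixed": "2.9.2", "patch": "released"},
    "royal-elementor-addons": {"cve": "CVE-2026-28135", "fixed": "1.7.1050", "patch": "unconfirmed"},
    "gutenverse": {"cve": "CVE-2026-2924", "fixed": "3.4.7", "patch": "released"},
}

# Same shape as the header regex WordPress uses to read plugin metadata.
VERSION_HEADER = re.compile(r"^[ \t/*#@]*Version:\s*(\S+)", re.IGNORECASE | re.MULTILINE)


def header_version(plugin_main_file_text: str):
    """Pull the Version: field out of a plugin's main-file header comment."""
    m = VERSION_HEADER.search(plugin_main_file_text)
    return m.group(1) if m else None


def parse_version(v: str) -> tuple:
    """Split '1.7.1049' into comparable integers.  Non-numeric components
    (e.g. 'beta') sort below a release, approximating PHP's version_compare."""
    return tuple(int(p) if p.isdigit() else -1 for p in re.split(r"[.\-_+]", v.strip()))


def version_lt(a: str, b: str) -> bool:
    """True when version a is older than version b ('2.9' == '2.9.0')."""
    ta, tb = parse_version(a), parse_version(b)
    n = max(len(ta), len(tb))
    return ta + (0,) * (n - len(ta)) < tb + (0,) * (n - len(tb))


def assess(slug: str, installed: str):
    """Return None for plugins not in the table, otherwise a verdict with the
    action the advisory calls for."""
    adv = ADVISORIES.get(slug)
    if adv is None:
        return None
    if not version_lt(installed, adv["fixed"]):
        return {"slug": slug, "cve": adv["cve"], "installed": installed,
                "vulnerable": False, "action": "none"}
    if adv["patch"] == "unconfirmed":
        action = "remove the plugin until a verified patched build is on your install"
    else:
        action = f"update to {adv['fixed']} or later"
    return {"slug": slug, "cve": adv["cve"], "installed": installed,
            "vulnerable": True, "action": action}


def audit(plugin_files: dict) -> list:
    """plugin_files maps slug -> text of the plugin's main PHP file.
    Returns the verdicts for plugins that are still vulnerable."""
    results = []
    for slug, text in plugin_files.items():
        v = header_version(text)
        verdict = assess(slug, v) if v else None
        if verdict and verdict["vulnerable"]:
            results.append(verdict)
    return results


# Constructed plugin headers for the demo (not files from a real site).
SAMPLE_PLUGIN_FILES = {
    "w3-total-cache": "<?php\n/*\n * Plugin Name: W3 Total Cache\n * Version: 2.9.1\n */\n",
    "royal-elementor-addons": "<?php\n/**\n * Plugin Name: Royal Elementor Addons\n * Version: 1.7.1049\n */\n",
    "gutenverse": "<?php\n/*\nPlugin Name: Gutenverse\nVersion: 3.4.7\n*/\n",
    "akismet": "<?php\n/*\nPlugin Name: Akismet\nVersion: 5.3\n*/\n",
}

if __name__ == "__main__":
    for r in audit(SAMPLE_PLUGIN_FILES):
        print(f"{r['slug']} {r['installed']}: {r['cve']} -> {r['action']}")
```

Reading the header file rather than trusting the dashboard matters on a compromised site: the Plugins screen runs through the same PHP an attacker may have modified, whereas the header text on disk is what you can cross-check against a clean copy of the release.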
SwissWPSuite defends in depth:
WAF XSS detection (Layer 1) covers 40+ patterns in Pro tier including