Every week, hundreds of WordPress vulnerabilities are quietly published. Most site owners never see them. This week was not a quiet one.
This week, the WordPress security ecosystem recorded over 70 new CVEs across both the March 30–April 5 Wordfence window and the April 8–9 digest. One of them has no patch. One of them has a CVSS score of 9.8. One of them could hand an anonymous stranger full control of your website, no login required.
Here is everything that happened, explained plainly, and what SwissWPSuite does to protect you.
THREAT #1 – CVE-2026-3535 (CVSS 9.8) | DSGVO Google Web Fonts GDPR Plugin | UNPATCHED – REMOVE IMMEDIATELY
What is it?
An unauthenticated arbitrary file upload and Remote Code Execution (RCE) vulnerability in the DSGVO Google Web Fonts GDPR plugin. This plugin was installed by site owners trying to comply with GDPR privacy rules by hosting Google Fonts locally: a responsible, legally motivated decision that accidentally opened a back door.
How does it work, in plain English?
The plugin has a function called DSGVOGWPdownloadGoogleFonts() that is registered via a wp_ajax_nopriv_ hook, meaning anyone on the internet, without any login, can call it. You send a single HTTP POST request to /wp-admin/admin-ajax.php. You point it at a fake CSS file you control on your own server. That CSS file contains a reference to a PHP file (a webshell). The plugin faithfully downloads that PHP file and writes it directly into the active theme’s directory. No verification. No MIME check. No authentication. Done.
Impact: Full server takeover. Database credentials. Admin accounts. Everything.
Is there a fix? No. The plugin appears abandoned and has no patch as of the time of writing. Remove it now and replace it with OMGF or Local Google Fonts.
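To make the two properties that matter here concrete, the PHP below is an added example; it is not the DSGVO plugin's code and not the function named above, and every swps_example_* name and the 'swps_font_dl' nonce action are hypothetical. The first handler has the shape the bulletin describes: a wp_ajax_nopriv_ hook, an attacker-chosen URL, and a blind write into an executable directory. The second is the form a maintainer should ship: no nopriv registration, a capability check and nonce, an allow-listed host and extension, a destination under uploads rather than the theme, and a content check before anything touches disk.

```php
<?php
// Added example, not the plugin's code. All swps_example_* names and the
// 'swps_font_dl' nonce action are hypothetical.

// BEFORE: the shape described in the bulletin. The commented-out add_action line is
// the single line that exposes it to anonymous callers; the body then fetches whatever
// URL the request names and writes the response into the active theme directory,
// where PHP executes.
// add_action( 'wp_ajax_nopriv_swps_example_fetch_font', 'swps_example_fetch_font_unsafe' );
function swps_example_fetch_font_unsafe() {
    $url  = $_POST['font_url'];
    $body = wp_remote_retrieve_body( wp_remote_get( $url ) );
    file_put_contents( get_stylesheet_directory() . '/' . basename( $url ), $body );
    wp_die();
}

// AFTER: logged-in administrators only (no _nopriv_ registration), nonce-checked,
// source restricted to an allow-list, font extensions only, stored under uploads
// instead of the theme, and the body inspected before the write.
add_action( 'wp_ajax_swps_example_fetch_font', 'swps_example_fetch_font_safe' );
function swps_example_fetch_font_safe() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    check_ajax_referer( 'swps_font_dl', 'nonce' ); // dies on a missing or stale nonce

    $url   = isset( $_POST['font_url'] ) ? esc_url_raw( wp_unslash( $_POST['font_url'] ) ) : '';
    $check = swps_example_validate_font_url( $url );
    if ( is_wp_error( $check ) ) {
        wp_send_json_error( $check->get_error_message(), 400 );
    }

    // wp_safe_remote_get() additionally refuses non-HTTP schemes and local/private hosts.
    $response = wp_safe_remote_get( $url, array( 'timeout' => 10, 'limit_response_size' => 2 * MB_IN_BYTES ) );
    if ( is_wp_error( $response ) || 200 !== wp_remote_retrieve_response_code( $response ) ) {
        wp_send_json_error( 'download failed', 502 );
    }
    $body = wp_remote_retrieve_body( $response );
    if ( swps_example_looks_like_php( $body ) ) {
        wp_send_json_error( 'rejected: response body looks like PHP', 400 );
    }

    $dir = trailingslashit( wp_upload_dir()['basedir'] ) . 'swps-example-fonts';
    wp_mkdir_p( $dir );
    $name = sanitize_file_name( wp_basename( (string) wp_parse_url( $url, PHP_URL_PATH ) ) );
    file_put_contents( trailingslashit( $dir ) . $name, $body );
    wp_send_json_success( array( 'stored' => $name ) );
}

// Only https, only the two Google Fonts hosts, only font or stylesheet extensions.
function swps_example_validate_font_url( $url ) {
    $allowed_hosts = array( 'fonts.googleapis.com', 'fonts.gstatic.com' );
    $allowed_ext   = array( 'woff2', 'woff', 'ttf', 'css' );
    $parts         = wp_parse_url( $url );
    if ( ! is_array( $parts ) || ( $parts['scheme'] ?? '' ) !== 'https' ) {
        return new WP_Error( 'scheme', 'https URLs only' );
    }
    if ( ! in_array( strtolower( $parts['host'] ?? '' ), $allowed_hosts, true ) ) {
        return new WP_Error( 'host', 'host is not allow-listed' );
    }
    $ext = strtolower( pathinfo( $parts['path'] ?? '', PATHINFO_EXTENSION ) );
    if ( ! in_array( $ext, $allowed_ext, true ) ) {
        return new WP_Error( 'ext', 'extension is not allow-listed' );
    }
    return true;
}

// A font or stylesheet never contains a PHP open tag; reject anything that does.
function swps_example_looks_like_php( $body ) {
    return 1 === preg_match( '/<\?(php|=)/i', $body );
}
```

Registering only wp_ajax_ (never wp_ajax_nopriv_) means an anonymous request never reaches the function body; WordPress answers it with its default empty response before the capability and nonce checks even run. The destination matters as much as the validation: the bulletin notes the real plugin wrote into the active theme directory, and a rule that blocks PHP execution under /wp-content/uploads/ does nothing for a file that lands in a theme.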
THREAT #2 – Five CVSS 9.8 Criticals (March 30 – April 5)
Wordfence’s weekly report covering March 30 to April 5 flagged 54 vulnerabilities in 49 plugins, including 5 rated Critical at CVSS 9.8:
Plugin                                     | Vulnerability                                  | Status
Contact Form by Supsystic ≤ 1.7.36         | Unauthenticated Server-Side Template Injection | Patched
Everest Forms Pro ≤ 1.9.12                 | Unauthenticated Remote Code Execution          | Patched
Order Notification for WooCommerce < 3.6.3 | Unauthenticated RCE                            | Patched
Responsive Plus < 3.4.3                    | Unauthenticated Arbitrary Code Execution       | Patched
ThemeREX Addons < 2.38.5                   | Unauthenticated Arbitrary File Upload          | Patched
All five share one dangerous property: zero authentication required. Any anonymous scanner on the internet can attempt to exploit them. Update immediately.
THREAT #3 – CVE-2026-4808 (CVSS 7.2) | Arbitrary File Upload | Gerador de Certificados
A second arbitrary file upload vulnerability appeared in the same April 8–9 window. The plugin is a Brazilian-market certificate generator. Same bug class as CVE-2026-3535: missing file type validation. Two different developers, two different plugins, same critical mistake disclosed in the same 48-hour period. That is not coincidence. It is a pattern.
THREAT #4 – 7 Stored XSS Vulnerabilities (April 8–9)
Stored Cross-Site Scripting (XSS) means an attacker can inject malicious JavaScript into your website's content. When an admin or logged-in user visits that page, the script runs in their browser, potentially stealing session cookies, creating rogue admin accounts, or redirecting visitors.
This week's stored XSS hits:
CVE-2026-5506 (CVSS 6.4) – Wavr plugin (shortcode injection)
CVE-2026-3618 (CVSS 6.4) – Columns by BestWebSoft
CVE-2026-5508 (CVSS 6.4) – WowPress plugin
CVE-2026-3142 (CVSS 6.4) – Pinterest Site Verification Meta Tag
CVE-2026-4871 (CVSS 6.4) – Sports Club Management
CVE-2026-2838 (CVSS 4.4) – Whole Inquiry Cart for WooCommerce
CVE-2026-5169 (CVSS 4.4) – Inquiry Form to Posts or Pages
THREAT #5 – SQL Injection, CSRF, Broken Access Control, Info Disclosure
CVE-2026-3781 (CVSS 5.4) – SQL Injection in Attendance Manager via the attmgr_off parameter. SQL injection can extract password hashes, user tables, and full site metadata.
CVE-2026-5167 (CVSS 5.3) – Broken Access Control in Masteriyo LMS, exposing paid course content to unauthorized users.
CVE-2026-3594 (CVSS 5.3) – Information Disclosure via unauthenticated endpoint in Riaxe Product Customizer.
CVE-2026-4141 (CVSS 4.3) – CSRF in the Quran Translations plugin.
CVE-2026-3533 β Broken Access Control in LearnPress LMS (patched in v4.14.2).
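The two most common classes in Threats #4 and #5, stored XSS and SQL injection, come down to where untrusted text is allowed to flow. The PHP below is an added example, not code from Attendance Manager, Wavr or any plugin named in this post; the shortcode tag, the attendance table and the office attribute are hypothetical. It shows one shortcode handler written both ways: the unsafe version concatenates an attribute into SQL and straight into HTML (a shortcode saved in a post becomes stored XSS for every visitor), the safe version uses $wpdb->prepare() for the query and esc_html() at the point of output.

```php
<?php
// Added example, not any listed plugin's code. Shortcode tag, table name
// ({$wpdb->prefix}attendance) and the 'office' attribute are hypothetical.

// BEFORE (shown for contrast, deliberately not registered): the attribute goes
// unescaped into the SQL string and unescaped into the HTML it returns.
function swps_example_attendance_unsafe( $atts ) {
    global $wpdb;
    $office = $atts['office'];
    $rows   = $wpdb->get_results( "SELECT name FROM {$wpdb->prefix}attendance WHERE office = '$office'" );
    $html   = "<h3>$office</h3><ul>";
    foreach ( $rows as $r ) {
        $html .= "<li>$r->name</li>";
    }
    return $html . '</ul>';
}

// AFTER: [swps_example_attendance office="Zurich"]
add_shortcode( 'swps_example_attendance', 'swps_example_attendance_safe' );
function swps_example_attendance_safe( $atts ) {
    global $wpdb;
    // shortcode_atts() drops attributes the handler does not declare.
    $atts   = shortcode_atts( array( 'office' => '' ), $atts, 'swps_example_attendance' );
    $office = sanitize_text_field( $atts['office'] );
    if ( '' === $office ) {
        return '';
    }

    // %s placeholder: prepare() quotes and escapes the value as a string literal.
    // The table name comes from code, never from input.
    $rows = $wpdb->get_results(
        $wpdb->prepare( "SELECT name FROM {$wpdb->prefix}attendance WHERE office = %s", $office )
    );

    // Escape on output, where each value enters HTML. Data read back from the
    // database is escaped too: it may have been written by a less careful code path.
    $html = '<h3>' . esc_html( $office ) . '</h3><ul>';
    foreach ( $rows as $r ) {
        $html .= '<li>' . esc_html( $r->name ) . '</li>';
    }
    return $html . '</ul>';
}
```

The same two rules cover the parameter case as well as the shortcode case: bind every value with a $wpdb->prepare() placeholder rather than interpolating it, and escape with the function that matches the output context (esc_html() for text, esc_attr() inside attributes, esc_url() for links) at the moment of output rather than at the moment of input.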
The Bigger Picture: 225 New Vulnerabilities in a Single Week
SolidWP's April 1 weekly report disclosed 225 vulnerabilities, with 91 still unpatched at time of publication. Patchstack's 2026 annual whitepaper confirms the trend: over 11,300 new WordPress ecosystem vulnerabilities were identified last year, a 42% increase year-on-year. Plugins account for 96–97% of all WordPress vulnerabilities. Not themes. Not core. Plugins.
WORDPRESS 7.0 – OFFICIALLY DELAYED
WordPress 7.0 was originally scheduled for release on April 9, 2026. It has been delayed. As of April 8, additional pre-release builds are paused through April 17, and the WordPress project leadership has committed to publishing a revised final schedule no later than April 22. WordPress VIP's platform schedule now points to April 30, 2026 as the new target.
The delay centers on real-time collaboration features introduced in Gutenberg's Phase 3. WordPress 6.9.4 remains the current stable version and is recommended for all live sites.
What to do now: Stay on 6.9.4. Do not rush a 7.0 beta onto production. Monitor the April 22 announcement.
How SwissWPSuite Protects You From All of This
Here is exactly which layer of our 10-layer defense architecture maps to each threat disclosed this week:
Against CVE-2026-3535 (Unauthenticated File Upload / RCE):
Layer 1 WAF (Pro): PHP-in-Uploads blocking intercepts PHP files uploaded to publicly accessible directories
Layer 3 Hardening: .htaccess rule blockphpuploads denies PHP execution inside /wp-content/uploads/ at the server level; even if a malicious file lands on disk, it cannot execute
Layer 5 Sentinel Scanner: Module M1-A detects PHP files in the uploads directory on every scheduled scan. Module M1-B matches 18 known webshell filename patterns. Module M1-C scans file content against 24 malware signature patterns
Layer 8 Quarantine (Pro): Any detected malicious file can be moved to a protected quarantine directory, renamed, and locked down
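As an added illustration of the three Sentinel checks listed for Layer 5, the PHP below walks an uploads tree and reports, per file, which check fired: executable extension (M1-A), suspicious filename (M1-B), and content signature (M1-C). This is example code, not SwissWPSuite's module implementation, and the filename and content patterns are a short constructed list rather than the product's 18 and 24 pattern sets. It builds its own small fixture in a temporary directory, so it runs offline.

```php
<?php
// Added example, not the Sentinel scanner's code. Pattern lists are constructed.

// M1-A: any file with a PHP-executable extension under uploads is a finding by itself.
const SWPS_EXAMPLE_PHP_EXT = array( 'php', 'php3', 'php4', 'php5', 'php7', 'phtml', 'phar' );

// M1-B: filename patterns (constructed): common webshell base names and image-name.php
// double extensions, which are the two shapes most often seen in uploads.
const SWPS_EXAMPLE_NAME_PATTERNS = array(
    '/^(shell|cmd|backdoor|wso|c99|r57)[\w-]*\.php$/i',
    '/\.(jpe?g|png|gif)\.php$/i',
);

// M1-C: content signatures (constructed): a PHP open tag in anything under uploads,
// and the eval-of-decoded-blob loader shape, whatever the file is called.
const SWPS_EXAMPLE_CONTENT_PATTERNS = array(
    '/<\?(php|=)/i',
    '/\b(eval|assert)\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(/i',
);

// Returns [ relative path => list of check labels ] for every file with at least one hit.
function swps_example_scan_uploads( string $dir ): array {
    $findings = array();
    $iter     = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator( $dir, FilesystemIterator::SKIP_DOTS )
    );
    foreach ( $iter as $file ) {
        $path = $file->getPathname();
        $name = $file->getFilename();
        $ext  = strtolower( pathinfo( $name, PATHINFO_EXTENSION ) );
        $hits = array();

        if ( in_array( $ext, SWPS_EXAMPLE_PHP_EXT, true ) ) {
            $hits[] = 'M1-A:php-extension';
        }
        foreach ( SWPS_EXAMPLE_NAME_PATTERNS as $re ) {
            if ( preg_match( $re, $name ) ) {
                $hits[] = 'M1-B:filename';
                break;
            }
        }
        // Read only the first 64 KiB: loaders sit at the top, and large media stays cheap.
        $head = (string) file_get_contents( $path, false, null, 0, 65536 );
        foreach ( SWPS_EXAMPLE_CONTENT_PATTERNS as $re ) {
            if ( preg_match( $re, $head ) ) {
                $hits[] = 'M1-C:signature';
                break;
            }
        }
        if ( $hits ) {
            $findings[ substr( $path, strlen( $dir ) + 1 ) ] = $hits;
        }
    }
    ksort( $findings );
    return $findings;
}

// Constructed fixture: a benign image, a PHP file behind a double extension, and a
// file with a harmless name whose content is an inert loader (the blob decodes to
// the word "constructed").
$root = sys_get_temp_dir() . '/swps-example-uploads-' . getmypid();
mkdir( "$root/2026/04", 0700, true );
file_put_contents( "$root/2026/04/photo.jpg", "\xFF\xD8\xFF\xE0 constructed jpeg bytes" );
file_put_contents( "$root/2026/04/photo.jpg.php", "<?php echo 'constructed'; ?>" );
file_put_contents( "$root/2026/04/cache.txt", "<?php eval(base64_decode('Y29uc3RydWN0ZWQ='));" );

foreach ( swps_example_scan_uploads( $root ) as $rel => $hits ) {
    echo $rel, ' => ', implode( ', ', $hits ), PHP_EOL;
}
// Expected:
// 2026/04/cache.txt => M1-C:signature
// 2026/04/photo.jpg.php => M1-A:php-extension, M1-B:filename, M1-C:signature
```

The three checks are deliberately independent: cache.txt passes M1-A and M1-B and is caught only by its content, while photo.jpg.php trips all three. A scanner that stopped at the extension check would miss the first file, and one that only read content would still want the extension finding, because a .php file under uploads is a policy violation even when its body is empty.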
Against SSTI / RCE (Everest Forms, Order Notification for WooCommerce):
Layer 1 WAF Pro: 38 Command Injection patterns covering shell builtins (system, passthru, shell_exec, reverse shells, interpreter invocations) block these payloads at the HTTP request level
Layer 1 WAF Pro: PHP Object Injection detection with recursive closure checks intercepts deserialization attacks
Against Stored XSS (7 plugins):
Layer 1 WAF Free: 4 baseline XSS patterns catch the most common vectors
Layer 1 WAF Pro: 40 XSS patterns including DOM execution, 20 event handlers, protocol handlers, and WordPress Interactivity API directive scanning. User-Agent and Referer headers are also scanned
Layer 4 Security Headers: X-XSS-Protection header and CSP Report-Only mode log injection attempts
Against SQL Injection (Attendance Manager):
Layer 1 WAF Free: 5 core SQLi patterns
Layer 1 WAF Pro: 28 patterns covering comment-injected unions, destructive stacking, schema enumeration, time-based blind injection, file I/O operations, and dangerous procedures
Against Broken Access Control & Missing Authorization (WP Blockade, PZ Frontend Manager, Masteriyo):
Layer 3 Hardening: REST API namespace whitelisting restricts guest access to sensitive endpoints
Layer 2 Authentication (Pro): TOTP-based 2FA adds a second factor requirement that broken access control flaws cannot bypass; an attacker cannot escalate privilege without the second factor
Layer 5 Sentinel M4-J: Open registration and excessive admin detection flags unusual privilege configurations
Against Vulnerable Plugin Detection (all CVEs above):
Layer 5 Sentinel M4-D2: The WPScan API integration queries your installed plugins for known CVEs with version-accurate matching. The hardcoded fallback list covers 20 critical 2024–2026 CVEs. Three-layer validation (AI prompt rules + VPS JavaScript version compare + PHP version_compare) ensures zero false positives
Free users get the WAF (basic patterns), login lockout, M1-M4 scanner, and core integrity check. Pro users unlock the full 40-pattern XSS WAF, 28-pattern SQLi WAF, PHP-in-uploads blocking, 2FA, geoblocking, WPScan API integration, Deep Scan, quarantine, and Layer 2 AI analysis.
Your Action Checklist for This Week
Remove DSGVO Google Web Fonts GDPR plugin immediately: no patch exists, exploitation is trivial
Update Contact Form by Supsystic, Everest Forms Pro, Order Notification for WooCommerce, Responsive Plus, ThemeREX Addons
Update LearnPress to 4.14.2+
Check all seven XSS-affected plugins for updates or remove if unused
Stay on WordPress 6.9.4; do not install 7.0 beta on production
Watch for the official WordPress 7.0 revised schedule on or before April 22
Run a SwissWPSuite Sentinel scan today to check your entire plugin inventory