Every week, hundreds of WordPress vulnerabilities are quietly published. Most site owners never see them.

This week was not a quiet one.

Between March 30 and April 9, 2026, the WordPress security ecosystem recorded over 70 new CVEs — spanning the Wordfence March 30–April 5 window and the April 8–9 digest. One has no patch. One has a CVSS score of 9.8. One could hand a complete stranger full control of your website with a single HTTP request — no login, no credentials, no warning.

Here is everything that happened, explained in plain English, and exactly what SwissWPSuite does to protect you.


🔴 Threat #1 — CVE-2026-3535 (CVSS 9.8) | DSGVO Google Web Fonts GDPR Plugin | UNPATCHED — Remove Immediately

What Is This Plugin?

This plugin was installed by site owners trying to comply with GDPR by hosting Google Fonts locally — a responsible, legally-motivated choice. That good decision accidentally opened a back door.

How Does the Attack Work?

The plugin contains a function called DSGVOGWPdownloadGoogleFonts(), registered via a wp_ajax_nopriv_ hook. That means anyone on the internet — with zero login — can call it directly.

Here is what an attacker does, step by step:

  • Send a single HTTP POST request to /wp-admin/admin-ajax.php
  • Point the plugin to a fake CSS file hosted on their own server
  • That CSS file references a PHP file — a webshell (a remote control panel for hackers)
  • The plugin downloads that PHP file and writes it directly into your active theme’s directory
  • No file type verification. No MIME check. No authentication. Done.

Impact: Full server takeover. Database credentials exposed. Admin accounts compromised. Every file on your hosting account accessible.

Is There a Fix?

No. The plugin appears abandoned. There is no patch as of publication. Remove it immediately and replace it with OMGF or Local Google Fonts.


🟠 Threat #2 — Five CVSS 9.8 Criticals (March 30 – April 5)

Wordfence’s weekly report covering March 30 to April 5 flagged 54 vulnerabilities in 49 plugins, including five rated Critical at CVSS 9.8. All five require zero authentication — any anonymous scanner on the internet can attempt to exploit them.

| Plugin | Vulnerability Type | Status |
| --- | --- | --- |
| Contact Form by Supsystic ≤ 1.7.36 | Unauthenticated Server-Side Template Injection | ✅ Patched |
| Everest Forms Pro ≤ 1.9.12 | Unauthenticated Remote Code Execution | ✅ Patched |
| Order Notification for WooCommerce < 3.6.3 | Unauthenticated RCE | ✅ Patched |
| Responsive Plus < 3.4.3 | Unauthenticated Arbitrary Code Execution | ✅ Patched |
| ThemeREX Addons < 2.38.5 | Unauthenticated Arbitrary File Upload | ✅ Patched |

Update all five immediately. Patches exist — there is no reason to stay exposed.


🟠 Threat #3 — CVE-2026-4808 (CVSS 7.2) | Arbitrary File Upload | Gerador de Certificados

A second arbitrary file upload vulnerability appeared in the same April 8–9 window. The plugin is a Brazilian-market certificate generator — but the bug class is identical to CVE-2026-3535: missing file type validation. Two completely different developers, two different plugins, the same critical mistake — disclosed in the same 48-hour period.

That is not coincidence. It is a pattern. Arbitrary file upload remains one of the most under-reviewed vulnerability classes in the WordPress plugin ecosystem.


🟡 Threat #4 — Seven Stored XSS Vulnerabilities (April 8–9)

Stored Cross-Site Scripting (XSS) means an attacker injects malicious JavaScript into your website’s content. When any admin or logged-in user visits that page, the script runs in their browser — silently stealing session cookies, creating rogue admin accounts, or redirecting your visitors to malicious sites.

This week’s stored XSS disclosures:

  • CVE-2026-5506 (CVSS 6.4) — Wavr plugin (shortcode injection)
  • CVE-2026-3618 (CVSS 6.4) — Columns by BestWebSoft
  • CVE-2026-5508 (CVSS 6.4) — WowPress plugin
  • CVE-2026-3142 (CVSS 6.4) — Pinterest Site Verification Meta Tag
  • CVE-2026-4871 (CVSS 6.4) — Sports Club Management
  • CVE-2026-2838 (CVSS 4.4) — Whole Inquiry Cart for WooCommerce
  • CVE-2026-5169 (CVSS 4.4) — Inquiry Form to Posts or Pages

Check each plugin for updates. If you don’t actively use any of them, remove them entirely — an unused plugin is still an open door.


🟡 Threat #5 — SQL Injection, CSRF, Broken Access Control, and Info Disclosure

The week also brought a cluster of mid-severity issues that are easy to overlook but carry real risk:

  • CVE-2026-3781 (CVSS 5.4) — SQL Injection in Attendance Manager via the attmgr_off parameter. SQL injection (structured query language injection) lets attackers extract password hashes, user tables, and full site metadata directly from your database.
  • CVE-2026-5167 (CVSS 5.3) — Broken Access Control in Masteriyo LMS, exposing paid course content to unauthorized users — a direct revenue loss vector for online course sellers.
  • CVE-2026-3594 (CVSS 5.3) — Information Disclosure via unauthenticated endpoint in Riaxe Product Customizer.
  • CVE-2026-4141 (CVSS 4.3) — Cross-Site Request Forgery (CSRF) in the Quran Translations plugin. CSRF tricks a logged-in admin into unknowingly performing actions on your site.
  • CVE-2026-3533 — Broken Access Control in LearnPress LMS — patched in v4.14.2. Update now.

📊 The Bigger Picture: 225 Vulnerabilities Reported in a Single Week

SolidWP’s April 1 weekly report disclosed 225 vulnerabilities, with 91 still unpatched at time of publication. Patchstack’s 2026 annual whitepaper confirms the wider trend: over 11,300 new WordPress ecosystem vulnerabilities were identified last year — a 42% increase year-on-year.

Plugins account for 96–97% of all WordPress vulnerabilities. Not themes. Not WordPress core. Plugins.

The math is simple: the average WordPress site runs 20–30 active plugins. Each one is a potential attack surface. Keeping them updated is not optional — it is the minimum baseline.


🆕 WordPress 7.0 — Officially Delayed

WordPress 7.0 was originally scheduled for release on April 9, 2026. It has been delayed. As of April 8, additional pre-release builds were paused through April 17, with a revised final schedule promised no later than April 22. WordPress VIP’s platform schedule now targets April 30, 2026 as the new release date.

The delay centers on real-time collaboration features introduced in Gutenberg’s Phase 3. WordPress 6.9.4 remains the current stable version and is recommended for all live production sites.

  • Stay on 6.9.4
  • Do not install a 7.0 beta on any live site
  • Monitor the official April 22 announcement from the WordPress project

πŸ›‘οΈ How SwissWPSuite Protects You From Every Threat Disclosed This Week

SwissWPSuite’s 10-layer defense architecture addresses each of these threats directly. Here is the exact mapping:

Against CVE-2026-3535 — Unauthenticated File Upload / RCE

  • Layer 1 WAF (Pro): PHP-in-Uploads blocking intercepts PHP files being written to publicly accessible directories
  • Layer 3 Hardening: The blockphpuploads .htaccess rule denies PHP execution inside /wp-content/uploads/ at the server level — even if a malicious file reaches disk, it cannot execute
  • Layer 5 Sentinel Scanner: Module M1-A detects PHP files in the uploads directory on every scheduled scan. M1-B matches 18 known webshell filename patterns. M1-C scans file content against 24 malware signature patterns
  • Layer 8 Quarantine (Pro): Any detected malicious file is moved to a protected quarantine directory, renamed, and locked down automatically
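As an added example (not SwissWPSuite's code, and using small illustrative pattern sets rather than the product's 18 filename and 24 content signatures), this scanner applies the three file checks described above to a constructed wp-content/ tree. It also shows why the content and filename checks matter for the CVE-2026-3535 scenario: the dropped file lands in the theme directory, where PHP legitimately executes, so an uploads-only rule never sees it.

```python
import os
import re
import tempfile

# Illustrative rule sets (assumption: not SwissWPSuite's own pattern lists).
PHP_EXT = re.compile(r"\.(php|phtml|phar|php[3-8])$", re.IGNORECASE)
SHELL_NAME = re.compile(r"(shell|c99|r57|wso|backdoor)", re.IGNORECASE)
SHELL_CONTENT = re.compile(
    rb"eval\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\("
    rb"|(system|passthru|shell_exec)\s*\(\s*\$_(GET|POST|REQUEST)",
    re.IGNORECASE,
)

def scan_wp_content(root):
    """Walk a wp-content/ tree and return sorted (relative path, rule) findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not PHP_EXT.search(name):
                continue  # only PHP-executable files are of interest
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if rel.startswith("uploads/"):  # uploads/ should never hold executable PHP
                findings.append((rel, "php-in-uploads"))
            if SHELL_NAME.search(name):  # names typical of dropped webshells, anywhere
                findings.append((rel, "webshell-filename"))
            # Content signatures are the check that still works inside theme dirs.
            with open(full, "rb") as fh:
                head = fh.read(65536)  # assumption: signatures sit near the top
            if SHELL_CONTENT.search(head):
                findings.append((rel, "webshell-signature"))
    return sorted(findings)

def build_sample_site():
    """Constructed wp-content/ tree for the demo; the 'shell' files are inert."""
    root = tempfile.mkdtemp(prefix="wp-content-")
    files = {
        "uploads/2026/04/logo.png": b"\x89PNG constructed image stub",
        "uploads/2026/04/shell.php": b"<?php echo 'constructed'; ?>",
        "themes/mytheme/functions.php": b"<?php add_action('init', 'mytheme_init');",
        # Mimics the CVE-2026-3535 outcome: PHP written into the theme's font folder.
        "themes/mytheme/fonts/fonts.php": b"<?php eval(base64_decode('Y29uc3RydWN0ZWQ='));",
    }
    for rel, data in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return root
```

Running `scan_wp_content(build_sample_site())` flags shell.php twice (location and name) and fonts.php once (content), while the theme's functions.php is left alone.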

Against SSTI / RCE (Everest Forms Pro, Order Notification for WooCommerce)

  • Layer 1 WAF Pro: 38 command injection patterns — covering shell built-ins like system, passthru, shell_exec, reverse shells, and interpreter invocations — block these payloads at the HTTP request level before they reach WordPress
  • Layer 1 WAF Pro: PHP Object Injection detection with recursive closure checks intercepts deserialization attacks

Against All Seven Stored XSS Vulnerabilities

  • Layer 1 WAF Free: 4 baseline XSS patterns catch the most common attack vectors
  • Layer 1 WAF Pro: 40 XSS patterns covering DOM execution, 20 event handler types, protocol handlers, and WordPress Interactivity API directive scanning. User-Agent and Referer headers are also actively scanned
  • Layer 4 Security Headers: X-XSS-Protection header and CSP Report-Only mode log injection attempts in real time

Against SQL Injection (Attendance Manager)

  • Layer 1 WAF Free: 5 core SQLi patterns
  • Layer 1 WAF Pro: 28 patterns covering comment-injected unions, destructive stacking, schema enumeration, time-based blind injection, file I/O operations, and dangerous stored procedures

Against Broken Access Control (Masteriyo LMS, LearnPress)

  • Layer 3 Hardening: REST API namespace whitelisting restricts guest access to sensitive endpoints
  • Layer 2 Authentication (Pro): TOTP-based two-factor authentication (2FA) adds a second verification step that broken access control flaws cannot bypass — an attacker cannot escalate privilege without the second factor
  • Layer 5 Sentinel M4-J: Open registration and excessive admin detection flags unusual privilege configurations automatically

Against All CVEs — Vulnerable Plugin Detection

  • Layer 5 Sentinel M4-D2: The WPScan API integration queries every installed plugin for known CVEs with version-accurate matching. The hardcoded fallback list covers 20 critical 2024–2026 CVEs. A three-layer validation system (AI prompt rules + VPS JavaScript version compare + PHP version_compare) ensures zero false positives

Free users get the WAF (basic patterns), login lockout, M1–M4 scanner, and core integrity check. Pro users unlock the full 40-pattern XSS WAF, 28-pattern SQLi WAF, PHP-in-uploads blocking, 2FA, geoblocking, WPScan API integration, Deep Scan, quarantine, and Layer 2 AI analysis.


✅ Your Action Checklist for This Week

  1. Remove DSGVO Google Web Fonts GDPR plugin immediately — no patch exists, exploitation requires a single HTTP request
  2. Update Contact Form by Supsystic, Everest Forms Pro, Order Notification for WooCommerce, Responsive Plus, and ThemeREX Addons — all five have patches available now
  3. Update LearnPress to v4.14.2 or higher
  4. Check all seven XSS-affected plugins for updates — remove any you are not actively using
  5. Stay on WordPress 6.9.4 — do not install any 7.0 beta build on a production site
  6. Watch for the official WordPress 7.0 revised schedule on or before April 22
  7. Run a SwissWPSuite Sentinel scan today to audit your entire plugin inventory against known CVEs