March 31, 2026 — If you’re running a WordPress website, today’s security briefing is non-optional reading. Three critical vulnerabilities have been disclosed in the past 24 hours alone — including one with a CVSS score of 9.8 (near maximum severity) affecting over 900,000 WordPress sites. Here’s everything you need to know.
The Bottom Line Up Front
| Plugin | Issue | Severity | Installs | Action |
|---|---|---|---|---|
| WPvivid Backup & Migration | Remote Code Execution (RCE) | 🔴 CRITICAL (9.8) | 900,000+ | Update to 0.9.124+ |
| Smart Slider 3 | Arbitrary File Read | 🟠 HIGH | 800,000+ | Update to 3.5.1.34+ |
| Gravity SMTP | SMTP/API Credential Exposure | 🟠 HIGH | Unknown | Update to 2.1.5+ |
WordPress core is also on a security release (6.9.2) — update immediately if you haven’t already.
1. WPvivid Backup & Migration — CRITICAL RCE (CVE-2026-1357, CVSS 9.8)
What It Does
The WPvivid Backup & Migration plugin has a flaw that allows attackers to execute any code on your server. Once exploited, an attacker can steal your database, inject malware, install ransomware, or use your server to attack other websites.
How It Works
The plugin uses RSA + AES encryption for backup transfers. When RSA decryption fails, it passes the error value (false) into the AES routine — creating a predictable encryption key. Combined with missing file name sanitisation, attackers can upload a PHP backdoor to your web root.
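To make the failure mode concrete, here is an added example (not WPvivid's code) of the pattern described above and of a fail-closed version of the same step. It assumes the key is unwrapped with `openssl_private_decrypt()` and used with AES-256-CBC; the briefing does not state the exact mode. `sanitize_file_name()` is a WordPress core helper, so the block is meant to run inside WordPress.

```php
<?php
// Added example, not WPvivid's code: how an unchecked RSA failure becomes a
// predictable AES key, and a fail-closed version of the same step.

// Unwrap the per-transfer AES key with the site's RSA private key.
// Returns false on failure, mirroring how openssl_private_decrypt() signals it.
function rsa_unwrap_key(string $wrapped, string $private_key_pem) {
    $unwrapped = '';
    $ok = openssl_private_decrypt($wrapped, $unwrapped, $private_key_pem);
    return $ok ? $unwrapped : false;
}

// VULNERABLE PATTERN: the return value is handed straight to the AES call.
// PHP coerces false to "" for the passphrase argument, so every failed unwrap
// decrypts with the same empty (and therefore knowable) key.
function decrypt_payload_vulnerable(string $ciphertext, string $iv, string $wrapped, string $priv) {
    $key = rsa_unwrap_key($wrapped, $priv);          // may be false, never checked
    return openssl_decrypt($ciphertext, 'aes-256-cbc', $key, OPENSSL_RAW_DATA, $iv);
}

// HARDENED: fail closed. No valid key means no decryption and no file written.
function decrypt_payload_hardened(string $ciphertext, string $iv, string $wrapped, string $priv) {
    $key = rsa_unwrap_key($wrapped, $priv);
    if ($key === false || strlen($key) !== 32) {      // AES-256 needs exactly 32 key bytes
        error_log('backup transfer: RSA key unwrap failed, rejecting payload');
        return false;
    }
    return openssl_decrypt($ciphertext, 'aes-256-cbc', $key, OPENSSL_RAW_DATA, $iv);
}

// Filename handling for a received backup: allowlist the shape, never trust
// the sender's name. Returns false for anything that is not a plain .zip name.
function safe_backup_filename(string $untrusted_name) {
    $name = sanitize_file_name(basename($untrusted_name));   // WordPress core helper
    if ($name === '' || !preg_match('/^[A-Za-z0-9._-]+\.zip$/', $name)) {
        return false;
    }
    return $name;
}
```

The two fixes are independent and both matter: the fail-closed check stops a bad key from being silently accepted, and the filename allowlist means that even a decrypted payload can only ever land as a `.zip` under the name the server chooses.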
What You Must Do
1. Update WPvivid to 0.9.124 immediately
2. Disable “receive backup from another site” in WPvivid → Settings
3. Check for unknown PHP files in /wp-content/, /wp-content/uploads/, and root
4. Rotate database password and WordPress security keys if vulnerable
2. Smart Slider 3 — Critical File Read (CVE-2026-3098)
What It Does
Any logged-in user — even a free subscriber account — can read any file on your server, including wp-config.php (database credentials, WordPress keys, salts).
How It Works
The plugin’s AJAX export function (actionExportAll) lacks permission checks. Any authenticated user can trigger it and request arbitrary files via path traversal (../../wp-config.php). The file gets included in an export archive and downloaded by the attacker.
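The following added example (not Smart Slider 3's code) shows the shape of an AJAX export handler with neither an authorization check nor path confinement, beside a hardened version of the same handler. It assumes it runs inside WordPress (`add_action`, `current_user_can`, `check_ajax_referer`, `wp_send_json_error` and `wp_upload_dir` are core functions); the action name, nonce name and export directory are assumptions.

```php
<?php
// Added example, not Smart Slider 3's code: an AJAX export handler without
// authorization or path confinement, beside a hardened version.

// VULNERABLE PATTERN: reachable by any logged-in user (wp_ajax_*), no
// capability check, and the requested name is joined to a base path without
// confinement, so "../" segments escape the export directory.
function export_all_vulnerable() {
    $export_dir = wp_upload_dir()['basedir'] . '/exports';
    $requested  = $_POST['file'] ?? '';
    $path       = $export_dir . '/' . $requested;     // traversal possible
    if (is_file($path)) {
        readfile($path);                               // any readable file leaves the server
    }
    wp_die();
}

// Resolve $requested relative to $base_dir and confirm the result still lies
// inside $base_dir after ".." and symlinks are collapsed.
function resolve_inside_dir(string $base_dir, string $requested) {
    $base   = realpath($base_dir);
    $target = realpath($base_dir . '/' . basename($requested));
    if ($base === false || $target === false) {
        return false;                                  // missing path: treat as denied
    }
    // Prefix match including the separator, so /exports-old is not
    // mistaken for something inside /exports.
    if (strpos($target, $base . DIRECTORY_SEPARATOR) !== 0) {
        return false;
    }
    return $target;
}

// HARDENED: capability check, CSRF nonce, and confinement to the export dir.
function export_all_hardened() {
    if (!current_user_can('manage_options')) {         // subscribers never reach the export
        wp_send_json_error('forbidden', 403);
    }
    check_ajax_referer('example_export');              // nonce action name is an assumption
    $export_dir = wp_upload_dir()['basedir'] . '/exports';
    $path = resolve_inside_dir($export_dir, (string) ($_POST['file'] ?? ''));
    if ($path === false) {
        wp_send_json_error('invalid file', 400);
    }
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . basename($path) . '"');
    readfile($path);
    wp_die();
}

add_action('wp_ajax_example_export_all', 'export_all_hardened');
```

The capability check is the fix for the bug the briefing describes; the `realpath` confinement is the defence in depth that would have limited the damage even if the authorization check had been forgotten. Note that `wp_ajax_*` hooks fire for every authenticated role, which is exactly why a subscriber account was enough here.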
What You Must Do
Update Smart Slider 3 to 3.5.1.34 immediately
Audit and remove unknown subscriber/admin accounts
Rotate wp-config.php credentials if vulnerable
Enable a WAF (Wordfence, Solid Security, or Sucuri)
⚠️ 500,000+ sites still running vulnerable versions.
3. Gravity SMTP — Data Exposure (CVE-2026-4020, CVSS 7.5)
What It Does
SMTP credentials, API keys, and tokens are exposed to unauthenticated attackers via REST API endpoints. Exposed credentials lead to spam from your domain, blacklisting, and lateral movement.
How It Works
The plugin’s REST API routes return full plugin configuration (SMTP passwords, SendGrid/Mailgun/AWS keys, OAuth tokens) to anyone who sends a request — no authentication required.
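As an added illustration (not Gravity SMTP's code), here is a REST route that returns a plugin's settings, first with an open `permission_callback` and then with a capability check and secret redaction. It assumes WordPress core functions (`register_rest_route`, `current_user_can`, `get_option`); the option name, namespace and secret key names are assumptions.

```php
<?php
// Added example, not Gravity SMTP's code: a settings route that is public and
// returns secrets verbatim, beside the hardened form of the same route.

const EXAMPLE_OPTION = 'example_smtp_settings';       // assumed option name

// VULNERABLE PATTERN: '__return_true' makes the route readable by anyone,
// and the handler returns the stored configuration as-is, passwords included.
function register_settings_route_vulnerable() {
    register_rest_route('example-smtp/v1', '/settings', [
        'methods'             => 'GET',
        'permission_callback' => '__return_true',
        'callback'            => function () {
            return get_option(EXAMPLE_OPTION, []);
        },
    ]);
}

// Keys whose values must never be returned to a client, even an admin's
// browser: once stored, a UI only needs to know whether they are set.
const SECRET_KEYS = ['smtp_password', 'api_key', 'access_token', 'refresh_token', 'aws_secret'];

function redact_settings(array $settings): array {
    foreach (SECRET_KEYS as $k) {
        if (isset($settings[$k]) && $settings[$k] !== '') {
            $settings[$k] = '********';               // presence only, never the value
        }
    }
    return $settings;
}

// HARDENED: only users who can manage the site may read the route, and the
// response is redacted before it leaves the server.
function register_settings_route_hardened() {
    register_rest_route('example-smtp/v1', '/settings', [
        'methods'             => 'GET',
        'permission_callback' => function () {
            return current_user_can('manage_options');
        },
        'callback'            => function () {
            return redact_settings((array) get_option(EXAMPLE_OPTION, []));
        },
    ]);
}

add_action('rest_api_init', 'register_settings_route_hardened');
```

Two habits prevent this class of bug: treat `'__return_true'` as a deliberate decision that needs a comment explaining why the data is public, and never return a stored secret to any client, since the server is the only party that needs to use it.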
What You Must Do
Update Gravity SMTP to 2.1.5 immediately
Rotate all exposed credentials — SMTP passwords, API keys
Check email provider logs for unauthorised activity
Monitor domain reputation via MXToolbox / Google Postmaster Tools
WordPress Core: Update to 6.9.2
WordPress 6.9.2 (released March 10, 2026) is a security release. Update now: Dashboard → Updates → Update Now.
Weekly Landscape: 331 New Vulnerabilities
331 new vulnerabilities this week — 275 plugins and 56 themes. 120 remain unpatched. Top attack types:
Stored XSS — Malicious scripts in site content
SQL Injection — Database access via unsanitised queries
Authenticated RCE — Admin code execution via plugins
CSRF — Forged admin actions
🔧 What You Should Do Today — Action Checklist
1. Update WordPress to 6.9.2+
2. Update WPvivid Backup & Migration to 0.9.124+
3. Update Smart Slider 3 to 3.5.1.34+
4. Update Gravity SMTP to 2.1.5+ (if installed)
5. Update ALL other plugins
6. Check and remove unknown user accounts
7. Enable a WAF (not running? install Wordfence today)
8. Verify last clean backup was after January 28, 2026
9. Rotate database password if WPvivid or Smart Slider 3 were vulnerable
10. Subscribe to WPScan, Wordfence blog, WordPress.org security feed
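To turn items 1 through 4 and the "unknown PHP files" check into something you can run, here is an added audit script (not from the briefing's authors). It is meant to be run through WP-CLI as `wp eval-file audit.php` so that WordPress is loaded; the fixed versions come from the briefing, while the plugin display names used for matching are assumptions you should adjust to your install.

```php
<?php
// Added example, not from the briefing's authors: a one-shot audit for the
// action checklist. Run with WP-CLI (`wp eval-file audit.php`) so WordPress
// functions are available.

require_once ABSPATH . 'wp-admin/includes/plugin.php';   // provides get_plugins()

// Minimum safe versions from the briefing, keyed by an assumed substring of
// each plugin's display name.
const MIN_SAFE = [
    'WPvivid'        => '0.9.124',
    'Smart Slider 3' => '3.5.1.34',
    'Gravity SMTP'   => '2.1.5',
];

// Return [plugin file => message] for every installed plugin still below its fix.
function find_vulnerable_plugins(array $installed): array {
    $findings = [];
    foreach ($installed as $file => $meta) {
        foreach (MIN_SAFE as $needle => $min) {
            if (stripos($meta['Name'], $needle) !== false
                && version_compare($meta['Version'], $min, '<')) {
                $findings[$file] = sprintf('%s %s is below %s', $meta['Name'], $meta['Version'], $min);
            }
        }
    }
    return $findings;
}

// List PHP-like files under a directory that should hold no executable code
// (uploads). Each hit deserves a manual look, not automatic deletion.
function php_files_under(string $dir): array {
    $hits = [];
    if (!is_dir($dir)) {
        return $hits;
    }
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $f) {
        if (preg_match('/\.ph(p|tml|ar)\d?$/i', $f->getFilename())) {
            $hits[] = $f->getPathname();
        }
    }
    return $hits;
}

$core_version = get_bloginfo('version');
$core_ok = version_compare($core_version, '6.9.2', '>=');
printf("WordPress core %s: %s\n", $core_version, $core_ok ? 'OK' : 'UPDATE to 6.9.2+');

foreach (find_vulnerable_plugins(get_plugins()) as $file => $msg) {
    printf("VULNERABLE %s (%s)\n", $msg, $file);
}

foreach (php_files_under(wp_upload_dir()['basedir']) as $path) {
    printf("REVIEW php file in uploads: %s\n", $path);
}
```

The script only scans `wp-content/uploads/`, because that directory should never contain PHP; `/wp-content/` and the site root legitimately do, so those still need a manual comparison against a clean copy or a file-integrity check from your WAF.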
💡 Did You Know?
A CVSS score doesn’t tell the whole story. The Smart Slider 3 vulnerability has a CVSS of 5.3 (Medium). But on any site with subscriber accounts — a news site, membership platform, or e-commerce store — it’s effectively critical because “authentication” is trivially satisfied. Always read the full context of a CVE.
Tags: WordPress Security, WordPress Vulnerabilities, Plugin Security, CVE-2026-1357, CVE-2026-3098, CVE-2026-4020, Web Security, RCE, WAF, WordPress Hardening
Meta Description (160 chars): Three critical WordPress plugin vulnerabilities disclosed today — WPvivid (CVSS 9.8), Smart Slider 3 (CVE-2026-3098), and Gravity SMTP (CVE-2026-4020). Update now.
🔒 Stay protected. Subscribe for daily briefings.
