WordPress Is a Ransomware Welcome Mat: Three Critical Vulnerabilities You Need to Patch Right Now

Threats & Attacks

Three WordPress plugins published critical vulnerabilities this week. All three scored CVSS 9.8. All three are exploitable by unauthenticated attackers. None of them require a username, a password, or any prior access to your system.

This is not threat intelligence designed to sell you a product. These are published CVEs from NIST’s National Vulnerability Database, timestamped in the last 24 hours. The data is public. The exploits are real. The question is whether your website is already patched.

What the Vulnerabilities Actually Are

CVE-2026-6279: Avada Builder (fusion-builder), versions up to and including 3.15.2

Avada is one of the most widely used WordPress themes and page builders in the world. The vulnerability sits in a function called Fusion_Builder_Conditional_Render_Helper::get_value(). In the wp_conditional_tags case, attacker-controlled values from a base64-decoded JSON blob are passed directly to PHP’s call_user_func() without any validation of which functions are permitted to be called.

In plain terms: an attacker sends a crafted request to a publicly accessible endpoint, and PHP executes whatever code they instruct it to. No login. No privileges. The AJAX endpoint handling this is registered for unauthenticated users.

CVSS score: 9.8. Classification: Unauthenticated Remote Code Execution.

CVE-2026-5118: Divi Form Builder, versions up to and including 5.1.2

Divi is another dominant WordPress ecosystem product. This vulnerability allows privilege escalation during user registration. The plugin accepts a role parameter from POST data and does not validate it against the form’s configured default user role.

An unauthenticated attacker visits your registration page, tampers with the role parameter to specify administrator, and submits the form. They now have an administrator account on your WordPress site.

CVSS score: 9.8. Classification: Unauthenticated Privilege Escalation.

CVE-2026-6960: BookingPress Pro, versions up to and including 5.6

BookingPress Pro is widely used by service businesses that take online appointments: salons, clinics, consultancies, tradespeople. The vulnerability is in the booking form validation function, which fails to check what type of file is being uploaded through a signature custom field.

If a booking form on your site includes a signature field, an unauthenticated attacker can upload a PHP webshell disguised as an image file. From there, remote code execution follows.

CVSS score: 9.8. Classification: Unauthenticated Arbitrary File Upload leading to Remote Code Execution.
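One defensive check for the BookingPress class of bug described above, added here as an illustration (not code from the page, the plugin, or its vendor): a Python triage scan that walks a wp-content/uploads tree and flags anything that should not be in a media-only directory, either a PHP-executable extension or a PHP open tag hidden inside a file named as an image. The directory layout and the sample files are constructed for the demo.

```python
import os
import re
import tempfile

# Two independent signals that something executable landed in a media-only tree:
# a PHP-executable extension, or a PHP open tag inside a file claiming to be an image.
PHP_OPEN_TAG = re.compile(rb"<\?(php\b|=)", re.IGNORECASE)   # "<?xml" in SVGs does not match
PHP_EXTENSIONS = {".php", ".phtml", ".php5", ".php7", ".phar"}


def scan_uploads(uploads_dir, head_bytes=65536):
    """Walk an uploads tree and return sorted (path, reason) pairs that need review."""
    findings = []
    for root, _dirs, files in os.walk(uploads_dir):
        for name in files:
            path = os.path.join(root, name)
            lower = name.lower()
            ext = os.path.splitext(lower)[1]
            if ext in PHP_EXTENSIONS or ".php." in lower:      # also catches shell.php.png
                findings.append((path, "php-extension-in-uploads"))
                continue
            try:
                with open(path, "rb") as fh:
                    head = fh.read(head_bytes)
            except OSError:
                continue  # unreadable files belong to a permissions audit, not this scan
            if PHP_OPEN_TAG.search(head):
                findings.append((path, "php-open-tag-in-" + (ext.lstrip(".") or "noext")))
    return sorted(findings)


def build_demo_tree():
    """Constructed sample: a clean PNG, a PNG-named file carrying PHP, and a bare .php file."""
    base = tempfile.mkdtemp(prefix="uploads-demo-")
    sig = os.path.join(base, "2026", "05", "signatures")
    os.makedirs(sig)
    with open(os.path.join(sig, "clean.png"), "wb") as fh:
        fh.write(b"\x89PNG\r\n\x1a\n" + b"\x00" * 64)               # real PNG magic, no code
    with open(os.path.join(sig, "signature.png"), "wb") as fh:
        fh.write(b"\x89PNG\r\n\x1a\n" + b"<?php /* marker */ ?>")   # image header, PHP body
    with open(os.path.join(sig, "cache.php"), "wb") as fh:
        fh.write(b"<?php /* marker */ ?>")                          # PHP should never live here
    return base


def demo():
    """Run the scanner over the constructed tree, keyed by file name for easy checking."""
    return {os.path.basename(p): reason for p, reason in scan_uploads(build_demo_tree())}


if __name__ == "__main__":
    target = os.environ.get("UPLOADS_DIR")          # point this at a real wp-content/uploads
    for path, reason in scan_uploads(target or build_demo_tree()):
        print(reason, path)
```

Treat the output as a review list rather than a delete list: a hit under a signature folder on a site running BookingPress Pro is a reason to preserve the file and the web server logs for investigation before cleaning up.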

Why This Matters for Small UK Businesses Specifically

The combined installed base of Avada, Divi, and BookingPress Pro represents a substantial portion of UK SMB websites. These are not obscure enterprise tools. They are the products that web agencies sell to small businesses because they are feature-rich and affordable.

The businesses most at risk are those who had a website built by an agency or freelancer, received no ongoing maintenance contract, and have not thought about plugin updates since the site went live. That describes a significant proportion of UK SMBs.

When an attacker gains remote code execution on your WordPress server, the consequences extend beyond a defaced website. Your customer data, any payment-adjacent information, email credentials stored in the CMS, and potentially access to your hosting environment are all at risk. A compromised business website is also a vector for supply chain attacks: malicious code injected into your site can target your customers.

Under UK GDPR, a breach of customer data resulting from a failure to apply available security patches is not a sympathetic position to be in when the ICO comes asking questions.

The Microsoft Defender Situation: Also Worth Your Attention

Separate from the WordPress vulnerabilities, CISA added two Microsoft Defender vulnerabilities to its Known Exploited Vulnerabilities catalogue this week: CVE-2026-41091 and CVE-2026-45498.

CVE-2026-41091 is a privilege escalation flaw rated 7.8. CVE-2026-45498 is a denial-of-service flaw. Both are under active exploitation in the wild, confirmed by CISA.

Microsoft Defender ships with Windows and is the default endpoint protection on most Windows machines. If your business runs Windows and your automatic updates are not current, you are running software with confirmed active exploits against it.

This is the part where “keep Windows updated” goes from background noise to an actionable directive with a documented threat behind it.

Why This Gives You an Edge

Most small businesses treat their website as a marketing asset, not a security perimeter. That framing is a liability. Your website is an internet-facing system running third-party code at the intersection of your customer data, your brand reputation, and your legal obligations.

Businesses that can demonstrate they have a documented patch management process, that they know what plugins and versions are running on their sites, and that they respond to published CVEs within a defined window, are materially more defensible in the event of a breach. They are also more attractive to enterprise clients and partners who are starting to ask supply chain security questions of their SMB suppliers.

Knowing your patch posture before a prospective client asks is a better position than discovering it during a procurement questionnaire.

Making the Business Case

Three points that land at board level:

The cost of remediation after exploitation far exceeds the cost of patching. A WordPress compromise requiring forensic investigation, data breach notification, and website rebuild is a five-figure event at minimum. Plugin updates are free.

The ICO does not accept “we didn’t know” as a defence when patches for known vulnerabilities were publicly available. NIST published these CVEs. The patches exist. The expectation to apply them is established.

Supply chain liability runs both ways. If your compromised website is used to attack your customers or partners, the reputational and legal exposure is yours, not your web developer’s.

What to Do Before the End of This Week

1. Log into your WordPress dashboard and check plugin versions immediately. Navigate to Plugins in your WordPress admin panel. Look for Avada Builder (fusion-builder), Divi Form Builder, and BookingPress Pro. If any are installed at or below the versions listed above, update them now.

2. If you cannot patch immediately, disable the vulnerable plugins. A disabled plugin cannot be exploited. It is a temporary measure, not a solution, but it closes the attack surface while you arrange a proper update.

3. Contact your web developer or hosting provider today and ask for written confirmation of patch status. If you are on managed WordPress hosting, your provider may handle plugin updates. Confirm this explicitly. “I think they do it” is not an answer. Get it in writing.

4. Ensure Windows automatic updates are enabled across your business devices. The Defender vulnerabilities are being actively exploited. Windows Update should not require manual intervention on a small business network. If it does, fix that process.

5. Add a quarterly plugin audit to your calendar. WordPress plugin vulnerabilities are a recurring reality, not an exception. Set a recurring reminder to check plugin versions and update them. It takes fifteen minutes and costs nothing.
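Step 1 above, as a script rather than a manual check (an added example, not code from the page or from any of the three vendors): it takes the JSON that WP-CLI's `wp plugin list` prints, compares each installed version against the "up to and including" ceilings from the three advisories, and says what to do given whether the plugin is active. The fusion-builder slug comes from the advisory; matching the other two on plugin title is an assumption, so confirm any hit against your Plugins screen.

```python
import json
import re

# Affected ranges are "up to and including" the version in each advisory. fusion-builder is the
# Avada Builder slug the advisory names; the other two match on title (slug not stated, assumption).
AFFECTED = [
    ("Avada Builder (CVE-2026-6279)", "fusion-builder", "Avada Builder", "3.15.2"),
    ("Divi Form Builder (CVE-2026-5118)", None, "Divi Form Builder", "5.1.2"),
    ("BookingPress Pro (CVE-2026-6960)", None, "BookingPress Pro", "5.6"),
]

def version_key(v):
    """'3.15.2', '5.6' or '5.1.2-rc1' -> comparable tuple; missing components count as 0."""
    nums = [int(n) for n in re.findall(r"\d+", v.split("-")[0])]
    return tuple(nums + [0] * (4 - len(nums)))

def matches(plugin, slug, title):
    """Match on directory slug when known, otherwise on a case-insensitive title substring."""
    if slug and plugin.get("name") == slug:
        return True
    return title.lower() in plugin.get("title", "").lower()

def audit(plugins):
    """plugins: parsed `wp plugin list --format=json --fields=name,title,status,version`."""
    report = []
    for label, slug, title, max_affected in AFFECTED:
        for p in plugins:
            if not matches(p, slug, title):
                continue
            vulnerable = version_key(p["version"]) <= version_key(max_affected)
            if not vulnerable:
                action = "no action"
            elif p.get("status") == "active":
                action = "update now, or deactivate until you can"
            else:
                action = "update before re-activating"   # inactive, but still on disk
            report.append({"plugin": label, "installed": p["version"],
                           "status": p.get("status"), "vulnerable": vulnerable, "action": action})
    return report

# Constructed sample of the WP-CLI output; only the fusion-builder slug comes from the advisory.
SAMPLE = json.loads('''[
 {"name": "fusion-builder", "title": "Avada Builder", "status": "active", "version": "3.15.2"},
 {"name": "divi-forms", "title": "Divi Form Builder", "status": "inactive", "version": "5.1.3"},
 {"name": "bookingpress", "title": "BookingPress Pro", "status": "active", "version": "5.6"},
 {"name": "akismet", "title": "Akismet Anti-spam", "status": "active", "version": "5.3"}
]''')

if __name__ == "__main__":
    # Live site: wp plugin list --format=json --fields=name,title,status,version > plugins.json
    for row in audit(SAMPLE):
        print(row)
```
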

Sources

  • NIST NVD: CVE-2026-6279: Avada Builder PHP Function Injection
  • NIST NVD: CVE-2026-5118: Divi Form Builder Privilege Escalation
  • NIST NVD: CVE-2026-6960: BookingPress Pro Arbitrary File Upload
  • CISA: Known Exploited Vulnerabilities Catalog
  • The Hacker News: Microsoft Warns of Two Actively Exploited Defender Vulnerabilities
  • TheCyberThrone: CISA Adds Seven Vulnerabilities to KEV Catalog
  • ICO: Security under UK GDPR
  • NCSC: Vulnerability and patch management guidance
