Three critical WordPress plugin vulnerabilities dropped in the last seven days, and all three carry a CVSS of 9.8. One of them is being actively exploited right now, with more than 29,000 attack attempts blocked by Wordfence alone. If you run a WordPress site, this is the kind of week where you stop what you are doing and check your plugin list before you check your email.

The first bug is in WP Maps Pro, a store locator plugin installed on more than 15,000 sites. Tracked as CVE-2026-8732, the flaw lives in a feature the developers added to make their own support lives easier: a temporary access mechanism that let plugin staff log into a customer site during troubleshooting. The endpoint was registered using WordPress's wp_ajax_nopriv_ hook, which is the version that lets unauthenticated users call it. The only protection was a nonce, and that nonce was being printed into the HTML of every frontend page on the site. An attacker just reads the nonce, calls the endpoint with a magic parameter, and the server hands them back a fully authenticated administrator account. Wordfence reports blocking 2,858 attacks against this flaw in a single 24-hour window. The plugin has been pulled from the Envato marketplace while the developer works on a fix, but the version that is already installed on your site does not get retroactively healed by that removal. If you are running WP Maps Pro, deactivate it until a patched build ships, or audit the wpgmp_temp_access_ajax handler in your access logs to see whether someone has already created an admin account you do not recognize.

The second bug is in Kirki, the popular page builder and customizer framework with more than 500,000 installs and roughly 150,000 sites running a vulnerable version. CVE-2026-8206 is a flaw in a custom REST endpoint for password resets. The endpoint accepts an attacker-supplied email address instead of using the email on file for the account, so a request that says "I am the admin and my email is attacker@evil.com" walks away with a reset link sent to the attacker's inbox. They click it, set a new password, and they own the site. The fix shipped in version 6.0.7. If you have Kirki on your site and your version number starts with 6.0.0 through 6.0.6, update right now, and then check your admin user list for any account you do not remember creating.

The third bug, and the one that should scare you most, is CVE-2026-3300 in Everest Forms Pro. The plugin has about 4,000 active installations, which sounds small, but the vulnerability is being actively exploited. The bug is a textbook eval() injection in the Calculation Addon, where user-submitted form values get concatenated into a PHP string and run without proper escaping. An unauthenticated visitor to a form on your site can submit a crafted string in any text, email, or select field on a form that uses the "Complex Calculation" feature, and the server will execute it as PHP. Wordfence has blocked more than 29,300 exploit attempts since the wave started on April 13, and the pace has not slowed. The patch is version 1.9.13, released March 18. If you are running anything older, you are exposed and the attacks are ongoing. A successful exploit hands the attacker a web shell, which is the worst possible outcome because it survives plugin updates and theme changes.

What to actually do this week. Open your plugin list and search for WP Maps Pro, Kirki, and Everest Forms Pro. For each one, check the version number against the fixed version. For Kirki the safe line is 6.0.7. For Everest Forms Pro it is 1.9.13. For WP Maps Pro there is no safe line yet, so the right move is to deactivate the plugin and find a temporary replacement or live without a store locator for a few days. After updating, open your Users screen and look for any administrator account you did not create, and rotate the passwords of every admin user on every site you run, because the password reset bug in Kirki is the kind of flaw that leaves no obvious footprint. Finally, make sure you have offsite backups that are less than 24 hours old. The WordPress attack economy is not slowing down, and the gap between disclosure and mass exploitation is now measured in hours, not weeks.