On June 24, 2026, Wordfence disclosed CVE-2026-12077, a time-based SQL injection vulnerability in Dokan Pro, one of the most popular multi-vendor marketplace plugins for WooCommerce. The flaw affects every version up to 5.0.4 and lets unauthenticated attackers inject SQL through the latitude and longitude parameters. No login required. No special permissions. Just two parameters that the plugin trusted without sanitizing.

If you run Dokan Pro and you have not updated, you are already behind. According to Patchstack's 2026 State of WordPress Security report, the weighted median time from public vulnerability disclosure to mass exploitation is five hours. Five. Not five days. Not five weeks. The window between "researcher publishes a CVE" and "automated bots are scanning every WordPress site on the internet for that specific flaw" is roughly the length of a long lunch break.

This is not a Dokan-specific problem. It is a structural problem with how WordPress sites manage plugins, and the 2026 numbers make it impossible to ignore.

The numbers are getting worse, not better

Patchstack recorded 11,334 new WordPress vulnerabilities in 2025, a 42% increase over the previous year. The trend is not slowing down. In the first week of January 2026 alone, 333 new vulnerabilities were disclosed, and 120 of them had no patch available when they went public. The weekly average heading into mid-2026 sits at over 250 plugin vulnerabilities per week. That is roughly 36 per day.

The WordPress core itself is not the issue. The core team found exactly two vulnerabilities in all of 2025. The problem is the plugin ecosystem. Ninety-one percent of all WordPress vulnerabilities come from plugins. Six percent come from themes. The remaining sliver is core. The average WordPress installation runs 20 to 30 plugins, and each one is a potential entry point.

The severity is climbing too. Highly exploitable vulnerabilities — the kind attackers weaponize at scale — increased by 113% year-on-year in 2025. More high-severity CVEs were found in 2025 than in the previous two years combined. And 57% of all vulnerabilities in the first half of 2025 required zero authentication. No stolen credentials. No social engineering. Just a vulnerable plugin sitting on a public-facing site.

The WP Maps Pro takeover was a preview

In late May 2026, attackers started exploiting CVE-2026-8732 in WP Maps Pro, a Google Maps plugin installed on roughly 15,000 sites. The vulnerability scored a 9.8 on the CVSS scale — essentially a perfect ten for exploitability. The flaw was in a temporary access feature the vendor used for customer support troubleshooting. The AJAX callback that handled temporary access generation was protected only by a WordPress nonce, and that nonce was embedded in every frontend page, visible to any unauthenticated visitor.

The result: attackers could create new administrator accounts on any vulnerable site, receive a magic login URL, and get full control. They could install malicious plugins, inject backdoors, modify themes, exfiltrate data, or deploy web shells for persistent access. Defiant, the company behind Wordfence, blocked over 1,700 attacks targeting this vulnerability in a single 24-hour period.

WP Maps Pro patched the issue in version 6.1.1 by adding a proper capability check. But the gap between disclosure and exploitation was measured in hours, not days. Site owners who were not monitoring security feeds had no chance to react before the bots arrived.

The AI-generated plugin problem

Patchstack's 2026 report specifically flags a trend the security community has been warning about: developers using large language models to generate plugin code and shipping it without being able to audit what the model wrote. The report calls it "vibe coding," and the implication is straightforward. When the person deploying the code cannot review it for security problems, vulnerabilities go live silently and stay live until someone else finds them.

This is not hypothetical. The barrier to publishing a WordPress plugin has always been low. LLMs have made it lower. A developer can now generate a functional plugin in minutes, submit it to the repository, and move on. The code might work perfectly for its stated purpose while containing SQL injection vectors, missing capability checks, or exposing unauthenticated AJAX endpoints. The developer would not know because they did not write the code in a way they could reason about.

The 2026 Patchstack data suggests this is already contributing to the vulnerability count. The number of plugins with critical flaws is rising faster than the number of active plugin developers, which implies a growing share of the ecosystem is being maintained by people who did not write the code they are responsible for.

What to actually do about it

The traditional advice — keep your plugins updated — is necessary but insufficient. Patchstack says it plainly: "Regular plugin updates are the second line of defence, but as attackers weaponize new vulnerabilities within mere hours, this is not a viable defence."

Here is what actually moves the needle. Run a security plugin that includes a web application firewall. Wordfence free plus Cloudflare is a reasonable baseline for small sites. Audit your plugin stack quarterly. If you are not using a plugin, deactivate and delete it. An inactive plugin with a vulnerability is still a vulnerability if the files are on the server. Limit the number of plugins you run. The math is simple: 30 plugins means 30 potential entry points. Cut it to 15 and you have halved your attack surface.

For anything touching payments, user data, or multi-vendor functionality — like Dokan Pro — set up automated update notifications and respond to them within hours, not days. The five-hour window is a median, not a guarantee. Some exploits start even faster.

And if you are building custom plugins or hiring someone to build them, demand a security review before deployment. The cost of a code audit is a rounding error compared to the cost of a compromised site.

The bottom line

WordPress runs 43.5% of all websites on the internet. That concentration makes it the most valuable target on the web, and the plugin ecosystem is where the attacks land. The Dokan Pro disclosure yesterday, the WP Maps Pro exploitation last month, and the 11,000-plus vulnerabilities from last year are not isolated incidents. They are the pattern.

The five-hour window is real. The question is not whether your plugins will have vulnerabilities. They will. The question is whether you will find out before the bots do.