
Security

Four WordPress plugin vulnerabilities disclosed in March-April 2026

By TrustYourWebsite Editorial · 25 May 2026 · 3 min read

Source: Patchstack

Four widely used WordPress plugins each had a vulnerability disclosed between late March and mid April 2026. According to Patchstack and Wordfence, only one of the four can be exploited without an account on the site, so the urgency differs across them. Here is what each issue is, which versions are affected, and what to do.

What was disclosed

According to Patchstack, the following four plugins were affected:

  • MW WP Form (Wordfence reports roughly 200,000 active installations). An "Unauthenticated Arbitrary File Move via regenerate_upload_file_keys" issue was disclosed on 10 April 2026, affecting versions up to and including 5.1.1. This is the most serious of the four because no login is required to exploit it.
  • Perfmatters (Wordfence reports roughly 200,000 active installations). An "Authenticated (Subscriber+) Arbitrary File Deletion via 'delete' Parameter" issue was disclosed on 3 April 2026, affecting versions up to and including 2.5.9.1. An attacker needs at least a Subscriber account on the site.
  • Tutor LMS Pro (Wordfence reports roughly 30,000 active installations). Wordfence describes an authentication-bypass issue. Patchstack also lists a Broken Access Control issue affecting Tutor LMS up to 3.9.7, disclosed on 20 April 2026.
  • Smart Slider 3 (Wordfence reports roughly 800,000 active installations). An "Authenticated (Subscriber+) Arbitrary File Read via actionExportAll" issue was disclosed on 27 March 2026, affecting versions up to and including 3.5.1.33. Patchstack lists the current version as 3.5.1.34.

Why the auth requirement matters

An "unauthenticated" vulnerability means an attacker on the open internet can hit the bug directly. An "authenticated (Subscriber+)" vulnerability means the attacker first needs an account on the site at Subscriber level or above. Many WordPress sites accept Subscriber registrations by default (anyone signing up via a comment or a course gets one), so this is a real but smaller risk than the unauthenticated case.

In practical terms, the MW WP Form issue is the one to patch first. If your site uses MW WP Form for contact forms or quotes, treat this as urgent. The other three are still worth patching promptly, but the path to exploit is longer.

What to do

  1. Open your WordPress admin under Plugins and check whether you have any of the four plugins installed.
  2. If you do, compare the installed version with the affected ranges above.
  3. Update to the latest available version. For Smart Slider 3 specifically, Patchstack lists 3.5.1.34 as patched.
  4. After updating, scan your site for anything unexpected — new admin users, modified files in the uploads directory, or unfamiliar scheduled tasks. The unauthenticated MW WP Form bug has been disclosed for several weeks, so opportunistic exploitation is plausible.
  5. If you cannot update immediately (a paid plugin licence has lapsed, for example), restrict the plugin's admin pages by IP or temporarily disable the plugin until you can patch it.
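Steps 1 and 2 above can be automated against the output of `wp plugin list --format=json` (WP-CLI). This is an added example, not code from the article or from Patchstack or Wordfence; the plugin slugs are assumed to match the plugin directory names on a typical install, so verify them against your own Plugins directory. The sample WP-CLI output below is constructed for illustration.

```python
"""Triage installed WordPress plugins against the affected ranges in this article."""
import json
import sys

# Affected ranges are "up to and including" as reported by Patchstack.
# Slugs are assumed (directory names); the Tutor entry uses the Tutor LMS range.
AFFECTED = {
    "mw-wp-form":     ("5.1.1",    False, "arbitrary file move (no login required)"),
    "perfmatters":    ("2.5.9.1",  True,  "arbitrary file deletion (Subscriber+)"),
    "tutor":          ("3.9.7",    True,  "broken access control (authenticated)"),
    "smart-slider-3": ("3.5.1.33", True,  "arbitrary file read (Subscriber+)"),
}

def version_key(v):
    """Turn '3.5.1.33' into a tuple of ints; a suffix like '1rc2' counts as 1."""
    key = []
    for part in v.strip().split("."):
        digits = ""
        for ch in part:
            if not ch.isdigit():
                break
            digits += ch
        key.append(int(digits) if digits else 0)
    return tuple(key)

def is_affected(installed, max_affected):
    """True when installed <= max_affected; shorter versions are zero-padded (2.5.9 == 2.5.9.0)."""
    a, b = version_key(installed), version_key(max_affected)
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) <= b + (0,) * (n - len(b))

def triage(plugin_list_json):
    """Return affected plugins, unauthenticated issues first; inactive plugins are still reported."""
    findings = []
    for p in json.loads(plugin_list_json):
        entry = AFFECTED.get(p.get("name"))
        if entry and is_affected(p["version"], entry[0]):
            findings.append({"slug": p["name"], "version": p["version"],
                             "status": p.get("status"), "needs_login": entry[1],
                             "issue": entry[2], "patch_above": entry[0]})
    return sorted(findings, key=lambda f: f["needs_login"])

# Constructed sample in the shape of `wp plugin list --format=json`
SAMPLE = json.dumps([
    {"name": "mw-wp-form", "status": "active", "version": "5.1.1"},
    {"name": "smart-slider-3", "status": "active", "version": "3.5.1.34"},
    {"name": "perfmatters", "status": "inactive", "version": "2.5.9"},
    {"name": "akismet", "status": "active", "version": "5.3"},
])

if __name__ == "__main__":
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    for f in triage(data):
        print(f"{f['slug']} {f['version']} ({f['status']}): {f['issue']}; update past {f['patch_above']}")
```

Run it as `wp plugin list --format=json | python3 check_plugins.py`; with no piped input it evaluates the constructed sample and flags MW WP Form first, then the inactive Perfmatters install.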

For broader background on which plugin patterns get exploited and how, see our vulnerable WordPress plugins guide. For a general defence-in-depth checklist, the security checklist for small business covers backups, file integrity monitoring and account hardening.

What does this mean for your site?

WordPress sites get attacked through their plugins far more often than through WordPress core itself. A monthly habit of "check plugins, apply updates, glance at the user list" closes most of these holes before anyone tries them on you. None of these four disclosures requires a panic response, but if you have MW WP Form installed and it is still on 5.1.1 or older, patch it today.

Sources: Patchstack — MW WP Form, Patchstack — Perfmatters, Patchstack — Tutor LMS, Patchstack — Smart Slider 3.
