Critical WordPress Security Advisory – June 2026
Two WordPress-relevant vulnerabilities have been added to the CISA Known Exploited Vulnerabilities (KEV) catalog in recent weeks. Site administrators should review the items below and take action immediately.
1. CVE-2026-45247 – Mirasvit Full Page Cache Warmer (Deserialization to Remote Code Execution)
- Severity: Critical (CWE-502: Deserialization of Untrusted Data)
- Added to KEV: June 3, 2026
- Affected Product: Mirasvit Full Page Cache Warmer (WordPress plugin)
- Attack Vector: Unauthenticated attacker supplies a crafted serialized PHP object via the CacheWarmer cookie, which the plugin deserializes without validation
- Impact: Full remote code execution on the WordPress server
- Ransomware use: Not yet confirmed, but actively exploited in the wild
Recommended Action: If you use the Mirasvit Full Page Cache Warmer plugin, update to the latest patched version immediately. If a patch is not yet available, disable the plugin until one is released.
2. CVE-2026-41940 – cPanel/WHM and WP2 (WordPress Squared) Authentication Bypass
- Severity: Critical (CWE-306: Missing Authentication for Critical Function)
- Added to KEV: April 30, 2026 – Known ransomware campaign use confirmed
- Affected Products: cPanel and WHM (WebHost Manager) and WP2 (WordPress Squared) by WebPros
- Attack Vector: Unauthenticated remote attacker bypasses login flow to gain unauthorized control panel access
- Impact: Full administrative access to hosting control panel and all managed WordPress sites
- Ransomware use: CONFIRMED – Known ransomware campaigns are actively exploiting this vulnerability
Recommended Action: If your hosting uses cPanel/WHM, ensure you are running the latest security update (April 28, 2026 or later). If you use WP2 (WordPress Squared), update to version 13.6.17 or later.
Additional Infrastructure CVEs to Monitor
While not directly WordPress-specific, the following high- and critical-severity CVEs in common web infrastructure components may affect your hosting environment:
- CVE-2026-23631 – Redis Lua Scripting RCE (CVSS 8.8 HIGH)
- CVE-2026-25243 – Redis RESTORE Memory Corruption RCE (CVSS 8.8 HIGH)
- CVE-2026-33186 – gRPC-Go Authorization Bypass (CVSS 9.1 CRITICAL)
- CVE-2026-33747 – BuildKit Arbitrary File Write and Code Execution (CVSS 8.2 HIGH)
- CVE-2026-42578 through CVE-2026-42587 – Multiple Netty HTTP/DoS Vulnerabilities (CVSS 7.2 to 7.5 HIGH)
General Recommendations
- Audit all WordPress plugins – remove any unused or unmaintained plugins
- Ensure WordPress core, themes (including Newsup v5.4.3), and all plugins are up to date
- Verify your hosting provider has patched cPanel/WHM if applicable
- Review server-level software (Redis, Go runtime, OpenSSL) for pending updates
- Monitor the CISA KEV catalog for new additions
This advisory was generated by the Tyche automated security scanner. Data sources: CISA KEV (catalog version 2026.06.09), CIRCL CVE feed.
