
WordPress Mass-Takeover Wave: Two CVSS 9.8 Plugin Vulnerabilities Hand Attackers Admin Access to UK SME Websites — The 7-Day Web Stack Audit Plan


On the evening of 4 May 2026 Wordfence published two of the most consequential WordPress security advisories of the year so far. Two unrelated commercial plugins — MoreConvert Pro and Mentoring — were disclosed as carrying critical authentication-bypass vulnerabilities. Each received a maximum CVSS 9.8 rating. Each lets an unauthenticated attacker create or take over a full WordPress administrator account on any affected UK website. Within 24 hours of disclosure, threat-intelligence platforms were reporting mass scanning of UK and European IP space looking for vulnerable installations. For the estimated 43% of UK small business websites that run on WordPress, this is not an academic vulnerability advisory. It is an active incident.

The two CVEs are CVE-2026-5722, affecting MoreConvert Pro through version 1.9.14, and CVE-2025-13618, affecting the Mentoring plugin through version 1.2.8. They are technically unrelated but operationally identical in their impact: from the public internet, with no credentials and no user interaction, an attacker walks into the WordPress admin dashboard with full root-equivalent control of the site. From that position they can install a backdoored plugin, inject malware into every page, redirect customers to phishing pages, harvest checkout data, exfiltrate customer records, or hold the site to ransom. For any UK SME whose website handles enquiries, bookings, transactions, customer accounts, or any personal data at all, this is a top-of-list incident.

  • 9.8: CVSS score on both new WordPress plugin CVEs
  • 43%: share of UK SME websites that run on WordPress
  • 87: WordPress plugin vulnerabilities disclosed in the week to 3 May 2026
  • 7 days: window to audit, patch and re-verify your web stack

What was actually disclosed on 4 May 2026

The first advisory covers MoreConvert Pro, a paid e-commerce conversion plugin marketed primarily to WooCommerce store owners that adds “back in stock” notifications, waitlists, abandoned-cart recovery sequences and post-purchase upsell flows. Wordfence’s analysis describes a logic flaw in the guest waitlist verification routine: a guest user (with no account) can request a verification token sent to their own email address, then submit a request that swaps the bound email to that of an existing target account — without the token being invalidated, and without the existing account being notified. The attacker then authenticates as the target user. If the target is an administrator, the attacker now holds an admin session.

The second advisory covers the Mentoring plugin, a learning-management add-on used by training providers, coaches and education businesses. The vulnerability is starker still: the registration AJAX endpoint never validates which user role the new account requests. A request with the role parameter set to administrator is accepted on its face. There is no second-factor check, no email verification, no rate limit, no protection of any kind. An attacker visits the registration page, intercepts the form, modifies one parameter, and an administrator account belongs to them in a single HTTP request.

Neither of these is a sophisticated remote-code-execution chain. They are commercial-plugin logic mistakes — the kind of one-line oversight that the wider WordPress economy produces every week. The reason 4 May matters is that both happen to be plugins with active commercial install bases in the UK SME segment, both were classed at the maximum severity, and both went public within 24 hours of each other. Mass-scanning is a near-certainty in that configuration. The threat-intel feeds confirm it has already begun.
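The two logic flaws described above, modelled in the abstract as an added example (this is not code from MoreConvert Pro, Mentoring or Wordfence, and the class and function names are assumptions): each vulnerable routine sits beside a hardened one that binds the token to the address it was issued for, expires it, makes it single-use, and refuses a client-chosen role.

```python
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60   # assumed lifetime for a verification token


# --- Flaw 1: a verification token that is not bound to the email it was issued for ---

class GuestVerifier:
    """In-memory model of a guest waitlist email verification step (assumed name)."""

    def __init__(self, now=time.time):
        self._tokens = {}   # token -> (email it was issued for, issue time)
        self._now = now

    def request_token(self, email):
        """Issue a token for the email the guest typed in."""
        token = secrets.token_urlsafe(32)
        self._tokens[token] = (email, self._now())
        return token

    def verify_vulnerable(self, token, email):
        """Defect modelled on the advisory: only checks that the token exists,
        so the caller can submit any email with it, and it is never invalidated."""
        return token in self._tokens

    def verify_hardened(self, token, email):
        """Token must match the email it was issued for, be unexpired, and is single-use."""
        entry = self._tokens.pop(token, None)   # consume it whatever the outcome
        if entry is None:
            return False
        bound_email, issued_at = entry
        if self._now() - issued_at > TOKEN_TTL_SECONDS:
            return False
        # Constant-time comparison, case-folded, against the bound address.
        return hmac.compare_digest(bound_email.lower().encode(), email.lower().encode())


# --- Flaw 2: a registration handler that trusts a client-supplied role ---

SELF_REGISTRATION_ROLES = {"subscriber"}   # the only role a visitor may end up with


def register_vulnerable(form):
    """Accepts whatever role the request carries, including 'administrator'."""
    return {"user": form["user"], "role": form.get("role", "subscriber")}


def register_hardened(form):
    """The server decides the role; a request for anything else is refused outright."""
    requested = form.get("role", "subscriber")
    if requested not in SELF_REGISTRATION_ROLES:
        raise PermissionError(f"role {requested!r} cannot be self-assigned")
    return {"user": form["user"], "role": "subscriber"}
```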

If your site runs either plugin, treat this as an active incident

If your WordPress install has MoreConvert Pro ≤ 1.9.14 or the Mentoring plugin ≤ 1.2.8 active right now, the only defensible interpretation is that compromise is plausible. Hardening alone is not enough. You also need to audit user accounts, plugin files and outbound traffic for evidence of post-exploitation activity in the last seven days.

The seven-day timeline that matters

Sunday 4 May 2026 — advisories drop
Wordfence publishes CVE-2026-5722 (MoreConvert Pro) and CVE-2025-13618 (Mentoring) within hours of each other. Both rated CVSS 9.8 critical. Both patched the same day in vendor-provided updates — but only for sites running automatic updates.

Monday 5 May 2026 — mass scanning begins
Internet-wide scanners on commodity hosting providers start probing for both plugin signatures. Honeypots in the UK and Germany pick up the first opportunistic exploitation attempts. The pattern matches every prior CVSS-9.8 WordPress plugin advisory in the last 12 months.

Tuesday 6 May 2026 — SBCSG threat brief published
The Small Business Cybersecurity Guy issues a UK SMB threat brief naming both CVEs as the top priority of the week, alongside CVE-2026-31431 in the Linux kernel (CopyFail) and SHADOW-EARTH-053 exploitation of unpatched Exchange Servers. WordPress is the SME-facing story.

Wednesday 7 May 2026 — first confirmed compromises
Wordfence threat-intel feeds report the first confirmed compromises of UK WordPress sites running MoreConvert Pro ≤ 1.9.14. Attackers create a rogue admin account, then install a credential-stealer plugin to harvest WooCommerce checkout submissions.

Friday 9 May 2026 — ICO advisory referenced
The Information Commissioner’s Office quietly references the WordPress wave in its weekly breach-tracking email to data controllers, reminding organisations that an unpatched plugin known to be vulnerable is a UK GDPR “appropriate measures” failure under Article 32.

Saturday 10 May 2026 — opportunistic deface campaigns
A wave of opportunistic site defacements begins, primarily targeting small UK retail and hospitality sites running outdated WooCommerce extensions. Compromised sites are used as redirector hops in wider SEO-poisoning and pharmacy-spam campaigns.

Today — Monday 11 May 2026
Your seven-day audit window starts now. Cyber Essentials v3.3 requires applying critical-rated patches within 14 days of vendor release. NCSC guidance recommends faster action for vulnerabilities under active exploitation. The realistic ceiling for action on this advisory is the end of this week.

Why UK SMEs are disproportionately exposed

The shape of the UK WordPress economy creates a near-perfect set of conditions for vulnerabilities like these to land on under-defended targets. Most UK small business sites were built by a freelance designer or a small agency — sometimes years ago — using a starter theme, a child theme, and somewhere between 15 and 50 plugins drawn from a mixture of free directories and commercial marketplaces. The site went live, the designer moved on, and the SME never put a maintenance retainer in place. Plugins are not patched. Themes are not updated. Inactive plugins are left installed but disabled, still inviting attack on their database tables and PHP files.

On top of that, the UK WordPress hosting landscape skews towards shared hosting and entry-level managed plans. Shared hosting providers vary enormously in their willingness to apply WAF rules, isolate accounts, or take down compromised sites quickly. Managed WordPress hosting at the more premium end (Kinsta, WP Engine, Pressable, Cloudways) typically applies automatic plugin updates and edge-level virtual patching, but many UK SMEs are paying £6–£15 a month for a basic plan that does none of this.

Layer on top the 2026 SEO economy — where Google AI Overviews now drive a measurable share of UK SME web traffic — and you have a target profile that combines high commercial impact (the site is the lead-generation engine) with low defensive maturity. The attackers know this. The mass-scanning patterns of the last 18 months have made it clear that the WordPress UK SME segment is being treated as the soft underbelly of the British digital economy. The advisories of 4 May are simply the latest entries.

  • Out-of-date plugins on the live site: 78%
  • Inactive but installed plugins still present: 71%
  • No WAF or edge-level virtual patching: 66%
  • Admin login URL still at /wp-admin: 84%
  • No MFA on the WordPress admin account: 69%
  • Shared admin credentials across staff: 42%
  • No off-site backup with restore tested in 90 days: 73%

Those numbers come from a January 2026 audit of 1,200 UK SME WordPress sites carried out by Patchstack’s incident-response team and cross-referenced with Wordfence threat-intel telemetry. Every single one of those gaps is exploitable by the techniques being used in this week’s wave.

What “administrator takeover” actually buys an attacker

Plenty of UK SME owners read “admin takeover of your website” and mentally translate it to “they can change the homepage.” That is not the threat model. A WordPress administrator account is, in practice, root on the application stack. Here is what changes the moment that account is in attacker hands:

  • They can install any plugin from the dashboard. That includes backdoored plugins designed to look like cache utilities or SEO helpers, but in practice running a webshell on every PHP request. From that webshell they can execute arbitrary code under the web-server user.
  • They can edit any theme file. A single line of injected JavaScript in the active theme’s header file silently exfiltrates every form submission on your site — contact enquiries, password reset requests, checkout fields — to an attacker-controlled endpoint. This is the most common monetisation route for WordPress compromise in 2026.
  • They can read your database. WordPress site databases routinely hold customer email addresses, IP addresses, order history, comment metadata, abandoned-cart records, and (if a CRM plugin is installed) full lead and contact history. All of that is personal data under UK GDPR.
  • They can pivot to your hosting account. If you use a single admin email between WordPress and your hosting control panel, password-reset chaining frequently gets the attacker into the hosting layer as well, where DNS, mailbox forwarders and other domains under the same account become accessible.
  • They can plant SEO-poisoning content. Hidden pages targeting pharmacy spam, gambling, or scam landing pages get indexed by Google under your domain name. Google flags your site as malware-distributing, the warning interstitial appears in search results, and recovering the SEO position takes months even after cleanup.
  • They can ransom the database. A modern WordPress compromise frequently ends with the attacker exporting the database, dropping the original, leaving a ransom note in the site root, and demanding payment in cryptocurrency in exchange for restoring data. If you do not have an off-site backup tested within the last 90 days, that conversation gets very difficult very quickly.

81% of UK WordPress compromises in 2025 were traced to a known, patchable plugin or theme vulnerability — not a zero-day. Patch hygiene is the defensive lever.

Where most UK SME WordPress posture is failing today

The eight common gaps on UK SME WordPress sites, with their priority:

  • No documented inventory of installed plugins, versions and last-update date (High)
  • Automatic plugin updates disabled or never reviewed (High)
  • Admin accounts shared by multiple staff with no MFA (High)
  • Inactive plugins still installed in the WordPress filesystem (High)
  • No edge WAF (Cloudflare, Sucuri, Wordfence Premium, Patchstack) (Mid)
  • Off-site backup older than 30 days or never restore-tested (Mid)
  • Admin login still at /wp-admin without rate limiting (Mid)
  • No PHP-level execution restrictions in /uploads (Low)

Most UK SMEs sit at five or six of those eight gaps. The good news is that none of them require a re-platforming project. All can be addressed in a one-week sprint with the right partner.

The realistic cost-of-compromise envelope by business size

| Business size | Direct cleanup & restoration | Lost revenue & productivity | UK GDPR / ICO exposure | Realistic total |
|---|---|---|---|---|
| 1–9 staff micro-business | £1,800–£3,500 | £2,200–£6,000 | £0–£5,000 | £4,000–£14,500 |
| 10–49 staff small business | £3,500–£8,000 | £8,000–£22,000 | £5,000–£25,000 | £16,500–£55,000 |
| 50–99 staff mid-market | £8,000–£18,000 | £22,000–£55,000 | £25,000–£120,000 | £55,000–£193,000 |
| 100–249 staff upper SME | £18,000–£35,000 | £55,000–£180,000 | £120,000–£500,000 | £193,000–£715,000 |

Those bands draw on Cyber Security Breaches Survey 2025/2026 medians plus the 2025 ICO enforcement actions covering WordPress-driven personal data exposure. The figures assume a compromise discovered within 14 days, professional cleanup, and a contained ICO disclosure — not the worst-case ransomware scenario. The cyber-insurance angle is separate: most UK SME cyber policies now exclude losses arising from unpatched, publicly-known vulnerabilities older than 30 days. Once an advisory has been public for a month, the burden of proof shifts onto the insured.

What “managed WordPress” looks like vs the typical UK SME baseline

The typical UK SME baseline

What most sites look like before incident response

  • Site built by a freelancer 2–5 years ago, no current maintenance retainer
  • Between 15 and 50 plugins, most last updated more than 6 months ago
  • Single shared admin account, no MFA, password unchanged for 12+ months
  • Hosted on a £6–£15/month shared plan with no WAF
  • Backups, if any, taken by a single free plugin to the same hosting account
  • No documented inventory of plugins, versions, or who installed what
  • Discovery of compromise typically arrives via Google’s blacklist warning, not internal monitoring

A managed WordPress posture

Where Cloudswitched Web Development takes you

  • Documented monthly maintenance retainer with named technical owner
  • Plugin inventory reviewed monthly, vulnerable plugins replaced or patched within 14 days
  • Per-user admin accounts with MFA enforced; default editor role for non-technical staff
  • Cloudflare or equivalent edge WAF with virtual patching for known CVEs
  • Off-site daily backups with quarterly restore tests verified in writing
  • Monthly vulnerability scan, with the report shared with the business owner
  • Incident response runbook agreed in advance, with a 4-hour first-response target

The 10-step seven-day web stack audit plan

  • Step 1 — Inventory every WordPress site under the business’s control (Day 1)
  • Step 2 — Pull a current plugin list and version for each site (Day 1)
  • Step 3 — Cross-reference against this week’s Wordfence advisories (Day 2)
  • Step 4 — Patch or remove MoreConvert Pro and Mentoring on any affected site (Day 2)
  • Step 5 — Audit admin accounts; remove any unknown users; force a password rotation (Day 3)
  • Step 6 — Enforce MFA on every administrator and editor account (Day 3)
  • Step 7 — Trigger an off-site backup and a restore drill into a staging environment (Day 4)
  • Step 8 — Turn on an edge WAF with virtual patching (Cloudflare, Patchstack, Wordfence Premium) (Day 5)
  • Step 9 — Run a one-shot integrity scan; review .htaccess, theme files and /uploads for webshells (Day 6)
  • Step 10 — Sign off on a written monthly maintenance retainer and document the runbook (Day 7)
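Steps 2 to 4 as a script, added here as an example rather than Cloudswitched's own tooling: it takes each site's plugin export in the shape WP-CLI produces with `wp plugin list --format=json` (a constructed sample is embedded), compares versions numerically rather than as strings, and reports inactive-but-installed copies too, since their files stay on disk. The plugin slugs are assumptions; the version ceilings are the ones stated on this page.

```python
import json
import re

# Slug -> highest vulnerable version (inclusive). Slugs are assumed; the
# ceilings are the vulnerable-version bounds given in the advisory summary.
ADVISORY = {
    "moreconvert-pro": "1.9.14",   # CVE-2026-5722
    "mentoring": "1.2.8",          # CVE-2025-13618
}


def parse_version(v):
    """Turn '1.9.14' into (1, 9, 14) so comparison is numeric.
    A plain string compare gets this wrong: '1.9.2' > '1.9.14' as text."""
    parts = re.findall(r"\d+", v)
    return tuple(int(p) for p in parts) or (0,)


def is_vulnerable(slug, version):
    """True when the slug is in the advisory and the version is at or below the ceiling."""
    ceiling = ADVISORY.get(slug)
    return ceiling is not None and parse_version(version) <= parse_version(ceiling)


def assess(site, plugins):
    """Return audit findings for one site's plugin list (dicts with name/status/version)."""
    findings = []
    for p in plugins:
        if is_vulnerable(p["name"], p["version"]):
            if p["status"] == "active":
                action = "update or remove"
            else:
                action = "delete (inactive but still on disk)"
            findings.append({"site": site, "plugin": p["name"], "version": p["version"],
                             "status": p["status"], "action": action})
    return findings


# Constructed sample: three sites' exports. Only the fields used here are kept.
SAMPLE_EXPORTS = {
    "shop.example": '[{"name":"moreconvert-pro","status":"active","version":"1.9.14"},'
                    '{"name":"woocommerce","status":"active","version":"9.8.1"}]',
    "academy.example": '[{"name":"mentoring","status":"inactive","version":"1.2.2"}]',
    "brochure.example": '[{"name":"moreconvert-pro","status":"active","version":"1.9.15"}]',
}


def run(exports=SAMPLE_EXPORTS):
    """Cross-reference every site and return the combined findings list."""
    all_findings = []
    for site, raw in exports.items():
        all_findings.extend(assess(site, json.loads(raw)))
    return all_findings


if __name__ == "__main__":
    for f in run():
        print(f"{f['site']}: {f['plugin']} {f['version']} ({f['status']}) -> {f['action']}")
```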

The plan deliberately front-loads the patching and admin-account work. Steps 1 to 6 alone will eliminate roughly 80% of the realistic compromise risk from this week’s advisories. Steps 7 to 10 lift the site from “not vulnerable to today’s CVEs” to “not vulnerable to next month’s either.”

41/100: average UK SME WordPress security readiness against the 10-step audit plan, on Patchstack’s Q1 2026 benchmark.

How this stacks with Cyber Essentials v3.3 (effective 27 April 2026)

The Cyber Essentials Danzell question set came into force on 27 April 2026 — we covered the full implications in the earlier Cloudswitched analysis. Two of its newly-strengthened control families bear directly on this week’s WordPress wave:

  • A2.1 Security update management. Critical-rated vendor patches must now be applied within 14 days of release. Both MoreConvert Pro and the Mentoring plugin published vendor patches on 4 May 2026. The 14-day clock therefore expires on 18 May. Sites still running the vulnerable versions on 19 May are out of scope for Cyber Essentials and will fail an assessment without remediation.
  • A4.1 Vulnerability management. Where a vulnerability is rated CVSS 7.0 or higher and a patch is available, the v3.3 framework now requires evidence that the patch has been applied or, where applying it is genuinely impossible, that a compensating mitigation is documented. CVSS 9.8 is well above the threshold.

For any UK SME that holds Cyber Essentials, intends to apply this year, or is required to maintain it under a customer contract (government framework, MoD supply chain, NHS supplier panel, financial services subcontract), this advisory is not just a security event — it is a certification event.

The 14-day window is not negotiable in audit

Cyber Essentials assessors increasingly verify the patch date directly from plugin metadata. The plugin .zip filename, the database option_value, and the plugin’s “last updated” timestamp all leave a trail. If you intend to apply for Cyber Essentials this quarter, factor the WordPress audit into your readiness work this week, not next month.

The at-a-glance reference for this week

| Field | Value |
|---|---|
| Primary CVEs | CVE-2026-5722 (MoreConvert Pro), CVE-2025-13618 (Mentoring) |
| Severity | CVSS 9.8 (critical) on both |
| Vulnerable versions | MoreConvert Pro ≤ 1.9.14, Mentoring ≤ 1.2.8 |
| Patched versions | MoreConvert Pro 1.9.15+, Mentoring 1.2.9+ |
| Authentication required | None — unauthenticated |
| User interaction required | None |
| Impact on success | Full WordPress administrator account creation or takeover |
| Public disclosure date | 4 May 2026 |
| Active exploitation observed | Yes — from 5 May 2026 onwards |
| Cyber Essentials v3.3 14-day deadline | 18 May 2026 |
| UK GDPR Article 32 exposure | Yes — personal data on most affected sites |
| Realistic SME cost-of-compromise | £4,000 — £715,000 depending on business size |
| Recommended action window | Seven days from today (11–17 May 2026) |

Where this sits in the wider Cloudswitched coverage

This advisory does not sit in isolation. It is the latest in a continuous run of UK SME cyber and infrastructure stories that all point at the same underlying message — the British small business stack is being probed faster than most SMEs can audit it. If you have not already read the recent Cloudswitched analyses, the most relevant context for this week is:

Need a partner to run the seven-day WordPress audit for you?

Cloudswitched Web Development runs the inventory, the patching, the WAF deployment, the backup verification and the documented monthly maintenance retainer end-to-end — with a named technical owner and a Cyber Essentials-aligned reporting trail you can hand to your insurer or auditor without a follow-up email.


Frequently asked questions

We do not run MoreConvert Pro or Mentoring. Are we safe?
From these two specific CVEs, yes. But the pattern of the last 12 months is that critical-rated WordPress plugin CVEs are disclosed at a rate of two to four per month. The defensive posture that protects you this week — documented inventory, automatic updates, MFA, WAF, monthly review — is the same posture that protects you next month when the advisories rotate. Treat this advisory as the prompt to put that posture in place, not as a single point fix.

Our site does not take payments. Do we still have to act on this?
Yes. UK GDPR Article 4 defines personal data extremely broadly — contact form submissions, comment metadata, abandoned-cart records, cookie identifiers and IP addresses all qualify. A WordPress administrator compromise puts all of that in attacker hands. The ICO has fined SMEs for breach of Article 32 (“appropriate technical measures”) in exactly these scenarios.

We have automatic updates turned on. Are we automatically patched?
For free plugins from the WordPress.org directory, generally yes — the auto-update mechanism is reliable. For commercial plugins distributed via a vendor licence (which both MoreConvert Pro and Mentoring are), the situation is more complex. Some commercial plugins ship their own auto-update channel; others require the licence to be active and configured correctly. The only safe approach is to verify the running version inside Plugins » Installed Plugins rather than assume.

How do we know if our site has already been compromised?
Three quick checks. First, the Users list in WordPress admin — any account you do not recognise, particularly an administrator role, is the strongest single signal. Second, the “last login” or audit log if you have one. Third, scan the theme files (especially functions.php and header.php) and the /uploads directory for unexpected PHP files. If any of those produce a finding, treat the incident as confirmed and move to incident response — do not just delete the rogue user.
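Two of the three checks above as detection logic over sample data, added as an example rather than Cloudswitched's own tooling. It assumes the administrator list was exported with WP-CLI (`wp user list --role=administrator --format=json`, whose output includes user_login and user_registered) and that a copy of wp-content/uploads is on local disk; the sample users and the temporary uploads tree are constructed.

```python
import json
import os
import tempfile
from datetime import datetime

# Extensions a PHP-capable host may execute if they turn up under /uploads.
EXECUTABLE_EXT = {".php", ".php5", ".php7", ".phtml", ".phar"}


def unknown_admins(users_json, known_admins, window_start):
    """Flag any administrator not on the documented inventory, plus any
    account registered inside the audit window (the rogue-admin signal)."""
    findings = []
    for u in json.loads(users_json):
        registered = datetime.strptime(u["user_registered"], "%Y-%m-%d %H:%M:%S")
        reasons = []
        if u["user_login"] not in known_admins:
            reasons.append("not in admin inventory")
        if registered >= window_start:
            reasons.append("registered inside audit window")
        if reasons:
            findings.append((u["user_login"], "; ".join(reasons)))
    return findings


def executable_files_in_uploads(uploads_dir):
    """List files under uploads with an executable extension, relative to the
    uploads root. Media and documents belong here; PHP does not."""
    hits = []
    for root, _dirs, files in os.walk(uploads_dir):
        for name in files:
            if os.path.splitext(name)[1].lower() in EXECUTABLE_EXT:
                rel = os.path.relpath(os.path.join(root, name), uploads_dir)
                hits.append(rel.replace(os.sep, "/"))
    return sorted(hits)


# Constructed sample: two documented admins and one account nobody recognises.
SAMPLE_USERS = json.dumps([
    {"user_login": "owner", "user_registered": "2022-03-01 09:00:00"},
    {"user_login": "agency-support", "user_registered": "2023-07-14 11:30:00"},
    {"user_login": "wp-cache-helper", "user_registered": "2026-05-07 02:14:55"},
])
KNOWN_ADMINS = {"owner", "agency-support"}


def build_sample_uploads():
    """Create a throwaway uploads tree with one planted PHP file (constructed)."""
    base = tempfile.mkdtemp()
    os.makedirs(os.path.join(base, "2026", "05"))
    for rel in ("2026/05/hero.jpg", "2026/05/brochure.pdf", "2026/05/cache.php"):
        with open(os.path.join(base, *rel.split("/")), "w") as fh:
            fh.write("sample")
    return base


def run_checks(window_start=None):
    """Run both checks over the sample data; returns (admin findings, upload hits)."""
    if window_start is None:
        window_start = datetime(2026, 5, 4)   # start of the seven-day window on this page
    admins = unknown_admins(SAMPLE_USERS, KNOWN_ADMINS, window_start)
    uploads = executable_files_in_uploads(build_sample_uploads())
    return admins, uploads


if __name__ == "__main__":
    admin_findings, upload_hits = run_checks()
    for login, why in admin_findings:
        print(f"ADMIN FINDING: {login}: {why}")
    for path in upload_hits:
        print(f"UPLOADS FINDING: {path}")
```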
Should we move off WordPress entirely after this?
For most UK SMEs, no. WordPress remains the most cost-effective and feature-rich content management system for the segment, and the security gap is overwhelmingly a maintenance discipline issue rather than a platform flaw. A managed WordPress retainer plus an edge WAF will give you a defensive posture comparable to a custom-built site, at a fraction of the cost. The platforms most often suggested as alternatives (Webflow, Squarespace, Wix) have their own vulnerability and platform-lock-in trade-offs.

Do we have to tell our customers if we were compromised?
Under UK GDPR you must notify the ICO within 72 hours of becoming aware of a personal data breach that “is likely to result in a risk to the rights and freedoms of natural persons.” If the breach is “likely to result in a high risk,” you must also notify the affected individuals without undue delay. A confirmed WordPress administrator compromise on a site holding customer enquiries or accounts almost always meets the “likely” threshold. Speak to your DPO or an external data-protection adviser before deciding to delay notification.

Will an edge WAF like Cloudflare protect us if we cannot patch immediately?
A WAF with virtual-patching capability (Cloudflare Pro/Business with the Managed WordPress ruleset, Patchstack, Wordfence Premium, Sucuri) significantly reduces exposure but is not a substitute for patching. WAFs block known exploit signatures, but skilled attackers vary their payloads to evade signature matching. Treat the WAF as a defence-in-depth layer and a time-buying mechanism, not a permanent control.

What is the realistic cost of putting all this in place?
For a typical UK SME running a single primary website, a managed WordPress retainer with Cloudswitched usually runs £180–£420 per month all-in, including hosting, edge WAF, daily off-site backups, monthly vulnerability scan, plugin patching within 14 days, an annual restore drill, and a quarterly written security review. Compared to the £4,000–£55,000 typical cost envelope of a compromise for a 10–49 staff business, the maths is unambiguous.

Our hosting provider says they handle security. Does that cover us?
Almost never, in our experience. Mainstream UK shared hosting covers the underlying server stack — PHP, MySQL, Linux, the web server — but explicitly excludes the WordPress application layer, the plugin layer and the theme layer in their terms of service. Read the “security shared responsibility” section of your hosting contract carefully. The application-layer responsibility almost always sits with you or your appointed agency.

How does this affect our cyber insurance?
Most UK cyber policies underwritten in 2026 contain an “unpatched known vulnerability” exclusion that activates once a CVE has been public for 30 days. After 3 June 2026, any compromise traceable to these specific CVEs is likely to fall outside cover. Insurers are also increasingly asking for evidence of a documented patch-management process at renewal — the absence of one is now itself a premium-loading factor.

The seven-day window is now

Bring forward your WordPress audit before this advisory ages past the cyber-insurance and Cyber Essentials cut-offs. Cloudswitched Web Development runs the full audit, patch, WAF, backup and runbook end-to-end — with the retainer to keep you out of next month’s advisory cycle too.
