External risk intelligence

WordPress Plugin RCE via Unauthorized Extension Installation

CVE advisorySeverity: CRITICAL (CVSS 9.0)

CVE-2026-4375

This vulnerability affects WordPress plugins. WordPress sites are commonly deployed as public-facing web applications, making the attack surface directly reachable via the internet as part of the standard deployment pattern for web content management systems.

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

A critical vulnerability has been identified in certain WordPress plugins, specifically the DoLeads Integrator and wp2epub. This flaw allows for remote code execution, meaning an attacker could potentially control affected systems by exploiting a weakness in how WordPress extensions are managed. The primary concern at this time is to confirm if these specific plugins are in use within our environment to understand the potential exposure.

  • Flaw allows code execution via WordPress plugins.
  • Confirming plugin usage is key to assessing risk.
  • Prioritize confirming relevance and exposure.

Attack Path

How an attacker could exploit the issue

An attacker could exploit this by first gaining the ability to install unauthorized WordPress plugins, potentially through another vulnerability or misconfiguration. Once a vulnerable plugin is installed on a blog, the attacker can then leverage a flaw within the plugin to achieve remote code execution, leading to a compromise of the affected site.

  • Unauthorized plugin installation required.
  • Vulnerable plugin feature is triggered.
  • Remote code execution is possible.

Live Threat

Current exploitation, exposure, and threat context

When unclosed extensions from WordPress.org can be installed by unauthorized users, the DoLeads Integrator and wp2epub WordPress plugins could be leveraged to achieve remote code execution. This means an attacker could potentially run arbitrary commands on the affected server, impacting the integrity and availability of the website and its hosted data.

  • WordPress plugins and data.
  • Unauthorized installation of extensions.
  • Compromised website and server access.

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability affects WordPress plugins, indicating that website owners and their associated technical teams, such as application or infrastructure support, should investigate. The immediate priority is to identify all instances of the affected plugins within your environment, confirm their exposure and business criticality, and then determine the accountable owner for remediation planning.

  • Website owners, app/infra teams.
  • Confirm plugin presence and exposure.
  • Plan remediation based on risk.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is the DoLeads Integrator and wp2epub software?

These are specific plugins designed for the WordPress content management system. WordPress users typically install such plugins to extend the core functionality of their websites, such as managing lead capture or converting blog content into digital book formats. Because these plugins integrate directly into the WordPress ecosystem, they operate with the same permissions and access levels as the host application.

What does Remote Code Execution mean in CVE-2026-4375?

Remote Code Execution, or RCE, is a critical security weakness where an attacker can force a server to run unauthorized commands or software. In the context of this CVE, the plugin fails to safely handle input or system functions, effectively allowing an attacker to bypass normal website controls to execute arbitrary actions on the underlying host, which can lead to a complete compromise of the site and its data.

How is the vulnerability triggered?

The flaw requires a multi-stage approach. First, an attacker must successfully install the vulnerable plugin on the target WordPress site, often by exploiting separate issues that permit unauthorized extension installation. Once the plugin is present on the system, the attacker triggers the specific insecure functionality within the plugin. Simply having the code on a server is not enough; the attacker must be able to initiate the prohibited installation and then invoke the plugin's flawed routines.

Is my website at risk if it runs these plugins?

According to Halo Surface Signal, WordPress sites are frequently deployed as public-facing web applications. This means that if you have these plugins installed and accessible over the internet, the attack surface is exposed to external actors. Websites configured for public use are the primary concern, as they do not require an attacker to have internal network access to attempt to reach or interact with these plugins.

When should I take action for CVE-2026-4375?

You should prioritize this investigation immediately. The first step is to audit your WordPress installations to see if DoLeads Integrator or wp2epub are currently active. If you find them, document their business use and determine if they can be removed or disabled. Coordinate with your technical or infrastructure teams to track these instances and ensure that any necessary updates or containment measures are applied promptly to protect your site.

References