Two vulnerabilities in the Avada Builder plugin for WordPress, with an estimated one million active installations, allow hackers to read arbitrary files and extract sensitive information from the database.

One of the flaws is tracked as CVE-2026–4782 and can be exploited in all versions of the plugin through 3.15.2 by an authenticated users with at least subscriber-level access to read the contents of any file on the server.

The other security issue received the identifier CVE-2026–4798 and is an SQL injection that can be leveraged without authentication. However, exploitation is possible only if the WooCommerce e-commerce plugin for WordPress has been enabled and then deactivated.

Microsoft is updating the Edge web browser to ensure it no longer loads saved passwords into process memory in clear text at startup after previously stating it was “by design.”

This behavior was disclosed on May 4 by security researcher Tom Jøran Sønstebyseter Rønning, who demonstrated that all credentials stored in the Edge built-in password manager were decrypted on launch and kept in memory even when not in use.

Rønning also released a proof-of-concept (PoC) tool that would allow attackers with Administrator privileges to dump passwords from other users’ Edge processes (without admin privileges, the PoC only allows accessing Edge processes launched by the same user).

According to Rapid7, which discovered CVE-2026–20182, the shortcoming has its echoes in CVE-2026–20127 (CVSS score: 10.0), another critical authentication bypass impacting the same component. The latter is said to have been exploited by a threat actor called UAT-8616 since at least 2023.

“This new authentication bypass vulnerability affects the ‘vdaemon’ service over DTLS (UDP port 12346), which is the same service that was vulnerable to CVE-2026–20127,” Rapid7 researchers Jonah Burgess and Stephen Fewer said. “The new vulnerability is not a patch bypass of CVE-2026–20127. It is a different issue located in a similar part of the ‘vdaemon’ networking stack.”

That said, the end result is the same: a remote unauthenticated attacker can abuse CVE-2026–20182 to become an authenticated peer of the target appliance and carry out privileged operations.

Hackers are leveraging a critical authentication bypass vulnerability in the WordPress plugin Burst Statistics to obtain admin-level access to websites.

Burst Statistics is a privacy-focused analytics plugin active on 200,000 WordPress sites and marketed as a lightweight alternative to Google Analytics.

The flaw, tracked as CVE-2026–8181, was introduced on April 23 with the release of version 3.4.0 of the plugin. The vulnerable code was also present in the following iteration, version 3.4.1.