Vulnerability Report

WordPress Vulnerability Report: April 1 – April 8, 2026

40 WordPress vulnerabilities were disclosed between April 1 and April 8, 2026: 2 critical, 12 high severity. 0 patched, 40 unpatched.

WPSentry | April 15, 2026 | 12 min read

During the reporting period (April 1 – April 8, 2026), 40 WordPress security vulnerabilities were disclosed across plugins, themes, and core. This report aggregates data from the NIST National Vulnerability Database, Wordfence Intelligence, and our own scanning database.

Summary

Total: 40
Critical: 2
High: 12
Medium: 26
Low: 0
Patched: 0

WordPress Plugin Vulnerabilities (40)

Order Notification for WooCommerce

Vulnerability: Order Notification for WooCommerce — CVE-2025-15484
Severity: Critical
Affected Versions: <=3.6.3
CVE Reference:
Patch Status: No patch
Source: NVD

Ninja Forms - File Uploads

Vulnerability: Ninja Forms - File Uploads — Arbitrary file uploads
Severity: Critical
Affected Versions: <=3.3.26
CVE Reference:
Patch Status: No patch
Source: NVD

Spam Protect for Contact Form 7

Vulnerability: Spam Protect for Contact Form 7 — CVE-2026-1540
Severity: High
Affected Versions: <=1.2.10
CVE Reference:
Patch Status: No patch
Source: NVD

MW WP Form

Vulnerability: MW WP Form — Arbitrary file moving
Severity: High
Affected Versions: <=5.1.0
CVE Reference:
Patch Status: No patch
Source: NVD

Webmention

Vulnerability: Webmention — Server-Side Request Forgery
Severity: High
Affected Versions: <=5.6.2
CVE Reference:
Patch Status: No patch
Source: NVD

W3 Total Cache

Vulnerability: W3 Total Cache — Information exposure
Severity: High
Affected Versions: <=2.9.3
CVE Reference:
Patch Status: No patch
Source: NVD

Perfmatters

Vulnerability: Perfmatters — Arbitrary file deletion
Severity: High
Affected Versions: <=2.5.9.1
CVE Reference:
Patch Status: No patch
Source: NVD

WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible

Vulnerability: WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible — Insecure Direct Object Reference
Severity: High
Affected Versions: <=6.7.25
CVE Reference:
Patch Status: No patch
Source: NVD

Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress

Vulnerability: Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress — Unauthorized membership payment bypass
Severity: High
Affected Versions: <=4.16.11
CVE Reference:
Patch Status: No patch
Source: NVD

Widgets for Social Photo Feed

Vulnerability: Widgets for Social Photo Feed — Stored Cross-Site Scripting
Severity: High
Affected Versions: <=1.7.9
CVE Reference:
Patch Status: No patch
Source: NVD

Text to Speech for WP (AI Voices by Mementor)

Vulnerability: Text to Speech for WP (AI Voices by Mementor) — Sensitive information exposure
Severity: High
Affected Versions: <=1.9.8
CVE Reference:
Patch Status: No patch
Source: NVD

Visitor Traffic Real Time Statistics

Vulnerability: Visitor Traffic Real Time Statistics — Stored Cross-Site Scripting
Severity: High
Affected Versions: <=8.4
CVE Reference:
Patch Status: No patch
Source: NVD

wpForo Forum

Vulnerability: wpForo Forum — Arbitrary file deletion
Severity: High
Affected Versions: <=2.4.16
CVE Reference:
Patch Status: No patch
Source: NVD

Booking for Appointments and Events Calendar – Amelia

Vulnerability: Booking for Appointments and Events Calendar – Amelia — Insecure Direct Object Reference
Severity: High
Affected Versions: <=2.1.3
CVE Reference:
Patch Status: No patch
Source: NVD

Booking for Appointments and Events Calendar - Amelia

Vulnerability: Booking for Appointments and Events Calendar - Amelia — SQL Injection
Severity: Medium
Affected Versions: <=2.1.2
CVE Reference:
Patch Status: No patch
Source: NVD

Database for Contact Form 7, WPforms, Elementor forms

Vulnerability: Database for Contact Form 7, WPforms, Elementor forms — Unauthorized access of data
Severity: Medium
Affected Versions: <=1.4.9
CVE Reference:
Patch Status: No patch
Source: NVD

Export All URLs

Vulnerability: Export All URLs — CVE-2026-2696
Severity: Medium
Affected Versions: <=5.1
CVE Reference:
Patch Status: No patch
Source: NVD

King Addons for Elementor

Vulnerability: King Addons for Elementor — Multiple Contributor+ DOM-Based Stored Cross-Site Scripting vulnerabilities
Severity: Medium
Affected Versions: <=51.1.38
CVE Reference:
Patch Status: No patch
Source: NVD

Webmention

Vulnerability: Webmention — Server-Side Request Forgery
Severity: Medium
Affected Versions: <=5.6.2
CVE Reference:
Patch Status: No patch
Source: NVD

Pie Register – User Registration, Profiles & Content Restriction

Vulnerability: Pie Register – User Registration, Profiles & Content Restriction — Unauthorized modification of data
Severity: Medium
Affected Versions: <=3.8.4.8
CVE Reference:
Patch Status: No patch
Source: NVD

Gutenverse – Ultimate WordPress FSE Blocks Addons & Ecosystem

Vulnerability: Gutenverse – Ultimate WordPress FSE Blocks Addons & Ecosystem — Stored Cross-Site Scripting
Severity: Medium
Affected Versions: <=3.4.6
CVE Reference:
Patch Status: No patch
Source: NVD

Xpro Addons — 140+ Widgets for Elementor

Vulnerability: Xpro Addons — 140+ Widgets for Elementor — Stored Cross-Site Scripting
Severity: Medium
Affected Versions: <=1.4.24
CVE Reference:
Patch Status: No patch
Source: NVD

Xpro Addons — 140+ Widgets for Elementor

Vulnerability: Xpro Addons — 140+ Widgets for Elementor — Stored Cross-Site Scripting
Severity: Medium
Affected Versions: <=1.4.20
CVE Reference:
Patch Status: No patch
Source: NVD

Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin

Vulnerability: Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin — Stored Cross-Site Scripting
Severity: Medium
Affected Versions: <=2.11.1
CVE Reference:
Patch Status: No patch
Source: NVD

Simple Shopping Cart

Vulnerability: Simple Shopping Cart — Stored Cross-Site Scripting
Severity: Medium
Affected Versions: <=5.2.4
CVE Reference:
Patch Status: No patch
Source: NVD

Royal Addons for Elementor

Vulnerability: Royal Addons for Elementor — Stored Cross-Site Scripting
Severity: Medium
Affected Versions: <=1.7.1049
CVE Reference:
Patch Status: No patch
Source: NVD

WP Shortcodes Plugin - Shortcodes Ultimate

Vulnerability: WP Shortcodes Plugin - Shortcodes Ultimate — Stored Cross-Site Scripting
Severity: Medium
Affected Versions: <=7.4.7
CVE Reference:
Patch Status: No patch
Source: NVD

WP Shortcodes Plugin - Shortcodes Ultimate

Vulnerability: WP Shortcodes Plugin - Shortcodes Ultimate — Stored Cross-Site Scripting
Severity: Medium
Affected Versions: <=7.4.8
CVE Reference:
Patch Status: No patch
Source: NVD

ElementsKit Elementor Addons and Templates

Vulnerability: ElementsKit Elementor Addons and Templates — Stored Cross-Site Scripting
Severity: Medium
Affected Versions: <=3.7.9
CVE Reference:
Patch Status: No patch
Source: NVD

WP Travel Engine – Tour Booking Plugin – Tour Operator Software

Vulnerability: WP Travel Engine – Tour Booking Plugin – Tour Operator Software — Stored Cross-Site Scripting
Severity: Medium
Affected Versions: <=6.7.5
CVE Reference:
Patch Status: No patch
Source: NVD

Kadence Blocks — Page Builder Toolkit for Gutenberg Editor

Vulnerability: Kadence Blocks — Page Builder Toolkit for Gutenberg Editor — Authorization bypass
Severity: Medium
Affected Versions: <=3.6.3
CVE Reference:
Patch Status: No patch
Source: NVD

Listeo Core

Vulnerability: Listeo Core — Unauthenticated arbitrary media upload
Severity: Medium
Affected Versions: <=2.0.27
CVE Reference:
Patch Status: No patch
Source: NVD

WPFunnels – Easy Funnel Builder To Optimize Buyer Journeys And Get More Leads & Sales

Vulnerability: WPFunnels – Easy Funnel Builder To Optimize Buyer Journeys And Get More Leads & Sales — Stored Cross-Site Scripting
Severity: Medium
Affected Versions: <=3.7.9
CVE Reference:
Patch Status: No patch
Source: NVD

Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress

Vulnerability: Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress — Arbitrary shortcode execution
Severity: Medium
Affected Versions: <=4.16.11
CVE Reference:
Patch Status: No patch
Source: NVD

Popup Box

Vulnerability: Popup Box — Properly validate nonces in the add_or_edit_popupbox() function before saving popup data
Severity: Medium
Affected Versions: <=5.5.0
CVE Reference:
Patch Status: No patch
Source: NVD

Link Whisper Free

Vulnerability: Link Whisper Free — Unauthenticated settings updates
Severity: Medium
Affected Versions: <=0.9.1
CVE Reference:
Patch Status: No patch
Source: NVD

SQL Chart Builder

Vulnerability: SQL Chart Builder — Properly escape user input as it is concatenated to SQL queries
Severity: Medium
Affected Versions: <=2.3.8
CVE Reference:
Patch Status: No patch
Source: NVD

Charitable – Donation

Vulnerability: Charitable – Donation — Insufficient Verification of Data Authenticity
Severity: Medium
Affected Versions: <=1.8.9.7
CVE Reference:
Patch Status: No patch
Source: NVD

Backup Migration

Vulnerability: Backup Migration — Missing Authorization
Severity: Medium
Affected Versions: <=2.0.0
CVE Reference:
Patch Status: No patch
Source: NVD

Smart Slider 3

Vulnerability: Smart Slider 3 — Unauthorized access and modification of data
Severity: Medium
Affected Versions: <=3.5.1.33
CVE Reference:
Patch Status: No patch
Source: NVD

WordPress Theme Vulnerabilities (0)

No vulnerabilities reported in this category this week.

WordPress Core Vulnerabilities (0)

No vulnerabilities reported in this category this week.

Recommendations

1. Update immediately: Install the latest versions of all plugins, themes, and WordPress core.
2. Enable auto-updates: Turn on automatic updates for minor WordPress releases and plugins where possible.
3. Remove unused plugins: Deactivate and delete any plugins or themes you no longer use.
4. Run a security scan: Use our free WordPress security scanner to check your site for known vulnerabilities.
5. Monitor regularly: Set up uptime monitoring and periodic security scans to catch issues early.

Methodology

This report is compiled automatically from multiple trusted sources:

NIST National Vulnerability Database (NVD): CVE records with CVSS severity scores
Wordfence Intelligence: WordPress-specific vulnerability data with patch information
Our Scanning Database: Vulnerabilities detected through active WordPress security scans
