BlogVulnerability Report
Vulnerability Report

WordPress Vulnerability Report: April 15 – April 16, 2026

24 WordPress vulnerabilities disclosed between April 15 – April 16, 2026. 2 critical, 4 high severity. 0 patched, 24 unpatched.

WPSentryApril 15, 20268 min read

During the reporting period (April 15 – April 16, 2026), 24 WordPress security vulnerabilities were disclosed across plugins, themes, and core. This report aggregates data from the NIST National Vulnerability Database, Wordfence Intelligence, and our own scanning database.

Summary

24
Total
2
Critical
4
High
18
Medium
0
Low
0
Patched
Table of Contents 29 plugins & components

WordPress Plugin Vulnerabilities (22)

Visa Acceptance Solutions

critical
Vulnerability
Visa Acceptance Solutions — Authentication Bypass
Severity
critical Critical risk
Affected Versions
<=2.1.0
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Age Verification & Identity Verification by Token of Trust

high
Vulnerability
Age Verification & Identity Verification by Token of Trust — Stored Cross-Site Scripting
Severity
high High risk
Affected Versions
<=3.32.3
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Accessibly

high
Vulnerability
Accessibly — Stored Cross-Site Scripting
Severity
high High risk
Affected Versions
<=3.0.3
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Login as User

high
Vulnerability
Login as User — Privilege Escalation
Severity
high High risk
Affected Versions
<=1.0.3
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Quick Interest Slider

high
Vulnerability
Quick Interest Slider — Stored Cross-Site Scripting
Severity
high High risk
Affected Versions
<=3.1.5
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

3D FlipBook – PDF Embedder, PDF Flipbook Viewer, Flipbook Image Gallery

medium
Vulnerability
3D FlipBook – PDF Embedder, PDF Flipbook Viewer, Flipbook Image Gallery — Unauthorized access of data
Severity
medium Medium risk
Affected Versions
<=1.16.17
CVE Reference
Patch Status
No patch
Source
NVD

Avada (Fusion) Builder

medium
Vulnerability
Avada (Fusion) Builder — Arbitrary WordPress Action Execution
Severity
medium Medium risk
Affected Versions
<=3.15.1
CVE Reference
Patch Status
No patch
Source
NVD

Avada (Fusion) Builder

medium
Vulnerability
Avada (Fusion) Builder — Sensitive Information Exposure
Severity
medium Medium risk
Affected Versions
<=3.15.1
CVE Reference
Patch Status
No patch
Source
NVD

List View Google Calendar

medium
Vulnerability
List View Google Calendar — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=7.4.3
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Advanced Custom Fields (ACF)

medium
Vulnerability
Advanced Custom Fields (ACF) — Missing Authorization to Arbitrary Post/Page Disclosure
Severity
medium Medium risk
Affected Versions
<=6.7.0
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Inquiry Form to Posts or Pages

medium
Vulnerability
Inquiry Form to Posts or Pages — Cross-Site Request Forgery leading to Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
all
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

MetForm Pro

medium
Vulnerability
MetForm Pro — Improper Input Validation
Severity
medium Medium risk
Affected Versions
<=3.9.7
CVE Reference
Patch Status
No patch
Source
NVD

e-shot™ form builder

medium
Vulnerability
e-shot™ form builder — Missing Authorization
Severity
medium Medium risk
Affected Versions
<=1.0.2
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Katalogportal PDF Sync

medium
Vulnerability
Katalogportal PDF Sync — Missing Authorization
Severity
medium Medium risk
Affected Versions
<=1.0.0
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

WP Circliful

medium
Vulnerability
WP Circliful — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=1.2
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

WM JqMath

medium
Vulnerability
WM JqMath — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=1.3
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Petje.af

medium
Vulnerability
Petje.af — Cross-Site Request Forgery
Severity
medium Medium risk
Affected Versions
<=2.1.8
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Coachific Shortcode

medium
Vulnerability
Coachific Shortcode — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=1.0
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Power Charts Lite

medium
Vulnerability
Power Charts Lite — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=0.1.0
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

OPEN-BRAIN

medium
Vulnerability
OPEN-BRAIN — Cross-Site Request Forgery
Severity
medium Medium risk
Affected Versions
<=0.5.0
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

VI: Include Post By

medium
Vulnerability
VI: Include Post By — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=0.4.200706
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Product Pricing Table by WooBeWoo

medium
Vulnerability
Product Pricing Table by WooBeWoo — Cross-Site Request Forgery
Severity
medium Medium risk
Affected Versions
<=1.1.0
CVE Reference
Patch Status
No patch
Source
NVD

WordPress Theme Vulnerabilities (2)

WebStack

critical
Vulnerability
WebStack — Arbitrary file uploads
Severity
critical Critical risk
Affected Versions
<=1.2024
CVE Reference
Patch Status
No patch
Source
NVD

Eleganzo

medium
Vulnerability
Eleganzo — Arbitrary directory deletion
Severity
medium Medium risk
Affected Versions
<=1.2
CVE Reference
Patch Status
No patch
Source
NVD

WordPress Core Vulnerabilities (0)

No vulnerabilities reported in this category this week.

Recommendations

1
Update immediately
Install the latest versions of all plugins, themes, and WordPress core.
2
Enable auto-updates
Turn on automatic updates for minor WordPress releases and plugins where possible.
3
Remove unused plugins
Deactivate and delete any plugins or themes you no longer use.
4
Run a security scan
Use our free WordPress security scanner to check your site for known vulnerabilities.
5
Monitor regularly
Set up uptime monitoring and periodic security scans to catch issues early.

Methodology

This report is compiled automatically from multiple trusted sources:

NIST National Vulnerability Database (NVD)
CVE records with CVSS severity scores
Wordfence Intelligence
WordPress-specific vulnerability data with patch information
Our Scanning Database
Vulnerabilities detected through active WordPress security scans

Vulnerabilities are deduplicated by CVE ID. Severity ratings follow the CVSS v3.x scoring system. This report is generated automatically and may not capture every vulnerability disclosed during the period.

Tags

vulnerabilitieswordpress-securityweekly-reportcve

Related Posts

Vulnerability Report

WordPress Vulnerability Report: May 17 – May 24, 2026

81 WordPress vulnerabilities disclosed between May 17 – May 24, 2026. 8 critical, 20 high severity. 2 patched, 79 unpatched.

WPSentry·May 24, 2026
Vulnerability Report

WordPress Vulnerability Report: May 9 – May 16, 2026

104 WordPress vulnerabilities disclosed between May 9 – May 16, 2026. 6 critical, 23 high severity. 1 patched, 103 unpatched.

WPSentry·May 24, 2026
Vulnerability Report

WordPress Vulnerability Report: May 1 – May 8, 2026

96 WordPress vulnerabilities disclosed between May 1 – May 8, 2026. 6 critical, 35 high severity. 1 patched, 95 unpatched.

WPSentry·May 24, 2026
Back to Blog