Vulnerability Report

WordPress Vulnerability Report: April 8 – April 15, 2026

106 WordPress vulnerabilities disclosed between April 8 – April 15, 2026. 6 critical, 18 high severity. 0 patched, 106 unpatched.

WPSentry | April 15, 2026 | 23 min read

During the reporting period (April 8 – April 15, 2026), 106 WordPress security vulnerabilities were disclosed across plugins, themes, and core. This report aggregates data from the NIST National Vulnerability Database, Wordfence Intelligence, and our own scanning database.

Summary

Total: 106
Critical: 6
High: 18
Medium: 82
Low: 0
Patched: 0

WordPress Plugin Vulnerabilities (106)

Everest Forms

critical
Vulnerability
Everest Forms — PHP Object Injection
Severity
critical Critical risk
Affected Versions
<=3.4.3
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Users manager – PN

critical
Vulnerability
Users manager – PN — Privilege Escalation
Severity
critical Critical risk
Affected Versions
<=1.1.15
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

DSGVO Google Web Fonts GDPR

critical
Vulnerability
DSGVO Google Web Fonts GDPR — Arbitrary file upload
Severity
critical Critical risk
Affected Versions
<=1.1
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

ProSolution WP Client

critical
Vulnerability
ProSolution WP Client — Arbitrary file uploads
Severity
critical Critical risk
Affected Versions
<=1.9.9
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Quick Playground

critical
Vulnerability
Quick Playground — Remote Code Execution
Severity
critical Critical risk
Affected Versions
<=1.3.1
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

LearnPress

critical
Vulnerability
LearnPress — Unauthorized data deletion
Severity
critical Critical risk
Affected Versions
<=4.3.2.8
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Product Feed PRO for WooCommerce by AdTribes – Product Feeds for WooCommerce

high
Vulnerability
Product Feed PRO for WooCommerce by AdTribes – Product Feeds for WooCommerce — Cross-Site Request Forgery
Severity
high High risk
Affected Versions
<=13.5.2.1
CVE Reference
Patch Status
No patch
Source
NVD

ActivityPub

high
Vulnerability
ActivityPub — Properly filter posts to be displayed
Severity
high High risk
Affected Versions
<=8.0.2
CVE Reference
Patch Status
No patch
Source
NVD

Gerador de Certificados – DevApps

high
Vulnerability
Gerador de Certificados – DevApps — Arbitrary file uploads
Severity
high High risk
Affected Versions
<=1.3.6
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Broken Link Checker

high
Vulnerability
Broken Link Checker — Blind SQL Injection
Severity
high High risk
Affected Versions
<=2.4.7
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Advanced Members for ACF

high
Vulnerability
Advanced Members for ACF — Arbitrary file deletion
Severity
high High risk
Affected Versions
<=1.2.5
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

MW WP Form

high
Vulnerability
MW WP Form — Arbitrary File Move/Read
Severity
high High risk
Affected Versions
<=5.1.1
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Vertex Addons for Elementor

high
Vulnerability
Vertex Addons for Elementor — Missing Authorization
Severity
high High risk
Affected Versions
<=1.6.4
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Tutor LMS – eLearning and online course solution

high
Vulnerability
Tutor LMS – eLearning and online course solution — An Insecure Direct Object Reference
Severity
high High risk
Affected Versions
<=3.9.7
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Perfmatters

high
Vulnerability
Perfmatters — Arbitrary file overwrite
Severity
high High risk
Affected Versions
<=2.5.9
CVE Reference
Patch Status
No patch
Source
NVD

Gravity SMTP

high
Vulnerability
Gravity SMTP — Missing Authorization
Severity
high High risk
Affected Versions
<=2.1.4
CVE Reference
Patch Status
No patch
Source
NVD

BuddyPress Groupblog

high
Vulnerability
BuddyPress Groupblog — Privilege Escalation
Severity
high High risk
Affected Versions
<=1.9.3
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Optimole – Optimize Images | Convert WebP & AVIF | CDN & Lazy Load | Image Optimization

high
Vulnerability
Optimole – Optimize Images | Convert WebP & AVIF | CDN & Lazy Load | Image Optimization — Stored Cross-Site Scripting
Severity
high High risk
Affected Versions
<=4.2.2
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

wpForo Forum

high
Vulnerability
wpForo Forum — Arbitrary File Deletion
Severity
high High risk
Affected Versions
<=3.0.2
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Product Filter for WooCommerce by WBW

high
Vulnerability
Product Filter for WooCommerce by WBW — Sanitize and escape a parameter before using it in a SQL statement
Severity
high High risk
Affected Versions
<=3.1.3
CVE Reference
Patch Status
No patch
Source
NVD

JetEngine

high
Vulnerability
JetEngine — SQL Injection
Severity
high High risk
Affected Versions
<=3.8.6.1
CVE Reference
Patch Status
No patch
Source
NVD

Form Maker by 10Web

high
Vulnerability
Form Maker by 10Web — Stored Cross-Site Scripting
Severity
high High risk
Affected Versions
<=1.15.40
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

BackWPup

high
Vulnerability
BackWPup — Local File Inclusion
Severity
high High risk
Affected Versions
<=5.6.6
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Smart Post Show – Post Grid, Post Carousel & Slider, and List Category Posts

high
Vulnerability
Smart Post Show – Post Grid, Post Carousel & Slider, and List Category Posts — PHP Object Injection
Severity
high High risk
Affected Versions
<=3.0.12
CVE Reference
Patch Status
No patch
Source
NVD

Hustle – Email Marketing, Lead Generation, Optins, Popups

medium
Vulnerability
Hustle – Email Marketing, Lead Generation, Optins, Popups — Unauthorized modification of data
Severity
medium Medium risk
Affected Versions
<=7.8.10.2
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Gravity Forms

medium
Vulnerability
Gravity Forms — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=2.9.30
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Download Monitor

medium
Vulnerability
Download Monitor — Cross-Site Request Forgery
Severity
medium Medium risk
Affected Versions
<=5.1.10
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Gravity Forms

medium
Vulnerability
Gravity Forms — Reflected Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=2.9.30
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Elementor Website Builder – More Than Just a Page Builder

medium
Vulnerability
Elementor Website Builder – More Than Just a Page Builder — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=3.35.5
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Blubrry PowerPress

medium
Vulnerability
Blubrry PowerPress — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=11.15.15
CVE Reference
Patch Status
No patch
Source
NVD

LightPress Lightbox

medium
Vulnerability
LightPress Lightbox — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=2.3.4
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Strong Testimonials

medium
Vulnerability
Strong Testimonials — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=3.2.21
CVE Reference
Patch Status
No patch
Source
NVD

TableOn – WordPress Posts Table Filterable

medium
Vulnerability
TableOn – WordPress Posts Table Filterable — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=1.0.4.4
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Investi

medium
Vulnerability
Investi — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=1.0.26
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

LTL Freight Quotes – R+L Carriers Edition

medium
Vulnerability
LTL Freight Quotes – R+L Carriers Edition — Missing Authorization
Severity
medium Medium risk
Affected Versions
<=3.3.13
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

MainWP Child Reports

medium
Vulnerability
MainWP Child Reports — Missing Authorization
Severity
medium Medium risk
Affected Versions
<=2.2.6
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

LearnPress – WordPress LMS Plugin

medium
Vulnerability
LearnPress – WordPress LMS Plugin — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=4.3.3
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Prime Slider – Addons for Elementor

medium
Vulnerability
Prime Slider – Addons for Elementor — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=4.1.10
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

LatePoint – Calendar Booking Plugin for Appointments and Events

medium
Vulnerability
LatePoint – Calendar Booking Plugin for Appointments and Events — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=5.3.0
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

The Plus Addons for Elementor – Addons for Elementor, Page Templates, Widgets, Mega Menu, WooCommerce

medium
Vulnerability
The Plus Addons for Elementor – Addons for Elementor, Page Templates, Widgets, Mega Menu, WooCommerce — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=6.4.9
CVE Reference
Patch Status
No patch
Source
NVD

AM LottiePlayer

medium
Vulnerability
AM LottiePlayer — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=3.6.0
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Whole Enquiry Cart for WooCommerce

medium
Vulnerability
Whole Enquiry Cart for WooCommerce — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=1.2.1
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Pinterest Site Verification plugin using Meta Tag

medium
Vulnerability
Pinterest Site Verification plugin using Meta Tag — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=1.8
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

PZ Frontend Manager

medium
Vulnerability
PZ Frontend Manager — Missing Authorization
Severity
medium Medium risk
Affected Versions
<=1.0.6
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

WP Blockade

medium
Vulnerability
WP Blockade — Missing Authorization
Severity
medium Medium risk
Affected Versions
<=0.9.14
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Riaxe Product Customizer

medium
Vulnerability
Riaxe Product Customizer — Sensitive Information Exposure
Severity
medium Medium risk
Affected Versions
<=2.4
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Columns by BestWebSoft

medium
Vulnerability
Columns by BestWebSoft — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=1.0.3
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Attendance Manager

medium
Vulnerability
Attendance Manager — SQL Injection
Severity
medium Medium risk
Affected Versions
<=0.6.2
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Quran Translations

medium
Vulnerability
Quran Translations — Cross-Site Request Forgery
Severity
medium Medium risk
Affected Versions
<=1.7
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Sports Club Management

medium
Vulnerability
Sports Club Management — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=1.12.9
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Masteriyo LMS – Online Course Builder for eLearning, LMS & Education

medium
Vulnerability
Masteriyo LMS – Online Course Builder for eLearning, LMS & Education — Authorization Bypass
Severity
medium Medium risk
Affected Versions
<=2.1.7
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Inquiry Form to Posts or Pages

medium
Vulnerability
Inquiry Form to Posts or Pages — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=1.0
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Wavr

medium
Vulnerability
Wavr — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=0.2.6
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

WowPress

medium
Vulnerability
WowPress — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=1.0.0
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Blog2Social: Social Media Auto Post & Scheduler

medium
Vulnerability
Blog2Social: Social Media Auto Post & Scheduler — Authorization bypass
Severity
medium Medium risk
Affected Versions
<=8.8.3
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Awesome Support – WordPress HelpDesk & Support Plugin

medium
Vulnerability
Awesome Support – WordPress HelpDesk & Support Plugin — Insecure Direct Object Reference
Severity
medium Medium risk
Affected Versions
<=6.3.7
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Element Pack Addons for Elementor

medium
Vulnerability
Element Pack Addons for Elementor — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=8.4.2
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Magic Conversation For Gravity Forms

medium
Vulnerability
Magic Conversation For Gravity Forms — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=3.0.97
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

JW Player

medium
Vulnerability
JW Player — Exploiting Incorrectly Configured Access Control Security Levels
Severity
medium Medium risk
Affected Versions
<=2.3.6
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

PrivateContent Free

medium
Vulnerability
PrivateContent Free — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=1.2.0
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

pdfl.io

medium
Vulnerability
pdfl.io — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=1.0.5
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Robo Gallery

medium
Vulnerability
Robo Gallery — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=5.1.3
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

WP Visitor Statistics (Real Time Traffic)

medium
Vulnerability
WP Visitor Statistics (Real Time Traffic) — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=8.4
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

BEAR – Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net

medium
Vulnerability
BEAR – Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net — Cross-Site Request Forgery
Severity
medium Medium risk
Affected Versions
<=1.1.5
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

BEAR – Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net

medium
Vulnerability
BEAR – Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net — Cross-Site Request Forgery
Severity
medium Medium risk
Affected Versions
<=1.1.5
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder

medium
Vulnerability
User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder — SQL Injection
Severity
medium Medium risk
Affected Versions
<=5.1.2
CVE Reference
Patch Status
No patch
Source
NVD

Beaver Builder Page Builder – Drag and Drop Website Builder

medium
Vulnerability
Beaver Builder Page Builder – Drag and Drop Website Builder — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=2.10.1.1
CVE Reference
Patch Status
No patch
Source
NVD

Page Builder: Pagelayer

medium
Vulnerability
Page Builder: Pagelayer — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=2.0.8
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Advanced Contact form 7 DB

medium
Vulnerability
Advanced Contact form 7 DB — Cross-Site Request Forgery
Severity
medium Medium risk
Affected Versions
<=2.0.9
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Advanced Contact form 7 DB

medium
Vulnerability
Advanced Contact form 7 DB — Unauthorized access of data
Severity
medium Medium risk
Affected Versions
<=2.0.9
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Extensions for Leaflet Map

medium
Vulnerability
Extensions for Leaflet Map — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=4.14
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Post Blocks & Tools

medium
Vulnerability
Post Blocks & Tools — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=1.3.0
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

MStore API

medium
Vulnerability
MStore API — Insecure Direct Object Reference
Severity
medium Medium risk
Affected Versions
<=4.18.3
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Experto Dashboard for WooCommerce

medium
Vulnerability
Experto Dashboard for WooCommerce — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=1.0.4
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Ziggeo

medium
Vulnerability
Ziggeo — Missing Authorization
Severity
medium Medium risk
Affected Versions
<=3.1.1
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

OSM – OpenStreetMap

medium
Vulnerability
OSM – OpenStreetMap — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=6.1.15
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Download Manager

medium
Vulnerability
Download Manager — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=3.3.52
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Ultimate FAQ Accordion

medium
Vulnerability
Ultimate FAQ Accordion — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=2.4.7
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

UsersWP

medium
Vulnerability
UsersWP — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=1.2.60
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Online Scheduling and Appointment Booking System – Bookly

medium
Vulnerability
Online Scheduling and Appointment Booking System – Bookly — Price manipulation
Severity
medium Medium risk
Affected Versions
<=27.0
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

List category posts

medium
Vulnerability
List category posts — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=0.94.0
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Webling

medium
Vulnerability
Webling — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=3.9.0
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Aruba HiSpeed Cache

medium
Vulnerability
Aruba HiSpeed Cache — Cross-Site Request Forgery
Severity
medium Medium risk
Affected Versions
<=3.0.4
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

WP-Optimize

medium
Vulnerability
WP-Optimize — Unauthorized access of functionality
Severity
medium Medium risk
Affected Versions
<=4.5.0
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Download Manager

medium
Vulnerability
Download Manager — Unauthorized modification of data
Severity
medium Medium risk
Affected Versions
<=3.3.51
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Royal WordPress Backup & Restore Plugin

medium
Vulnerability
Royal WordPress Backup & Restore Plugin — Reflected Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=1.0.16
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Customer Reviews for WooCommerce

medium
Vulnerability
Customer Reviews for WooCommerce — Authentication bypass
Severity
medium Medium risk
Affected Versions
<=5.103.0
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

UsersWP – Front-end login form, User Registration, User Profile & Members Directory

medium
Vulnerability
UsersWP – Front-end login form, User Registration, User Profile & Members Directory — Improper Access Control
Severity
medium Medium risk
Affected Versions
<=1.2.58
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

AddFunc Head & Footer Code

medium
Vulnerability
AddFunc Head & Footer Code — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=2.3
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

YML for Yandex Market

medium
Vulnerability
YML for Yandex Market — Remote Code Execution
Severity
medium Medium risk
Affected Versions
<=5.0.26
CVE Reference
Patch Status
No patch
Source
NVD

YITH WooCommerce Wishlist

medium
Vulnerability
YITH WooCommerce Wishlist — Properly validate wishlist ownership in the save_title() AJAX handler before
Severity
medium Medium risk
Affected Versions
<=4.13.0
CVE Reference
Patch Status
No patch
Source
NVD

Tutor LMS – eLearning and online course solution

medium
Vulnerability
Tutor LMS – eLearning and online course solution — Unauthorized private course enrollment
Severity
medium Medium risk
Affected Versions
<=3.9.7
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Tutor LMS – eLearning and online course solution

medium
Vulnerability
Tutor LMS – eLearning and online course solution — Insecure Direct Object Reference
Severity
medium Medium risk
Affected Versions
<=3.9.7
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

BlockArt Blocks

medium
Vulnerability
BlockArt Blocks — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=2.2.15
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

GreenShift - Animation and Page Builder Blocks

medium
Vulnerability
GreenShift - Animation and Page Builder Blocks — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=12.8.9
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WP

medium
Vulnerability
UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WP — Blind Server-Side Request Forgery
Severity
medium Medium risk
Affected Versions
<=1.2.58
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

LifterLMS

medium
Vulnerability
LifterLMS — SQL Injection
Severity
medium Medium risk
Affected Versions
<=9.2.1
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Optimole – Optimize Images in Real Time

medium
Vulnerability
Optimole – Optimize Images in Real Time — Reflected Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=4.2.3
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Form Maker by 10Web

medium
Vulnerability
Form Maker by 10Web — Properly prepare SQL queries when the "MySQL Mapping" feature is in use
Severity
medium Medium risk
Affected Versions
<=1.15.38
CVE Reference
Patch Status
No patch
Source
NVD

User Registration & Membership

medium
Vulnerability
User Registration & Membership — Open Redirect
Severity
medium Medium risk
Affected Versions
<=5.1.4
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Surbma | Booking.com Shortcode

medium
Vulnerability
Surbma | Booking.com Shortcode — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=2.1
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

ShopLentor

medium
Vulnerability
ShopLentor — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=3.3.5
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

WholeSale Products Dynamic Pricing Management WooCommerce

medium
Vulnerability
WholeSale Products Dynamic Pricing Management WooCommerce — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=1.2
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

The Germanized for WooCommerce

medium
Vulnerability
The Germanized for WooCommerce — Arbitrary shortcode execution
Severity
medium Medium risk
Affected Versions
<=3.20.5
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Eventin – Events Calendar, Event Booking, Ticket & Registration (AI Powered)

medium
Vulnerability
Eventin – Events Calendar, Event Booking, Ticket & Registration (AI Powered) — Unauthorized access of data
Severity
medium Medium risk
Affected Versions
<=4.1.8
CVE Reference
Patch Status
No patch
Source
NVD

Nexi XPay

medium
Vulnerability
Nexi XPay — Unauthorized modification of data
Severity
medium Medium risk
Affected Versions
<=8.3.0
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

WordPress Theme Vulnerabilities (0)

No vulnerabilities reported in this category this week.

WordPress Core Vulnerabilities (0)

No vulnerabilities reported in this category this week.

Recommendations

1. Update immediately: Install the latest versions of all plugins, themes, and WordPress core.
2. Enable auto-updates: Turn on automatic updates for minor WordPress releases and plugins where possible.
3. Remove unused plugins: Deactivate and delete any plugins or themes you no longer use.
4. Run a security scan: Use our free WordPress security scanner to check your site for known vulnerabilities.
5. Monitor regularly: Set up uptime monitoring and periodic security scans to catch issues early.

Methodology

This report is compiled automatically from multiple trusted sources:

NIST National Vulnerability Database (NVD): CVE records with CVSS severity scores
Wordfence Intelligence: WordPress-specific vulnerability data with patch information
Our Scanning Database: Vulnerabilities detected through active WordPress security scans
