Vulnerability Report

WordPress Vulnerability Report: February 12 – February 19, 2026

136 WordPress vulnerabilities were disclosed between February 12 and February 19, 2026: 6 critical, 27 high severity. 3 patched, 133 unpatched.

WPSentry | March 8, 2026 | 28 min read

During the reporting period (February 12 – February 19, 2026), 136 WordPress security vulnerabilities were disclosed across plugins, themes, and core. This report aggregates data from the NIST National Vulnerability Database, Wordfence Intelligence, and our own scanning database.

Summary

Total: 136
Critical: 6
High: 27
Medium: 100
Low: 3
Patched: 3

WordPress Plugin Vulnerabilities (134)

Prime Listing Manager

critical
Vulnerability
Prime Listing Manager — An attacker to gain administrative access without having any kind of account on the targeted site an
Severity
critical Critical risk
Affected Versions
<=1.1
CVE Reference
Patch Status
No patch
Source
NVD

midi-Synth

critical
Vulnerability
midi-Synth — Arbitrary file uploads
Severity
critical Critical risk
Affected Versions
<=1.1.0
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Truelysell Core

critical
Vulnerability
Truelysell Core — Privilege escalation
Severity
critical Critical risk
Affected Versions
all
CVE Reference
Patch Status
No patch
Source
NVD

Spam protection, Anti-Spam, FireWall by CleanTalk

critical
Vulnerability
Spam protection, Anti-Spam, FireWall by CleanTalk — Unauthorized Arbitrary Plugin Installation
Severity
critical Critical risk
Affected Versions
<=6.71
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

YayMail – WooCommerce Email Customizer

critical
Vulnerability
YayMail – WooCommerce Email Customizer — Unauthorized modification of data
Severity
critical Critical risk
Affected Versions
<=4.3.2
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

SureForms – Contact Form, Payment Form & Other Custom Form Builder

high
Vulnerability
SureForms – Drag and Drop Form Builder for WordPress <= 2.2.1 - Unauthenticated Stripe Payment Amount Manipulation
Severity
high High risk
Affected Versions
<=2.2.1
CVE Reference
N/A
Patch Status
2.2.2
Source
Wordfence
Plugin Page

Customer Reviews for WooCommerce

high
Vulnerability
Customer Reviews for WooCommerce — Stored Cross-Site Scripting
Severity
high High risk
Affected Versions
<=5.97.0
CVE Reference
Patch Status
No patch
Source
NVD

Secure Copy Content Protection and Content Locking

high
Vulnerability
Secure Copy Content Protection and Content Locking — Stored Cross-Site Scripting
Severity
high High risk
Affected Versions
<=4.9.8
CVE Reference
Patch Status
No patch
Source
NVD

FastDup – Fastest WordPress Migration & Duplicator

high
Vulnerability
FastDup – Fastest WordPress Migration & Duplicator — Unauthorized backup creation and download
Severity
high High risk
Affected Versions
<=2.7.1
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Starfish Review Generation & Marketing for WordPress

high
Vulnerability
Starfish Review Generation & Marketing for WordPress — Unauthorized modification of data
Severity
high High risk
Affected Versions
<=3.1.19
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

PixelYourSite – Your smart PIXEL (TAG) & API Manager

high
Vulnerability
PixelYourSite – Your smart PIXEL (TAG) & API Manager — Stored Cross-Site Scripting
Severity
high High risk
Affected Versions
<=11.2.0
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

PixelYourSite PRO

high
Vulnerability
PixelYourSite PRO — Stored Cross-Site Scripting
Severity
high High risk
Affected Versions
<=12.4.0.2
CVE Reference
Patch Status
No patch
Source
NVD

BlueSnap Payment Gateway for WooCommerce

high
Vulnerability
BlueSnap Payment Gateway for WooCommerce — Missing Authorization
Severity
high High risk
Affected Versions
<=3.3.0
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Magic Login Mail or QR Code

high
Vulnerability
Magic Login Mail or QR Code — Privilege Escalation
Severity
high High risk
Affected Versions
<=2.05
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

User Language Switch

high
Vulnerability
User Language Switch — Server-Side Request Forgery
Severity
high High risk
Affected Versions
<=1.6.10
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Super Simple Contact Form

high
Vulnerability
Super Simple Contact Form — Reflected Cross-Site Scripting
Severity
high High risk
Affected Versions
<=1.6.2
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Flexi Product Slider and Grid for WooCommerce

high
Vulnerability
Flexi Product Slider and Grid for WooCommerce — Local File Inclusion
Severity
high High risk
Affected Versions
<=1.0.5
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

PhotoStack Gallery

high
Vulnerability
PhotoStack Gallery — SQL Injection
Severity
high High risk
Affected Versions
<=0.4.1
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Super Page Cache

high
Vulnerability
Super Page Cache — Stored Cross-Site Scripting
Severity
high High risk
Affected Versions
<=5.2.2
CVE Reference
Patch Status
No patch
Source
NVD

Ecwid by Lightspeed Ecommerce Shopping Cart

high
Vulnerability
Ecwid by Lightspeed Ecommerce Shopping Cart — Privilege Escalation
Severity
high High risk
Affected Versions
<=7.0.7
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

WowRevenue

high
Vulnerability
WowRevenue — Unauthorized plugin installation
Severity
high High risk
Affected Versions
<=2.1.3
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

WP Maps – Store Locator,Google Maps,OpenStreetMap,Mapbox,Listing,Directory & Filters

high
Vulnerability
WP Maps – Store Locator,Google Maps,OpenStreetMap,Mapbox,Listing,Directory & Filters — Local File Inclusion
Severity
high High risk
Affected Versions
<=4.8.6
CVE Reference
Patch Status
No patch
Source
NVD

Zarinpal Gateway for WooCommerce

high
Vulnerability
Zarinpal Gateway for WooCommerce — Improper Access Control to Payment Status Update
Severity
high High risk
Affected Versions
<=5.0.16
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

RSS Aggregator

high
Vulnerability
RSS Aggregator — Reflected Cross-Site Scripting
Severity
high High risk
Affected Versions
<=5.0.10
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

ShopLentor – WooCommerce Builder for Elementor & Gutenberg +21 Modules – All in One Solution

high
Vulnerability
ShopLentor – WooCommerce Builder for Elementor & Gutenberg +21 Modules – All in One Solution — Email Relay Abuse
Severity
high High risk
Affected Versions
<=3.3.2
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Rent Fetch

high
Vulnerability
Rent Fetch — Stored Cross-Site Scripting
Severity
high High risk
Affected Versions
<=0.32.4
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Business Directory Plugin – Easy Listing Directories for WordPress

high
Vulnerability
Business Directory Plugin – Easy Listing Directories for WordPress — Time-based SQL Injection
Severity
high High risk
Affected Versions
<=6.4.2
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Video Conferencing with Zoom

high
Vulnerability
Video Conferencing with Zoom — CVE-2026-1368
Severity
high High risk
Affected Versions
<=4.6.6
CVE Reference
Patch Status
No patch
Source
NVD

Cart All In One For WooCommerce

high
Vulnerability
Cart All In One For WooCommerce — Code Injection
Severity
high High risk
Affected Versions
<=1.1.21
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Product Addons for Woocommerce – Product Options with Custom Fields

high
Vulnerability
Product Addons for Woocommerce – Product Options with Custom Fields — Code Injection
Severity
high High risk
Affected Versions
<=3.1.0
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

WPNakama – Team and multi-Client Collaboration, Editorial and Project Management

high
Vulnerability
WPNakama – Team and multi-Client Collaboration, Editorial and Project Management — SQL Injection
Severity
high High risk
Affected Versions
<=0.6.5
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Advanced AJAX Product Filters

high
Vulnerability
Advanced AJAX Product Filters — PHP Object Injection
Severity
high High risk
Affected Versions
<=3.1.9.6
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

User Submitted Posts – Enable Users to Submit Posts from the Front End

medium
Vulnerability
User Submitted Posts <= 20260113 - Incorrect Authorization to Unauthenticated Category Restriction Bypass via 'user-submitted-category' Parameter
Severity
medium Medium risk
Affected Versions
<=20260113
CVE Reference
Patch Status
20260217
Source
Wordfence
Plugin Page

SureForms – Contact Form, Payment Form & Other Custom Form Builder

medium
Vulnerability
SureForms <= 2.2.1 - Missing Authorization
Severity
medium Medium risk
Affected Versions
<=2.2.1
CVE Reference
N/A
Patch Status
2.2.2
Source
Wordfence
Plugin Page

LatePoint – Calendar Booking Plugin for Appointments and Events

medium
Vulnerability
LatePoint – Calendar Booking Plugin for Appointments and Events — Unauthorized access of data
Severity
medium Medium risk
Affected Versions
<=5.2.6
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Converter for Media – Optimize images | Convert WebP & AVIF

medium
Vulnerability
Converter for Media – Optimize images | Convert WebP & AVIF — Server-Side Request Forgery
Severity
medium Medium risk
Affected Versions
<=6.5.1
CVE Reference
Patch Status
No patch
Source
NVD

Activity Log for WordPress

medium
Vulnerability
Activity Log for WordPress — Unauthorized access of data
Severity
medium Medium risk
Affected Versions
<=1.2.8
CVE Reference
Patch Status
No patch
Source
NVD

RegistrationMagic

medium
Vulnerability
RegistrationMagic — CVE-2025-15520
Severity
medium Medium risk
Affected Versions
<=6.0.7.2
CVE Reference
Patch Status
No patch
Source
NVD

BFG Tools – Extension Zipper

medium
Vulnerability
BFG Tools – Extension Zipper — Path Traversal
Severity
medium Medium risk
Affected Versions
<=1.0.7
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

StickEasy Protected Contact Form

medium
Vulnerability
StickEasy Protected Contact Form — Sensitive Information Disclosure
Severity
medium Medium risk
Affected Versions
<=1.0.2
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Easy Form Builder

medium
Vulnerability
Easy Form Builder — Unauthorized access of data
Severity
medium Medium risk
Affected Versions
<=3.9.3
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

WP Last Modified Info

medium
Vulnerability
WP Last Modified Info — Insecure Direct Object Reference
Severity
medium Medium risk
Affected Versions
<=1.9.5
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Easy Voice Mail

medium
Vulnerability
Easy Voice Mail — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=1.2.5
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

personal-authors-category

medium
Vulnerability
personal-authors-category — Reflected Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=0.3
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Simple Wp colorfull Accordion

medium
Vulnerability
Simple Wp colorfull Accordion — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=1.0
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Citations tools

medium
Vulnerability
Citations tools — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=0.3.2
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

SEATT: Simple Event Attendance

medium
Vulnerability
SEATT: Simple Event Attendance — Cross-Site Request Forgery
Severity
medium Medium risk
Affected Versions
<=1.5.0
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

AMP Enhancer – Compatibility Layer for Official AMP

medium
Vulnerability
AMP Enhancer – Compatibility Layer for Official AMP — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=1.0.49
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Appointment Booking Calendar Plugin – Bookr

medium
Vulnerability
Appointment Booking Calendar Plugin – Bookr — Unauthorized modification of data
Severity
medium Medium risk
Affected Versions
<=1.0.2
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

MDirector Newsletter

medium
Vulnerability
MDirector Newsletter — Cross-Site Request Forgery
Severity
medium Medium risk
Affected Versions
<=4.5.8
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

LatePoint – Calendar Booking Plugin for Appointments and Events

medium
Vulnerability
LatePoint – Calendar Booking Plugin for Appointments and Events — Cross-Site Request Forgery
Severity
medium Medium risk
Affected Versions
<=5.2.5
CVE Reference
Patch Status
No patch
Source
NVD

Link Hopper

medium
Vulnerability
Link Hopper — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=2.5
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

One to one user Chat by WPGuppy

medium
Vulnerability
One to one user Chat by WPGuppy — Unauthorized access of data
Severity
medium Medium risk
Affected Versions
<=1.1.4
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

WP Data Access

medium
Vulnerability
WP Data Access — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=5.5.63
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

MasterStudy LMS WordPress Plugin – for Online Courses and Education

medium
Vulnerability
MasterStudy LMS WordPress Plugin – for Online Courses and Education — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=3.7.11
CVE Reference
Patch Status
No patch
Source
NVD

Allow HTML in Category Descriptions

medium
Vulnerability
Allow HTML in Category Descriptions — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=1.2.4
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Accordion and Accordion Slider

medium
Vulnerability
Accordion and Accordion Slider — Authorization bypass
Severity
medium Medium risk
Affected Versions
<=1.4.5
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

User Language Switch

medium
Vulnerability
User Language Switch — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=1.6.10
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Chatbot for WordPress by Collect.chat

medium
Vulnerability
Chatbot for WordPress by Collect.chat — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=2.4.8
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Payment Page | Payment Form for Stripe

medium
Vulnerability
Payment Page | Payment Form for Stripe — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=1.4.6
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Best-wp-google-map

medium
Vulnerability
Best-wp-google-map — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=2.1
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

ZoomifyWP Free

medium
Vulnerability
ZoomifyWP Free — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=1.1
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

MailChimp Campaigns

medium
Vulnerability
MailChimp Campaigns — Missing Authorization
Severity
medium Medium risk
Affected Versions
<=3.2.4
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

WP Quick Contact Us

medium
Vulnerability
WP Quick Contact Us — Cross-Site Request Forgery
Severity
medium Medium risk
Affected Versions
<=1.0
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Geo Widget

medium
Vulnerability
Geo Widget — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=1.0
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Address Bar Ads

medium
Vulnerability
Address Bar Ads — Reflected Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=1.0.0
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

StyleBidet

medium
Vulnerability
StyleBidet — Reflected Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=1.0.0
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

QuestionPro Surveys

medium
Vulnerability
QuestionPro Surveys — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=1.0
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Ravelry Designs Widget

medium
Vulnerability
Ravelry Designs Widget — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=1.0.0
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Sphere Manager

medium
Vulnerability
Sphere Manager — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=1.0.2
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

UpMenu – Online ordering for restaurants

medium
Vulnerability
UpMenu – Online ordering for restaurants — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=3.1
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Simple Plyr

medium
Vulnerability
Simple Plyr — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=0.0.1
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Percent to Infograph

medium
Vulnerability
Percent to Infograph — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=1.0
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

CallbackKiller service widget

medium
Vulnerability
CallbackKiller service widget — Unauthorized modification of data
Severity
medium Medium risk
Affected Versions
<=1.2
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Press3D

medium
Vulnerability
Press3D — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=1.0.2
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Scheduler Widget

medium
Vulnerability
Scheduler Widget — Insecure Direct Object Reference
Severity
medium Medium risk
Affected Versions
<=0.1.6
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Smart Forms

medium
Vulnerability
Smart Forms — Unauthorized access of data
Severity
medium Medium risk
Affected Versions
<=2.6.99
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

myCred

medium
Vulnerability
myCred — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=2.9.7.3
CVE Reference
Patch Status
No patch
Source
NVD

MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar

medium
Vulnerability
MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar — Server-Side Request Forgery
Severity
medium Medium risk
Affected Versions
all
CVE Reference
Patch Status
No patch
Source
NVD

Modula Image Gallery – Photo Grid & Video Gallery

medium
Vulnerability
Modula Image Gallery – Photo Grid & Video Gallery — Authorization bypass
Severity
medium Medium risk
Affected Versions
<=2.13.6
CVE Reference
Patch Status
No patch
Source
NVD

Mail Mint

medium
Vulnerability
Mail Mint — Blind SQL Injection
Severity
medium Medium risk
Affected Versions
<=1.19.2
CVE Reference
Patch Status
No patch
Source
NVD

Essential Addons for Elementor – Popular Elementor Templates & Widgets

medium
Vulnerability
Essential Addons for Elementor – Popular Elementor Templates & Widgets — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=6.5.9
CVE Reference
Patch Status
No patch
Source
NVD

Media Library Folders

medium
Vulnerability
Media Library Folders — Insecure Direct Object Reference
Severity
medium Medium risk
Affected Versions
<=8.3.6
CVE Reference
Patch Status
No patch
Source
NVD

Element Pack Addons for Elementor

medium
Vulnerability
Element Pack Addons for Elementor — Arbitrary file reads
Severity
medium Medium risk
Affected Versions
<=8.3.17
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

RegistrationMagic

medium
Vulnerability
RegistrationMagic — Have proper capability checks
Severity
medium Medium risk
Affected Versions
<=6.0.7.2
CVE Reference
Patch Status
No patch
Source
NVD

Forminator Forms – Contact Form, Payment Form & Custom Form Builder

medium
Vulnerability
Forminator Forms – Contact Form, Payment Form & Custom Form Builder — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=1.50.2
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

EventPrime

medium
Vulnerability
EventPrime — Unauthorized image file upload
Severity
medium Medium risk
Affected Versions
<=4.2.8.4
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Frontend File Manager Plugin

medium
Vulnerability
Frontend File Manager Plugin — Unauthenticated users to send emails through the site without any security checks. This lets attacke
Severity
medium Medium risk
Affected Versions
<=23.5
CVE Reference
Patch Status
No patch
Source
NVD

Kadence Blocks — Page Builder Toolkit for Gutenberg Editor

medium
Vulnerability
Kadence Blocks — Page Builder Toolkit for Gutenberg Editor — Unauthorized access
Severity
medium Medium risk
Affected Versions
<=3.5.32
CVE Reference
Patch Status
No patch
Source
NVD

WP 404 Auto Redirect to Similar Post

medium
Vulnerability
WP 404 Auto Redirect to Similar Post — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=1.0.5
CVE Reference
Patch Status
No patch
Source
NVD

Frontend User Notes

medium
Vulnerability
Frontend User Notes — Insecure Direct Object Reference
Severity
medium Medium risk
Affected Versions
<=2.1.0
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Order Splitter for WooCommerce

medium
Vulnerability
Order Splitter for WooCommerce — Unauthorized access of data
Severity
medium Medium risk
Affected Versions
<=5.3.5
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Filestack

medium
Vulnerability
Filestack — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=2.0.8
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Display During Conditional Shortcode

medium
Vulnerability
Display During Conditional Shortcode — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=1.2
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

URL Shortify

medium
Vulnerability
URL Shortify — Open Redirect
Severity
medium Medium risk
Affected Versions
<=1.12.1
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Frontend Post Submission Manager Lite

medium
Vulnerability
Frontend Post Submission Manager Lite — Open Redirection
Severity
medium Medium risk
Affected Versions
<=1.2.7
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

EmailKit – Email Customizer for WooCommerce & WP

medium
Vulnerability
EmailKit – Email Customizer for WooCommerce & WP — Unauthorized data modification
Severity
medium Medium risk
Affected Versions
<=1.6.2
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

VK All in One Expansion Unit

medium
Vulnerability
VK All in One Expansion Unit — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=9.112.3
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Popup Box – Easily Create WordPress Popups

medium
Vulnerability
Popup Box – Easily Create WordPress Popups — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=3.2.12
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Tickera – Sell Tickets & Manage Events

medium
Vulnerability
Tickera – Sell Tickets & Manage Events — Unauthorized modification of data
Severity
medium Medium risk
Affected Versions
<=3.5.6.4
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Keybase.io Verification

medium
Vulnerability
Keybase.io Verification — Cross-Site Request Forgery
Severity
medium Medium risk
Affected Versions
<=1.4.5
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Taskbuilder – WordPress Project Management & Task Management

medium
Vulnerability
Taskbuilder – WordPress Project Management & Task Management — Time-based blind SQL Injection
Severity
medium Medium risk
Affected Versions
<=5.0.2
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

PDF Invoices & Packing Slips for WooCommerce

medium
Vulnerability
PDF Invoices & Packing Slips for WooCommerce — Insecure Direct Object Reference
Severity
medium Medium risk
Affected Versions
<=5.6.0
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

WP Plugin Info Card

medium
Vulnerability
WP Plugin Info Card — Cross-Site Request Forgery
Severity
medium Medium risk
Affected Versions
<=6.2.0
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Taskbuilder – WordPress Project Management & Task Management

medium
Vulnerability
Taskbuilder – WordPress Project Management & Task Management — Authorization bypass
Severity
medium Medium risk
Affected Versions
<=5.0.2
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Download Manager

medium
Vulnerability
Download Manager — Reflected Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=3.3.46
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

InteractiveCalculator for WordPress

medium
Vulnerability
InteractiveCalculator for WordPress — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=1.0.3
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Gutenberg Blocks with AI by Kadence WP

medium
Vulnerability
Gutenberg Blocks with AI by Kadence WP — Server-Side Request Forgery
Severity
medium Medium risk
Affected Versions
<=3.6.1
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Private Comment

medium
Vulnerability
Private Comment — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=0.0.4
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Gutenberg Blocks with AI by Kadence WP

medium
Vulnerability
Gutenberg Blocks with AI by Kadence WP — Missing Authorization
Severity
medium Medium risk
Affected Versions
<=3.6.1
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

EventPrime

medium
Vulnerability
EventPrime — Unauthorized post modification
Severity
medium Medium risk
Affected Versions
<=4.2.8.4
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Kali Forms

medium
Vulnerability
Kali Forms — Insecure Direct Object Reference
Severity
medium Medium risk
Affected Versions
<=2.4.8
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

YayMail – WooCommerce Email Customizer

medium
Vulnerability
YayMail – WooCommerce Email Customizer — Unauthorized license key deletion
Severity
medium Medium risk
Affected Versions
<=4.3.2
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

YayMail – WooCommerce Email Customizer

medium
Vulnerability
YayMail – WooCommerce Email Customizer — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=4.3.2
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Dam Spam

medium
Vulnerability
Dam Spam — Cross-Site Request Forgery
Severity
medium Medium risk
Affected Versions
<=1.0.8
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Community Events

medium
Vulnerability
Community Events — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=1.5.7
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Business Directory

medium
Vulnerability
Business Directory — Authorization bypass
Severity
medium Medium risk
Affected Versions
<=6.4.20
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

WP Event Aggregator

medium
Vulnerability
WP Event Aggregator — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=1.8.7
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

SiteOrigin Widgets Bundle

medium
Vulnerability
SiteOrigin Widgets Bundle — Unauthorized arbitrary shortcode execution
Severity
medium Medium risk
Affected Versions
<=1.70.4
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Complianz – GDPR/CCPA Cookie Consent

medium
Vulnerability
Complianz – GDPR/CCPA Cookie Consent — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=7.4.3
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Video Share VOD – Turnkey Video Site Builder Script

medium
Vulnerability
Video Share VOD – Turnkey Video Site Builder Script — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=2.7.11
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

User Submitted Posts – Enable Users to Submit Posts from the Front End

medium
Vulnerability
User Submitted Posts – Enable Users to Submit Posts from the Front End — Incorrect Authorization
Severity
medium Medium risk
Affected Versions
<=20260113
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login

medium
Vulnerability
RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login — Payment bypass
Severity
medium Medium risk
Affected Versions
<=6.0.6.9
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Blog2Social: Social Media Auto Post & Scheduler

medium
Vulnerability
Blog2Social: Social Media Auto Post & Scheduler — Unauthorized modification of data
Severity
medium Medium risk
Affected Versions
<=8.7.4
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

WP-DownloadManager

medium
Vulnerability
WP-DownloadManager — Path Traversal
Severity
medium Medium risk
Affected Versions
<=1.69
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Brevo - Email, SMS, Web Push, Chat, and more.

medium
Vulnerability
Brevo - Email, SMS, Web Push, Chat, and more. — Authorization bypass
Severity
medium Medium risk
Affected Versions
<=3.3.0
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Bookster – WordPress Appointment Booking Plugin

medium
Vulnerability
Bookster – WordPress Appointment Booking Plugin — SQL Injection
Severity
medium Medium risk
Affected Versions
<=2.1.1
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

WP Import – Ultimate CSV XML Importer for WordPress

medium
Vulnerability
WP Import – Ultimate CSV XML Importer for WordPress — SQL Injection
Severity
medium Medium risk
Affected Versions
<=7.37
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

The Plus Addons for Elementor – Addons for Elementor, Page Templates, Widgets, Mega Menu, WooCommerce

medium
Vulnerability
The Plus Addons for Elementor – Addons for Elementor, Page Templates, Widgets, Mega Menu, WooCommerce — Incorrect Authorization
Severity
medium Medium risk
Affected Versions
<=6.4.7
CVE Reference
Patch Status
No patch
Source
NVD

Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin

medium
Vulnerability
Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin — Reflected Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=2.11.1
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Booking Calendar

medium
Vulnerability
Booking Calendar — Insecure Direct Object Reference
Severity
medium Medium risk
Affected Versions
<=10.14.14
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

YayMail - WooCommerce Email Customizer

low
Vulnerability
YayMail - WooCommerce Email Customizer — Unauthorized plugin installation and activation
Severity
low Low risk
Affected Versions
<=4.3.2
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

WP-DownloadManager

low
Vulnerability
WP-DownloadManager — Path Traversal
Severity
low Low risk
Affected Versions
<=1.69
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

WP All Export

low
Vulnerability
WP All Export — Sensitive Information Exposure
Severity
low Low risk
Affected Versions
<=1.4.14
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

WordPress Theme Vulnerabilities (2)

AdForest

critical
Vulnerability
AdForest — Authentication bypass
Severity
critical Critical risk
Affected Versions
<=6.0.12
CVE Reference
Patch Status
No patch
Source
NVD

Context Blog

medium
Vulnerability
Context Blog — Information Exposure
Severity
medium Medium risk
Affected Versions
<=1.2.5
CVE Reference
Patch Status
No patch
Source
NVD

WordPress Core Vulnerabilities (0)

No vulnerabilities reported in this category this week.

Recommendations

1. Update immediately: Install the latest versions of all plugins, themes, and WordPress core.
2. Enable auto-updates: Turn on automatic updates for minor WordPress releases and plugins where possible.
3. Remove unused plugins: Deactivate and delete any plugins or themes you no longer use.
4. Run a security scan: Use our free WordPress security scanner to check your site for known vulnerabilities.
5. Monitor regularly: Set up uptime monitoring and periodic security scans to catch issues early.

Methodology

This report is compiled automatically from multiple trusted sources:

NIST National Vulnerability Database (NVD): CVE records with CVSS severity scores
Wordfence Intelligence: WordPress-specific vulnerability data with patch information
Our Scanning Database: Vulnerabilities detected through active WordPress security scans
