WordPress Vulnerability Report: February 19 – February 26, 2026

106 WordPress vulnerabilities disclosed between February 19 – February 26, 2026. 7 critical, 21 high severity. 1 patched, 105 unpatched.

WPSentry | March 8, 2026 | 23 min read

During the reporting period (February 19 – February 26, 2026), 106 WordPress security vulnerabilities were disclosed across plugins, themes, and core. This report aggregates data from the NIST National Vulnerability Database, Wordfence Intelligence, and our own scanning database.

Summary

Total: 106
Critical: 7
High: 21
Medium: 77
Low: 1
Patched: 1

WordPress Plugin Vulnerabilities (96)

Clasifico Listing

critical
Vulnerability
Clasifico Listing — Privilege escalation
Severity
critical Critical risk
Affected Versions
<=2.0
CVE Reference
Patch Status
No patch
Source
NVD

Lizza LMS Pro

critical
Vulnerability
Lizza LMS Pro — Privilege Escalation
Severity
critical Critical risk
Affected Versions
<=1.0.3
CVE Reference
Patch Status
No patch
Source
NVD

Buyent Classified

critical
Vulnerability
Buyent Classified — Privilege escalation
Severity
critical Critical risk
Affected Versions
<=1.0.7
CVE Reference
Patch Status
No patch
Source
NVD

Prodigy Commerce

critical
Vulnerability
Prodigy Commerce — Local File Inclusion
Severity
critical Critical risk
Affected Versions
<=3.2.9
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Slider Future

critical
Vulnerability
Slider Future — Arbitrary file uploads
Severity
critical Critical risk
Affected Versions
<=1.0.5
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

s2Member

critical
Vulnerability
s2Member — Privilege escalation
Severity
critical Critical risk
Affected Versions
<=260127
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

ElementsKit Elementor Addons – Advanced Widgets & Templates Addons for Elementor

critical
Vulnerability
ElementsKit Elementor Addons – Advanced Widgets & Templates Addons for Elementor — CVE-2026-23693
Severity
critical Critical risk
Affected Versions
<=3.7.9
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

GDPR Cookie Consent

high
Vulnerability
GDPR Cookie Consent — Unauthorized access of data
Severity
high High risk
Affected Versions
<=4.1.2
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Library Management System

high
Vulnerability
Library Management System — SQL Injection
Severity
high High risk
Affected Versions
<=3.2.1
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Tablesome Table – Contact Form DB – WPForms, CF7, Gravity, Forminator, Fluent

high
Vulnerability
Tablesome Table – Contact Form DB – WPForms, CF7, Gravity, Forminator, Fluent — Unauthorized access of data
Severity
high High risk
Affected Versions
all
CVE Reference
Patch Status
No patch
Source
NVD

CTX Feed – WooCommerce Product Feed Manager

high
Vulnerability
CTX Feed – WooCommerce Product Feed Manager — Unauthorized arbitrary plugin installation
Severity
high High risk
Affected Versions
<=6.6.11
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

WP AUDIO GALLERY

high
Vulnerability
WP AUDIO GALLERY — Unauthorized Arbitrary File Read
Severity
high High risk
Affected Versions
<=2.0
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

WP Customer Reviews

high
Vulnerability
WP Customer Reviews — Reflected Cross-Site Scripting
Severity
high High risk
Affected Versions
<=3.7.5
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

BackWPup – WordPress Backup & Restore Plugin

high
Vulnerability
BackWPup – WordPress Backup & Restore Plugin — Unauthorized modification of data
Severity
high High risk
Affected Versions
<=5.6.2
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

IDonate – Blood Donation, Request And Donor Management System

high
Vulnerability
IDonate – Blood Donation, Request And Donor Management System — Privilege Escalation
Severity
high High risk
Affected Versions
all
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Toret Manager

high
Vulnerability
Toret Manager — Unauthorized modification of data
Severity
high High risk
Affected Versions
<=1.2.7
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Orderable – WordPress Restaurant Online Ordering System and Food Ordering Plugin

high
Vulnerability
Orderable – WordPress Restaurant Online Ordering System and Food Ordering Plugin — Unauthorized plugin installation
Severity
high High risk
Affected Versions
<=1.20.0
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Sales Countdown Timer for WooCommerce and WordPress

high
Vulnerability
Sales Countdown Timer for WooCommerce and WordPress — PHP Local File Inclusion
Severity
high High risk
Affected Versions
<=1.1.8.1
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

wpForo Forum

high
Vulnerability
wpForo Forum — Time-based SQL Injection
Severity
high High risk
Affected Versions
<=2.4.14
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Product Table and List Builder for WooCommerce Lite

high
Vulnerability
Product Table and List Builder for WooCommerce Lite — Time-based SQL Injection
Severity
high High risk
Affected Versions
<=4.6.2
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Responsive Lightbox & Gallery

high
Vulnerability
Responsive Lightbox & Gallery — An Unauthenticated Stored-XSS attack
Severity
high High risk
Affected Versions
<=2.6.1
CVE Reference
Patch Status
No patch
Source
NVD

WPGSI: Spreadsheet Integration

high
Vulnerability
WPGSI: Spreadsheet Integration — Unauthorized modification and loss of data
Severity
high High risk
Affected Versions
<=3.8.3
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Advanced Woo Labels

high
Vulnerability
Advanced Woo Labels — Remote Code Execution
Severity
high High risk
Affected Versions
<=2.37
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Geo Mashup

high
Vulnerability
Geo Mashup — SQL Injection
Severity
high High risk
Affected Versions
<=1.13.17
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

ListingPro Plugin

medium
Vulnerability
ListingPro Plugin <= 2.9.8 - Reflected Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=2.9.8
CVE Reference
Patch Status
No patch
Source
Wordfence
Plugin Page

WPZOOM Addons for Elementor – Starter Templates & Widgets

medium
Vulnerability
WPZOOM Addons for Elementor – Starter Templates & Widgets <= 1.3.4 - Unauthenticated Reflected Cross-Site Scripting via 'title_tag' Parameter
Severity
medium Medium risk
Affected Versions
<=1.3.4
CVE Reference
N/A
Patch Status
1.3.5
Source
Wordfence
Plugin Page

Aruba HiSpeed Cache

medium
Vulnerability
Aruba HiSpeed Cache — Reflected Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=3.0.2
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Aruba HiSpeed Cache

medium
Vulnerability
Aruba HiSpeed Cache — Unauthorized modification of data
Severity
medium Medium risk
Affected Versions
<=3.0.2
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Mesmerize Companion

medium
Vulnerability
Mesmerize Companion — Unauthorized access and modification of data
Severity
medium Medium risk
Affected Versions
<=1.6.158
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

ACF Photo Gallery Field

medium
Vulnerability
ACF Photo Gallery Field — Unauthorized modification of data
Severity
medium Medium risk
Affected Versions
<=3.0
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Mailchimp List Subscribe Form

medium
Vulnerability
Mailchimp List Subscribe Form — Cross-Site Request Forgery
Severity
medium Medium risk
Affected Versions
<=2.0.0
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Printful Integration for WooCommerce

medium
Vulnerability
Printful Integration for WooCommerce — Server-Side Request Forgery
Severity
medium Medium risk
Affected Versions
<=2.2.11
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Smartsupp – live chat, AI shopping assistant and chatbots

medium
Vulnerability
Smartsupp – live chat, AI shopping assistant and chatbots — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=3.9.1
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Easy SVG Support

medium
Vulnerability
Easy SVG Support — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=4.0
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Checkout Field Manager (Checkout Manager) for WooCommerce

medium
Vulnerability
Checkout Field Manager (Checkout Manager) for WooCommerce — Unauthenticated limited file upload
Severity
medium Medium risk
Affected Versions
<=7.8.1
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Advanced Ads – Ad Manager & AdSense

medium
Vulnerability
Advanced Ads – Ad Manager & AdSense — Authorization bypass
Severity
medium Medium risk
Affected Versions
<=2.0.14
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

StatCounter – Free Real Time Visitor Stats

medium
Vulnerability
StatCounter – Free Real Time Visitor Stats — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=2.1.0
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Popup Builder – Create highly converting, mobile friendly marketing popups.

medium
Vulnerability
Popup Builder – Create highly converting, mobile friendly marketing popups. — Authorization bypass
Severity
medium Medium risk
Affected Versions
<=4.4.2
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Web Accessibility by accessiBe

medium
Vulnerability
Web Accessibility by accessiBe — Sensitive Information Exposure
Severity
medium Medium risk
Affected Versions
<=2.11
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Country Blocker for AdSense

medium
Vulnerability
Country Blocker for AdSense — Cross-Site Request Forgery
Severity
medium Medium risk
Affected Versions
<=1.0
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Page Title, Description & Open Graph Updater

medium
Vulnerability
Page Title, Description & Open Graph Updater — Cross-Site Request Forgery
Severity
medium Medium risk
Affected Versions
<=1.02
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Two Factor (2FA) Authentication via Email

medium
Vulnerability
Two Factor (2FA) Authentication via Email — Two-Factor Authentication Bypass
Severity
medium Medium risk
Affected Versions
<=1.9.8
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Album and Image Gallery plus Lightbox

medium
Vulnerability
Album and Image Gallery plus Lightbox — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=2.1.7
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Apollo13 Framework Extensions

medium
Vulnerability
Apollo13 Framework Extensions — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=1.9.8
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

s2Member – Excellent for All Kinds of Memberships, Content Restriction Paywalls & Member Access Subscriptions

medium
Vulnerability
s2Member – Excellent for All Kinds of Memberships, Content Restriction Paywalls & Member Access Subscriptions — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=251005
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Easy Table of Contents

medium
Vulnerability
Easy Table of Contents — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=2.0.78
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Breadcrumb NavXT

medium
Vulnerability
Breadcrumb NavXT — Authorization bypass
Severity
medium Medium risk
Affected Versions
<=7.5.0
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Breeze - WordPress Cache Plugin

medium
Vulnerability
Breeze - WordPress Cache Plugin — Unauthorized cache clearing
Severity
medium Medium risk
Affected Versions
<=2.2.21
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Checkout Field Manager (Checkout Manager) for WooCommerce

medium
Vulnerability
Checkout Field Manager (Checkout Manager) for WooCommerce — Authorization bypass
Severity
medium Medium risk
Affected Versions
<=7.8.5
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

iXML – Google XML sitemap generator

medium
Vulnerability
iXML – Google XML sitemap generator — Reflected Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=0.6
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Remove Post Type Slug

medium
Vulnerability
Remove Post Type Slug — Cross-Site Request Forgery
Severity
medium Medium risk
Affected Versions
<=1.0.2
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Razorpay for WooCommerce

medium
Vulnerability
Razorpay for WooCommerce — Unauthorized modification of data
Severity
medium Medium risk
Affected Versions
<=4.7.8
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

SEO Plugin by Squirrly SEO

medium
Vulnerability
SEO Plugin by Squirrly SEO — Unauthorized modification of data
Severity
medium Medium risk
Affected Versions
<=12.4.14
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Shield Security: Blocks Bots, Protects Users, and Prevents Security Breaches

medium
Vulnerability
Shield Security: Blocks Bots, Protects Users, and Prevents Security Breaches — Unauthorized modification of data
Severity
medium Medium risk
Affected Versions
<=21.0.9
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Image Hotspot by DevVN

medium
Vulnerability
Image Hotspot by DevVN — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=1.2.9
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

YaMaps for WordPress

medium
Vulnerability
YaMaps for WordPress — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=0.6.40
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Virusdie - One-click website security

medium
Vulnerability
Virusdie - One-click website security — Sensitive Information Exposure
Severity
medium Medium risk
Affected Versions
<=1.1.7
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Advanced Custom Fields: Font Awesome Field

medium
Vulnerability
Advanced Custom Fields: Font Awesome Field — Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=5.0.1
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Groups

medium
Vulnerability
Groups — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=3.10.0
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

XO Event Calendar

medium
Vulnerability
XO Event Calendar — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=3.2.10
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Shield Security

medium
Vulnerability
Shield Security — Reflected Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=21.0.8
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Shield Security

medium
Vulnerability
Shield Security — Cross-Site Request Forgery
Severity
medium Medium risk
Affected Versions
<=21.0.8
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

PostmarkApp Email Integrator

medium
Vulnerability
PostmarkApp Email Integrator — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=2.4
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Tennis Court Bookings

medium
Vulnerability
Tennis Court Bookings — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=1.2.7
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

salavat counter Plugin

medium
Vulnerability
salavat counter Plugin — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=0.9.5
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

TalkJS

medium
Vulnerability
TalkJS — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=0.1.15
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Easy Author Image

medium
Vulnerability
Easy Author Image — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=1.7
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Whatsiplus Scheduled Notification for Woocommerce

medium
Vulnerability
Whatsiplus Scheduled Notification for Woocommerce — Cross-Site Request Forgery
Severity
medium Medium risk
Affected Versions
<=1.0.1
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Advance Block Extend

medium
Vulnerability
Advance Block Extend — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=1.0.4
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Slidorion

medium
Vulnerability
Slidorion — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=1.0.2
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

News Element Elementor Blog Magazine

medium
Vulnerability
News Element Elementor Blog Magazine — Missing Authorization
Severity
medium Medium risk
Affected Versions
<=1.0.8
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

xmlrpc attacks blocker

medium
Vulnerability
xmlrpc attacks blocker — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=1.0
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Dealia – Request a quote

medium
Vulnerability
Dealia – Request a quote — Unauthorized modification of data
Severity
medium Medium risk
Affected Versions
<=1.0.6
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

rtMedia for WordPress, BuddyPress and bbPress

medium
Vulnerability
rtMedia for WordPress, BuddyPress and bbPress — Retrieve Embedded Sensitive Data
Severity
medium Medium risk
Affected Versions
<=4.7.8
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Update URLs – Quick and Easy way to search old links and replace them with new links in WordPress

medium
Vulnerability
Update URLs – Quick and Easy way to search old links and replace them with new links in WordPress — Phishing
Severity
medium Medium risk
Affected Versions
<=1.4.0
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar

medium
Vulnerability
MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar — Insecure Direct Object Reference
Severity
medium Medium risk
Affected Versions
all
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Simple Membership

medium
Vulnerability
Simple Membership — Improper Handling of Missing Values
Severity
medium Medium risk
Affected Versions
<=4.7.0
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Client Testimonial Slider

medium
Vulnerability
Client Testimonial Slider — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=2.0
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Dealia – Request a Quote

medium
Vulnerability
Dealia – Request a Quote — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=1.0.6
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Quiz Maker

medium
Vulnerability
Quiz Maker — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=6.7.1.7
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Master Addons For Elementor

medium
Vulnerability
Master Addons For Elementor — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=2.1.1
CVE Reference
Patch Status
No patch
Source
NVD

GA4WP: Google Analytics

medium
Vulnerability
GA4WP: Google Analytics — Exploiting Incorrectly Configured Access Control Security Levels
Severity
medium Medium risk
Affected Versions
<=2.10.0
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

ELEX WordPress HelpDesk & Customer Ticketing System

medium
Vulnerability
ELEX WordPress HelpDesk & Customer Ticketing System — Exploiting Incorrectly Configured Access Control Security Levels
Severity
medium Medium risk
Affected Versions
<=3.3.5
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

weMail - Email Marketing, Lead Generation, Optin Forms, Email Newsletters, A/B Testing, and Automation

medium
Vulnerability
weMail - Email Marketing, Lead Generation, Optin Forms, Email Newsletters, A/B Testing, and Automation — Unauthorized form deletion
Severity
medium Medium risk
Affected Versions
<=2.0.7
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

LearnPress Export Import – WordPress extension for LearnPress

medium
Vulnerability
LearnPress Export Import – WordPress extension for LearnPress — Unauthorized loss of data
Severity
medium Medium risk
Affected Versions
<=4.1.0
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Conditional CAPTCHA

medium
Vulnerability
Conditional CAPTCHA — Validate a parameter before redirecting the user to its value
Severity
medium Medium risk
Affected Versions
<=4.0.0
CVE Reference
Patch Status
No patch
Source
NVD

The Plus Addons for Elementor – Addons for Elementor, Page Templates, Widgets, Mega Menu, WooCommerce

medium
Vulnerability
The Plus Addons for Elementor – Addons for Elementor, Page Templates, Widgets, Mega Menu, WooCommerce — Insufficient Verification of Data Authenticity
Severity
medium Medium risk
Affected Versions
<=6.4.7
CVE Reference
Patch Status
No patch
Source
NVD

Aruba HiSpeed Cache

medium
Vulnerability
Aruba HiSpeed Cache — CVE-2026-23694
Severity
medium Medium risk
Affected Versions
<=3.0.5
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Rise Blocks – A Complete Gutenberg Page Builder

medium
Vulnerability
Rise Blocks – A Complete Gutenberg Page Builder — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=3.7
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Responsive Lightbox & Gallery

medium
Vulnerability
Responsive Lightbox & Gallery — Server-Side Request Forgery
Severity
medium Medium risk
Affected Versions
<=2.7.1
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

WP Recipe Maker

medium
Vulnerability
WP Recipe Maker — Unauthorized access of data
Severity
medium Medium risk
Affected Versions
<=10.2.3
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Post Duplicator

medium
Vulnerability
Post Duplicator — Unauthorized arbitrary protected post meta insertion
Severity
medium Medium risk
Affected Versions
<=3.0.8
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Secure Copy Content Protection and Content Locking

medium
Vulnerability
Secure Copy Content Protection and Content Locking — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=5.0.1
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Disable Admin Notices – Hide Dashboard Notifications

medium
Vulnerability
Disable Admin Notices – Hide Dashboard Notifications — Cross-Site Request Forgery
Severity
medium Medium risk
Affected Versions
<=1.4.2
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

The Events Calendar

medium
Vulnerability
The Events Calendar — Unauthorized modification of data and loss of data
Severity
medium Medium risk
Affected Versions
<=6.15.16
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

OneClick Chat to Order

low
Vulnerability
OneClick Chat to Order — Authorization bypass
Severity
low Low risk
Affected Versions
<=1.0.9
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

WordPress Theme Vulnerabilities (10)

NewsBlogger

high
Vulnerability
NewsBlogger — Cross-Site Request Forgery
Severity
high High risk
Affected Versions
all
CVE Reference
Patch Status
No patch
Source
NVD

Oyster - Photography

high
Vulnerability
Oyster - Photography — DOM-Based XSS
Severity
high High risk
Affected Versions
<=4.4.3
CVE Reference
Patch Status
No patch
Source
NVD

SOHO - Photography

high
Vulnerability
SOHO - Photography — DOM-Based XSS
Severity
high High risk
Affected Versions
<=3.0.3
CVE Reference
Patch Status
No patch
Source
NVD

PawFriends - Pet Shop and Veterinary

high
Vulnerability
PawFriends - Pet Shop and Veterinary — PHP Local File Inclusion
Severity
high High risk
Affected Versions
<=1.3
CVE Reference
Patch Status
No patch
Source
NVD

Drift

medium
Vulnerability
Drift — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=1.5.0
CVE Reference
Patch Status
No patch
Source
NVD

Renden

medium
Vulnerability
Renden — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=1.8.1
CVE Reference
Patch Status
No patch
Source
NVD

Shopire

medium
Vulnerability
Shopire — Unauthorized modification of data
Severity
medium Medium risk
Affected Versions
<=1.0.57
CVE Reference
Patch Status
No patch
Source
NVD

Mega Store Woocommerce

medium
Vulnerability
Mega Store Woocommerce — Unauthorized modification of data
Severity
medium Medium risk
Affected Versions
<=5.9
CVE Reference
Patch Status
No patch
Source
NVD

Cartify - WooCommerce Gutenberg

medium
Vulnerability
Cartify - WooCommerce Gutenberg — Exploiting Incorrectly Configured Access Control Security Levels
Severity
medium Medium risk
Affected Versions
<=1.3
CVE Reference
Patch Status
No patch
Source
NVD

PawFriends - Pet Shop and Veterinary

medium
Vulnerability
PawFriends - Pet Shop and Veterinary — Exploiting Incorrectly Configured Access Control Security Levels
Severity
medium Medium risk
Affected Versions
<=1.3
CVE Reference
Patch Status
No patch
Source
NVD

WordPress Core Vulnerabilities (0)

No vulnerabilities reported in this category this week.

Recommendations

1. Update immediately: Install the latest versions of all plugins, themes, and WordPress core.
2. Enable auto-updates: Turn on automatic updates for minor WordPress releases and plugins where possible.
3. Remove unused plugins: Deactivate and delete any plugins or themes you no longer use.
4. Run a security scan: Use our free WordPress security scanner to check your site for known vulnerabilities.
5. Monitor regularly: Set up uptime monitoring and periodic security scans to catch issues early.

Methodology

This report is compiled automatically from multiple trusted sources:

NIST National Vulnerability Database (NVD): CVE records with CVSS severity scores
Wordfence Intelligence: WordPress-specific vulnerability data with patch information
Our Scanning Database: Vulnerabilities detected through active WordPress security scans
