Vulnerability Report

WordPress Vulnerability Report: February 26 – March 5, 2026

55 WordPress vulnerabilities disclosed between February 26 – March 5, 2026. 3 critical, 19 high severity. 1 patched, 54 unpatched.

WPSentry | March 8, 2026 | 14 min read

During the reporting period (February 26 – March 5, 2026), 55 WordPress security vulnerabilities were disclosed across plugins, themes, and core. This report aggregates data from the NIST National Vulnerability Database, Wordfence Intelligence, and our own scanning database.

Summary

Total: 55
Critical: 3
High: 19
Medium: 33
Low: 0
Patched: 1

WordPress Plugin Vulnerabilities (52)

All-in-One Microsoft 365 & Entra ID / Azure AD SSO Login

Vulnerability: All-in-One Microsoft 365 & Entra ID / Azure AD SSO Login — Authentication bypass
Severity: Critical
Affected Versions: <=2.2.5
Patch Status: No patch
Source: NVD

User Registration & Membership – Custom Registration Form Builder, Custom Login Form, User Profile, Content Restriction & Membership Plugin

Vulnerability: User Registration & Membership – Custom Registration Form Builder, Custom Login Form, User Profile, Content Restriction & Membership Plugin — Improper privilege management
Severity: Critical
Affected Versions: <=5.1.2
Patch Status: No patch
Source: NVD

Tutor LMS – eLearning and online course solution

Vulnerability: Tutor LMS <= 3.9.6 - Unauthenticated SQL Injection via coupon_code
Severity: High
Affected Versions: <=3.9.6
Patch Status: 3.9.7
Source: Wordfence

WP Responsive Images

Vulnerability: WP Responsive Images — Path Traversal
Severity: High
Affected Versions: <=1.0
Patch Status: No patch
Source: NVD

User Registration & Membership

Vulnerability: User Registration & Membership — Authentication bypass
Severity: High
Affected Versions: <=5.1.2
Patch Status: No patch
Source: NVD

Worry Proof Backup

Vulnerability: Worry Proof Backup — Path Traversal
Severity: High
Affected Versions: <=0.2.4
Patch Status: No patch
Source: NVD

User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration

Vulnerability: User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration — Arbitrary file uploads
Severity: High
Affected Versions: <=4.2.8
Patch Status: No patch
Source: NVD

Fluent Forms Pro Add On Pack

Vulnerability: Fluent Forms Pro Add On Pack — Insufficient Verification of Data Authenticity
Severity: High
Affected Versions: <=6.1.17
Patch Status: No patch
Source: NVD

WP Mail Logging

Vulnerability: WP Mail Logging — PHP Object Injection
Severity: High
Affected Versions: <=1.15.0
Patch Status: No patch
Source: NVD

Tutor LMS – eLearning and online course solution

Vulnerability: Tutor LMS – eLearning and online course solution — SQL Injection
Severity: High
Affected Versions: <=3.9.6
Patch Status: No patch
Source: NVD

Wpforo Forum

Vulnerability: Wpforo Forum — CVE-2026-28562
Severity: High
Affected Versions: all
Patch Status: No patch
Source: NVD

Master Addons for Elementor Premium

Vulnerability: Master Addons for Elementor Premium — Remote Code Execution
Severity: High
Affected Versions: <=2.1.3
Patch Status: No patch
Source: NVD

Contest Gallery – Upload & Vote Photos, Media, Sell with PayPal & Stripe

Vulnerability: Contest Gallery – Upload & Vote Photos, Media, Sell with PayPal & Stripe — Blind SQL Injection
Severity: High
Affected Versions: <=28.1.4
Patch Status: No patch
Source: NVD

LatePoint – Calendar Booking Plugin for Appointments and Events

Vulnerability: LatePoint – Calendar Booking Plugin for Appointments and Events — Privilege escalation
Severity: High
Affected Versions: <=5.2.7
Patch Status: No patch
Source: NVD

Uncanny Automator – Easy Automation, Integration, Webhooks & Workflow Builder Plugin

Vulnerability: Uncanny Automator – Easy Automation, Integration, Webhooks & Workflow Builder Plugin — Server-Side Request Forgery
Severity: High
Affected Versions: <=7.0.0.3
Patch Status: No patch
Source: NVD

Page Builder by SiteOrigin

Vulnerability: Page Builder by SiteOrigin — Local File Inclusion
Severity: High
Affected Versions: <=2.33.5
Patch Status: No patch
Source: NVD

WP Zendesk for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms

Vulnerability: WP Zendesk for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms — Stored Cross-Site Scripting
Severity: High
Affected Versions: <=1.1.5
Patch Status: No patch
Source: NVD

Post Grid Gutenberg Blocks for News, Magazines, Blog Websites – PostX

Vulnerability: Post Grid Gutenberg Blocks for News, Magazines, Blog Websites – PostX — Server-Side Request Forgery
Severity: High
Affected Versions: <=5.0.8
Patch Status: No patch
Source: NVD

WPBookit

Vulnerability: WPBookit — Stored Cross-Site Scripting
Severity: High
Affected Versions: <=1.0.8
Patch Status: No patch
Source: NVD

Mail Mint

Vulnerability: Mail Mint — Have authorization in one of its REST API endpoint
Severity: High
Affected Versions: <=1.19.5
Patch Status: No patch
Source: NVD

JS Help Desk – AI-Powered Support & Ticketing System

Vulnerability: JS Help Desk – AI-Powered Support & Ticketing System — SQL Injection
Severity: High
Affected Versions: all
Patch Status: No patch
Source: NVD

Livemesh Addons for Beaver Builder

Vulnerability: Livemesh Addons for Beaver Builder — Stored Cross-Site Scripting
Severity: Medium
Affected Versions: <=3.9.2
Patch Status: No patch
Source: NVD

TP2WP Importer

Vulnerability: TP2WP Importer — Stored Cross-Site Scripting
Severity: Medium
Affected Versions: <=1.1
Patch Status: No patch
Source: NVD

WP Social Meta

Vulnerability: WP Social Meta — Stored Cross-Site Scripting
Severity: Medium
Affected Versions: <=1.0.1
Patch Status: No patch
Source: NVD

Custom Logo

Vulnerability: Custom Logo — Stored Cross-Site Scripting
Severity: Medium
Affected Versions: <=2.2
Patch Status: No patch
Source: NVD

EM Cost Calculator

Vulnerability: EM Cost Calculator — Stored Cross-Site Scripting
Severity: Medium
Affected Versions: <=2.3.1
Patch Status: No patch
Source: NVD

User Registration & Membership – Custom Registration Form, Login Form, and User Profile

Vulnerability: User Registration & Membership – Custom Registration Form, Login Form, and User Profile — Insecure Direct Object Reference
Severity: Medium
Affected Versions: <=5.1.2
Patch Status: No patch
Source: NVD

WP Recipe Maker

Vulnerability: WP Recipe Maker — An Insecure Direct Object Reference (IDOR)
Severity: Medium
Affected Versions: <=10.3.2
Patch Status: No patch
Source: NVD

Xpro Addons — 140+ Widgets for Elementor

Vulnerability: Xpro Addons — 140+ Widgets for Elementor — Stored Cross-Site Scripting
Severity: Medium
Affected Versions: <=1.4.24
Patch Status: No patch
Source: NVD

WP Accessibility

Vulnerability: WP Accessibility — Stored DOM-Based Cross-Site Scripting
Severity: Medium
Affected Versions: <=2.3.1
Patch Status: No patch
Source: NVD

Simple Download Monitor

Vulnerability: Simple Download Monitor — Stored Cross-Site Scripting
Severity: Medium
Affected Versions: <=4.0.5
Patch Status: No patch
Source: NVD

OVRI Payment

Vulnerability: OVRI Payment — CVE-2024-10938
Severity: Medium
Affected Versions: all
Patch Status: No patch
Source: NVD

Electric Enquiries

Vulnerability: Electric Enquiries — Stored Cross-Site Scripting
Severity: Medium
Affected Versions: <=1.1
Patch Status: No patch
Source: NVD

Japanized for WooCommerce

Vulnerability: Japanized for WooCommerce — Improper Authentication
Severity: Medium
Affected Versions: <=2.8.4
Patch Status: No patch
Source: NVD

MailArchiver

Vulnerability: MailArchiver — SQL Injection
Severity: Medium
Affected Versions: <=4.5.0
Patch Status: No patch
Source: NVD

Featured Image from Content

Vulnerability: Featured Image from Content — Author-level users to fetch internal HTTP resources. Attackers can exploit insecure URL fetching and
Severity: Medium
Affected Versions: <=1.7
Patch Status: No patch
Source: NVD

Super Stage WP

Vulnerability: Super Stage WP — CVE-2026-1542
Severity: Medium
Affected Versions: <=1.0.1
Patch Status: No patch
Source: NVD

Wpforo Forum

Vulnerability: Wpforo Forum — Authenticated users to trigger bulk wpForo usergroup reassignment via the wpforo_synch_roles AJAX ha
Severity: Medium
Affected Versions: all
Patch Status: No patch
Source: NVD

AI ChatBot with ChatGPT and Content Generator by AYS

Vulnerability: AI ChatBot with ChatGPT and Content Generator by AYS — Unauthorized access and modification of data
Severity: Medium
Affected Versions: <=2.7.5
Patch Status: No patch
Source: NVD

LatePoint – Calendar Booking Plugin for Appointments and Events

Vulnerability: LatePoint – Calendar Booking Plugin for Appointments and Events — SQL Injection
Severity: Medium
Affected Versions: <=5.2.7
Patch Status: No patch
Source: NVD

Email Subscribers by Icegram Express

Vulnerability: Email Subscribers by Icegram Express — SQL Injection
Severity: Medium
Affected Versions: <=5.9.16
Patch Status: No patch
Source: NVD

WPBookit

Vulnerability: WPBookit — Unauthorized data disclosure
Severity: Medium
Affected Versions: <=1.0.8
Patch Status: No patch
Source: NVD

Taskbuilder

Vulnerability: Taskbuilder — Stored Cross-Site Scripting
Severity: Medium
Affected Versions: <=5.0.3
Patch Status: No patch
Source: NVD

Morkva UA Shipping

Vulnerability: Morkva UA Shipping — Stored Cross-Site Scripting
Severity: Medium
Affected Versions: <=1.7.9
Patch Status: No patch
Source: NVD

WP-Members Membership Plugin

Vulnerability: WP-Members Membership Plugin — SQL Injection
Severity: Medium
Affected Versions: <=3.5.5.1
Patch Status: No patch
Source: NVD

Enable Media Replace

Vulnerability: Enable Media Replace — Unauthorized modification of data
Severity: Medium
Affected Versions: <=4.1.7
Patch Status: No patch
Source: NVD

Envira Gallery for WordPress

Vulnerability: Envira Gallery for WordPress — Stored Cross-Site Scripting
Severity: Medium
Affected Versions: <=1.12.3
Patch Status: No patch
Source: NVD

All-in-One Video Gallery

Vulnerability: All-in-One Video Gallery — Reflected Cross-Site Scripting
Severity: Medium
Affected Versions: <=4.7.1
Patch Status: No patch
Source: NVD

Gutena Forms – Contact Form, Survey Form, Feedback Form, Booking Form, and Custom Form Builder

Vulnerability: Gutena Forms – Contact Form, Survey Form, Feedback Form, Booking Form, and Custom Form Builder — Unauthorized modification of data
Severity: Medium
Affected Versions: <=1.6.0
Patch Status: No patch
Source: NVD

My Calendar – Accessible Event Manager

Vulnerability: My Calendar – Accessible Event Manager — Stored Cross-Site Scripting
Severity: Medium
Affected Versions: <=3.7.3
Patch Status: No patch
Source: NVD

Seraphinite Accelerator

Vulnerability: Seraphinite Accelerator — Unauthorized modification of data
Severity: Medium
Affected Versions: <=2.28.14
Patch Status: No patch
Source: NVD

Seraphinite Accelerator

Vulnerability: Seraphinite Accelerator — Sensitive Information Exposure
Severity: Medium
Affected Versions: <=2.28.14
Patch Status: No patch
Source: NVD

WordPress Theme Vulnerabilities (3)

Listee

Vulnerability: Listee — Privilege escalation
Severity: Critical
Affected Versions: <=1.1.6
Patch Status: No patch
Source: NVD

Automotive Car Dealership Business WordPress

Vulnerability: Automotive Car Dealership Business WordPress — Stored Cross-Site Scripting
Severity: Medium
Affected Versions: <=13.4
Patch Status: No patch
Source: NVD

Blocksy

Vulnerability: Blocksy — Stored Cross-Site Scripting
Severity: Medium
Affected Versions: <=2.1.30
Patch Status: No patch
Source: NVD

WordPress Core Vulnerabilities (0)

No vulnerabilities reported in this category this week.

Recommendations

1. Update immediately: Install the latest versions of all plugins, themes, and WordPress core.
2. Enable auto-updates: Turn on automatic updates for minor WordPress releases and plugins where possible.
3. Remove unused plugins: Deactivate and delete any plugins or themes you no longer use.
4. Run a security scan: Use our free WordPress security scanner to check your site for known vulnerabilities.
5. Monitor regularly: Set up uptime monitoring and periodic security scans to catch issues early.

Methodology

This report is compiled automatically from multiple trusted sources:

NIST National Vulnerability Database (NVD): CVE records with CVSS severity scores
Wordfence Intelligence: WordPress-specific vulnerability data with patch information
Our Scanning Database: Vulnerabilities detected through active WordPress security scans
