
WordPress Vulnerability Report: February 5 – February 12, 2026

82 WordPress vulnerabilities were disclosed between February 5 and February 12, 2026: 3 critical and 11 high severity; 2 patched and 80 unpatched.

WPSentry | March 8, 2026 | 18 min read

During the reporting period (February 5 – February 12, 2026), 82 WordPress security vulnerabilities were disclosed across plugins, themes, and core. This report aggregates data from the NIST National Vulnerability Database, Wordfence Intelligence, and our own scanning database.

Summary

Total: 82
Critical: 3
High: 11
Medium: 68
Low: 0
Patched: 2

WordPress Plugin Vulnerabilities (82)

WP Duplicate

Vulnerability: WP Duplicate — Missing Authorization leading to Arbitrary File Upload
Severity: Critical
Affected Versions: <=1.1.8
Patch Status: No patch
Source: NVD

JAY Login & Register

Vulnerability: JAY Login & Register — Privilege Escalation
Severity: Critical
Affected Versions: <=2.6.03
Patch Status: No patch
Source: NVD

Migration, Backup, Staging – WPvivid Backup & Migration

Vulnerability: Migration, Backup, Staging – WPvivid Backup & Migration — Unauthenticated Arbitrary File Upload
Severity: Critical
Affected Versions: <=0.9.123
Patch Status: No patch
Source: NVD

Popup builder with Gamification, Multi-Step Popups, Page-Level Targeting, and WooCommerce Triggers

Vulnerability: Popup builder with Gamification, Multi-Step Popups, Page-Level Targeting, and WooCommerce Triggers — Generic SQL Injection
Severity: High
Affected Versions: <=2.2.0
Patch Status: No patch
Source: NVD

All In One Image Viewer Block

Vulnerability: All In One Image Viewer Block — Server-Side Request Forgery
Severity: High
Affected Versions: <=1.0.2
Patch Status: No patch
Source: NVD

JAY Login & Register

Vulnerability: JAY Login & Register — Privilege Escalation
Severity: High
Affected Versions: <=2.6.03
Patch Status: No patch
Source: NVD

WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible

Vulnerability: WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible — Unauthorized modification of data
Severity: High
Affected Versions: <=6.7.24
Patch Status: No patch
Source: NVD

Name Directory

Vulnerability: Name Directory — Stored Cross-Site Scripting
Severity: High
Affected Versions: <=1.32.0
Patch Status: No patch
Source: NVD

Ninja Forms

Vulnerability: Ninja Forms — Sensitive Information Exposure
Severity: High
Affected Versions: <=3.14.0
Patch Status: No patch
Source: NVD

Lucky Wheel Giveaway

Vulnerability: Lucky Wheel Giveaway — Remote Code Execution
Severity: High
Affected Versions: <=1.0.22
Patch Status: No patch
Source: NVD

iONE360 configurator

Vulnerability: iONE360 configurator — Stored Cross-Site Scripting
Severity: High
Affected Versions: <=2.0.57
Patch Status: No patch
Source: NVD

Custom Block Builder – Lazy Blocks

Vulnerability: Custom Block Builder – Lazy Blocks — Remote Code Execution
Severity: High
Affected Versions: <=4.2.0
Patch Status: No patch
Source: NVD

'Videospirecore Theme Plugin'

Vulnerability: 'Videospirecore Theme Plugin' — Privilege escalation
Severity: High
Affected Versions: <=1.0.6
Patch Status: No patch
Source: NVD

wpForo Forum

Vulnerability: wpForo Forum — PHP Object Injection
Severity: High
Affected Versions: <=2.4.13
Patch Status: No patch
Source: NVD

Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder

Vulnerability: Fluent Forms <= 6.1.14 - Authenticated (Subscriber+) Stored Cross-Site Scripting via AI Form Builder Module
Severity: Medium
Affected Versions: <=6.1.14
Patch Status: 6.1.15
Source: Wordfence

Kadence Blocks — Page Builder Toolkit for Gutenberg Editor

Vulnerability: Gutenberg Blocks with AI by Kadence WP – Page Builder Features <= 3.5.32 - Incorrect Authorization to Authenticated (Contributor+) Post Publication
Severity: Medium
Affected Versions: <=3.5.32
CVE Reference: N/A
Patch Status: 3.6.0
Source: Wordfence

Sudoku Shortcode

Vulnerability: Sudoku Shortcode <= 1.0.0 - Authenticated (Contributor+) Cross-Site Scripting via 'background' Shortcode Attribute
Severity: Medium
Affected Versions: <=1.0.0
CVE Reference: N/A
Patch Status: No patch
Source: Wordfence

Sudoku Shortcode

Vulnerability: Sudoku Shortcode <= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
Severity: Medium
Affected Versions: <=1.0.0
CVE Reference: N/A
Patch Status: No patch
Source: Wordfence

Essential Widgets

Vulnerability: Essential Widgets — Stored Cross-Site Scripting
Severity: Medium
Affected Versions: <=3.0
Patch Status: No patch
Source: NVD

ShortPixel Image Optimizer

Vulnerability: ShortPixel Image Optimizer — Arbitrary File Read
Severity: Medium
Affected Versions: <=6.4.2
Patch Status: No patch
Source: NVD

Dynamic Widget Content

Vulnerability: Dynamic Widget Content — Stored Cross-Site Scripting
Severity: Medium
Affected Versions: <=1.3.6
Patch Status: No patch
Source: NVD

ProfileGrid – User Profiles, Groups and Communities

Vulnerability: ProfileGrid – User Profiles, Groups and Communities — Unauthorized user suspension
Severity: Medium
Affected Versions: <=5.9.7.2
Patch Status: No patch
Source: NVD

Robin Image Optimizer – Unlimited Image Optimization & WebP Converter

Vulnerability: Robin Image Optimizer – Unlimited Image Optimization & WebP Converter — Stored Cross-Site Scripting
Severity: Medium
Affected Versions: <=2.0.2
Patch Status: No patch
Source: NVD

ELEX WordPress HelpDesk & Customer Ticketing System

Vulnerability: ELEX WordPress HelpDesk & Customer Ticketing System — Missing Authorization
Severity: Medium
Affected Versions: <=3.3.5
Patch Status: No patch
Source: NVD

ProfileGrid – User Profiles, Groups and Communities

Vulnerability: ProfileGrid – User Profiles, Groups and Communities — Insecure Direct Object Reference
Severity: Medium
Affected Versions: <=5.9.7.2
Patch Status: No patch
Source: NVD

Peter's Date Countdown

Vulnerability: Peter's Date Countdown — Reflected Cross-Site Scripting
Severity: Medium
Affected Versions: <=2.0.0
Patch Status: No patch
Source: NVD

Greenshift – animation and page builder blocks

Vulnerability: Greenshift – animation and page builder blocks — Unauthorized access of data
Severity: Medium
Affected Versions: <=12.6
Patch Status: No patch
Source: NVD

Timeline Block – Beautiful Timeline Builder for WordPress (Vertical & Horizontal Timelines)

Vulnerability: Timeline Block – Beautiful Timeline Builder for WordPress (Vertical & Horizontal Timelines) — Insecure Direct Object Reference
Severity: Medium
Affected Versions: <=1.3.3
Patch Status: No patch
Source: NVD

OAuth Single Sign On – SSO (OAuth Client)

Vulnerability: OAuth Single Sign On – SSO (OAuth Client) — Unauthorized access
Severity: Medium
Affected Versions: <=6.26.14
Patch Status: No patch
Source: NVD

Tune Library

Vulnerability: Tune Library — Stored Cross-Site Scripting
Severity: Medium
Affected Versions: <=1.6.3
Patch Status: No patch
Source: NVD

Orange Confort+ accessibility toolbar for WordPress

Vulnerability: Orange Confort+ accessibility toolbar for WordPress — Stored Cross-Site Scripting
Severity: Medium
Affected Versions: <=0.7
Patch Status: No patch
Source: NVD

Docus – YouTube Video Playlist

Vulnerability: Docus – YouTube Video Playlist — Stored Cross-Site Scripting
Severity: Medium
Affected Versions: <=1.0.6
Patch Status: No patch
Source: NVD

WaveSurfer-WP

Vulnerability: WaveSurfer-WP — Stored Cross-Site Scripting
Severity: Medium
Affected Versions: <=2.8.3
Patch Status: No patch
Source: NVD

Employee Directory

Vulnerability: Employee Directory — Stored Cross-Site Scripting
Severity: Medium
Affected Versions: <=1.2.1
Patch Status: No patch
Source: NVD

Events Listing Widget

Vulnerability: Events Listing Widget — Stored Cross-Site Scripting
Severity: Medium
Affected Versions: <=1.3.4
Patch Status: No patch
Source: NVD

Code Snippets

Vulnerability: Code Snippets — Cross-Site Request Forgery
Severity: Medium
Affected Versions: <=3.9.4
Patch Status: No patch
Source: NVD

Yoast SEO – Advanced SEO with real-time guidance and built-in AI

Vulnerability: Yoast SEO – Advanced SEO with real-time guidance and built-in AI — Stored Cross-Site Scripting
Severity: Medium
Affected Versions: <=26.8
Patch Status: No patch
Source: NVD

Bold Page Builder

Vulnerability: Bold Page Builder — Stored Cross-Site Scripting
Severity: Medium
Affected Versions: <=5.4.8
Patch Status: No patch
Source: NVD

Bold Page Builder

Vulnerability: Bold Page Builder — Stored Cross-Site Scripting
Severity: Medium
Affected Versions: <=5.5.1
Patch Status: No patch
Source: NVD

Bold Page Builder

Vulnerability: Bold Page Builder — Stored Cross-Site Scripting
Severity: Medium
Affected Versions: <=5.5.3
Patch Status: No patch
Source: NVD

Bold Page Builder

Vulnerability: Bold Page Builder — Stored Cross-Site Scripting
Severity: Medium
Affected Versions: <=5.5.7
Patch Status: No patch
Source: NVD

Post Slides

Vulnerability: Post Slides — Validate some shortcode attributes before using them to generate paths passed to include function/s
Severity: Medium
Affected Versions: <=1.0.1
Patch Status: No patch
Source: NVD

The Bucketlister

Vulnerability: The Bucketlister — Unauthorized modification of data
Severity: Medium
Affected Versions: <=0.1.5
Patch Status: No patch
Source: NVD

Bucketlister

Vulnerability: Bucketlister — SQL Injection
Severity: Medium
Affected Versions: <=0.1.5
Patch Status: No patch
Source: NVD

Premmerce

Vulnerability: Premmerce — Stored Cross-Site Scripting
Severity: Medium
Affected Versions: <=1.3.20
Patch Status: No patch
Source: NVD

TITLE ANIMATOR

Vulnerability: TITLE ANIMATOR — Cross-Site Request Forgery
Severity: Medium
Affected Versions: <=1.0
Patch Status: No patch
Source: NVD

Simple Bible Verse via Shortcode

Vulnerability: Simple Bible Verse via Shortcode — Stored Cross-Site Scripting
Severity: Medium
Affected Versions: <=1.1
Patch Status: No patch
Source: NVD

OMIGO

Vulnerability: OMIGO — Stored Cross-Site Scripting
Severity: Medium
Affected Versions: <=3.3
Patch Status: No patch
Source: NVD

Video Onclick

Vulnerability: Video Onclick — Stored Cross-Site Scripting
Severity: Medium
Affected Versions: <=0.4.7
Patch Status: No patch
Source: NVD

Wikiloops Track Player

Vulnerability: Wikiloops Track Player — Stored Cross-Site Scripting
Severity: Medium
Affected Versions: <=1.0.1
Patch Status: No patch
Source: NVD

Wonka Slide

Vulnerability: Wonka Slide — Stored Cross-Site Scripting
Severity: Medium
Affected Versions: <=1.3.3
Patch Status: No patch
Source: NVD

Subitem AL Slider

Vulnerability: Subitem AL Slider — Reflected Cross-Site Scripting
Severity: Medium
Affected Versions: <=1.0.0
Patch Status: No patch
Source: NVD

MP-Ukagaka

Vulnerability: MP-Ukagaka — Reflected Cross-Site Scripting
Severity: Medium
Affected Versions: <=1.5.2
Patch Status: No patch
Source: NVD

Advanced Country Blocker

Vulnerability: Advanced Country Blocker — Authorization Bypass
Severity: Medium
Affected Versions: <=2.3.1
Patch Status: No patch
Source: NVD

Fluent Forms Pro Add On Pack

Vulnerability: Fluent Forms Pro Add On Pack — Server-Side Request Forgery
Severity: Medium
Affected Versions: <=6.1.12
Patch Status: No patch
Source: NVD

WCFM Membership – WooCommerce Memberships for Multivendor Marketplace

Vulnerability: WCFM Membership – WooCommerce Memberships for Multivendor Marketplace — Insecure Direct Object Reference
Severity: Medium
Affected Versions: <=2.11.8
Patch Status: No patch
Source: NVD

Fluent Forms

Vulnerability: Fluent Forms — Stored Cross-Site Scripting
Severity: Medium
Affected Versions: <=6.1.14
Patch Status: No patch
Source: NVD

WCFM Marketplace – Multivendor Marketplace for WooCommerce

Vulnerability: WCFM Marketplace – Multivendor Marketplace for WooCommerce — Insecure Direct Object Reference
Severity: Medium
Affected Versions: <=3.7.0
Patch Status: No patch
Source: NVD

PopupKit

Vulnerability: PopupKit — Authorization bypass
Severity: Medium
Affected Versions: <=2.2.0
Patch Status: No patch
Source: NVD

The Events Calendar Shortcode & Block

Vulnerability: The Events Calendar Shortcode & Block — Stored Cross-Site Scripting
Severity: Medium
Affected Versions: <=3.1.2
Patch Status: No patch
Source: NVD

SlimStat Analytics

Vulnerability: SlimStat Analytics — Time-based SQL Injection
Severity: Medium
Affected Versions: <=5.3.1
Patch Status: No patch
Source: NVD

Gallery by FooGallery

Vulnerability: Gallery by FooGallery — Unauthorized access of data
Severity: Medium
Affected Versions: <=3.1.9
Patch Status: No patch
Source: NVD

Beaver Builder Page Builder – Drag and Drop Website Builder

Vulnerability: Beaver Builder Page Builder – Drag and Drop Website Builder — Stored Cross-Site Scripting
Severity: Medium
Affected Versions: <=2.10.0.5
Patch Status: No patch
Source: NVD

Orbisius Random Name Generator

Vulnerability: Orbisius Random Name Generator — Stored Cross-Site Scripting
Severity: Medium
Affected Versions: <=1.0.2
Patch Status: No patch
Source: NVD

Pix para Woocommerce

Vulnerability: Pix para Woocommerce — Any authenticated user to trigger AJAX actions that reset payment gateway configuration options with
Severity: Medium
Affected Versions: <=2.13.3
Patch Status: No patch
Source: NVD

WP eCommerce

Vulnerability: WP eCommerce — CVE-2026-1235
Severity: Medium
Affected Versions: <=3.15.1
Patch Status: No patch
Source: NVD

WPlyr Media Block

Vulnerability: WPlyr Media Block — Stored Cross-Site Scripting
Severity: Medium
Affected Versions: <=1.3.0
Patch Status: No patch
Source: NVD

Category Image

Vulnerability: Category Image — Stored Cross-Site Scripting
Severity: Medium
Affected Versions: <=2.0
Patch Status: No patch
Source: NVD

MMA Call Tracking

Vulnerability: MMA Call Tracking — Cross-Site Request Forgery
Severity: Medium
Affected Versions: <=2.3.15
Patch Status: No patch
Source: NVD

Invoct – PDF Invoices & Billing for WooCommerce

Vulnerability: Invoct – PDF Invoices & Billing for WooCommerce — Unauthorized access of data
Severity: Medium
Affected Versions: <=1.6
Patch Status: No patch
Source: NVD

Twitter posts to Blog

Vulnerability: Twitter posts to Blog — Unauthorized modification of data
Severity: Medium
Affected Versions: <=1.11.25
Patch Status: No patch
Source: NVD

WDES Responsive Popup

Vulnerability: WDES Responsive Popup — Stored Cross-Site Scripting
Severity: Medium
Affected Versions: <=1.3.6
Patch Status: No patch
Source: NVD

HTML Tag Shortcodes

Vulnerability: HTML Tag Shortcodes — Stored Cross-Site Scripting
Severity: Medium
Affected Versions: <=1.1
Patch Status: No patch
Source: NVD

Microtango

Vulnerability: Microtango — Stored Cross-Site Scripting
Severity: Medium
Affected Versions: <=0.9.29
Patch Status: No patch
Source: NVD

OpenPOS Lite – Point of Sale for WooCommerce

Vulnerability: OpenPOS Lite – Point of Sale for WooCommerce — Stored Cross-Site Scripting
Severity: Medium
Affected Versions: <=3.0
Patch Status: No patch
Source: NVD

Flask Micro code-editor

Vulnerability: Flask Micro code-editor — Stored Cross-Site Scripting
Severity: Medium
Affected Versions: <=1.0.0
Patch Status: No patch
Source: NVD

WaMate Confirm – Order Confirmation

Vulnerability: WaMate Confirm – Order Confirmation — Unauthorized access
Severity: Medium
Affected Versions: <=2.0.1
Patch Status: No patch
Source: NVD

BuddyHolis ListSearch

Vulnerability: BuddyHolis ListSearch — Stored Cross-Site Scripting
Severity: Medium
Affected Versions: <=1.1
Patch Status: No patch
Source: NVD

Slideshow Wp

Vulnerability: Slideshow Wp — Stored Cross-Site Scripting
Severity: Medium
Affected Versions: <=1.1
Patch Status: No patch
Source: NVD

WPZOOM Addons for Elementor – Starter Templates & Widgets

Vulnerability: WPZOOM Addons for Elementor – Starter Templates & Widgets — Unauthorized access of data
Severity: Medium
Affected Versions: <=1.3.2
Patch Status: No patch
Source: NVD

Yoast Duplicate-Post

Vulnerability: Yoast Duplicate-Post — CVE-2019-25314
Severity: Medium
Affected Versions: all
Patch Status: No patch
Source: NVD

Product Options and Price Calculation Formulas for WooCommerce – Uni CPO (Premium)

Vulnerability: Product Options and Price Calculation Formulas for WooCommerce – Uni CPO (Premium) — Unauthorized loss of data
Severity: Medium
Affected Versions: <=4.9.60
Patch Status: No patch
Source: NVD

WordPress Theme Vulnerabilities (0)

No vulnerabilities reported in this category this week.

WordPress Core Vulnerabilities (0)

No vulnerabilities reported in this category this week.

Recommendations

1. Update immediately: Install the latest versions of all plugins, themes, and WordPress core.
2. Enable auto-updates: Turn on automatic updates for minor WordPress releases and plugins where possible.
3. Remove unused plugins: Deactivate and delete any plugins or themes you no longer use.
4. Run a security scan: Use our free WordPress security scanner to check your site for known vulnerabilities.
5. Monitor regularly: Set up uptime monitoring and periodic security scans to catch issues early.

Methodology

This report is compiled automatically from multiple trusted sources:

NIST National Vulnerability Database (NVD): CVE records with CVSS severity scores
Wordfence Intelligence: WordPress-specific vulnerability data with patch information
Our Scanning Database: Vulnerabilities detected through active WordPress security scans
