WordPress Vulnerability Report: January 1 – January 8, 2026

122 WordPress vulnerabilities were disclosed between January 1 and January 8, 2026: 5 critical and 12 high severity. 0 patched, 122 unpatched.

WPSentry · March 8, 2026 · 25 min read

During the reporting period (January 1 – January 8, 2026), 122 WordPress security vulnerabilities were disclosed across plugins, themes, and core. This report aggregates data from the NIST National Vulnerability Database, Wordfence Intelligence, and our own scanning database.

Summary

Total: 122 | Critical: 5 | High: 12 | Medium: 103 | Low: 2 | Patched: 0

WordPress Plugin Vulnerabilities (119)

Each entry: [severity] plugin (affected versions): vulnerability. Patch status. Source.

[Critical] Branda (<=3.4.24): Privilege escalation. No patch. Source: NVD.
[Critical] AS Password Field In Default Registration Form (<=2.0.0): Privilege escalation. No patch. Source: NVD.
[Critical] FS Registration Password (<=1.0.1): Privilege escalation. No patch. Source: NVD.
[Critical] Optional Email (<=1.3.11): Privilege Escalation. No patch. Source: NVD.
[High] Team (<=5.0.11): Properly sanitize and escape a parameter before using it in a SQL statement via an AJAX action avail. No patch. Source: NVD.
[High] Download Manager (<=3.3.40): Privilege escalation. No patch. Source: NVD.
[High] BuddyPress Xprofile Custom Field Types (<=1.2.8): Arbitrary file deletion. No patch. Source: NVD.
[High] Premium Age Verification / Restriction (<=3.0.2): Privilege Escalation. No patch. Source: NVD.
[High] MoneySpace (<=2.13.9): Sensitive Information Exposure. No patch. Source: NVD.
[High] Latest Registered Users (<=1.4): Unauthorized user data export. No patch. Source: NVD.
[High] Yoco Payments (<=3.8.8): Path Traversal. No patch. Source: NVD.
[High] Reviewify (<=1.0.6): Unauthorized modification of data. No patch. Source: NVD.
[High] Frontend File Manager Plugin (<=23.5): CVE-2025-14804. No patch. Source: NVD.
[High] WP Photo Album Plus (<=9.1.05.008): Reflected Cross-Site Scripting. No patch. Source: NVD.
[High] WP Enable WebP (<=1.0): Arbitrary file uploads. No patch. Source: NVD.
[High] iPaymu Payment Gateway for WooCommerce (<=2.0.2): Missing Authentication. No patch. Source: NVD.
[Medium] PhotoFade (<=0.2.1): Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes. No patch. Source: Wordfence.
[Medium] Comments (<=7.6.40): Properly validate user's identity when using the disqus. No patch. Source: NVD.
[Medium] All-in-one Sticky Floating Contact Form, Call, Click to Chat, and 50+ Social Icon Tabs - My Sticky Elements (<=2.3.3): Unauthorized data loss. No patch. Source: NVD.
[Medium] WP Import – Ultimate CSV XML Importer for WordPress (<=7.35): Server-Side Request Forgery. No patch. Source: NVD.
[Medium] Registration, User Profile, Membership, Content Restriction, User Directory, and Frontend Post Submission – WP User Frontend (<=4.2.4): Unauthorized loss of data. No patch. Source: NVD.
[Medium] WPBookit (<=1.0.7): CVE-2025-12685. No patch. Source: NVD.
[Medium] Logo Slider (<=4.9.0): Validate and escape some of its slider options before outputting them back in the dashboard. No patch. Source: NVD.
[Medium] ShopBuilder (<=3.2.2): Sanitise and escape a parameter before outputting it back in the page. No patch. Source: NVD.
[Medium] Ninja Forms (<=3.13.3): Unauthenticated attackers to generate valid access tokens via the REST API which can then be used to. No patch. Source: NVD.
[Medium] Popup and Slider Builder by Depicter – Add Email collecting Popup, Popup Modal, Coupon Popup, Image Slider, Carousel Slider, Post Slider Carousel (<=4.0.7): Unauthorized modification of data. No patch. Source: NVD.
[Medium] Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin (<=1.6.9.5): Sensitive Information Exposure. No patch. Source: NVD.
[Medium] Form Vibes – Database Manager for Forms (<=1.4.13): SQL Injection. No patch. Source: NVD.
[Medium] CBX Bookmark & Favorite (<=2.0.4): Generic SQL Injection. No patch. Source: NVD.
[Medium] ForumWP – Forum & Discussion Board (<=2.1.6): Stored Cross-Site Scripting. No patch. Source: NVD.
[Medium] ilGhera Support System for WooCommerce (<=1.2.6): Unauthorized modification and loss of data. No patch. Source: NVD.
[Medium] Page Expire Popup/Redirection for WordPress (<=1.0): Time-based SQL Injection. No patch. Source: NVD.
[Medium] FastDup – Fastest WordPress Migration & Duplicator (<=2.7): Path Traversal. No patch. Source: NVD.
[Medium] URL Image Importer (<=1.0.7): Stored Cross-Site Scripting. No patch. Source: NVD.
[Medium] Xagio SEO – AI Powered SEO (<=7.1.0.30): Server-Side Request Forgery. No patch. Source: NVD.
[Medium] Popupkit (<=2.2.0): Arbitrary subscriber data deletion. No patch. Source: NVD.
[Medium] Shortcodes and extra features for Phlox theme (<=2.17.13): Information Exposure. No patch. Source: NVD.
[Medium] Table Field Add-on for ACF and SCF (<=1.3.30): Stored Cross-Site Scripting. No patch. Source: NVD.
[Medium] GamiPress – Gamification plugin to reward points, achievements, badges & ranks in WordPress (<=7.6.1): Unauthorized access of data. No patch. Source: NVD.
[Medium] Tag, Category, and Taxonomy Manager – AI Autotagger with OpenAI (<=3.41.0): Unauthorized modification of data. No patch. Source: NVD.
[Medium] MasterStudy LMS WordPress Plugin – for Online Courses and Education (<=3.7.6): Unauthorized modification and deletion of data. No patch. Source: NVD.
[Medium] LearnPress – WordPress LMS Plugin (<=4.3.2): Unauthorized modification of data. No patch. Source: NVD.
[Medium] Appointment Booking and Scheduling Calendar Plugin – WP Timetics (<=1.0.36): Unauthorized access and modification of data. No patch. Source: NVD.
[Medium] Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker (<=10.3.1): Unauthorized loss of data. No patch. Source: NVD.
[Medium] MediaPress (<=1.6.1): Stored Cross-Site Scripting. No patch. Source: NVD.
[Medium] Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker (<=10.3.1): Time-based SQL Injection. No patch. Source: NVD.
[Medium] Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker (<=10.3.1): Unauthorized access and modification of data. No patch. Source: NVD.
[Medium] Theater (<=0.19): Exploiting Incorrectly Configured Access Control Security Levels. No patch. Source: NVD.
[Medium] ACF to REST API (<=3.3.4): Insecure Direct Object Reference. No patch. Source: NVD.
[Medium] aBlocks – WordPress Gutenberg Blocks (<=2.4.0): Unauthorized modification of data and disclosure of sensitive information. No patch. Source: NVD.
[Medium] ShareThis Dashboard for Google Analytics (<=3.2.4): Sensitive Information Exposure. No patch. Source: NVD.
[Medium] WP-Members Membership (<=3.5.4.4): Unauthorized file access. No patch. Source: NVD.
[Medium] Premmerce WooCommerce Customers Manager (<=1.1.14): Reflected Cross-Site Scripting. No patch. Source: NVD.
[Medium] Responsive Pricing Table (<=5.1.12): Stored Cross-Site Scripting. No patch. Source: NVD.
[Medium] Guest posting / Frontend Posting / Front Editor – WP Front User Submit (<=5.0.0): Unauthorized modification of data. No patch. Source: NVD.
[Medium] Moosend Landing Pages (<=1.1.6): Unauthorized modification of data. No patch. Source: NVD.
[Medium] Recras WordPress (<=6.4.1): Stored Cross-Site Scripting. No patch. Source: NVD.
[Medium] SVG Map Plugin (<=1.0.0): Cross-Site Request Forgery. No patch. Source: NVD.
[Medium] MTCaptcha WordPress (<=2.7.2): Cross-Site Request Forgery. No patch. Source: NVD.
[Medium] WP Status Notifier (<=1.0): Cross-Site Request Forgery. No patch. Source: NVD.
[Medium] xShare (<=1.0.1): Cross-Site Request Forgery. No patch. Source: NVD.
[Medium] Unify (<=3.4.9): Unauthorized modification of data. No patch. Source: NVD.
[Medium] Stylish Order Form Builder (<=1.0): Stored Cross-Site Scripting. No patch. Source: NVD.
[Medium] HelpDesk contact form (<=1.1.5): Cross-Site Request Forgery. No patch. Source: NVD.
[Medium] WP Recipe Manager (<=1.0.0): Stored Cross-Site Scripting. No patch. Source: NVD.
[Medium] AA Block Country (<=1.0.1): IP Address Spoofing. No patch. Source: NVD.
[Medium] Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder (<=6.1.7): Missing Authorization. No patch. Source: NVD.
[Medium] Smart App Banners (<=1.2): Stored Cross-Site Scripting. No patch. Source: NVD.
[Medium] PhotoFade (<=0.2.1): Stored Cross-Site Scripting. No patch. Source: NVD.
[Medium] STM Gallery 1.9 (<=0.9): Stored Cross-Site Scripting. No patch. Source: NVD.
[Medium] Cool YT Player (<=1.0): Stored Cross-Site Scripting. No patch. Source: NVD.
[Medium] AI BotKit – AI Chatbot & Live Support for WordPress (<=1.1.7): Stored Cross-Site Scripting. No patch. Source: NVD.
[Medium] Email Customizer for WooCommerce (<=2.6.7): Stored Cross-Site Scripting. No patch. Source: NVD.
[Medium] Mamurjor Employee Info (<=1.0.0): Cross-Site Request Forgery. No patch. Source: NVD.
[Medium] Contact Us Simple Form (<=1.0): Stored Cross-Site Scripting. No patch. Source: NVD.
[Medium] Wish To Go (<=0.5.2): Stored Cross-Site Scripting. No patch. Source: NVD.
[Medium] Multi-column Tag Map (<=17.0.39): Stored Cross-Site Scripting. No patch. Source: NVD.
[Medium] EmailKit (<=1.6.1): Arbitrary File Read. No patch. Source: NVD.
[Medium] Simcast (<=1.0.0): Cross-Site Request Forgery. No patch. Source: NVD.
[Medium] AH Shortcodes (<=1.0.2): Stored Cross-Site Scripting. No patch. Source: NVD.
[Medium] WP Js List Pages Shortcodes (<=1.21): Stored Cross-Site Scripting. No patch. Source: NVD.
[Medium] Snillrik Restaurant (<=2.2.1): Stored Cross-Site Scripting. No patch. Source: NVD.
[Medium] Viitor Button Shortcodes (<=3.0.0): Stored Cross-Site Scripting. No patch. Source: NVD.
[Medium] 1180px Shortcodes (<=1.1.1): Stored Cross-Site Scripting. No patch. Source: NVD.
[Medium] Starred Review (<=1.4.2): Reflected Cross-Site Scripting. No patch. Source: NVD.
[Medium] EDD Download Info (<=1.1): Stored Cross-Site Scripting. No patch. Source: NVD.
[Medium] AD Sliding FAQ (<=2.4): Stored Cross-Site Scripting. No patch. Source: NVD.
[Medium] Testimonial Master (<=0.2.1): Reflected Cross-Site Scripting. No patch. Source: NVD.
[Medium] Stumble! for WordPress (<=1.1.1): Reflected Cross-Site Scripting. No patch. Source: NVD.
[Medium] Post Like Dislike (<=1.0): Reflected Cross-Site Scripting. No patch. Source: NVD.
[Medium] WP Widget Changer (<=1.2.5): Reflected Cross-Site Scripting. No patch. Source: NVD.
[Medium] Mstoic Shortcodes (<=2.0): Stored Cross-Site Scripting. No patch. Source: NVD.
[Medium] Niche Hero | Beautifully-designed blocks in seconds (<=1.0.5): Stored Cross-Site Scripting. No patch. Source: NVD.
[Medium] Easy GitHub Gist Shortcodes (<=1.0): Stored Cross-Site Scripting. No patch. Source: NVD.
[Medium] Awesome Hotel Booking (<=1.0): Unauthorized modification of data. No patch. Source: NVD.
[Medium] Quote Comments (<=3.0.0): Missing Authorization. No patch. Source: NVD.
[Medium] My Album Gallery (<=1.0.4): Stored Cross-Site Scripting. No patch. Source: NVD.
[Medium] Piraeus Bank WooCommerce Payment Gateway (<=3.1.4): Unauthorized order status modification. No patch. Source: NVD.
[Medium] Sticky Action Buttons (<=1.1): Cross-Site Request Forgery. No patch. Source: NVD.
[Medium] AMP for WP – Accelerated Mobile Pages (<=1.1.9): Cross-Site Request Forgery. No patch. Source: NVD.
[Medium] QR Code for WooCommerce order emails, PDF invoices, packing slips (<=1.9.42): Stored Cross-Site Scripting. No patch. Source: NVD.
[Medium] Relevanssi (<=4.26.0): CVE-2025-14719. No patch. Source: NVD.
[Medium] Key Figures (<=1.1): Stored Cross-Site Scripting. No patch. Source: NVD.
[Medium] My Album Gallery (<=1.0.4): Stored Cross-Site Scripting. No patch. Source: NVD.
[Medium] LearnPress – WordPress LMS (<=4.3.2.2): Unauthorized file deletion. No patch. Source: NVD.
[Medium] Drag and Drop Multiple File Upload – Contact Form 7 (<=1.3.9.2): Limited upload of files with a dangerous type. No patch. Source: NVD.
[Medium] NS IE Compatibility Fixer (<=2.1.5): Cross-Site Request Forgery (CSRF). No patch. Source: NVD.
[Medium] Flashcard (<=0.9): Path Traversal. No patch. Source: NVD.
[Medium] HBLPAY Payment Gateway for WooCommerce (<=5.0.0): Reflected Cross-Site Scripting. No patch. Source: NVD.
[Medium] twinklesmtp – Email Service Provider For WordPress (<=1.03): Stored Cross-Site Scripting. No patch. Source: NVD.
[Medium] Simple User Meta Editor (<=1.0.0): Stored Cross-Site Scripting. No patch. Source: NVD.
[Medium] Customer Reviews for WooCommerce (<=5.93.1): Stored Cross-Site Scripting. No patch. Source: NVD.
[Medium] Bit Form – Contact Form Plugin (<=2.21.6): Unauthorized workflow execution. No patch. Source: NVD.
[Medium] Newsletter Email Subscribe (<=2.4): Cross-Site Request Forgery. No patch. Source: NVD.
[Medium] Latest Tabs (<=1.5): Cross-Site Request Forgery. No patch. Source: NVD.
[Medium] Page Keys (<=1.3.3): Stored Cross-Site Scripting. No patch. Source: NVD.
[Medium] Responsive Pricing Table (<=5.1.12): Stored Cross-Site Scripting. No patch. Source: NVD.
[Low] FlexTable (<=3.19.2): Sanitise and escape the imported links from Google Sheet cells. No patch. Source: NVD.
[Low] Rankology SEO and Analytics Tool (<=2.0): Unauthorized modification of data. No patch. Source: NVD.

WordPress Theme Vulnerabilities (3)

Each entry: [severity] theme (affected versions): vulnerability. Patch status. Source.

[Critical] Themify Sidepane (<=1.9.8): Upload a Web Shell to a Web Server. No patch. Source: NVD.
[Medium] Phlox (<=2.17.7): Stored Cross-Site Scripting. No patch. Source: NVD.
[Medium] Plant - Gardening & Houseplants (<=1.0.0): Retrieve Embedded Sensitive Data. No patch. Source: NVD.

WordPress Core Vulnerabilities (0)

No vulnerabilities reported in this category this week.

Recommendations

1. Update immediately: install the latest versions of all plugins, themes, and WordPress core.
2. Enable auto-updates: turn on automatic updates for minor WordPress releases and plugins where possible.
3. Remove unused plugins: deactivate and delete any plugins or themes you no longer use.
4. Run a security scan: use our free WordPress security scanner to check your site for known vulnerabilities.
5. Monitor regularly: set up uptime monitoring and periodic security scans to catch issues early.

Methodology

This report is compiled automatically from multiple trusted sources:

NIST National Vulnerability Database (NVD): CVE records with CVSS severity scores.
Wordfence Intelligence: WordPress-specific vulnerability data with patch information.
Our Scanning Database: vulnerabilities detected through active WordPress security scans.
