WordPress Vulnerability Report: January 15 – January 22, 2026

71 WordPress vulnerabilities were disclosed between January 15 and January 22, 2026: 4 critical and 9 high severity; 2 patched, 69 unpatched.

WPSentry, March 8, 2026, 17 min read

During the reporting period (January 15 – January 22, 2026), 71 WordPress security vulnerabilities were disclosed across plugins, themes, and core. This report aggregates data from the NIST National Vulnerability Database, Wordfence Intelligence, and our own scanning database.

Summary

Total: 71
Critical: 4
High: 9
Medium: 56
Low: 2
Patched: 2

WordPress Plugin Vulnerabilities (70)

Entries are ordered by severity. "CVE: not listed" means the source record carried no CVE identifier at the time of compilation; "No patch" means no fixed version was known at the time of compilation.

Plugin | Vulnerability | Severity | Affected versions | CVE | Patch status | Source
RegistrationMagic | Privilege Escalation | Critical | <=6.0.7.1 | not listed | No patch | NVD
Registration & Login with Mobile Phone Number for WooCommerce | Authentication Bypass | Critical | <=1.3.1 | not listed | No patch | NVD
Advanced Custom Fields: Extended | Privilege Escalation | Critical | <=0.9.2.1 | not listed | No patch | NVD
Academy LMS – WordPress LMS Plugin for Complete eLearning Solution | Privilege escalation | Critical | <=3.5.0 | not listed | No patch | NVD
Quiz, Poll & Survey Maker by Opinion Stage | Unauthenticated Stored Cross-Site Scripting | High | <19.6.25 | N/A | Fixed in 19.6.25 | Wordfence
Supreme Modules Lite | Arbitrary file upload | High | <=2.5.62 | not listed | No patch | NVD
All-in-One Video Gallery | Arbitrary file upload | High | <=4.5.7 | not listed | No patch | NVD
Membership Plugin – Restrict Content | Missing Authentication | High | <=3.2.16 | not listed | No patch | NVD
Demo Importer Plus | XML External Entity Injection (XXE) | High | <=2.0.9 | not listed | No patch | NVD
Dokan: AI Powered WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy | Insecure Direct Object Reference | High | <=4.2.4 | not listed | No patch | NVD
Creator LMS – The LMS for Creators, Coaches, and Trainers | Unauthorized modification of data | High | <=1.1.12 | not listed | No patch | NVD
NotificationX – FOMO, Live Sales Notification, WooCommerce Sales Popup, GDPR, Social Proof, Announcement Banner & Floating Notification Bar | DOM-Based Cross-Site Scripting | High | <=3.2.0 | not listed | No patch | NVD
Nexter Extension – Site Enhancements Toolkit | PHP Object Injection | High | <=4.4.6 | not listed | No patch | NVD
Fraud Prevention For WooCommerce and EDD | Authenticated (Subscriber+) Information Exposure | Medium | <=2.3.2 | not listed | Fixed in 2.3.3 | Wordfence
WP-Members Membership Plugin | Stored Cross-Site Scripting | Medium | <=3.5.4.3 | not listed | No patch | NVD
AffiliateX – Amazon Affiliate Plugin | Unauthorized modification of data | Medium | all | not listed | No patch | NVD
Uploadify | Unspecified (see CVE) | Medium | <=1.0 | CVE-2011-10041 | No patch | NVD
Awesome Support - WordPress HelpDesk & Support | Authorization bypass | Medium | <=6.3.6 | not listed | No patch | NVD
All in One SEO – Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic | Unauthorized access of data | Medium | <=4.9.2 | not listed | No patch | NVD
Booking Calendar | Missing Authorization leading to Sensitive Information Exposure | Medium | <=10.14.11 | not listed | No patch | NVD
Shield: Blocks Bots, Protects Users, and Prevents Security Breaches | Insecure Direct Object Reference | Medium | <=21.0.9 | not listed | No patch | NVD
Fancy Product Designer | Full Path Disclosure | Medium | <=6.4.8 | not listed | No patch | NVD
WP Recipe Maker | Information Exposure | Medium | <=10.2.2 | not listed | No patch | NVD
MailerLite - WooCommerce integration | Unauthorized data modification and deletion | Medium | <=3.1.3 | not listed | No patch | NVD
DK PDF – WordPress PDF Generator | Server-Side Request Forgery | Medium | <=2.3.0 | not listed | No patch | NVD
LEAV Last Email Address Validator | Cross-Site Request Forgery | Medium | all | not listed | No patch | NVD
Related Posts by Taxonomy | Stored Cross-Site Scripting | Medium | <=2.7.6 | not listed | No patch | NVD
Rede Itaú for WooCommerce | Order status manipulation | Medium | <=5.1.2 | not listed | No patch | NVD
Rede Itaú for WooCommerce — Payment PIX, Credit Card and Debit | Unauthorized modification of data | Medium | <=5.1.2 | not listed | No patch | NVD
RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging | Reflected Cross-Site Scripting | Medium | <=5.0.10 | not listed | No patch | NVD
GetGenie | Authorization bypass | Medium | <=4.3.0 | not listed | No patch | NVD
Cost Calculator Builder | Unauthenticated Payment Status Bypass | Medium | <=3.6.9 | not listed | No patch | NVD
User Submitted Posts – Enable Users to Submit Posts from the Front End | Stored Cross-Site Scripting | Medium | <=20260110 | not listed | No patch | NVD
Essential Addons for Elementor | Sensitive Information Exposure | Medium | <=6.5.5 | not listed | No patch | NVD
Poll, Survey & Quiz Maker Plugin by Opinion Stage | Unspecified (see CVE) | Medium | <=19.6.25 | CVE-2019-25297 | No patch | NVD
Feeds for YouTube Pro | Arbitrary file read | Medium | <=2.6.0 | not listed | No patch | NVD
Quick Contact Form | Open Mail Relay | Medium | <=8.2.6 | not listed | No patch | NVD
WP Hotel Booking | Sensitive Information Exposure | Medium | <=2.2.7 | not listed | No patch | NVD
Wallet System for WooCommerce | Unauthorized modification of data | Medium | <=2.7.2 | not listed | No patch | NVD
Filr – Secure document library | Stored Cross-Site Scripting | Medium | <=1.2.11 | not listed | No patch | NVD
Gutenberg Thim Blocks – Page Builder, Gutenberg Blocks for the Block Editor | Arbitrary file reads | Medium | <=1.0.1 | not listed | No patch | NVD
Payment Button for PayPal | Unauthorized order creation | Medium | <=1.2.3.41 | not listed | No patch | NVD
RepairBuddy – Repair Shop CRM & Booking | Insecure Direct Object Reference | Medium | <=4.1116 | not listed | No patch | NVD
Phrase TMS Integration for WordPress | Unauthorized modification of data | Medium | <=4.7.5 | not listed | No patch | NVD
User Registration Using Contact Form 7 | Unauthorized access of data | Medium | <=2.5 | not listed | No patch | NVD
Community Events | Unauthorized modification of data | Medium | <=1.5.6 | not listed | No patch | NVD
Advanced Ads – Ad Manager & AdSense | SQL Injection | Medium | <=2.0.15 | not listed | No patch | NVD
CM E-Mail Blacklist – Simple email filtering for safer registration | Stored Cross-Site Scripting | Medium | <=1.6.2 | not listed | No patch | NVD
Spin Wheel | Client-side prize manipulation | Medium | <=2.1.0 | not listed | No patch | NVD
Team Section Block | Stored Cross-Site Scripting | Medium | <=2.0.0 | not listed | No patch | NVD
CubeWP – All-in-One Dynamic Content Framework | Information Exposure | Medium | <=1.1.27 | not listed | No patch | NVD
PAYGENT for WooCommerce | Missing Authorization | Medium | <=2.4.6 | not listed | No patch | NVD
CubeWP | Stored Cross-Site Scripting | Medium | <=1.1.26 | not listed | No patch | NVD
Integrate Dynamics 365 CRM | Stored Cross-Site Scripting | Medium | <=1.1.1 | not listed | No patch | NVD
Image Photo Gallery Final Tiles Grid | Unauthorized access and modification of data | Medium | <=3.6.9 | not listed | No patch | NVD
PeachPay — Payments & Express Checkout for WooCommerce (supports Stripe, PayPal, Square, Authorize.net) | Unauthorized modification of data | Medium | <=1.119.8 | not listed | No patch | NVD
Newsletter – Send awesome emails from WordPress | Cross-Site Request Forgery | Medium | <=9.1.0 | not listed | No patch | NVD
Custom Fonts – Host Your Fonts Locally | Unauthorized loss of data | Medium | <=2.1.16 | not listed | No patch | NVD
LearnPress – WordPress LMS | Sensitive Information Exposure | Medium | <=4.3.2.4 | not listed | No patch | NVD
weMail - Email Marketing, Lead Generation, Optin Forms, Email Newsletters, A/B Testing, and Automation | Authorization bypass | Medium | <=2.0.7 | not listed | No patch | NVD
Bookingor | Unspecified (see CVE) | Medium | <=1.0.12 | CVE-2025-12573 | No patch | NVD
WP Hello Bar | Stored Cross-Site Scripting | Medium | <=1.02 | not listed | No patch | NVD
Viet contact | Stored Cross-Site Scripting | Medium | <=1.3.2 | not listed | No patch | NVD
The Events Calendar | Unauthorized access | Medium | <=6.15.13 | not listed | No patch | NVD
Tutor LMS – eLearning and online course solution | Unauthorized attachment deletion | Medium | <=3.9.4 | not listed | No patch | NVD
NotificationX | Unauthorized modification of data | Medium | <=3.1.11 | not listed | No patch | NVD
Head Meta Data | Stored Cross-Site Scripting | Medium | <=20251118 | not listed | No patch | NVD
FlatPM – Ad Manager, AdSense and Custom Code | Stored Cross-Site Scripting | Medium | <=3.2.2 | not listed | No patch | NVD
Drag and Drop Multiple File Upload for Contact Form 7 | Unauthorized modification of data | Low | <=1.3.9.2 | not listed | No patch | NVD
Church Admin | Server-Side Request Forgery | Low | <=5.0.28 | not listed | No patch | NVD

WordPress Theme Vulnerabilities (1)

Kalium 3 | Creative WordPress & WooCommerce Theme: Unauthorized email sending. Severity: Medium. Affected versions: <=3.29. CVE: not listed. Patch status: No patch. Source: NVD.

WordPress Core Vulnerabilities (0)

No vulnerabilities reported in this category this week.

Recommendations

1. Update immediately: install the latest versions of all plugins, themes, and WordPress core.
2. Enable auto-updates: turn on automatic updates for minor WordPress releases and plugins where possible.
3. Remove unused plugins: deactivate and delete any plugins or themes you no longer use.
4. Run a security scan: use our free WordPress security scanner to check your site for known vulnerabilities.
5. Monitor regularly: set up uptime monitoring and periodic security scans to catch issues early.

Methodology

This report is compiled automatically from multiple trusted sources:

NIST National Vulnerability Database (NVD): CVE records with CVSS severity scores
Wordfence Intelligence: WordPress-specific vulnerability data with patch information
Our Scanning Database: vulnerabilities detected through active WordPress security scans
