Vulnerability Report

WordPress Vulnerability Report: January 22 – January 29, 2026

106 WordPress vulnerabilities were disclosed between January 22 and January 29, 2026: 3 critical and 17 high severity. 1 is patched and 105 remain unpatched.

WPSentry | March 8, 2026 | 23 min read

During the reporting period (January 22 – January 29, 2026), 106 WordPress security vulnerabilities were disclosed across plugins, themes, and core. This report aggregates data from the NIST National Vulnerability Database, Wordfence Intelligence, and our own scanning database.

Summary

Total: 106
Critical: 3
High: 17
Medium: 85
Low: 1
Patched: 1

WordPress Plugin Vulnerabilities (104)

LA-Studio Element Kit for Elementor

critical
Vulnerability
LA-Studio Element Kit for Elementor — Administrative User Creation
Severity
critical Critical risk
Affected Versions
<=1.5.6.3
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Kalrav AI Agent

critical
Vulnerability
Kalrav AI Agent — Arbitrary file uploads
Severity
critical Critical risk
Affected Versions
<=2.3.3
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Snow Monkey Forms

critical
Vulnerability
Snow Monkey Forms — Arbitrary file deletion
Severity
critical Critical risk
Affected Versions
<=12.0.3
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

amr cron manager

high
Vulnerability
amr cron manager <= 2.3 - Unauthenticated Stored Cross-Site Scripting
Severity
high High risk
Affected Versions
<=2.3
CVE Reference
Patch Status
No patch
Source
Wordfence
Plugin Page

TelSender – Сontact form 7, Events, Wpforms, ninja forms and woocommerce to telegram bot

high
Vulnerability
TelSender <= 1.14.14 - Unauthenticated Stored Cross-Site Scripting via Telegram Chat Title
Severity
high High risk
Affected Versions
<=1.14.14
CVE Reference
N/A
Patch Status
1.14.15
Source
Wordfence
Plugin Page

The BuddyPress

high
Vulnerability
The BuddyPress — Arbitrary shortcode execution
Severity
high High risk
Affected Versions
<=14.3.3
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Melapress Role Editor

high
Vulnerability
Melapress Role Editor — Privilege Escalation
Severity
high High risk
Affected Versions
<=1.1.1
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Frontis Blocks

high
Vulnerability
Frontis Blocks — Server-Side Request Forgery
Severity
high High risk
Affected Versions
<=1.1.6
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Administrative Shortcodes

high
Vulnerability
Administrative Shortcodes — Local File Inclusion
Severity
high High risk
Affected Versions
<=0.3.4
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

User Submitted Posts – Enable Users to Submit Posts from the Front End

high
Vulnerability
User Submitted Posts – Enable Users to Submit Posts from the Front End — Stored Cross-Site Scripting
Severity
high High risk
Affected Versions
<=20251210
CVE Reference
Patch Status
No patch
Source
NVD

Hustle – Email Marketing, Lead Generation, Optins, Popups

high
Vulnerability
Hustle – Email Marketing, Lead Generation, Optins, Popups — Arbitrary file uploads
Severity
high High risk
Affected Versions
<=7.8.9.2
CVE Reference
Patch Status
No patch
Source
NVD

AhaChat Messenger Marketing

high
Vulnerability
AhaChat Messenger Marketing — Sanitise and escape a parameter before outputting it back in the page
Severity
high High risk
Affected Versions
<=1.1
CVE Reference
Patch Status
No patch
Source
NVD

TableMaster for Elementor

high
Vulnerability
TableMaster for Elementor — Server-Side Request Forgery
Severity
high High risk
Affected Versions
<=1.3.6
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

New User Approve

high
Vulnerability
New User Approve — Unauthorized access of data and modification of data
Severity
high High risk
Affected Versions
<=3.2.2
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

VidShop – Shoppable Videos for WooCommerce

high
Vulnerability
VidShop – Shoppable Videos for WooCommerce — Time-based SQL Injection
Severity
high High risk
Affected Versions
<=1.1.4
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

AI Engine – The Chatbot and AI Framework for WordPress

high
Vulnerability
AI Engine – The Chatbot and AI Framework for WordPress — Arbitrary file uploads
Severity
high High risk
Affected Versions
<=3.3.2
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Search Atlas SEO – Premier SEO Plugin for One-Click WP Publishing & Integrated AI Optimization

high
Vulnerability
Search Atlas SEO – Premier SEO Plugin for One-Click WP Publishing & Integrated AI Optimization — Authentication bypass
Severity
high High risk
Affected Versions
all
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Simple User Registration

high
Vulnerability
Simple User Registration — Privilege escalation
Severity
high High risk
Affected Versions
<=6.7
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Frontend File Manager

high
Vulnerability
Frontend File Manager — Unauthorized file sharing
Severity
high High risk
Affected Versions
<=23.5
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Photo Gallery by 10Web – Mobile-Friendly Image Gallery

medium
Vulnerability
Photo Gallery by 10Web – Mobile-Friendly Image Gallery — Unauthorized modification of data
Severity
medium Medium risk
Affected Versions
<=1.8.36
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Magic Responsive Slider and Carousel WordPress

medium
Vulnerability
Magic Responsive Slider and Carousel WordPress — Reflected XSS
Severity
medium Medium risk
Affected Versions
<=1.6
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

WordPress Photo Gallery

medium
Vulnerability
WordPress Photo Gallery — Reflected XSS
Severity
medium Medium risk
Affected Versions
<=1.1.0
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Electrician - Electrical Service WordPress

medium
Vulnerability
Electrician - Electrical Service WordPress — Server Side Request Forgery
Severity
medium Medium risk
Affected Versions
<=5.6
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Wordpress Movies Bulk Importer

medium
Vulnerability
Wordpress Movies Bulk Importer — Cross Site Request Forgery
Severity
medium Medium risk
Affected Versions
<=1.0
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Uncanny Automator – Easy Automation, Integration, Webhooks & Workflow Builder Plugin

medium
Vulnerability
Uncanny Automator – Easy Automation, Integration, Webhooks & Workflow Builder Plugin — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=6.10.0.2
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Schema & Structured Data for WP & AMP

medium
Vulnerability
Schema & Structured Data for WP & AMP — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=1.54
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging

medium
Vulnerability
RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=5.0.10
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

KiviCare – Clinic & Patient Management System (EHR)

medium
Vulnerability
KiviCare – Clinic & Patient Management System (EHR) — Arbitrary file uploads
Severity
medium Medium risk
Affected Versions
<=3.6.15
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

WP DSGVO Tools (GDPR)

medium
Vulnerability
WP DSGVO Tools (GDPR) — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=3.1.36
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

weDocs: AI Powered Knowledge Base, Docs, Documentation, Wiki & AI Chatbot

medium
Vulnerability
weDocs: AI Powered Knowledge Base, Docs, Documentation, Wiki & AI Chatbot — Unauthorized modification or loss of data
Severity
medium Medium risk
Affected Versions
<=2.1.16
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Related Posts Thumbnails Plugin

medium
Vulnerability
Related Posts Thumbnails Plugin — Cross Site Request Forgery
Severity
medium Medium risk
Affected Versions
<=4.3.1
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Trusona

medium
Vulnerability
Trusona — Exploiting Incorrectly Configured Access Control Security Levels
Severity
medium Medium risk
Affected Versions
<=2.0.0
CVE Reference
Patch Status
No patch
Source
NVD

All-in-One Video Gallery

medium
Vulnerability
All-in-One Video Gallery — Unauthorized modification of data
Severity
medium Medium risk
Affected Versions
<=4.6.4
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

VK Google Job Posting Manager

medium
Vulnerability
VK Google Job Posting Manager — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=1.2.20
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

JustClick registration

medium
Vulnerability
JustClick registration — Reflected Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=0.1
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Wise Analytics

medium
Vulnerability
Wise Analytics — Missing Authorization
Severity
medium Medium risk
Affected Versions
<=1.1.9
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Alchemist Ajax Upload

medium
Vulnerability
Alchemist Ajax Upload — Unauthorized media file deletion
Severity
medium Medium risk
Affected Versions
<=1.1
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Same Category Posts

medium
Vulnerability
Same Category Posts — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=1.1.19
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Wizit Gateway for WooCommerce

medium
Vulnerability
Wizit Gateway for WooCommerce — Unauthenticated Arbitrary Order Cancellation
Severity
medium Medium risk
Affected Versions
<=1.2.9
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Simple Crypto Shortcodes

medium
Vulnerability
Simple Crypto Shortcodes — Cross-Site Request Forgery
Severity
medium Medium risk
Affected Versions
<=1.0.2
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

WP Youtube Video Gallery

medium
Vulnerability
WP Youtube Video Gallery — Cross-Site Request Forgery
Severity
medium Medium risk
Affected Versions
<=1.0
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

GZSEO

medium
Vulnerability
GZSEO — Authorization bypass leading to Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=2.0.11
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Alpha Blocks

medium
Vulnerability
Alpha Blocks — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=1.5.0
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

WP-ClanWars

medium
Vulnerability
WP-ClanWars — SQL Injection
Severity
medium Medium risk
Affected Versions
<=2.0.1
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Alex User Counter

medium
Vulnerability
Alex User Counter — Cross-Site Request Forgery
Severity
medium Medium risk
Affected Versions
<=6.0
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

ZT Captcha

medium
Vulnerability
ZT Captcha — Cross-Site Request Forgery
Severity
medium Medium risk
Affected Versions
<=1.0.4
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Star Review Manager

medium
Vulnerability
Star Review Manager — Cross-Site Request Forgery
Severity
medium Medium risk
Affected Versions
<=1.2.2
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Set Bulk Post Categories

medium
Vulnerability
Set Bulk Post Categories — Cross-Site Request Forgery
Severity
medium Medium risk
Affected Versions
<=1.1
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Cookie consent for developers

medium
Vulnerability
Cookie consent for developers — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=1.7.1
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Login Page Editor

medium
Vulnerability
Login Page Editor — Cross-Site Request Forgery
Severity
medium Medium risk
Affected Versions
<=1.2
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Canto Testimonials

medium
Vulnerability
Canto Testimonials — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=1.0
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

ThemeRuby Multi Authors – Assign Multiple Writers to Posts

medium
Vulnerability
ThemeRuby Multi Authors – Assign Multiple Writers to Posts — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=1.0.0
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Administrative Shortcodes

medium
Vulnerability
Administrative Shortcodes — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=0.3.4
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

AIKTP

medium
Vulnerability
AIKTP — Unauthorized modification of data
Severity
medium Medium risk
Affected Versions
<=5.0.04
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

SurveyJS: Drag & Drop WordPress Form Builder

medium
Vulnerability
SurveyJS: Drag & Drop WordPress Form Builder — Cross-Site Request Forgery
Severity
medium Medium risk
Affected Versions
<=1.12.20
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

SurveyJS: Drag & Drop WordPress Form Builder to create, style and embed multiple forms of any complexity

medium
Vulnerability
SurveyJS: Drag & Drop WordPress Form Builder to create, style and embed multiple forms of any complexity — Cross-Site Request Forgery
Severity
medium Medium risk
Affected Versions
<=1.12.20
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

SurveyJS: Drag & Drop WordPress Form Builder to create, style and embed multiple forms of any complexity

medium
Vulnerability
SurveyJS: Drag & Drop WordPress Form Builder to create, style and embed multiple forms of any complexity — Cross-Site Request Forgery
Severity
medium Medium risk
Affected Versions
<=1.12.20
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

AdminQuickbar

medium
Vulnerability
AdminQuickbar — Cross-Site Request Forgery
Severity
medium Medium risk
Affected Versions
<=1.9.3
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Moderate Selected Posts

medium
Vulnerability
Moderate Selected Posts — Cross-Site Request Forgery
Severity
medium Medium risk
Affected Versions
<=1.4
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

All-in-One Video Gallery

medium
Vulnerability
All-in-One Video Gallery — Unauthorized modification of data
Severity
medium Medium risk
Affected Versions
all
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Meta-box GalleryMeta

medium
Vulnerability
Meta-box GalleryMeta — Unauthorized modification of data
Severity
medium Medium risk
Affected Versions
<=3.0.1
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

CM CSS Columns

medium
Vulnerability
CM CSS Columns — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=1.2.1
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Timeline Event History

medium
Vulnerability
Timeline Event History — Reflected Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=3.2
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

LeadBI

medium
Vulnerability
LeadBI — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=1.7
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

JavaScript Notifier

medium
Vulnerability
JavaScript Notifier — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=1.2.8
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Friendly Functions for Welcart

medium
Vulnerability
Friendly Functions for Welcart — Cross-Site Request Forgery
Severity
medium Medium risk
Affected Versions
<=1.2.5
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Postalicious

medium
Vulnerability
Postalicious — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=3.0.1
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Responsive Header

medium
Vulnerability
Responsive Header — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=1.0
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Meta-box GalleryMeta

medium
Vulnerability
Meta-box GalleryMeta — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=3.0.1
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

WP Directory Kit

medium
Vulnerability
WP Directory Kit — Sensitive Information Exposure
Severity
medium Medium risk
Affected Versions
<=1.4.9
CVE Reference
Patch Status
No patch
Source
NVD

Save as PDF Plugin by PDFCrowd

medium
Vulnerability
Save as PDF Plugin by PDFCrowd — Reflected Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=4.5.5
CVE Reference
Patch Status
No patch
Source
NVD

WP Go Maps (formerly WP Google Maps)

medium
Vulnerability
WP Go Maps (formerly WP Google Maps) — Unauthorized modification of data
Severity
medium Medium risk
Affected Versions
<=10.0.04
CVE Reference
Patch Status
No patch
Source
NVD

CubeWP – All-in-One Dynamic Content Framework

medium
Vulnerability
CubeWP – All-in-One Dynamic Content Framework — Information Exposure
Severity
medium Medium risk
Affected Versions
<=1.1.27
CVE Reference
Patch Status
No patch
Source
NVD

Recipe Card Blocks Lite

medium
Vulnerability
Recipe Card Blocks Lite — Sanitize and escape a parameter before using it in a SQL statement
Severity
medium Medium risk
Affected Versions
<=3.4.13
CVE Reference
Patch Status
No patch
Source
NVD

Link Invoice Payment for WooCommerce

medium
Vulnerability
Link Invoice Payment for WooCommerce — Unauthorized modification of data
Severity
medium Medium risk
Affected Versions
<=2.8.0
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

AI Engine

medium
Vulnerability
AI Engine — Server-Side Request Forgery
Severity
medium Medium risk
Affected Versions
<=3.3.2
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

User Activity Log

medium
Vulnerability
User Activity Log — Properly handle failed login attempts in some cases
Severity
medium Medium risk
Affected Versions
<=2.2
CVE Reference
Patch Status
No patch
Source
NVD

Target Video Easy Publish

medium
Vulnerability
Target Video Easy Publish — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=3.8.8
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Appointment Hour Booking – Booking Calendar

medium
Vulnerability
Appointment Hour Booking – Booking Calendar — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=1.5.60
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Easy Replace Image

medium
Vulnerability
Easy Replace Image — Missing Authorization
Severity
medium Medium risk
Affected Versions
<=3.5.2
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Interactions – Create Interactive Experiences in the Block Editor

medium
Vulnerability
Interactions – Create Interactive Experiences in the Block Editor — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=1.3.1
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Simple Folio

medium
Vulnerability
Simple Folio — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=1.1.1
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

WPBITS Addons For Elementor

medium
Vulnerability
WPBITS Addons For Elementor — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=1.8
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Database for Contact Form 7, WPforms, Elementor forms

medium
Vulnerability
Database for Contact Form 7, WPforms, Elementor forms — Authorization bypass
Severity
medium Medium risk
Affected Versions
<=1.4.5
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Forms Bridge – Infinite integrations

medium
Vulnerability
Forms Bridge – Infinite integrations — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=4.2.5
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Buy Now Plus – Buy Now buttons for Stripe

medium
Vulnerability
Buy Now Plus – Buy Now buttons for Stripe — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=1.0.2
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Simple calendar for Elementor

medium
Vulnerability
Simple calendar for Elementor — Missing Authorization
Severity
medium Medium risk
Affected Versions
<=1.6.6
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

RegistrationMagic

medium
Vulnerability
RegistrationMagic — Missing Authorization
Severity
medium Medium risk
Affected Versions
<=6.0.7.4
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Document Embedder – Embed PDFs, Word, Excel, and Other Files

medium
Vulnerability
Document Embedder – Embed PDFs, Word, Excel, and Other Files — Insecure Direct Object Reference
Severity
medium Medium risk
Affected Versions
<=2.0.4
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Ivory Search – WordPress Search Plugin

medium
Vulnerability
Ivory Search – WordPress Search Plugin — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=5.5.13
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Order Minimum/Maximum Amount Limits for WooCommerce

medium
Vulnerability
Order Minimum/Maximum Amount Limits for WooCommerce — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=4.6.8
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

SEO Links Interlinking

medium
Vulnerability
SEO Links Interlinking — Reflected Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=1.7.5
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

BlockArt Blocks – Gutenberg Blocks, Page Builder Blocks ,WordPress Block Plugin, Sections & Template Library

medium
Vulnerability
BlockArt Blocks – Gutenberg Blocks, Page Builder Blocks ,WordPress Block Plugin, Sections & Template Library — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=2.2.14
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Recooty – Job Widget (Old Dashboard)

medium
Vulnerability
Recooty – Job Widget (Old Dashboard) — Cross-Site Request Forgery
Severity
medium Medium risk
Affected Versions
<=1.0.6
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Rupantorpay

medium
Vulnerability
Rupantorpay — Unauthorized modification of data
Severity
medium Medium risk
Affected Versions
<=2.0.0
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

imwptip

medium
Vulnerability
imwptip — Cross-Site Request Forgery
Severity
medium Medium risk
Affected Versions
<=1.1
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Bitcoin Donate Button

medium
Vulnerability
Bitcoin Donate Button — Cross-Site Request Forgery
Severity
medium Medium risk
Affected Versions
<=1.0
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Vzaar Media Management

medium
Vulnerability
Vzaar Media Management — Reflected Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=1.2
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Change WP URL

medium
Vulnerability
Change WP URL — Cross-Site Request Forgery
Severity
medium Medium risk
Affected Versions
<=1.0
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

WP Google Ad Manager Plugin

medium
Vulnerability
WP Google Ad Manager Plugin — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=1.1.0
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Passster – Password Protect Pages and Content

medium
Vulnerability
Passster – Password Protect Pages and Content — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=4.2.24
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Stop Spammers Classic

medium
Vulnerability
Stop Spammers Classic — Cross-Site Request Forgery
Severity
medium Medium risk
Affected Versions
<=2026.1
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

WP Adminify

medium
Vulnerability
WP Adminify — Sensitive Information Exposure
Severity
medium Medium risk
Affected Versions
<=4.0.7.7
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

MetForm – Contact Form, Survey, Quiz, & Custom Form Builder for Elementor

low
Vulnerability
MetForm – Contact Form, Survey, Quiz, & Custom Form Builder for Elementor — Sensitive Information Exposure
Severity
low Low risk
Affected Versions
<=4.1.0
CVE Reference
Patch Status
No patch
Source
NVD

WordPress Theme Vulnerabilities (2)

Bajaar - Highly Customizable WooCommerce

high
Vulnerability
Bajaar - Highly Customizable WooCommerce — PHP Local File Inclusion
Severity
high High risk
Affected Versions
<=2.1.0
CVE Reference
Patch Status
No patch
Source
NVD

PawFriends - Pet Shop and Veterinary

medium
Vulnerability
PawFriends - Pet Shop and Veterinary — Cross Site Request Forgery
Severity
medium Medium risk
Affected Versions
<=1.3
CVE Reference
Patch Status
No patch
Source
NVD

WordPress Core Vulnerabilities (0)

No vulnerabilities reported in this category this week.

Recommendations

1. Update immediately: Install the latest versions of all plugins, themes, and WordPress core.
2. Enable auto-updates: Turn on automatic updates for minor WordPress releases and plugins where possible.
3. Remove unused plugins: Deactivate and delete any plugins or themes you no longer use.
4. Run a security scan: Use our free WordPress security scanner to check your site for known vulnerabilities.
5. Monitor regularly: Set up uptime monitoring and periodic security scans to catch issues early.

Methodology

This report is compiled automatically from multiple trusted sources:

NIST National Vulnerability Database (NVD): CVE records with CVSS severity scores
Wordfence Intelligence: WordPress-specific vulnerability data with patch information
Our Scanning Database: Vulnerabilities detected through active WordPress security scans
