Vulnerability Report

WordPress Vulnerability Report: January 29 – February 5, 2026

43 WordPress vulnerabilities were disclosed between January 29 and February 5, 2026: 1 critical, 13 high severity. 1 patched, 42 unpatched.

WPSentry | March 8, 2026 | 11 min read

During the reporting period (January 29 – February 5, 2026), 43 WordPress security vulnerabilities were disclosed across plugins, themes, and core. This report aggregates data from the NIST National Vulnerability Database, Wordfence Intelligence, and our own scanning database.

Summary

Total: 43
Critical: 1
High: 13
Medium: 29
Low: 0
Patched: 1
WordPress Plugin Vulnerabilities (43)

User Profile Builder

Vulnerability: User Profile Builder — Have a proper password reset process
Severity: Critical
Affected Versions: <=3.15.2
CVE Reference:
Patch Status: No patch
Source: NVD

CMSMasters Content Composer

Vulnerability: CMSMasters Content Composer <= 1.4.5 - Authenticated (Contributor+) Local File Inclusion
Severity: High
Affected Versions: <=1.4.5
CVE Reference:
Patch Status: 1.4.6
Source: Wordfence

Custom Login Page Customizer

Vulnerability: Custom Login Page Customizer — Have a proper password reset process
Severity: High
Affected Versions: <=2.5.4
CVE Reference:
Patch Status: No patch
Source: NVD

Sell BTC - Cryptocurrency Selling Calculator

Vulnerability: Sell BTC - Cryptocurrency Selling Calculator — Stored Cross-Site Scripting
Severity: High
Affected Versions: <=1.5
CVE Reference:
Patch Status: No patch
Source: NVD

Library Viewer

Vulnerability: Library Viewer — Sanitise and escape some parameters before outputting them back in the page
Severity: High
Affected Versions: <=3.2.0
CVE Reference:
Patch Status: No patch
Source: NVD

LatePoint – Calendar Booking Plugin for Appointments and Events

Vulnerability: LatePoint – Calendar Booking Plugin for Appointments and Events — Stored Cross-Site Scripting
Severity: High
Affected Versions: <=5.2.5
CVE Reference:
Patch Status: No patch
Source: NVD

Form Maker

Vulnerability: Form Maker — Stored Cross-Site Scripting
Severity: High
Affected Versions: <=1.15.35
CVE Reference:
Patch Status: No patch
Source: NVD

Form Maker by 10Web

Vulnerability: Form Maker by 10Web — Stored Cross-Site Scripting
Severity: High
Affected Versions: <=1.15.35
CVE Reference:
Patch Status: No patch
Source: NVD

Tutor LMS – eLearning and online course solution

Vulnerability: Tutor LMS – eLearning and online course solution — Insecure Direct Object References (IDOR)
Severity: High
Affected Versions: <=3.9.5
CVE Reference:
Patch Status: No patch
Source: NVD

OS DataHub Maps

Vulnerability: OS DataHub Maps — Arbitrary file uploads
Severity: High
Affected Versions: <=1.8.3
CVE Reference:
Patch Status: No patch
Source: NVD

WP FOFT Loader

Vulnerability: WP FOFT Loader — Arbitrary file uploads
Severity: High
Affected Versions: <=2.1.39
CVE Reference:
Patch Status: No patch
Source: NVD

Infility Global

Vulnerability: Infility Global — Unauthenticated SQL Injection
Severity: High
Affected Versions: <=2.14.46
CVE Reference:
Patch Status: No patch
Source: NVD

SEO Flow by LupsOnline

Vulnerability: SEO Flow by LupsOnline — Unauthorized modification of data
Severity: High
Affected Versions: <=2.2.1
CVE Reference:
Patch Status: No patch
Source: NVD

SportsPress

Vulnerability: SportsPress — Local File Inclusion
Severity: High
Affected Versions: <=2.7.26
CVE Reference:
Patch Status: No patch
Source: NVD

NEX-Forms – Ultimate Forms

Vulnerability: NEX-Forms – Ultimate Forms — Unauthorized access of data
Severity: Medium
Affected Versions: <=9.1.8
CVE Reference:
Patch Status: No patch
Source: NVD

Ajax Load More – Infinite Scroll, Load More, & Lazy Load

Vulnerability: Ajax Load More – Infinite Scroll, Load More, & Lazy Load — Unauthorized access of data
Severity: Medium
Affected Versions: <=7.8.1
CVE Reference:
Patch Status: No patch
Source: NVD

Booking Calendar

Vulnerability: Booking Calendar — Unauthorized access of data
Severity: Medium
Affected Versions: <=10.14.13
CVE Reference:
Patch Status: No patch
Source: NVD

SupportCandy – Helpdesk & Customer Support Ticket System

Vulnerability: SupportCandy – Helpdesk & Customer Support Ticket System — SQL Injection
Severity: Medium
Affected Versions: <=3.4.4
CVE Reference:
Patch Status: No patch
Source: NVD

SupportCandy – Helpdesk & Customer Support Ticket System

Vulnerability: SupportCandy – Helpdesk & Customer Support Ticket System — Insecure Direct Object Reference
Severity: Medium
Affected Versions: <=3.4.4
CVE Reference:
Patch Status: No patch
Source: NVD

Popup Box

Vulnerability: Popup Box — Cross-Site Request Forgery
Severity: Medium
Affected Versions: <=6.1.1
CVE Reference:
Patch Status: No patch
Source: NVD

Stripe Green Downloads

Vulnerability: Stripe Green Downloads — CVE-2022-50797
Severity: Medium
Affected Versions: all
CVE Reference:
Patch Status: No patch
Source: NVD

Five Star Restaurant Reservations

Vulnerability: Five Star Restaurant Reservations — Have CSRF checks in some bulk actions
Severity: Medium
Affected Versions: <=2.7.9
CVE Reference:
Patch Status: No patch
Source: NVD

WP ULike

Vulnerability: WP ULike — Insecure Direct Object Reference
Severity: Medium
Affected Versions: <=4.8.3.1
CVE Reference:
Patch Status: No patch
Source: NVD

Unlimited Elements for Elementor

Vulnerability: Unlimited Elements for Elementor — Stored Cross-Site Scripting
Severity: Medium
Affected Versions: <=2.0.1
CVE Reference:
Patch Status: No patch
Source: NVD

Spectra Gutenberg Blocks – Website Builder for the Block Editor

Vulnerability: Spectra Gutenberg Blocks – Website Builder for the Block Editor — Information Disclosure
Severity: Medium
Affected Versions: <=2.19.17
CVE Reference:
Patch Status: No patch
Source: NVD

Happy Addons for Elementor

Vulnerability: Happy Addons for Elementor — Stored Cross-Site Scripting
Severity: Medium
Affected Versions: <=3.20.7
CVE Reference:
Patch Status: No patch
Source: NVD

Mail Mint

Vulnerability: Mail Mint — Cross-Site Request Forgery
Severity: Medium
Affected Versions: <=1.19.2
CVE Reference:
Patch Status: No patch
Source: NVD

Tutor LMS – eLearning and online course solution

Vulnerability: Tutor LMS – eLearning and online course solution — Sensitive Information Exposure
Severity: Medium
Affected Versions: <=3.9.5
CVE Reference:
Patch Status: No patch
Source: NVD

Hustle

Vulnerability: Hustle — Retrieve Embedded Sensitive Data
Severity: Medium
Affected Versions: <=7.8.9.2
CVE Reference:
Patch Status: No patch
Source: NVD

Menu Icons by ThemeIsle

Vulnerability: Menu Icons by ThemeIsle — Stored Cross-Site Scripting
Severity: Medium
Affected Versions: <=0.13.20
CVE Reference:
Patch Status: No patch
Source: NVD

Xendit Payment

Vulnerability: Xendit Payment — Unauthorized order status manipulation
Severity: Medium
Affected Versions: <=6.0.2
CVE Reference:
Patch Status: No patch
Source: NVD

MyRewards – Loyalty Points and Rewards for WooCommerce

Vulnerability: MyRewards – Loyalty Points and Rewards for WooCommerce — Missing authorization
Severity: Medium
Affected Versions: <=5.6.0
CVE Reference:
Patch Status: No patch
Source: NVD

Chapa Payment Gateway Plugin for WooCommerce

Vulnerability: Chapa Payment Gateway Plugin for WooCommerce — Sensitive Information Exposure
Severity: Medium
Affected Versions: <=1.0.3
CVE Reference:
Patch Status: No patch
Source: NVD

Code Explorer

Vulnerability: Code Explorer — Path Traversal
Severity: Medium
Affected Versions: <=1.4.6
CVE Reference:
Patch Status: No patch
Source: NVD

Magic Import Document Extractor

Vulnerability: Magic Import Document Extractor — Unauthorized modification of data
Severity: Medium
Affected Versions: <=1.0.4
CVE Reference:
Patch Status: No patch
Source: NVD

Magic Import Document Extractor

Vulnerability: Magic Import Document Extractor — Sensitive Information Exposure
Severity: Medium
Affected Versions: <=1.0.4
CVE Reference:
Patch Status: No patch
Source: NVD

WebPurify Profanity Filter

Vulnerability: WebPurify Profanity Filter — Unauthorized modification of data
Severity: Medium
Affected Versions: <=4.0.2
CVE Reference:
Patch Status: No patch
Source: NVD

Fortis for WooCommerce

Vulnerability: Fortis for WooCommerce — Authorization bypass
Severity: Medium
Affected Versions: <=1.2.0
CVE Reference:
Patch Status: No patch
Source: NVD

Extended Random Number Generator

Vulnerability: Extended Random Number Generator — Stored Cross-Site Scripting
Severity: Medium
Affected Versions: <=1.1
CVE Reference:
Patch Status: No patch
Source: NVD

Smart Appointment & Booking

Vulnerability: Smart Appointment & Booking — Stored Cross-Site Scripting
Severity: Medium
Affected Versions: <=1.0.7
CVE Reference:
Patch Status: No patch
Source: NVD

WP Content Permission

Vulnerability: WP Content Permission — Stored Cross-Site Scripting
Severity: Medium
Affected Versions: <=1.2
CVE Reference:
Patch Status: No patch
Source: NVD

All push notification for WP

Vulnerability: All push notification for WP — Time-based SQL Injection
Severity: Medium
Affected Versions: <=1.5.3
CVE Reference:
Patch Status: No patch
Source: NVD

SIBS woocommerce payment gateway

Vulnerability: SIBS woocommerce payment gateway — Time-based SQL Injection
Severity: Medium
Affected Versions: <=2.2.0
CVE Reference:
Patch Status: No patch
Source: NVD

WordPress Theme Vulnerabilities (0)

No vulnerabilities reported in this category this week.

WordPress Core Vulnerabilities (0)

No vulnerabilities reported in this category this week.

Recommendations

1. Update immediately: Install the latest versions of all plugins, themes, and WordPress core.
2. Enable auto-updates: Turn on automatic updates for minor WordPress releases and plugins where possible.
3. Remove unused plugins: Deactivate and delete any plugins or themes you no longer use.
4. Run a security scan: Use our free WordPress security scanner to check your site for known vulnerabilities.
5. Monitor regularly: Set up uptime monitoring and periodic security scans to catch issues early.

Methodology

This report is compiled automatically from multiple trusted sources:

NIST National Vulnerability Database (NVD): CVE records with CVSS severity scores
Wordfence Intelligence: WordPress-specific vulnerability data with patch information
Our Scanning Database: Vulnerabilities detected through active WordPress security scans
