Vulnerability Report

WordPress Vulnerability Report: January 8 – January 15, 2026

109 WordPress vulnerabilities were disclosed between January 8 and January 15, 2026: 7 critical and 14 high severity. 0 patched, 109 unpatched.

WPSentry | March 8, 2026 | 22 min read

During the reporting period (January 8 – January 15, 2026), 109 WordPress security vulnerabilities were disclosed across plugins, themes, and core. This report aggregates data from the NIST National Vulnerability Database, Wordfence Intelligence, and our own scanning database.

Summary

Total: 109
Critical: 7
High: 14
Medium: 88
Low: 0
Patched: 0

WordPress Plugin Vulnerabilities (107)

WP Cost Estimation

critical
Vulnerability
WP Cost Estimation — Arbitrary file uploads and deletion
Severity
critical Critical risk
Affected Versions
<=9.642
CVE Reference
Patch Status
No patch
Source
NVD

Frontend Admin by DynamiApps

critical
Vulnerability
Frontend Admin by DynamiApps — Privilege Escalation
Severity
critical Critical risk
Affected Versions
<=3.28.25
CVE Reference
Patch Status
No patch
Source
NVD

Frontend Admin by DynamiApps

critical
Vulnerability
Frontend Admin by DynamiApps — Missing authorization to unauthorized data modification and deletion
Severity
critical Critical risk
Affected Versions
<=3.28.25
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

E-xact | Hosted Payment |

critical
Vulnerability
E-xact | Hosted Payment | — Arbitrary file deletion
Severity
critical Critical risk
Affected Versions
<=2.0
CVE Reference
Patch Status
No patch
Source
NVD

Integration Opvius AI for WooCommerce

critical
Vulnerability
Integration Opvius AI for WooCommerce — Path Traversal
Severity
critical Critical risk
Affected Versions
<=1.3.0
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

News and Blog Designer Bundle

critical
Vulnerability
News and Blog Designer Bundle — Local File Inclusion
Severity
critical Critical risk
Affected Versions
<=1.1
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

WP-BusinessDirectory

high
Vulnerability
WP-BusinessDirectory — Reflected XSS
Severity
high High risk
Affected Versions
<=3.1.5
CVE Reference
Patch Status
No patch
Source
NVD

Brevo for WooCommerce

high
Vulnerability
Brevo for WooCommerce — Stored Cross-Site Scripting
Severity
high High risk
Affected Versions
<=4.0.49
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

SlimStat Analytics

high
Vulnerability
SlimStat Analytics — Stored Cross-Site Scripting
Severity
high High risk
Affected Versions
<=5.3.4
CVE Reference
Patch Status
No patch
Source
NVD

SlimStat Analytics

high
Vulnerability
SlimStat Analytics — Stored Cross-Site Scripting
Severity
high High risk
Affected Versions
<=5.3.3
CVE Reference
Patch Status
No patch
Source
NVD

Eventin – Event Manager, Events Calendar, Event Tickets and Registrations

high
Vulnerability
Eventin – Event Manager, Events Calendar, Event Tickets and Registrations — Unauthorized modification of data
Severity
high High risk
Affected Versions
<=4.0.51
CVE Reference
Patch Status
No patch
Source
NVD

Frontend Admin by DynamiApps

high
Vulnerability
Frontend Admin by DynamiApps — Stored Cross-Site Scripting
Severity
high High risk
Affected Versions
<=3.28.23
CVE Reference
Patch Status
No patch
Source
NVD

WooCommerce Square

high
Vulnerability
WooCommerce Square — Insecure Direct Object Reference
Severity
high High risk
Affected Versions
<=5.1.1
CVE Reference
Patch Status
No patch
Source
NVD

GetContentFromURL

high
Vulnerability
GetContentFromURL — Server-Side Request Forgery
Severity
high High risk
Affected Versions
<=1.0
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

DASHBOARD BUILDER – WordPress plugin for Charts and Graphs

high
Vulnerability
DASHBOARD BUILDER – WordPress plugin for Charts and Graphs — Cross-Site Request Forgery
Severity
high High risk
Affected Versions
<=1.5.7
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

GeekyBot — Generate AI Content Without Prompt, Chatbot and Lead Generation

high
Vulnerability
GeekyBot — Generate AI Content Without Prompt, Chatbot and Lead Generation — Stored Cross-Site Scripting
Severity
high High risk
Affected Versions
<=1.1.7
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Name Directory

high
Vulnerability
Name Directory — Stored Cross-Site Scripting
Severity
high High risk
Affected Versions
<=1.30.3
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

AJS Footnotes

high
Vulnerability
AJS Footnotes — Stored Cross-Site Scripting
Severity
high High risk
Affected Versions
<=1.0
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Shipping Rate By Cities

high
Vulnerability
Shipping Rate By Cities — SQL Injection
Severity
high High risk
Affected Versions
<=2.0.0
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin

high
Vulnerability
Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin — Blind SQL Injection
Severity
high High risk
Affected Versions
<=1.6.9.9
CVE Reference
Patch Status
No patch
Source
NVD

WP Cost Estimation

medium
Vulnerability
WP Cost Estimation — Upload Directory Traversal
Severity
medium Medium risk
Affected Versions
<=9.660
CVE Reference
Patch Status
No patch
Source
NVD

Folders – Unlimited Folders to Organize Media Library Folder, Pages, Posts, File Manager

medium
Vulnerability
Folders – Unlimited Folders to Organize Media Library Folder, Pages, Posts, File Manager — Unauthorized Arbitrary Media Replacement
Severity
medium Medium risk
Affected Versions
<=3.1.5
CVE Reference
Patch Status
No patch
Source
NVD

Jeg Elementor Kit

medium
Vulnerability
Jeg Elementor Kit — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=3.0.1
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Tutor LMS – eLearning and online course solution

medium
Vulnerability
Tutor LMS – eLearning and online course solution — Unauthorized access of data
Severity
medium Medium risk
Affected Versions
<=3.9.3
CVE Reference
Patch Status
No patch
Source
NVD

Gutenverse Form

medium
Vulnerability
Gutenverse Form — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=2.3.2
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Famous - Responsive Image And Video Grid Gallery WordPress Plugin

medium
Vulnerability
Famous - Responsive Image And Video Grid Gallery WordPress Plugin — Reflected XSS
Severity
medium Medium risk
Affected Versions
<=1.4
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Campaign Monitor

medium
Vulnerability
Campaign Monitor — Exploiting Incorrectly Configured Access Control Security Levels
Severity
medium Medium risk
Affected Versions
<=2.9.0
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Bulk Landing Page Creator for WordPress LPagery

medium
Vulnerability
Bulk Landing Page Creator for WordPress LPagery — Exploiting Incorrectly Configured Access Control Security Levels
Severity
medium Medium risk
Affected Versions
<=2.4.9
CVE Reference
Patch Status
No patch
Source
NVD

GA4WP: Google Analytics

medium
Vulnerability
GA4WP: Google Analytics — Exploiting Incorrectly Configured Access Control Security Levels
Severity
medium Medium risk
Affected Versions
<=2.10.0
CVE Reference
Patch Status
No patch
Source
NVD

Japanized for WooCommerce

medium
Vulnerability
Japanized for WooCommerce — Unauthorized modification of data
Severity
medium Medium risk
Affected Versions
<=2.7.17
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Clearfy Cache – WordPress optimization plugin, Minify HTML, CSS & JS, Defer

medium
Vulnerability
Clearfy Cache – WordPress optimization plugin, Minify HTML, CSS & JS, Defer — Cross-Site Request Forgery
Severity
medium Medium risk
Affected Versions
<=2.4.0
CVE Reference
Patch Status
No patch
Source
NVD

NEX-Forms

medium
Vulnerability
NEX-Forms — Sanitise and escape some of its settings
Severity
medium Medium risk
Affected Versions
<=9.1.8
CVE Reference
Patch Status
No patch
Source
NVD

weDocs

medium
Vulnerability
weDocs — Sensitive Information Exposure
Severity
medium Medium risk
Affected Versions
<=2.1.15
CVE Reference
Patch Status
No patch
Source
NVD

Schedule Post Changes With PublishPress Future

medium
Vulnerability
Schedule Post Changes With PublishPress Future — Authorization bypass
Severity
medium Medium risk
Affected Versions
<=4.9.3
CVE Reference
Patch Status
No patch
Source
NVD

Booking for Appointments and Events Calendar – Amelia

medium
Vulnerability
Booking for Appointments and Events Calendar – Amelia — Unauthorized access
Severity
medium Medium risk
Affected Versions
<=1.2.38
CVE Reference
Patch Status
No patch
Source
NVD

Forminator Forms – Contact Form, Payment Form & Custom Form Builder

medium
Vulnerability
Forminator Forms – Contact Form, Payment Form & Custom Form Builder — Authorization bypass
Severity
medium Medium risk
Affected Versions
<=1.49.1
CVE Reference
Patch Status
No patch
Source
NVD

IndieWeb

medium
Vulnerability
IndieWeb — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=4.0.5
CVE Reference
Patch Status
No patch
Source
NVD

BetterDocs

medium
Vulnerability
BetterDocs — Sensitive Information Exposure
Severity
medium Medium risk
Affected Versions
<=4.3.3
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

BIALTY - Bulk Image Alt Text (Alt tag, Alt Attribute) with Yoast SEO + WooCommerce

medium
Vulnerability
BIALTY - Bulk Image Alt Text (Alt tag, Alt Attribute) with Yoast SEO + WooCommerce — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=2.2.1
CVE Reference
Patch Status
No patch
Source
NVD

WP Google Street View (with 360° virtual tour) & Google maps + Local SEO

medium
Vulnerability
WP Google Street View (with 360° virtual tour) & Google maps + Local SEO — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=1.1.8
CVE Reference
Patch Status
No patch
Source
NVD

Tutor LMS – eLearning and online course solution

medium
Vulnerability
Tutor LMS – eLearning and online course solution — Unauthorized modification and deletion of data
Severity
medium Medium risk
Affected Versions
<=3.9.3
CVE Reference
Patch Status
No patch
Source
NVD

WP Table Builder – Drag & Drop Table Builder

medium
Vulnerability
WP Table Builder – Drag & Drop Table Builder — Unauthorized modification of data
Severity
medium Medium risk
Affected Versions
<=2.0.19
CVE Reference
Patch Status
No patch
Source
NVD

Tutor LMS – eLearning and online course solution

medium
Vulnerability
Tutor LMS – eLearning and online course solution — Unauthorized course enrollment
Severity
medium Medium risk
Affected Versions
<=3.9.3
CVE Reference
Patch Status
No patch
Source
NVD

Tutor LMS – eLearning and online course solution

medium
Vulnerability
Tutor LMS – eLearning and online course solution — Unauthorized course completion
Severity
medium Medium risk
Affected Versions
<=3.9.2
CVE Reference
Patch Status
No patch
Source
NVD

Booking Calendar

medium
Vulnerability
Booking Calendar — Sensitive Information Exposure
Severity
medium Medium risk
Affected Versions
<=10.14.10
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

AMP for WP

medium
Vulnerability
AMP for WP — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=1.1.10
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Entry Views

medium
Vulnerability
Entry Views — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=1.0.0
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Nearby Now Reviews

medium
Vulnerability
Nearby Now Reviews — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=5.2
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Top Position Google Finance

medium
Vulnerability
Top Position Google Finance — Reflected Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=0.1.0
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

WP Popup Magic

medium
Vulnerability
WP Popup Magic — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=1.0.0
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Header and Footer Scripts

medium
Vulnerability
Header and Footer Scripts — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=2.2.2
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Shabat Keeper

medium
Vulnerability
Shabat Keeper — Reflected Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=0.4.4
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Autogen Headers Menu

medium
Vulnerability
Autogen Headers Menu — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=1.0.1
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Contact Form vCard Generator

medium
Vulnerability
Contact Form vCard Generator — Unauthorized access of data
Severity
medium Medium risk
Affected Versions
<=2.4
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Debt.com Business in a Box

medium
Vulnerability
Debt.com Business in a Box — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=4.1.0
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Curved Text

medium
Vulnerability
Curved Text — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=0.1
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Menu Card

medium
Vulnerability
Menu Card — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=0.8.0
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

MG AdvancedOptions

medium
Vulnerability
MG AdvancedOptions — Reflected Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=1.2
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Lesson Plan Book

medium
Vulnerability
Lesson Plan Book — Reflected Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=1.3
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Client Testimonial Slider

medium
Vulnerability
Client Testimonial Slider — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=2.0
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

PullQuote

medium
Vulnerability
PullQuote — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=1.0
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

The Tooltip

medium
Vulnerability
The Tooltip — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=1.0.2
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Woodpecker for WordPress

medium
Vulnerability
Woodpecker for WordPress — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=3.0.4
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

WP Page Permalink Extension

medium
Vulnerability
WP Page Permalink Extension — Missing Authorization
Severity
medium Medium risk
Affected Versions
<=1.5.4
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

AccessAlly

medium
Vulnerability
AccessAlly — CVE-2020-36875
Severity
medium Medium risk
Affected Versions
<=3.3.2
CVE Reference
Patch Status
No patch
Source
NVD

Blog2Social: Social Media Auto Post & Scheduler

medium
Vulnerability
Blog2Social: Social Media Auto Post & Scheduler — Sensitive Information Exposure
Severity
medium Medium risk
Affected Versions
<=8.7.2
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

miniOrange OTP Verification and SMS Notification for WooCommerce

medium
Vulnerability
miniOrange OTP Verification and SMS Notification for WooCommerce — Unauthorized modification of data
Severity
medium Medium risk
Affected Versions
<=4.3.8
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

User Registration & Membership – Custom Registration Form Builder, Custom Login Form, User Profile, Content Restriction & Membership Plugin

medium
Vulnerability
User Registration & Membership – Custom Registration Form Builder, Custom Login Form, User Profile, Content Restriction & Membership Plugin — Cross-Site Request Forgery
Severity
medium Medium risk
Affected Versions
<=4.4.8
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Templately

medium
Vulnerability
Templately — Arbitrary File Write
Severity
medium Medium risk
Affected Versions
<=3.4.8
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

ConvertForce Popup Builder

medium
Vulnerability
ConvertForce Popup Builder — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=0.0.7
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Countdown Timer – Widget Countdown

medium
Vulnerability
Countdown Timer – Widget Countdown — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=2.7.7
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Shortcodes and extra features for Phlox theme

medium
Vulnerability
Shortcodes and extra features for Phlox theme — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=2.17.13
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Featured Image from URL (FIFU)

medium
Vulnerability
Featured Image from URL (FIFU) — Server-Side Request Forgery
Severity
medium Medium risk
Affected Versions
<=5.3.1
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Quiz Maker

medium
Vulnerability
Quiz Maker — Sanitise and escape some of its settings
Severity
medium Medium risk
Affected Versions
<=6.7.0.89
CVE Reference
Patch Status
No patch
Source
NVD

WP Duplicate Page

medium
Vulnerability
WP Duplicate Page — Unauthorized modification of data
Severity
medium Medium risk
Affected Versions
<=1.8
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

EventPrime - Events Calendar, Bookings and Tickets

medium
Vulnerability
EventPrime - Events Calendar, Bookings and Tickets — Sensitive Information Exposure
Severity
medium Medium risk
Affected Versions
<=4.2.7.0
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

CP Image Store with Slideshow

medium
Vulnerability
CP Image Store with Slideshow — Authorization bypass
Severity
medium Medium risk
Affected Versions
<=1.1.9
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

SpiceForms Form Builder

medium
Vulnerability
SpiceForms Form Builder — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=1.0
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Makesweat

medium
Vulnerability
Makesweat — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=0.1
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Testimonials Creator

medium
Vulnerability
Testimonials Creator — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
all
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

WPBlogSyn

medium
Vulnerability
WPBlogSyn — Cross-Site Request Forgery
Severity
medium Medium risk
Affected Versions
<=1.0
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

PDF Resume Parser

medium
Vulnerability
PDF Resume Parser — Sensitive Information Exposure
Severity
medium Medium risk
Affected Versions
<=1.0
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Crush.pics Image Optimizer - Image Compression and Optimization

medium
Vulnerability
Crush.pics Image Optimizer - Image Compression and Optimization — Unauthorized modification of data
Severity
medium Medium risk
Affected Versions
<=1.8.7
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Internal Link Builder

medium
Vulnerability
Internal Link Builder — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=1.0
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

WP-CRM System

medium
Vulnerability
WP-CRM System — Unauthorized access
Severity
medium Medium risk
Affected Versions
<=3.4.5
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Netcash WooCommerce Payment Gateway

medium
Vulnerability
Netcash WooCommerce Payment Gateway — Unauthorized modification of data
Severity
medium Medium risk
Affected Versions
<=4.1.3
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Gotham Block Extra Light

medium
Vulnerability
Gotham Block Extra Light — Arbitrary File Read
Severity
medium Medium risk
Affected Versions
<=1.5.0
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Gotham Block Extra Light

medium
Vulnerability
Gotham Block Extra Light — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=1.5.0
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Sosh Share Buttons

medium
Vulnerability
Sosh Share Buttons — Cross-Site Request Forgery
Severity
medium Medium risk
Affected Versions
<=1.1.0
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Kunze Law

medium
Vulnerability
Kunze Law — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=2.1
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

List Site Contributors

medium
Vulnerability
List Site Contributors — Reflected Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=1.1.8
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Responsive Accordion Slider

medium
Vulnerability
Responsive Accordion Slider — Unauthorized modification of data
Severity
medium Medium risk
Affected Versions
<=1.2.2
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Flat Shipping Rate by City for WooCommerce

medium
Vulnerability
Flat Shipping Rate by City for WooCommerce — Time-based SQL Injection
Severity
medium Medium risk
Affected Versions
<=1.0.3
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Real Post Slider Lite

medium
Vulnerability
Real Post Slider Lite — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=2.4
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

SearchWiz

medium
Vulnerability
SearchWiz — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=1.0.0
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

LottieFiles – Lottie block for Gutenberg

medium
Vulnerability
LottieFiles – Lottie block for Gutenberg — Sensitive Information Exposure
Severity
medium Medium risk
Affected Versions
<=3.0.0
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Perfit WooCommerce

medium
Vulnerability
Perfit WooCommerce — Missing Authorization
Severity
medium Medium risk
Affected Versions
<=1.0.1
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

SocialChamp with WordPress

medium
Vulnerability
SocialChamp with WordPress — Cross-Site Request Forgery
Severity
medium Medium risk
Affected Versions
<=1.3.3
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Stopwords for comments

medium
Vulnerability
Stopwords for comments — Cross-Site Request Forgery
Severity
medium Medium risk
Affected Versions
<=1.1
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

PayHere Payment Gateway Plugin for WooCommerce

medium
Vulnerability
PayHere Payment Gateway Plugin for WooCommerce — Unauthorized modification of data
Severity
medium Medium risk
Affected Versions
<=2.3.9
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Aplazo Payment Gateway

medium
Vulnerability
Aplazo Payment Gateway — Unauthorized modification of data
Severity
medium Medium risk
Affected Versions
<=1.4.2
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Float Payment Gateway

medium
Vulnerability
Float Payment Gateway — Unauthorized modification of data
Severity
medium Medium risk
Affected Versions
<=1.1.9
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

WP Allowed Hosts

medium
Vulnerability
WP Allowed Hosts — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=1.0.8
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

WMF Mobile Redirector

medium
Vulnerability
WMF Mobile Redirector — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=1.2
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Electric Studio Download Counter

medium
Vulnerability
Electric Studio Download Counter — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=2.4
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

LinkedIn SC

medium
Vulnerability
LinkedIn SC — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=1.1.9
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Short Link

medium
Vulnerability
Short Link — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=1.0
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

WordPress Theme Vulnerabilities (2)

Dreamer Blog

critical
Vulnerability
Dreamer Blog — Arbitrary installations
Severity
critical Critical risk
Affected Versions
<=1.2
CVE Reference
Patch Status
No patch
Source
NVD

Dreamer Blog

medium
Vulnerability
Dreamer Blog <= 1.2 - Missing Authorization
Severity
medium Medium risk
Affected Versions
<=1.2
CVE Reference
Patch Status
No patch
Source
Wordfence

WordPress Core Vulnerabilities (0)

No vulnerabilities reported in this category this week.

Recommendations

1. Update immediately: Install the latest versions of all plugins, themes, and WordPress core.
2. Enable auto-updates: Turn on automatic updates for minor WordPress releases and plugins where possible.
3. Remove unused plugins: Deactivate and delete any plugins or themes you no longer use.
4. Run a security scan: Use our free WordPress security scanner to check your site for known vulnerabilities.
5. Monitor regularly: Set up uptime monitoring and periodic security scans to catch issues early.

Methodology

This report is compiled automatically from multiple trusted sources:

NIST National Vulnerability Database (NVD): CVE records with CVSS severity scores
Wordfence Intelligence: WordPress-specific vulnerability data with patch information
Our Scanning Database: Vulnerabilities detected through active WordPress security scans
