Vulnerability Report

WordPress Vulnerability Report: July 1 – July 8, 2026

103 WordPress vulnerabilities disclosed between July 1 – July 8, 2026. 9 critical, 37 high severity. 0 patched, 103 unpatched.

WPSentryJuly 8, 202624 min read

During the reporting period (July 1 – July 8, 2026), 103 WordPress security vulnerabilities were disclosed across plugins, themes, and core. This report aggregates data from the NIST National Vulnerability Database, Wordfence Intelligence, and our own scanning database.

Summary

103
Total
9
Critical
37
High
55
Medium
2
Low
0
Patched
Table of Contents 108 plugins & components

WordPress Plugin Vulnerabilities (97)

Divi Form Builder

critical
Vulnerability
Divi Form Builder — Arbitrary File Upload leading to Remote Code Execution
Severity
critical Critical risk
Affected Versions
<=5.1.8
CVE Reference
Patch Status
No patch
Source
NVD

Printcart Web to Print Product Designer for WooCommerce

critical
Vulnerability
Printcart Web to Print Product Designer for WooCommerce — Arbitrary File Deletion
Severity
critical Critical risk
Affected Versions
<=2.5.2
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

FileOrganizer

critical
Vulnerability
FileOrganizer — CVE-2026-6382
Severity
critical Critical risk
Affected Versions
<=1.1.9
CVE Reference
Patch Status
No patch
Source
NVD

uncanny-automator-pro

critical
Vulnerability
uncanny-automator-pro — CVE-2026-12375
Severity
critical Critical risk
Affected Versions
<=7.3.0.6
CVE Reference
Patch Status
No patch
Source
NVD

WPFunnels – Funnel Builder for WooCommerce with Checkout & One Click Upsell

critical
Vulnerability
WPFunnels – Funnel Builder for WooCommerce with Checkout & One Click Upsell — Remote Code Execution
Severity
critical Critical risk
Affected Versions
<=3.12.7
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

DoLeads Integrator

critical
Vulnerability
DoLeads Integrator — CVE-2026-4375
Severity
critical Critical risk
Affected Versions
<=0.65
CVE Reference
Patch Status
No patch
Source
NVD

Simple Coherent Form

critical
Vulnerability
Simple Coherent Form — Arbitrary file deletion
Severity
critical Critical risk
Affected Versions
<=2.4.13
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Eventer

critical
Vulnerability
Eventer — An insecure password reset mechanism
Severity
critical Critical risk
Affected Versions
<=4.4.2
CVE Reference
Patch Status
No patch
Source
NVD

WP Learn Manager

critical
Vulnerability
WP Learn Manager — Authorization bypass
Severity
critical Critical risk
Affected Versions
<=1.1.8
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

TheGem Theme Elements

high
Vulnerability
TheGem Theme Elements <= 5.11.1 - Authenticated (Contributor+) Local File Inclusion
Severity
high High risk
Affected Versions
<=5.11.1
CVE Reference
Patch Status
No patch
Source
Wordfence
Plugin Page

Request a Quote

high
Vulnerability
Request a Quote — Code Injection
Severity
high High risk
Affected Versions
<=2.5.5
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Image Optimizer

high
Vulnerability
Image Optimizer — Arbitrary file deletion
Severity
high High risk
Affected Versions
<=1.7.4
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Perfmatters

high
Vulnerability
Perfmatters — Directory Traversal
Severity
high High risk
Affected Versions
<=2.6.4
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Ninja Forms - File Uploads

high
Vulnerability
Ninja Forms - File Uploads — Arbitrary File Read
Severity
high High risk
Affected Versions
<=3.3.29
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

WP Review Slider Pro

high
Vulnerability
WP Review Slider Pro — SQL Injection
Severity
high High risk
Affected Versions
<=12.7.2
CVE Reference
Patch Status
No patch
Source
NVD

WP Database Backup – Unlimited Database & Files Backup by Backup for WP

high
Vulnerability
WP Database Backup – Unlimited Database & Files Backup by Backup for WP — OS Command Injection
Severity
high High risk
Affected Versions
<=7.11
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

TinyPNG – JPEG, PNG & WebP image compression

high
Vulnerability
TinyPNG – JPEG, PNG & WebP image compression — Arbitrary file deletion
Severity
high High risk
Affected Versions
<=3.6.13
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

AR for WordPress

high
Vulnerability
AR for WordPress — Directory Traversal
Severity
high High risk
Affected Versions
<=8.40
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

NEX-Forms – Ultimate Forms

high
Vulnerability
NEX-Forms – Ultimate Forms — Stored Cross-Site Scripting
Severity
high High risk
Affected Versions
<=9.2.2
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

AR for WooCommerce

high
Vulnerability
AR for WooCommerce — Directory Traversal
Severity
high High risk
Affected Versions
<=8.40
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Comments – wpDiscuz

high
Vulnerability
Comments – wpDiscuz — Stored Cross-Site Scripting
Severity
high High risk
Affected Versions
<=7.6.56
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Notifications for Forms & WordPress Actions

high
Vulnerability
Notifications for Forms & WordPress Actions — Validate a user-supplied value before using it to build a server-side file inclusion path
Severity
high High risk
Affected Versions
<=2.6
CVE Reference
Patch Status
No patch
Source
NVD

AllCoach

high
Vulnerability
AllCoach — Verify that an email address submitted to a public account-registration endpoint is not already asso
Severity
high High risk
Affected Versions
<=1.0.2
CVE Reference
Patch Status
No patch
Source
NVD

Ultimate Member

high
Vulnerability
Ultimate Member — Properly sanitise and escape the value of custom textarea profile fields before outputting it on use
Severity
high High risk
Affected Versions
<=2.12.0
CVE Reference
Patch Status
No patch
Source
NVD

Simple Membership

high
Vulnerability
Simple Membership — Verify the authenticity of Stripe webhook requests when no signing secret is configured
Severity
high High risk
Affected Versions
<=4.7.5
CVE Reference
Patch Status
No patch
Source
NVD

FileOrganizer

high
Vulnerability
FileOrganizer — Validate the file type on several of its file-management operations
Severity
high High risk
Affected Versions
<=1.2.0
CVE Reference
Patch Status
No patch
Source
NVD

Admin and Site Enhancements (ASE)

high
Vulnerability
Admin and Site Enhancements (ASE) — Perform authentication
Severity
high High risk
Affected Versions
<=8.8.4
CVE Reference
Patch Status
No patch
Source
NVD

Frontend File Manager Plugin

high
Vulnerability
Frontend File Manager Plugin — Validate a file path derived from user input before deleting the referenced file
Severity
high High risk
Affected Versions
<=23.6
CVE Reference
Patch Status
No patch
Source
NVD

AMP for WP – Accelerated Mobile Pages

high
Vulnerability
AMP for WP – Accelerated Mobile Pages — Arbitrary File Write
Severity
high High risk
Affected Versions
<=1.1.12
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Widget Logic Visual

high
Vulnerability
Widget Logic Visual — Remote Code Execution
Severity
high High risk
Affected Versions
<=1.52
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Jssor Slider by jssor.com

high
Vulnerability
Jssor Slider by jssor.com — Directory Traversal
Severity
high High risk
Affected Versions
<=3.1.24
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

多说社会化评论框

high
Vulnerability
多说社会化评论框 — Privilege Escalation
Severity
high High risk
Affected Versions
<=1.2
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Backstage - Customizer Demo Access

high
Vulnerability
Backstage - Customizer Demo Access — Privilege Escalation
Severity
high High risk
Affected Versions
<=1.4.2
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

WHMCS Bridge

high
Vulnerability
WHMCS Bridge — Arbitrary file uploads
Severity
high High risk
Affected Versions
<=6.9
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

DoLogin Security

high
Vulnerability
DoLogin Security — Authentication Bypass
Severity
high High risk
Affected Versions
<=4.3
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Eventer

high
Vulnerability
Eventer — Time-based SQL Injection
Severity
high High risk
Affected Versions
<=4.4.2
CVE Reference
Patch Status
No patch
Source
NVD

Appointment Booking Calendar Plugin and Scheduling Plugin

high
Vulnerability
Appointment Booking Calendar Plugin and Scheduling Plugin — Validate data before passing it to a PHP deserialization function
Severity
high High risk
Affected Versions
<=1.1.28
CVE Reference
Patch Status
No patch
Source
NVD

WCFM Membership – WooCommerce Memberships for Multivendor Marketplace

high
Vulnerability
WCFM Membership – WooCommerce Memberships for Multivendor Marketplace — Insecure Direct Object Reference
Severity
high High risk
Affected Versions
<=2.11.10
CVE Reference
Patch Status
No patch
Source
NVD

Tainacan

high
Vulnerability
Tainacan — Time-based blind SQL Injection
Severity
high High risk
Affected Versions
<=1.0.3
CVE Reference
Patch Status
No patch
Source
NVD

VikBooking Hotel Booking Engine & PMS

high
Vulnerability
VikBooking Hotel Booking Engine & PMS — Stored Cross-Site Scripting
Severity
high High risk
Affected Versions
<=1.8.8
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

My Calendar – Accessible Event Manager

high
Vulnerability
My Calendar – Accessible Event Manager — Time-based blind SQL Injection
Severity
high High risk
Affected Versions
<=3.7.8
CVE Reference
Patch Status
No patch
Source
NVD

LatePoint – Calendar Booking Plugin for Appointments and Events

high
Vulnerability
LatePoint – Calendar Booking Plugin for Appointments and Events — Improper Input Validation
Severity
high High risk
Affected Versions
<=5.4.0
CVE Reference
Patch Status
No patch
Source
NVD

VikBooking Hotel Booking Engine & PMS

high
Vulnerability
VikBooking Hotel Booking Engine & PMS — Stored Cross-Site Scripting
Severity
high High risk
Affected Versions
<=1.8.8
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Insert Pages

medium
Vulnerability
Insert Pages — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=3.11.4
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Email Subscribers & Newsletters – Email Marketing, Post Notifications & Newsletter

medium
Vulnerability
Email Subscribers & Newsletters – Email Marketing, Post Notifications & Newsletter — Authorization bypass
Severity
medium Medium risk
Affected Versions
<=5.9.27
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Envo's Templates & Widgets for Elementor and WooCommerce

medium
Vulnerability
Envo's Templates & Widgets for Elementor and WooCommerce — Unauthorized access of data
Severity
medium Medium risk
Affected Versions
<=1.4.26
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

User Registration & Membership

medium
Vulnerability
User Registration & Membership — Enforce payment completion before activating a paid membership subscription
Severity
medium Medium risk
Affected Versions
<=5.2.0
CVE Reference
Patch Status
No patch
Source
NVD

Houzez Property Feed

medium
Vulnerability
Houzez Property Feed — SQL Injection
Severity
medium Medium risk
Affected Versions
<=2.5.46
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

GiveWP – Donation Plugin and Fundraising Platform

medium
Vulnerability
GiveWP – Donation Plugin and Fundraising Platform — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=4.16.1
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Academy LMS – WordPress LMS Plugin for Complete eLearning Solution

medium
Vulnerability
Academy LMS – WordPress LMS Plugin for Complete eLearning Solution — Insecure Direct Object Reference
Severity
medium Medium risk
Affected Versions
<=3.8.1
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Product Video Gallery for Woocommerce

medium
Vulnerability
Product Video Gallery for Woocommerce — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=1.5.1.8
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

My Calendar – Accessible Event Manager

medium
Vulnerability
My Calendar – Accessible Event Manager — Insecure Direct Object Reference
Severity
medium Medium risk
Affected Versions
<=3.7.14
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Kirki – Freeform Page Builder, Website Builder & Customizer

medium
Vulnerability
Kirki – Freeform Page Builder, Website Builder & Customizer — Sensitive Information Exposure
Severity
medium Medium risk
Affected Versions
<=6.0.11
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

JoomSport – for Sports: Team & League, Football, Hockey & more

medium
Vulnerability
JoomSport – for Sports: Team & League, Football, Hockey & more — Authorization bypass
Severity
medium Medium risk
Affected Versions
<=5.7.8
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Kirki – Freeform Page Builder, Website Builder & Customizer

medium
Vulnerability
Kirki – Freeform Page Builder, Website Builder & Customizer — Authorization bypass
Severity
medium Medium risk
Affected Versions
<=6.0.11
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

LatePoint – Calendar Booking Plugin for Appointments and Events

medium
Vulnerability
LatePoint – Calendar Booking Plugin for Appointments and Events — Insecure Direct Object Reference
Severity
medium Medium risk
Affected Versions
<=5.6.2
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator

medium
Vulnerability
RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=5.2.1
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

JetFormBuilder — Dynamic Blocks Form Builder

medium
Vulnerability
JetFormBuilder — Dynamic Blocks Form Builder — Authorization bypass
Severity
medium Medium risk
Affected Versions
<=3.6.3
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Groundhogg — CRM, Newsletters, and Marketing Automation

medium
Vulnerability
Groundhogg — CRM, Newsletters, and Marketing Automation — Generic SQL Injection
Severity
medium Medium risk
Affected Versions
<=4.5.8
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Database for Contact Form 7, WPforms, Elementor forms

medium
Vulnerability
Database for Contact Form 7, WPforms, Elementor forms — Arbitrary File Copy
Severity
medium Medium risk
Affected Versions
<=1.5.1
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Appointment Bookings for Zoom GoogleMeet and more – Wappointment

medium
Vulnerability
Appointment Bookings for Zoom GoogleMeet and more – Wappointment — Insecure Direct Object Reference
Severity
medium Medium risk
Affected Versions
<=2.7.6
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

weDocs: AI Powered Knowledge Base, Docs, Documentation, Wiki & AI Chatbot

medium
Vulnerability
weDocs: AI Powered Knowledge Base, Docs, Documentation, Wiki & AI Chatbot — Missing Authorization
Severity
medium Medium risk
Affected Versions
<=2.3.0
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

weDocs: AI Powered Knowledge Base, Docs, Documentation, Wiki & AI Chatbot

medium
Vulnerability
weDocs: AI Powered Knowledge Base, Docs, Documentation, Wiki & AI Chatbot — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=2.3.0
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

weDocs: AI Powered Knowledge Base, Docs, Documentation, Wiki & AI Chatbot

medium
Vulnerability
weDocs: AI Powered Knowledge Base, Docs, Documentation, Wiki & AI Chatbot — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=2.3.0
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Cookie Banner for GDPR / CCPA – WPLP Cookie Consent

medium
Vulnerability
Cookie Banner for GDPR / CCPA – WPLP Cookie Consent — Generic SQL Injection
Severity
medium Medium risk
Affected Versions
<=4.3.5
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

WP Import Export Lite

medium
Vulnerability
WP Import Export Lite — Server-Side Request Forgery
Severity
medium Medium risk
Affected Versions
<=3.9.30
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Ninja Forms - File Uploads

medium
Vulnerability
Ninja Forms - File Uploads — Authorization bypass
Severity
medium Medium risk
Affected Versions
<=3.3.29
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin

medium
Vulnerability
Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=2.11.4
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

CM Business Directory – Optimise and showcase local business

medium
Vulnerability
CM Business Directory – Optimise and showcase local business — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=1.5.7
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

MotoPress Appointment Booking

medium
Vulnerability
MotoPress Appointment Booking — Authorization Bypass
Severity
medium Medium risk
Affected Versions
<=2.4.4
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

JSON API User

medium
Vulnerability
JSON API User — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=4.1.0
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

RTMKit

medium
Vulnerability
RTMKit — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=2.0.7
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker

medium
Vulnerability
Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker — Authorization bypass
Severity
medium Medium risk
Affected Versions
<=11.1.4
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

LatePoint – Calendar Booking Plugin for Appointments and Events

medium
Vulnerability
LatePoint – Calendar Booking Plugin for Appointments and Events — Authorization bypass
Severity
medium Medium risk
Affected Versions
<=5.6.1
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

The CURCY – Multi Currency for WooCommerce – Smoothly on WooCommerce 9.x

medium
Vulnerability
The CURCY – Multi Currency for WooCommerce – Smoothly on WooCommerce 9.x — Arbitrary shortcode execution
Severity
medium Medium risk
Affected Versions
<=2.2.14
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Ad Inserter – Ad Manager & AdSense Ads

medium
Vulnerability
Ad Inserter – Ad Manager & AdSense Ads — Insecure Direct Object Reference
Severity
medium Medium risk
Affected Versions
<=2.8.16
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

GenerateBlocks

medium
Vulnerability
GenerateBlocks — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=2.2.1
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

RTMKit (rometheme-for-elementor)

medium
Vulnerability
RTMKit (rometheme-for-elementor) — Local File Inclusion
Severity
medium Medium risk
Affected Versions
<=2.0.7
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Reviews Widgets for Google, Yelp & TripAdvisor

medium
Vulnerability
Reviews Widgets for Google, Yelp & TripAdvisor — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=2.7.3
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Exclusive Addons for Elementor

medium
Vulnerability
Exclusive Addons for Elementor — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=2.7.9.8
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

WP Travel Engine

medium
Vulnerability
WP Travel Engine — Properly validate the source of a user-supplied profile image path before moving the file
Severity
medium Medium risk
Affected Versions
<=6.8.1
CVE Reference
Patch Status
No patch
Source
NVD

Sympl Repeater for ACF and Elementor

medium
Vulnerability
Sympl Repeater for ACF and Elementor — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=2.3
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Social Share, Social Login and Social Comments Plugin – Super Socializer

medium
Vulnerability
Social Share, Social Login and Social Comments Plugin – Super Socializer — Reflected Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=7.14.5
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Chatra Live Chat + ChatBot + Cart Saver

medium
Vulnerability
Chatra Live Chat + ChatBot + Cart Saver — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=1.0.12
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

User Management

medium
Vulnerability
User Management — Authorization bypass
Severity
medium Medium risk
Affected Versions
<=1.2
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Bulk Order Update for WooCommerce

medium
Vulnerability
Bulk Order Update for WooCommerce — Arbitrary File Read
Severity
medium Medium risk
Affected Versions
<=1.6
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Wp Js Detect

medium
Vulnerability
Wp Js Detect — Cross-Site Request Forgery
Severity
medium Medium risk
Affected Versions
<=1.0.9
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Website Builder by SeedProd - Theme Builder, Landing Page Builder, Coming Soon Page, Maintenance Mode

medium
Vulnerability
Website Builder by SeedProd - Theme Builder, Landing Page Builder, Coming Soon Page, Maintenance Mode — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=6.20.2
CVE Reference
Patch Status
No patch
Source
NVD

Recurio – Ultimate Subscription for WooCommerce

medium
Vulnerability
Recurio – Ultimate Subscription for WooCommerce — Generic SQL Injection
Severity
medium Medium risk
Affected Versions
<=1.1.3
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Themehunk Login Registration

medium
Vulnerability
Themehunk Login Registration — Privilege escalation
Severity
medium Medium risk
Affected Versions
<=1.0.2
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Advanced iFrame

medium
Vulnerability
Advanced iFrame — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=2026.1
CVE Reference
Patch Status
No patch
Source
NVD

Smash Balloon Social Photo Feed – Easy Social Feeds Plugin

medium
Vulnerability
Smash Balloon Social Photo Feed – Easy Social Feeds Plugin — Cross-Site Request Forgery
Severity
medium Medium risk
Affected Versions
<=6.11.1
CVE Reference
Patch Status
No patch
Source
NVD

User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration

medium
Vulnerability
User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration — Insecure Direct Object Reference
Severity
medium Medium risk
Affected Versions
<=4.3.1
CVE Reference
Patch Status
No patch
Source
NVD

Essential Addons for Elementor – Popular Elementor Templates & Widgets

medium
Vulnerability
Essential Addons for Elementor – Popular Elementor Templates & Widgets — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=6.6.2
CVE Reference
Patch Status
No patch
Source
NVD

Nexter Blocks – Gutenberg Blocks, Page Builder & AI Website Builder

medium
Vulnerability
Nexter Blocks – Gutenberg Blocks, Page Builder & AI Website Builder — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=4.7.4
CVE Reference
Patch Status
No patch
Source
NVD

Fluent Forms

low
Vulnerability
Fluent Forms — Properly restrict the deletion of form submission entries to the forms a restricted Manager is autho
Severity
low Low risk
Affected Versions
<=6.2.5
CVE Reference
Patch Status
No patch
Source
NVD

Adminify

low
Vulnerability
Adminify — Perform per-user read-capability checks on the results returned by one of its administration search
Severity
low Low risk
Affected Versions
<=4.2.10
CVE Reference
Patch Status
No patch
Source
NVD

WordPress Theme Vulnerabilities (6)

Unauthenticated Cross Site Scripting (XSS) in SpaLab | Beauty Salon

high
Vulnerability
Unauthenticated Cross Site Scripting (XSS) in SpaLab | Beauty Salon — CVE-2025-69154
Severity
high High risk
Affected Versions
all
CVE Reference
Patch Status
No patch
Source
NVD

Unauthenticated Cross Site Scripting (XSS) in Fitness Zone

high
Vulnerability
Unauthenticated Cross Site Scripting (XSS) in Fitness Zone — CVE-2025-69155
Severity
high High risk
Affected Versions
all
CVE Reference
Patch Status
No patch
Source
NVD

Unauthenticated Cross Site Scripting (XSS) in Kids Zone - Children

high
Vulnerability
Unauthenticated Cross Site Scripting (XSS) in Kids Zone - Children — CVE-2025-69156
Severity
high High risk
Affected Versions
all
CVE Reference
Patch Status
No patch
Source
NVD

yootheme

medium
Vulnerability
yootheme — Prevent its bundled front-end framework from treating certain HTML attributes
Severity
medium Medium risk
Affected Versions
<=5.0.35
CVE Reference
Patch Status
No patch
Source
NVD

Subscriber Broken Access Control in Martfury - WooCommerce Marketplace

medium
Vulnerability
Subscriber Broken Access Control in Martfury - WooCommerce Marketplace — CVE-2026-57685
Severity
medium Medium risk
Affected Versions
all
CVE Reference
Patch Status
No patch
Source
NVD

Zakra

medium
Vulnerability
Zakra — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=4.2.0
CVE Reference
Patch Status
No patch
Source
NVD

WordPress Core Vulnerabilities (0)

No vulnerabilities reported in this category this week.

Recommendations

1
Update immediately
Install the latest versions of all plugins, themes, and WordPress core.
2
Enable auto-updates
Turn on automatic updates for minor WordPress releases and plugins where possible.
3
Remove unused plugins
Deactivate and delete any plugins or themes you no longer use.
4
Run a security scan
Use our free WordPress security scanner to check your site for known vulnerabilities.
5
Monitor regularly
Set up uptime monitoring and periodic security scans to catch issues early.

Methodology

This report is compiled automatically from multiple trusted sources:

NIST National Vulnerability Database (NVD)
CVE records with CVSS severity scores
Wordfence Intelligence
WordPress-specific vulnerability data with patch information
Our Scanning Database
Vulnerabilities detected through active WordPress security scans

Tags

Related Posts