Vulnerability Report

WordPress Vulnerability Report: July 11 – July 18, 2026

103 WordPress vulnerabilities disclosed between July 11 – July 18, 2026. 8 critical, 27 high severity. 1 patched, 102 unpatched.

WPSentryJuly 18, 202625 min read

During the reporting period (July 11 – July 18, 2026), 103 WordPress security vulnerabilities were disclosed across plugins, themes, and core. This report aggregates data from the NIST National Vulnerability Database, Wordfence Intelligence, and our own scanning database.

Summary

103
Total
8
Critical
27
High
66
Medium
2
Low
1
Patched
Table of Contents 108 plugins & components

WordPress Plugin Vulnerabilities (103)

User Registration & Membership

critical
Vulnerability
User Registration & Membership — Verify the authenticity of incoming payment-provider webhook notifications before acting on them
Severity
critical Critical risk
Affected Versions
<=5.2.2
CVE Reference
Patch Status
No patch
Source
NVD

Word Count and Social Shares

critical
Vulnerability
Word Count and Social Shares — Validate a user-supplied file path before deletion
Severity
critical Critical risk
Affected Versions
<=1.0
CVE Reference
Patch Status
No patch
Source
NVD

Podlove Podcast Publisher

critical
Vulnerability
Podlove Podcast Publisher — Arbitrary file uploads
Severity
critical Critical risk
Affected Versions
<=4.5.1
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

SAML Single Sign On – SSO Login

critical
Vulnerability
SAML Single Sign On – SSO Login — Authentication Bypass
Severity
critical Critical risk
Affected Versions
<=5.4.3
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Happy Coders OTP Login for WooCommerce

critical
Vulnerability
Happy Coders OTP Login for WooCommerce — Verify that a one-time password was actually validated before authenticating a user based on a suppl
Severity
critical Critical risk
Affected Versions
<=2.8
CVE Reference
Patch Status
No patch
Source
NVD

Bricksforge

critical
Vulnerability
Bricksforge — Privilege Escalation
Severity
critical Critical risk
Affected Versions
<=3.1.8.6
CVE Reference
Patch Status
No patch
Source
NVD

Aimogen Pro - All-in-One AI Content Writer, Editor, ChatBot & Automation Toolkit

critical
Vulnerability
Aimogen Pro - All-in-One AI Content Writer, Editor, ChatBot & Automation Toolkit — Privilege Escalation
Severity
critical Critical risk
Affected Versions
<=2.8.4
CVE Reference
Patch Status
No patch
Source
NVD

AI Copilot

critical
Vulnerability
AI Copilot — Bind OAuth access tokens to a WordPress user
Severity
critical Critical risk
Affected Versions
<=1.5.4
CVE Reference
Patch Status
No patch
Source
NVD

Genolve – AI image AI video generation

high
Vulnerability
Genolve – AI image AI video generation — Unauthorized modification of data
Severity
high High risk
Affected Versions
<=5.0.5
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

User Registration & Membership

high
Vulnerability
User Registration & Membership — Perform an authorization check on a membership-upgrade action and derives the user to modify from a
Severity
high High risk
Affected Versions
<=5.2.2
CVE Reference
Patch Status
No patch
Source
NVD

Tutor LMS

high
Vulnerability
Tutor LMS — CVE-2026-12275
Severity
high High risk
Affected Versions
<=3.9.13
CVE Reference
Patch Status
No patch
Source
NVD

Library Management System

high
Vulnerability
Library Management System — Sanitize and escape a user-supplied parameter before using it in a SQL statement
Severity
high High risk
Affected Versions
<=3.5.8
CVE Reference
Patch Status
No patch
Source
NVD

PDF Generator

high
Vulnerability
PDF Generator — Server Side Request Forgery
Severity
high High risk
Affected Versions
<=1.6.2
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Forminator

high
Vulnerability
Forminator — DOM-Based XSS
Severity
high High risk
Affected Versions
<=1.55.0.1
CVE Reference
Patch Status
No patch
Source
NVD

Forminator

high
Vulnerability
Forminator — Path Traversal
Severity
high High risk
Affected Versions
<=1.55.0.2
CVE Reference
Patch Status
No patch
Source
NVD

AI Engine

high
Vulnerability
AI Engine — Sanitize a user-supplied filename before using it to write a downloaded file
Severity
high High risk
Affected Versions
<=3.5.5
CVE Reference
Patch Status
No patch
Source
NVD

Newsletters

high
Vulnerability
Newsletters — Prevent deserialization of untrusted input that is stored through a public form
Severity
high High risk
Affected Versions
<=4.15
CVE Reference
Patch Status
No patch
Source
NVD

Shibboleth

high
Vulnerability
Shibboleth — Fail closed when its HTTP header identity mode is enabled without an anti-spoofing key
Severity
high High risk
Affected Versions
<=2.5.4
CVE Reference
Patch Status
No patch
Source
NVD

Quotes llama

high
Vulnerability
Quotes llama — Properly sanitize and escape a user-supplied parameter before using it in a SQL query
Severity
high High risk
Affected Versions
<=3.1.6
CVE Reference
Patch Status
No patch
Source
NVD

Gravity Forms

high
Vulnerability
Gravity Forms — Directory Traversal
Severity
high High risk
Affected Versions
<=2.10.4
CVE Reference
Patch Status
No patch
Source
NVD

Advance Product Search- Voice & Ajax Search for WooCommerce

high
Vulnerability
Advance Product Search- Voice & Ajax Search for WooCommerce — Generic SQL Injection
Severity
high High risk
Affected Versions
<=1.4.4
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

RPB Chessboard

high
Vulnerability
RPB Chessboard — Stored Cross-Site Scripting
Severity
high High risk
Affected Versions
<=8.1.2
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Redux Framework

high
Vulnerability
Redux Framework — Restrict which user meta keys can be written when saving custom profile fields
Severity
high High risk
Affected Versions
<=4.5.13
CVE Reference
Patch Status
No patch
Source
NVD

Abandoned Cart Lite for WooCommerce

high
Vulnerability
Abandoned Cart Lite for WooCommerce — Protect the integrity of its cart-recovery tokens or bind them to the requesting account
Severity
high High risk
Affected Versions
<=6.8.2
CVE Reference
Patch Status
No patch
Source
NVD

FunnelKit

high
Vulnerability
FunnelKit — Escape a user-supplied parameter before reflecting it into the HTML response of one of its page-buil
Severity
high High risk
Affected Versions
<=3.15.0.6
CVE Reference
Patch Status
No patch
Source
NVD

Digits: WordPress Mobile Number Signup and Login

high
Vulnerability
Digits: WordPress Mobile Number Signup and Login — Privilege Escalation
Severity
high High risk
Affected Versions
<=9.1.0.5
CVE Reference
Patch Status
No patch
Source
NVD

Loco Translate

high
Vulnerability
Loco Translate — Cross-Site Request Forgery
Severity
high High risk
Affected Versions
<=2.8.5
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Uncanny Automator – Easy Automation, Integration, Webhooks & Workflow Builder Plugin

high
Vulnerability
Uncanny Automator – Easy Automation, Integration, Webhooks & Workflow Builder Plugin — Arbitrary file deletion
Severity
high High risk
Affected Versions
<=7.3.1.4
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

WPFunnels – Funnel Builder for WooCommerce with Checkout & One Click Upsell

high
Vulnerability
WPFunnels – Funnel Builder for WooCommerce with Checkout & One Click Upsell — Privilege Escalation
Severity
high High risk
Affected Versions
<=3.12.8
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Breakdance

high
Vulnerability
Breakdance — Stored Cross-Site Scripting
Severity
high High risk
Affected Versions
<=2.7.1
CVE Reference
Patch Status
No patch
Source
NVD

Kali Forms — Contact Form & Drag-and-Drop Builder

high
Vulnerability
Kali Forms — Contact Form & Drag-and-Drop Builder — Stored Cross-Site Scripting
Severity
high High risk
Affected Versions
<=2.4.18
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress

high
Vulnerability
Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress — Arbitrary File Upload
Severity
high High risk
Affected Versions
<=4.16.18
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

LearnPress – WordPress LMS Plugin for Create and Sell Online Courses

high
Vulnerability
LearnPress – WordPress LMS Plugin for Create and Sell Online Courses — Sensitive Information Exposure
Severity
high High risk
Affected Versions
<=4.4.1
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

PhonePe Payment Solutions

high
Vulnerability
PhonePe Payment Solutions — Properly verify the authenticity of incoming payment callbacks: the secret used to validate the call
Severity
high High risk
Affected Versions
<=3.1.0
CVE Reference
Patch Status
No patch
Source
NVD

User Registration & Membership

high
Vulnerability
User Registration & Membership — Validate that the membership tier submitted during public registration is one of the tiers allowed b
Severity
high High risk
Affected Versions
<=5.2.3
CVE Reference
Patch Status
No patch
Source
NVD

Kirki – Freeform Page Builder, Website Builder & Customizer

medium
Vulnerability
Kirki <= 6.0.13 - Authenticated (Editor+) Path Traversal to Arbitrary Directory Deletion via 'family' Parameter
Severity
medium Medium risk
Affected Versions
<=6.0.13
CVE Reference
Patch Status
6.0.14
Source
Wordfence
Plugin Page

Breeze Cache

medium
Vulnerability
Breeze Cache — Unauthenticated Stored Cross-Site Scripting (XSS)
Severity
medium Medium risk
Affected Versions
<=2.5.6
CVE Reference
Patch Status
No patch
Source
NVD

Database for Contact Form 7, WPforms, Elementor forms

medium
Vulnerability
Database for Contact Form 7, WPforms, Elementor forms — Restrict the PHP classes allowed when unserializing an attacker-supplied form-field value
Severity
medium Medium risk
Affected Versions
<=1.5.2
CVE Reference
Patch Status
No patch
Source
NVD

Tutor LMS

medium
Vulnerability
Tutor LMS — Verify ownership of the targeted quiz attempt before writing to it
Severity
medium Medium risk
Affected Versions
<=3.9.13
CVE Reference
Patch Status
No patch
Source
NVD

Tutor LMS

medium
Vulnerability
Tutor LMS — Perform any authorization or post-target validation before creating a comment in one of its handlers
Severity
medium Medium risk
Affected Versions
<=3.9.13
CVE Reference
Patch Status
No patch
Source
NVD

Tutor LMS

medium
Vulnerability
Tutor LMS — Verify that the requesting user is allowed to edit a target post before overwriting it in one of its
Severity
medium Medium risk
Affected Versions
<=3.9.13
CVE Reference
Patch Status
No patch
Source
NVD

WP Job Portal

medium
Vulnerability
WP Job Portal — Perform capability or ownership checks before
Severity
medium Medium risk
Affected Versions
<=2.5.5
CVE Reference
Patch Status
No patch
Source
NVD

WP Job Portal

medium
Vulnerability
WP Job Portal — Verify ownership when returning an employer's contact email for a given job
Severity
medium Medium risk
Affected Versions
<=2.5.5
CVE Reference
Patch Status
No patch
Source
NVD

Smart Slider 3

medium
Vulnerability
Smart Slider 3 — Sensitive Information Exposure
Severity
medium Medium risk
Affected Versions
<=3.5.1.37
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Avada (Fusion) Builder

medium
Vulnerability
Avada (Fusion) Builder — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=3.15.5
CVE Reference
Patch Status
No patch
Source
NVD

News Kit Addons For Elementor

medium
Vulnerability
News Kit Addons For Elementor — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=1.4.6
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

FoodBook Lite - Online Food Ordering System

medium
Vulnerability
FoodBook Lite - Online Food Ordering System — Missing Authorization
Severity
medium Medium risk
Affected Versions
<=1.5.6
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

WP Customer Area

medium
Vulnerability
WP Customer Area — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=8.3.5
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Ultimate Before After Image Slider & Gallery

medium
Vulnerability
Ultimate Before After Image Slider & Gallery — Escape the value of the BEAF Slider widget's shortcode field before outputting it on the front end (
Severity
medium Medium risk
Affected Versions
<=4.7.1
CVE Reference
Patch Status
No patch
Source
NVD

SureForms

medium
Vulnerability
SureForms — Properly validate the payment amount on forms that use a dynamically-sourced (variable/hidden) payme
Severity
medium Medium risk
Affected Versions
<=2.11.1
CVE Reference
Patch Status
No patch
Source
NVD

WP 2FA

medium
Vulnerability
WP 2FA — Verify that the email address supplied during two-factor authentication setup belongs to the user
Severity
medium Medium risk
Affected Versions
<=3.1.1.2
CVE Reference
Patch Status
No patch
Source
NVD

Academy LMS – WordPress LMS Plugin for Complete eLearning Solution

medium
Vulnerability
Academy LMS – WordPress LMS Plugin for Complete eLearning Solution — Insecure Direct Object Reference
Severity
medium Medium risk
Affected Versions
<=3.8.0
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Kali Forms — Contact Form & Drag-and-Drop Builder

medium
Vulnerability
Kali Forms — Contact Form & Drag-and-Drop Builder — Verify that a file upload is made against an existing form configured with a file-upload field
Severity
medium Medium risk
Affected Versions
<=2.4.17
CVE Reference
Patch Status
No patch
Source
NVD

Kali Forms — Contact Form & Drag-and-Drop Builder

medium
Vulnerability
Kali Forms — Contact Form & Drag-and-Drop Builder — Perform a per-object capability check in its post-duplication AJAX action
Severity
medium Medium risk
Affected Versions
<=2.4.17
CVE Reference
Patch Status
No patch
Source
NVD

Landing Page Builder – Coming Soon page, Maintenance Mode, Lead Page, WordPress Landing Pages

medium
Vulnerability
Landing Page Builder – Coming Soon page, Maintenance Mode, Lead Page, WordPress Landing Pages — Cross-Site Request Forgery
Severity
medium Medium risk
Affected Versions
<=1.5.3.6
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

List category posts

medium
Vulnerability
List category posts — Sensitive Information Exposure
Severity
medium Medium risk
Affected Versions
<=0.95.0
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

MultiVendorX – WooCommerce Multivendor Marketplace AI Powered Solutions

medium
Vulnerability
MultiVendorX – WooCommerce Multivendor Marketplace AI Powered Solutions — Generic SQL Injection
Severity
medium Medium risk
Affected Versions
<=5.0.9
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

MxChat – AI Chatbot & Content Generation for WordPress

medium
Vulnerability
MxChat – AI Chatbot & Content Generation for WordPress — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=3.2.10
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

GiveWP – Donation Plugin and Fundraising Platform

medium
Vulnerability
GiveWP – Donation Plugin and Fundraising Platform — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=4.16.3
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Catch Themes Demo Import

medium
Vulnerability
Catch Themes Demo Import — Missing Authorization
Severity
medium Medium risk
Affected Versions
<=3.3
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Easy Accordion – AI-Powered FAQ & Accordion Blocks, Product FAQ

medium
Vulnerability
Easy Accordion – AI-Powered FAQ & Accordion Blocks, Product FAQ — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=3.1.6
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Product Feed Manager For WooCommerce – Sell on 200+ Online Marketplaces

medium
Vulnerability
Product Feed Manager For WooCommerce – Sell on 200+ Online Marketplaces — Reflected Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=7.6.1
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

SEO Booster

medium
Vulnerability
SEO Booster — Time-based SQL Injection
Severity
medium Medium risk
Affected Versions
<=7.3.1
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

SEO Booster

medium
Vulnerability
SEO Booster — Generic SQL Injection
Severity
medium Medium risk
Affected Versions
<=7.3.1
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

BetterDocs

medium
Vulnerability
BetterDocs — Sanitise an AI-generated documentation summary before storing and outputting it
Severity
medium Medium risk
Affected Versions
<=4.5.5
CVE Reference
Patch Status
No patch
Source
NVD

Appointment Booking Plugin

medium
Vulnerability
Appointment Booking Plugin — Validate a CSRF nonce on several state-changing actions handled by its central request dispatcher
Severity
medium Medium risk
Affected Versions
<=5.6.3
CVE Reference
Patch Status
No patch
Source
NVD

WP Job Portal

medium
Vulnerability
WP Job Portal — Properly sanitize and escape a parameter before using it in a SQL query
Severity
medium Medium risk
Affected Versions
<=2.5.5
CVE Reference
Patch Status
No patch
Source
NVD

AI Engine

medium
Vulnerability
AI Engine — Verify that a user owns the chatbot conversation referenced by a client-supplied identifier
Severity
medium Medium risk
Affected Versions
<=3.5.5
CVE Reference
Patch Status
No patch
Source
NVD

Customer Reviews for WooCommerce

medium
Vulnerability
Customer Reviews for WooCommerce — Perform authentication
Severity
medium Medium risk
Affected Versions
<=5.113.0
CVE Reference
Patch Status
No patch
Source
NVD

Header Footer Builder for Elementor

medium
Vulnerability
Header Footer Builder for Elementor — Require an administrative capability for its dashboard template-import action (it allows any edit_po
Severity
medium Medium risk
Affected Versions
<=1.2.1
CVE Reference
Patch Status
No patch
Source
NVD

FunnelKit

medium
Vulnerability
FunnelKit — Validate a user-supplied path before deleting a file during a template-import operation
Severity
medium Medium risk
Affected Versions
<=3.15.0.6
CVE Reference
Patch Status
No patch
Source
NVD

Tickera – Sell Tickets & Manage Events

medium
Vulnerability
Tickera – Sell Tickets & Manage Events — Generic SQL Injection
Severity
medium Medium risk
Affected Versions
<=3.6.0.0
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Tickera – Sell Tickets & Manage Events

medium
Vulnerability
Tickera – Sell Tickets & Manage Events — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=3.6.0.0
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Quiz Master Next

medium
Vulnerability
Quiz Master Next — SQL Injection
Severity
medium Medium risk
Affected Versions
<=11.2.0
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

wpForo Forum

medium
Vulnerability
wpForo Forum — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=3.1.1
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Tutor LMS – eLearning and online course solution

medium
Vulnerability
Tutor LMS – eLearning and online course solution — Generic SQL Injection
Severity
medium Medium risk
Affected Versions
<=4.0.0
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Delicious Recipes

medium
Vulnerability
Delicious Recipes — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=1.10.2
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

WPBot – AI ChatBot for Live Support, Lead Generation, AI Services

medium
Vulnerability
WPBot – AI ChatBot for Live Support, Lead Generation, AI Services — Authorization bypass
Severity
medium Medium risk
Affected Versions
<=8.5.6
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

SysBasics Customize My Account for WooCommerce – Live My Account Customizer

medium
Vulnerability
SysBasics Customize My Account for WooCommerce – Live My Account Customizer — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=4.4.14
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

The Cache Purger

medium
Vulnerability
The Cache Purger — Authorization bypass
Severity
medium Medium risk
Affected Versions
<=2.3.20
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Themify Builder

medium
Vulnerability
Themify Builder — Authorization bypass
Severity
medium Medium risk
Affected Versions
<=7.7.7
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

WPBot – AI ChatBot for Live Support, Lead Generation, AI Services

medium
Vulnerability
WPBot – AI ChatBot for Live Support, Lead Generation, AI Services — Authorization bypass
Severity
medium Medium risk
Affected Versions
<=8.5.6
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

WP TripAdvisor Review Slider

medium
Vulnerability
WP TripAdvisor Review Slider — Generic SQL Injection
Severity
medium Medium risk
Affected Versions
<=14.6
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

WP Bulk Delete

medium
Vulnerability
WP Bulk Delete — Generic SQL Injection
Severity
medium Medium risk
Affected Versions
<=1.4.2
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Booking for Appointments and Events Calendar – Amelia

medium
Vulnerability
Booking for Appointments and Events Calendar – Amelia — SQL Injection
Severity
medium Medium risk
Affected Versions
<=2.4.3
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Smart Custom Fields

medium
Vulnerability
Smart Custom Fields — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=5.0.7
CVE Reference
Patch Status
No patch
Source
NVD

Ninja Forms - Excel Export

medium
Vulnerability
Ninja Forms - Excel Export — Insecure Direct Object Reference
Severity
medium Medium risk
Affected Versions
<=3.3.6
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Ninja Forms - Excel Export

medium
Vulnerability
Ninja Forms - Excel Export — Directory Traversal
Severity
medium Medium risk
Affected Versions
<=3.3.6
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Fense Proxy & VPN Blocker

medium
Vulnerability
Fense Proxy & VPN Blocker — Unauthorized modification of data
Severity
medium Medium risk
Affected Versions
<=3.0.1
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

pCloud WP Backup

medium
Vulnerability
pCloud WP Backup — Sensitive Information Exposure
Severity
medium Medium risk
Affected Versions
<=2.0.3
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Ninja Forms - Excel Export

medium
Vulnerability
Ninja Forms - Excel Export — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=3.3.6
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

ERP: Complete HR, Accounting & CRM Suite Built for WooCommerce

medium
Vulnerability
ERP: Complete HR, Accounting & CRM Suite Built for WooCommerce — Authorization bypass
Severity
medium Medium risk
Affected Versions
<=1.17.6
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Kirki – Freeform Page Builder, Website Builder & Customizer

medium
Vulnerability
Kirki – Freeform Page Builder, Website Builder & Customizer — Directory Traversal
Severity
medium Medium risk
Affected Versions
<=6.0.13
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

ChatHelp – Click to Chat Button, WooCommerce Chat to Order & Floating Chat Form

medium
Vulnerability
ChatHelp – Click to Chat Button, WooCommerce Chat to Order & Floating Chat Form — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=3.5.1
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

WP Hotel Booking

medium
Vulnerability
WP Hotel Booking — Reflected Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=2.3.2
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

NEX-Forms

medium
Vulnerability
NEX-Forms — Sanitise and escape some submitted form data before storing it and outputting it back in the admin d
Severity
medium Medium risk
Affected Versions
<=9.2.3
CVE Reference
Patch Status
No patch
Source
NVD

User Registration & Membership

medium
Vulnerability
User Registration & Membership — Perform a capability check for unauthenticated callers on one of its membership payment actions and
Severity
medium Medium risk
Affected Versions
<=5.2.3
CVE Reference
Patch Status
No patch
Source
NVD

WPS Bookings for WooCommerce

medium
Vulnerability
WPS Bookings for WooCommerce — Verify that a booking order belongs to the requesting user before cancelling it
Severity
medium Medium risk
Affected Versions
<=3.11.7
CVE Reference
Patch Status
No patch
Source
NVD

Royal Addons for Elementor

medium
Vulnerability
Royal Addons for Elementor — Check the post status of menu items or the templates they reference in one of its REST endpoints
Severity
medium Medium risk
Affected Versions
<=1.7.1063
CVE Reference
Patch Status
No patch
Source
NVD

HubSpot All-In-One Marketing – Forms, Popups, Live Chat

medium
Vulnerability
HubSpot All-In-One Marketing – Forms, Popups, Live Chat — Sensitive Information Exposure
Severity
medium Medium risk
Affected Versions
<=11.3.62
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

W3SC Elementor to Zoho CRM

medium
Vulnerability
W3SC Elementor to Zoho CRM — Cross-Site Request Forgery
Severity
medium Medium risk
Affected Versions
<=2.2.0
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

RTMKit

low
Vulnerability
RTMKit — Perform a capability check in one of its AJAX actions and resolves a request-supplied post identifie
Severity
low Low risk
Affected Versions
<=2.0.9
CVE Reference
Patch Status
No patch
Source
NVD

RTMKit

low
Vulnerability
RTMKit — Perform a proper capability check on one of its -builder AJAX actions
Severity
low Low risk
Affected Versions
<=2.0.9
CVE Reference
Patch Status
No patch
Source
NVD

WordPress Theme Vulnerabilities (0)

No vulnerabilities reported in this category this week.

WordPress Core Vulnerabilities (0)

No vulnerabilities reported in this category this week.

Recommendations

1
Update immediately
Install the latest versions of all plugins, themes, and WordPress core.
2
Enable auto-updates
Turn on automatic updates for minor WordPress releases and plugins where possible.
3
Remove unused plugins
Deactivate and delete any plugins or themes you no longer use.
4
Run a security scan
Use our free WordPress security scanner to check your site for known vulnerabilities.
5
Monitor regularly
Set up uptime monitoring and periodic security scans to catch issues early.

Methodology

This report is compiled automatically from multiple trusted sources:

NIST National Vulnerability Database (NVD)
CVE records with CVSS severity scores
Wordfence Intelligence
WordPress-specific vulnerability data with patch information
Our Scanning Database
Vulnerabilities detected through active WordPress security scans

Tags

Related Posts