Vulnerability Report

WordPress Vulnerability Report: June 26 – July 3, 2026

142 WordPress vulnerabilities disclosed between June 26 – July 3, 2026. 8 critical, 37 high severity. 2 patched, 140 unpatched.

WPSentryJuly 3, 202632 min read

During the reporting period (June 26 – July 3, 2026), 142 WordPress security vulnerabilities were disclosed across plugins, themes, and core. This report aggregates data from the NIST National Vulnerability Database, Wordfence Intelligence, and our own scanning database.

Summary

142
Total
8
Critical
37
High
94
Medium
3
Low
2
Patched
Table of Contents 147 plugins & components

WordPress Plugin Vulnerabilities (134)

Blocksy Companion

critical
Vulnerability
Blocksy Companion <= 2.1.46 - Unauthenticated Arbitrary File Upload via 'blc-review-images[]' Parameter
Severity
critical Critical risk
Affected Versions
<=2.1.46
CVE Reference
N/A
Patch Status
2.1.47
Source
Wordfence
Plugin Page

Invoice Generator

critical
Vulnerability
Invoice Generator — Privilege escalation
Severity
critical Critical risk
Affected Versions
<=1.0.0
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

ProfileGrid – User Profiles, Groups and Communities

critical
Vulnerability
ProfileGrid – User Profiles, Groups and Communities — Privilege escalation
Severity
critical Critical risk
Affected Versions
<=5.9.9.5
CVE Reference
Patch Status
No patch
Source
NVD

EventON - WordPress Virtual Event Calendar Plugin

critical
Vulnerability
EventON - WordPress Virtual Event Calendar Plugin — SQL Injection
Severity
critical Critical risk
Affected Versions
<=5.0.11
CVE Reference
Patch Status
No patch
Source
NVD

WP-BusinessDirectory

critical
Vulnerability
WP-BusinessDirectory — Unauthenticated Arbitrary File Deletion
Severity
critical Critical risk
Affected Versions
<=4.0.1
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

SMS Alert – SMS & OTP for WooCommerce, Order Notifications & Abandoned Cart Recovery

critical
Vulnerability
SMS Alert – SMS & OTP for WooCommerce, Order Notifications & Abandoned Cart Recovery — Privilege escalation
Severity
critical Critical risk
Affected Versions
<=3.9.5
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Divi Form Builder

critical
Vulnerability
Divi Form Builder — Arbitrary File Upload leading to Remote Code Execution
Severity
critical Critical risk
Affected Versions
<=5.1.8
CVE Reference
Patch Status
No patch
Source
NVD

Printcart Web to Print Product Designer for WooCommerce

critical
Vulnerability
Printcart Web to Print Product Designer for WooCommerce — Arbitrary File Deletion
Severity
critical Critical risk
Affected Versions
<=2.5.2
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page
high
Vulnerability
Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content — Verify that the user performing a subscription action owns the targeted subscription
Severity
high High risk
Affected Versions
<=4.16.17
CVE Reference
Patch Status
No patch
Source
NVD

Frontend File Manager Plugin

high
Vulnerability
Frontend File Manager Plugin — Authenticated Arbitrary File Deletion
Severity
high High risk
Affected Versions
<=23.6
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

APCu Manager

high
Vulnerability
APCu Manager — Escape APCu object-cache keys before rendering them in an admin-area page
Severity
high High risk
Affected Versions
<=4.5.0
CVE Reference
Patch Status
No patch
Source
NVD

WP Support Plus Responsive Ticket System

high
Vulnerability
WP Support Plus Responsive Ticket System — Properly validate uploaded files
Severity
high High risk
Affected Versions
<=9.1.2
CVE Reference
Patch Status
No patch
Source
NVD

WP Support Plus Responsive Ticket System

high
Vulnerability
WP Support Plus Responsive Ticket System — Sanitize user-supplied array keys before using them in a SQL statement
Severity
high High risk
Affected Versions
<=9.1.2
CVE Reference
Patch Status
No patch
Source
NVD

Export User Data

high
Vulnerability
Export User Data — Arbitrary file deletion
Severity
high High risk
Affected Versions
<=2.2.6
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Ajax Load More - Filters

high
Vulnerability
Ajax Load More - Filters — Stored Cross-Site Scripting
Severity
high High risk
Affected Versions
<=3.4.1
CVE Reference
Patch Status
No patch
Source
NVD

Webmention

high
Vulnerability
Webmention — Stored Cross-Site Scripting
Severity
high High risk
Affected Versions
<=5.8.0
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Youtube Showcase

high
Vulnerability
Youtube Showcase — Arbitrary Function Call
Severity
high High risk
Affected Versions
<=4.0.3
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Visualizer – Tables & Charts Manager with Built-in AI Generator

high
Vulnerability
Visualizer – Tables & Charts Manager with Built-in AI Generator — Authorization bypass
Severity
high High risk
Affected Versions
<=4.0.3
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

WPBot – AI ChatBot for Live Support, Lead Generation, AI Services

high
Vulnerability
WPBot – AI ChatBot for Live Support, Lead Generation, AI Services — Stored Cross-Site Scripting
Severity
high High risk
Affected Versions
<=8.4.9
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Custom Payment Gateways for WooCommerce

high
Vulnerability
Custom Payment Gateways for WooCommerce — Stored Cross-Site Scripting
Severity
high High risk
Affected Versions
<=2.1.0
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Royal MCP

high
Vulnerability
Royal MCP — Perform capability checks on the majority of its MCP tools after token authentication
Severity
high High risk
Affected Versions
<=1.4.26
CVE Reference
Patch Status
No patch
Source
NVD

Product Configurator for WooCommerce

high
Vulnerability
Product Configurator for WooCommerce — Perform any authorisation or post-status check before returning WooCommerce product data through a p
Severity
high High risk
Affected Versions
<=1.7.3
CVE Reference
Patch Status
No patch
Source
NVD

Advanced Form Integration — Connect Forms to 200+ Apps

high
Vulnerability
Advanced Form Integration — Connect Forms to 200+ Apps — Restrict the WordPress role assigned when it creates a user from a public form submission
Severity
high High risk
Affected Versions
<=2.1.1
CVE Reference
Patch Status
No patch
Source
NVD

BookingPress Appointment Booking Pro

high
Vulnerability
BookingPress Appointment Booking Pro — SQL Injection
Severity
high High risk
Affected Versions
<=5.7.1
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

WebAuthn Provider for Two Factor

high
Vulnerability
WebAuthn Provider for Two Factor — Correctly validate the second-factor authentication response
Severity
high High risk
Affected Versions
<=2.5.6
CVE Reference
Patch Status
No patch
Source
NVD

Ninja Forms – The Contact Form Builder That Grows With You

high
Vulnerability
Ninja Forms – The Contact Form Builder That Grows With You — Unauthorized access of data
Severity
high High risk
Affected Versions
<=3.14.1
CVE Reference
Patch Status
No patch
Source
NVD

RegistrationMagic – User Registration Forms Plugin

high
Vulnerability
RegistrationMagic – User Registration Forms Plugin — Cross-Site Request Forgery
Severity
high High risk
Affected Versions
<=6.0.9.1
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Dokan Pro

high
Vulnerability
Dokan Pro — Privilege escalation
Severity
high High risk
Affected Versions
<=5.0.4
CVE Reference
Patch Status
No patch
Source
NVD

NEX-Forms – Ultimate Forms

high
Vulnerability
NEX-Forms – Ultimate Forms — Stored Cross-Site Scripting
Severity
high High risk
Affected Versions
<=9.2.2
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

LatePoint – Calendar Booking Plugin for Appointments and Events

high
Vulnerability
LatePoint – Calendar Booking Plugin for Appointments and Events — Privilege Escalation to Administrator
Severity
high High risk
Affected Versions
<=5.6.3
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Request a Quote

high
Vulnerability
Request a Quote — Code Injection
Severity
high High risk
Affected Versions
<=2.5.5
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Image Optimizer

high
Vulnerability
Image Optimizer — Arbitrary file deletion
Severity
high High risk
Affected Versions
<=1.7.4
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Perfmatters

high
Vulnerability
Perfmatters — Directory Traversal
Severity
high High risk
Affected Versions
<=2.6.4
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Ninja Forms - File Uploads

high
Vulnerability
Ninja Forms - File Uploads — Arbitrary File Read
Severity
high High risk
Affected Versions
<=3.3.29
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

WP Review Slider Pro

high
Vulnerability
WP Review Slider Pro — SQL Injection
Severity
high High risk
Affected Versions
<=12.7.2
CVE Reference
Patch Status
No patch
Source
NVD

WP Database Backup – Unlimited Database & Files Backup by Backup for WP

high
Vulnerability
WP Database Backup – Unlimited Database & Files Backup by Backup for WP — OS Command Injection
Severity
high High risk
Affected Versions
<=7.11
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

TinyPNG – JPEG, PNG & WebP image compression

high
Vulnerability
TinyPNG – JPEG, PNG & WebP image compression — Arbitrary file deletion
Severity
high High risk
Affected Versions
<=3.6.13
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

AR for WordPress

high
Vulnerability
AR for WordPress — Directory Traversal
Severity
high High risk
Affected Versions
<=8.40
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

NEX-Forms – Ultimate Forms

high
Vulnerability
NEX-Forms – Ultimate Forms — Stored Cross-Site Scripting
Severity
high High risk
Affected Versions
<=9.2.2
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

AR for WooCommerce

high
Vulnerability
AR for WooCommerce — Directory Traversal
Severity
high High risk
Affected Versions
<=8.40
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Comments – wpDiscuz

high
Vulnerability
Comments – wpDiscuz — Stored Cross-Site Scripting
Severity
high High risk
Affected Versions
<=7.6.56
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

JoomSport – for Sports: Team & League, Football, Hockey & more

medium
Vulnerability
JoomSport <= 5.7.8 - Authenticated (Subscriber+) Missing Authorization to Arbitrary Group Deletion via season_groupdel AJAX action
Severity
medium Medium risk
Affected Versions
<=5.7.8
CVE Reference
Patch Status
5.7.9
Source
Wordfence
Plugin Page

Ivory Search – WordPress Search Plugin

medium
Vulnerability
Ivory Search – WordPress Search Plugin — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=5.5.15
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Groundhogg — CRM, Newsletters, and Marketing Automation

medium
Vulnerability
Groundhogg — CRM, Newsletters, and Marketing Automation — Generic SQL Injection
Severity
medium Medium risk
Affected Versions
<=4.5.5
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Groundhogg — CRM, Newsletters, and Marketing Automation

medium
Vulnerability
Groundhogg — CRM, Newsletters, and Marketing Automation — Generic SQL Injection
Severity
medium Medium risk
Affected Versions
<=4.5.5
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

CodePeople Post Map for Google Maps

medium
Vulnerability
CodePeople Post Map for Google Maps — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=1.2.6
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

HD Quiz

medium
Vulnerability
HD Quiz — Cross-Site Request Forgery
Severity
medium Medium risk
Affected Versions
all
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

NEX-Forms – Ultimate Forms

medium
Vulnerability
NEX-Forms – Ultimate Forms — Authorization bypass
Severity
medium Medium risk
Affected Versions
<=9.2.2
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

MaxButtons – Create buttons

medium
Vulnerability
MaxButtons – Create buttons — Reflected Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=9.8.5
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Shariff for WordPress Shariff for

medium
Vulnerability
Shariff for WordPress Shariff for — Sanitize or escape the shariff_infourl setting before outputting it in the frontend HTML via the gen
Severity
medium Medium risk
Affected Versions
<=1.0.11
CVE Reference
Patch Status
No patch
Source
NVD

Product Specifications for WooCommerce

medium
Vulnerability
Product Specifications for WooCommerce — Unauthorized modification, creation, and deletion of data
Severity
medium Medium risk
Affected Versions
<=0.8.9
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Surbma | Infusionsoft Shortcode

medium
Vulnerability
Surbma | Infusionsoft Shortcode — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=2.0.1
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Masteriyo LMS – LMS Course Builder, Quizzes & Certificates

medium
Vulnerability
Masteriyo LMS – LMS Course Builder, Quizzes & Certificates — Authorization bypass
Severity
medium Medium risk
Affected Versions
<=2.2.1
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Dokan: AI Powered WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy

medium
Vulnerability
Dokan: AI Powered WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=5.0.4
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Dokan: AI Powered WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy

medium
Vulnerability
Dokan: AI Powered WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy — Insecure Direct Object Reference
Severity
medium Medium risk
Affected Versions
<=5.0.4
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Gutenverse – WordPress Blocks, Page Builder & Site Editor

medium
Vulnerability
Gutenverse – WordPress Blocks, Page Builder & Site Editor — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=3.8.0
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

WP Full Stripe Free

medium
Vulnerability
WP Full Stripe Free — Missing Authorization
Severity
medium Medium risk
Affected Versions
<=8.4.3
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Page Builder by SiteOrigin

medium
Vulnerability
Page Builder by SiteOrigin — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=2.34.3
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Frisbii Pay

medium
Vulnerability
Frisbii Pay — Unauthorized modification of data
Severity
medium Medium risk
Affected Versions
<=1.8.9
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker

medium
Vulnerability
Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker — Authorization bypass
Severity
medium Medium risk
Affected Versions
<=11.1.4
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login

medium
Vulnerability
RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login — Authentication Bypass
Severity
medium Medium risk
Affected Versions
<=6.0.8.6
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

F4 Post Tree

medium
Vulnerability
F4 Post Tree — Perform capability checks or CSRF/nonce verification on one of its AJAX actions
Severity
medium Medium risk
Affected Versions
<=2.0.5
CVE Reference
Patch Status
No patch
Source
NVD

Team Members – Multi Language Supported Team Plugin

medium
Vulnerability
Team Members – Multi Language Supported Team Plugin — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=8.7
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

PixMagix – WordPress Image Editor

medium
Vulnerability
PixMagix – WordPress Image Editor — Directory Traversal
Severity
medium Medium risk
Affected Versions
<=1.7.2
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Premium Addons for KingComposer

medium
Vulnerability
Premium Addons for KingComposer — Unauthorized modification and loss of data
Severity
medium Medium risk
Affected Versions
<=1.1.1
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Editorial Rating – Product Review & Rating System

medium
Vulnerability
Editorial Rating – Product Review & Rating System — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=4.0.5
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Plugin for Google Analytics by IO technologies

medium
Vulnerability
Plugin for Google Analytics by IO technologies — Cross-Site Request Forgery
Severity
medium Medium risk
Affected Versions
<=1.1
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Kali Forms — Contact Form & Drag-and-Drop Builder

medium
Vulnerability
Kali Forms — Contact Form & Drag-and-Drop Builder — Sanitise a form field's caption before outputting it as a column header on the administrator form-en
Severity
medium Medium risk
Affected Versions
<=2.4.13
CVE Reference
Patch Status
No patch
Source
NVD

Fluent Booking

medium
Vulnerability
Fluent Booking — Verify ownership of the requested group_id before exporting attendee data via the export endpoint
Severity
medium Medium risk
Affected Versions
<=2.1.2
CVE Reference
Patch Status
No patch
Source
NVD

JetWidgets For Elementor

medium
Vulnerability
JetWidgets For Elementor — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=1.0.21
CVE Reference
Patch Status
No patch
Source
NVD

GiveWP

medium
Vulnerability
GiveWP — Cross-Site Request Forgery
Severity
medium Medium risk
Affected Versions
<=4.15.3
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

LearnPress – WordPress LMS Plugin for Create and Sell Online Courses

medium
Vulnerability
LearnPress – WordPress LMS Plugin for Create and Sell Online Courses — Insecure Direct Object Reference
Severity
medium Medium risk
Affected Versions
<=4.3.9.1
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Taskbuilder – Project Management & Task Management Tool With Kanban Board

medium
Vulnerability
Taskbuilder – Project Management & Task Management Tool With Kanban Board — Generic SQL Injection
Severity
medium Medium risk
Affected Versions
<=5.0.8
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Taskbuilder – Project Management & Task Management Tool With Kanban Board

medium
Vulnerability
Taskbuilder – Project Management & Task Management Tool With Kanban Board — Generic SQL Injection
Severity
medium Medium risk
Affected Versions
<=5.0.8
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Appointment Booking Calendar

medium
Vulnerability
Appointment Booking Calendar — Sensitive Information Exposure
Severity
medium Medium risk
Affected Versions
<=1.4.02
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

WPForms – Easy Form Builder for WordPress – Contact Forms, Payment Forms, Surveys, & More

medium
Vulnerability
WPForms – Easy Form Builder for WordPress – Contact Forms, Payment Forms, Surveys, & More — Improper Neutralization of CRLF Sequences ('CRLF Injection')
Severity
medium Medium risk
Affected Versions
<=1.10.2
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

JoomSport – for Sports: Team & League, Football, Hockey & more

medium
Vulnerability
JoomSport – for Sports: Team & League, Football, Hockey & more — Missing Authorization to Arbitrary Group Deletion
Severity
medium Medium risk
Affected Versions
<=5.7.8
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

FV Flowplayer Video Player

medium
Vulnerability
FV Flowplayer Video Player — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=7.5.51.7212
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Kadence Blocks — Page Builder Toolkit for Gutenberg Editor

medium
Vulnerability
Kadence Blocks — Page Builder Toolkit for Gutenberg Editor — Authorization bypass
Severity
medium Medium risk
Affected Versions
<=3.7.7
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Kadence Blocks – Gutenberg Blocks for Page Builder Features

medium
Vulnerability
Kadence Blocks – Gutenberg Blocks for Page Builder Features — Insecure Direct Object Reference
Severity
medium Medium risk
Affected Versions
<=3.7.7
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Wp Google Places Review Slider

medium
Vulnerability
Wp Google Places Review Slider — Reflected Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=18.1
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

GiveWP – Donation Plugin and Fundraising Platform

medium
Vulnerability
GiveWP – Donation Plugin and Fundraising Platform — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=4.16.0
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Tutor LMS – eLearning and online course solution

medium
Vulnerability
Tutor LMS – eLearning and online course solution — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=3.9.13
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Event Organiser

medium
Vulnerability
Event Organiser — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=3.12.9
CVE Reference
Patch Status
No patch
Source
NVD

Kali Forms — Contact Form & Drag-and-Drop Builder

medium
Vulnerability
Kali Forms — Contact Form & Drag-and-Drop Builder — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=2.4.13
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

WS Form LITE

medium
Vulnerability
WS Form LITE — Have a capability check on one of its settings-update actions
Severity
medium Medium risk
Affected Versions
<=1.11.8
CVE Reference
Patch Status
No patch
Source
NVD

User Submitted Posts

medium
Vulnerability
User Submitted Posts — Escape a submitted value before outputting it in an admin-configured display template
Severity
medium Medium risk
Affected Versions
<=20260608
CVE Reference
Patch Status
No patch
Source
NVD

Salon Booking System

medium
Vulnerability
Salon Booking System — Have proper authorisation checks on one of its AJAX actions
Severity
medium Medium risk
Affected Versions
<=10.30.20
CVE Reference
Patch Status
No patch
Source
NVD

Qi Blocks

medium
Vulnerability
Qi Blocks — Insecure Direct Object Reference
Severity
medium Medium risk
Affected Versions
<=1.4.9
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Slim SEO – A Fast & Automated SEO

medium
Vulnerability
Slim SEO – A Fast & Automated SEO — Unauthorized Private Content Disclosure
Severity
medium Medium risk
Affected Versions
<=4.9.8
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Motors – Car Dealership & Classified Listings Plugin

medium
Vulnerability
Motors – Car Dealership & Classified Listings Plugin — Authorization bypass
Severity
medium Medium risk
Affected Versions
<=1.4.111
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

LearnPress

medium
Vulnerability
LearnPress — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=4.4.0
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Download Manager

medium
Vulnerability
Download Manager — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=3.3.60
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

VikBooking Hotel Booking Engine & PMS

medium
Vulnerability
VikBooking Hotel Booking Engine & PMS — Reflected Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=1.8.12
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

MotoPress Appointment Booking

medium
Vulnerability
MotoPress Appointment Booking — Generic SQL Injection
Severity
medium Medium risk
Affected Versions
<=2.4.5
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

WP Photo Album Plus

medium
Vulnerability
WP Photo Album Plus — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=9.1.13.005
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Insert Pages

medium
Vulnerability
Insert Pages — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=3.11.4
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Email Subscribers & Newsletters – Email Marketing, Post Notifications & Newsletter

medium
Vulnerability
Email Subscribers & Newsletters – Email Marketing, Post Notifications & Newsletter — Authorization bypass
Severity
medium Medium risk
Affected Versions
<=5.9.27
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Envo's Templates & Widgets for Elementor and WooCommerce

medium
Vulnerability
Envo's Templates & Widgets for Elementor and WooCommerce — Unauthorized access of data
Severity
medium Medium risk
Affected Versions
<=1.4.26
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

User Registration & Membership

medium
Vulnerability
User Registration & Membership — Enforce payment completion before activating a paid membership subscription
Severity
medium Medium risk
Affected Versions
<=5.2.0
CVE Reference
Patch Status
No patch
Source
NVD

Houzez Property Feed

medium
Vulnerability
Houzez Property Feed — SQL Injection
Severity
medium Medium risk
Affected Versions
<=2.5.46
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

GiveWP – Donation Plugin and Fundraising Platform

medium
Vulnerability
GiveWP – Donation Plugin and Fundraising Platform — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=4.16.1
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Academy LMS – WordPress LMS Plugin for Complete eLearning Solution

medium
Vulnerability
Academy LMS – WordPress LMS Plugin for Complete eLearning Solution — Insecure Direct Object Reference
Severity
medium Medium risk
Affected Versions
<=3.8.1
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Product Video Gallery for Woocommerce

medium
Vulnerability
Product Video Gallery for Woocommerce — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=1.5.1.8
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

My Calendar – Accessible Event Manager

medium
Vulnerability
My Calendar – Accessible Event Manager — Insecure Direct Object Reference
Severity
medium Medium risk
Affected Versions
<=3.7.14
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Kirki – Freeform Page Builder, Website Builder & Customizer

medium
Vulnerability
Kirki – Freeform Page Builder, Website Builder & Customizer — Sensitive Information Exposure
Severity
medium Medium risk
Affected Versions
<=6.0.11
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

JoomSport – for Sports: Team & League, Football, Hockey & more

medium
Vulnerability
JoomSport – for Sports: Team & League, Football, Hockey & more — Authorization bypass
Severity
medium Medium risk
Affected Versions
<=5.7.8
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Kirki – Freeform Page Builder, Website Builder & Customizer

medium
Vulnerability
Kirki – Freeform Page Builder, Website Builder & Customizer — Authorization bypass
Severity
medium Medium risk
Affected Versions
<=6.0.11
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

LatePoint – Calendar Booking Plugin for Appointments and Events

medium
Vulnerability
LatePoint – Calendar Booking Plugin for Appointments and Events — Insecure Direct Object Reference
Severity
medium Medium risk
Affected Versions
<=5.6.2
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator

medium
Vulnerability
RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=5.2.1
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

JetFormBuilder — Dynamic Blocks Form Builder

medium
Vulnerability
JetFormBuilder — Dynamic Blocks Form Builder — Authorization bypass
Severity
medium Medium risk
Affected Versions
<=3.6.3
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Groundhogg — CRM, Newsletters, and Marketing Automation

medium
Vulnerability
Groundhogg — CRM, Newsletters, and Marketing Automation — Generic SQL Injection
Severity
medium Medium risk
Affected Versions
<=4.5.8
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Database for Contact Form 7, WPforms, Elementor forms

medium
Vulnerability
Database for Contact Form 7, WPforms, Elementor forms — Arbitrary File Copy
Severity
medium Medium risk
Affected Versions
<=1.5.1
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Appointment Bookings for Zoom GoogleMeet and more – Wappointment

medium
Vulnerability
Appointment Bookings for Zoom GoogleMeet and more – Wappointment — Insecure Direct Object Reference
Severity
medium Medium risk
Affected Versions
<=2.7.6
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

weDocs: AI Powered Knowledge Base, Docs, Documentation, Wiki & AI Chatbot

medium
Vulnerability
weDocs: AI Powered Knowledge Base, Docs, Documentation, Wiki & AI Chatbot — Missing Authorization
Severity
medium Medium risk
Affected Versions
<=2.3.0
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

weDocs: AI Powered Knowledge Base, Docs, Documentation, Wiki & AI Chatbot

medium
Vulnerability
weDocs: AI Powered Knowledge Base, Docs, Documentation, Wiki & AI Chatbot — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=2.3.0
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

weDocs: AI Powered Knowledge Base, Docs, Documentation, Wiki & AI Chatbot

medium
Vulnerability
weDocs: AI Powered Knowledge Base, Docs, Documentation, Wiki & AI Chatbot — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=2.3.0
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Cookie Banner for GDPR / CCPA – WPLP Cookie Consent

medium
Vulnerability
Cookie Banner for GDPR / CCPA – WPLP Cookie Consent — Generic SQL Injection
Severity
medium Medium risk
Affected Versions
<=4.3.5
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

WP Import Export Lite

medium
Vulnerability
WP Import Export Lite — Server-Side Request Forgery
Severity
medium Medium risk
Affected Versions
<=3.9.30
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Ninja Forms - File Uploads

medium
Vulnerability
Ninja Forms - File Uploads — Authorization bypass
Severity
medium Medium risk
Affected Versions
<=3.3.29
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin

medium
Vulnerability
Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=2.11.4
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

CM Business Directory – Optimise and showcase local business

medium
Vulnerability
CM Business Directory – Optimise and showcase local business — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=1.5.7
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

MotoPress Appointment Booking

medium
Vulnerability
MotoPress Appointment Booking — Authorization Bypass
Severity
medium Medium risk
Affected Versions
<=2.4.4
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

JSON API User

medium
Vulnerability
JSON API User — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=4.1.0
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

RTMKit

medium
Vulnerability
RTMKit — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=2.0.7
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker

medium
Vulnerability
Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker — Authorization bypass
Severity
medium Medium risk
Affected Versions
<=11.1.4
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

LatePoint – Calendar Booking Plugin for Appointments and Events

medium
Vulnerability
LatePoint – Calendar Booking Plugin for Appointments and Events — Authorization bypass
Severity
medium Medium risk
Affected Versions
<=5.6.1
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

The CURCY – Multi Currency for WooCommerce – Smoothly on WooCommerce 9.x

medium
Vulnerability
The CURCY – Multi Currency for WooCommerce – Smoothly on WooCommerce 9.x — Arbitrary shortcode execution
Severity
medium Medium risk
Affected Versions
<=2.2.14
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Ad Inserter – Ad Manager & AdSense Ads

medium
Vulnerability
Ad Inserter – Ad Manager & AdSense Ads — Insecure Direct Object Reference
Severity
medium Medium risk
Affected Versions
<=2.8.16
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

GenerateBlocks

medium
Vulnerability
GenerateBlocks — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=2.2.1
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

RTMKit (rometheme-for-elementor)

medium
Vulnerability
RTMKit (rometheme-for-elementor) — Local File Inclusion
Severity
medium Medium risk
Affected Versions
<=2.0.7
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Fluent Forms

low
Vulnerability
Fluent Forms — Properly verify ownership before processing a subscription cancellation request
Severity
low Low risk
Affected Versions
<=6.2.1
CVE Reference
Patch Status
No patch
Source
NVD

Fluent Forms

low
Vulnerability
Fluent Forms — Properly restrict the deletion of form submission entries to the forms a restricted Manager is autho
Severity
low Low risk
Affected Versions
<=6.2.5
CVE Reference
Patch Status
No patch
Source
NVD

Adminify

low
Vulnerability
Adminify — Perform per-user read-capability checks on the results returned by one of its administration search
Severity
low Low risk
Affected Versions
<=4.2.10
CVE Reference
Patch Status
No patch
Source
NVD

WordPress Theme Vulnerabilities (8)

Contributor Local File Inclusion in Splash - Sport Club

high
Vulnerability
Contributor Local File Inclusion in Splash - Sport Club — CVE-2025-68063
Severity
high High risk
Affected Versions
all
CVE Reference
Patch Status
No patch
Source
NVD

Unauthenticated Cross Site Scripting (XSS) in SpaLab | Beauty Salon

high
Vulnerability
Unauthenticated Cross Site Scripting (XSS) in SpaLab | Beauty Salon — CVE-2025-69154
Severity
high High risk
Affected Versions
all
CVE Reference
Patch Status
No patch
Source
NVD

Unauthenticated Cross Site Scripting (XSS) in Fitness Zone

high
Vulnerability
Unauthenticated Cross Site Scripting (XSS) in Fitness Zone — CVE-2025-69155
Severity
high High risk
Affected Versions
all
CVE Reference
Patch Status
No patch
Source
NVD

Unauthenticated Cross Site Scripting (XSS) in Kids Zone - Children

high
Vulnerability
Unauthenticated Cross Site Scripting (XSS) in Kids Zone - Children — CVE-2025-69156
Severity
high High risk
Affected Versions
all
CVE Reference
Patch Status
No patch
Source
NVD

Spexo

medium
Vulnerability
Spexo — Unauthorized access
Severity
medium Medium risk
Affected Versions
<=2.0.11
CVE Reference
Patch Status
No patch
Source
NVD

yootheme

medium
Vulnerability
yootheme — Prevent its bundled front-end framework from treating certain HTML attributes
Severity
medium Medium risk
Affected Versions
<=5.0.35
CVE Reference
Patch Status
No patch
Source
NVD

Subscriber Broken Access Control in Martfury - WooCommerce Marketplace

medium
Vulnerability
Subscriber Broken Access Control in Martfury - WooCommerce Marketplace — CVE-2026-57685
Severity
medium Medium risk
Affected Versions
all
CVE Reference
Patch Status
No patch
Source
NVD

Zakra

medium
Vulnerability
Zakra — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=4.2.0
CVE Reference
Patch Status
No patch
Source
NVD

WordPress Core Vulnerabilities (0)

No vulnerabilities reported in this category this week.

Recommendations

1
Update immediately
Install the latest versions of all plugins, themes, and WordPress core.
2
Enable auto-updates
Turn on automatic updates for minor WordPress releases and plugins where possible.
3
Remove unused plugins
Deactivate and delete any plugins or themes you no longer use.
4
Run a security scan
Use our free WordPress security scanner to check your site for known vulnerabilities.
5
Monitor regularly
Set up uptime monitoring and periodic security scans to catch issues early.

Methodology

This report is compiled automatically from multiple trusted sources:

NIST National Vulnerability Database (NVD)
CVE records with CVSS severity scores
Wordfence Intelligence
WordPress-specific vulnerability data with patch information
Our Scanning Database
Vulnerabilities detected through active WordPress security scans

Tags

Related Posts