WordPress Vulnerability Report: March 5 – March 8, 2026

61 WordPress vulnerabilities were disclosed between March 5 and March 8, 2026: 4 critical, 13 high severity. 1 patched, 60 unpatched.

WPSentry | March 8, 2026 | 15 min read

During the reporting period (March 5 – March 8, 2026), 61 WordPress security vulnerabilities were disclosed across plugins, themes, and core. This report aggregates data from the NIST National Vulnerability Database, Wordfence Intelligence, and our own scanning database.

Summary

Total: 61
Critical: 4
High: 13
Medium: 44
Low: 0
Patched: 1

WordPress Plugin Vulnerabilities (52)

Login with Salesforce

critical
Vulnerability
Login with Salesforce — Validate that users are allowed to login through Salesforce
Severity
critical Critical risk
Affected Versions
<=1.0.2
CVE Reference
Patch Status
No patch
Source
NVD

Database for Contact Form 7, WPforms, Elementor forms

critical
Vulnerability
Database for Contact Form 7, WPforms, Elementor forms — PHP Object Injection
Severity
critical Critical risk
Affected Versions
<=1.4.7
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

PowerPack for LearnDash

critical
Vulnerability
PowerPack for LearnDash — Have authorization and CSRF checks in an AJAX action
Severity
critical Critical risk
Affected Versions
<=1.3.0
CVE Reference
Patch Status
No patch
Source
NVD

Meta Box

high
Vulnerability
Meta Box <= 5.11.1 - Authenticated (Contributor+) Arbitrary File Deletion
Severity
high High risk
Affected Versions
<=5.11.1
CVE Reference
Patch Status
5.11.2
Source
Wordfence
Plugin Page

Fluent Forms Pro

high
Vulnerability
Fluent Forms Pro — Stored Cross-Site Scripting
Severity
high High risk
Affected Versions
<=6.1.17
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Membership Plugin – Restrict Content

high
Vulnerability
Membership Plugin – Restrict Content — Privilege Escalation
Severity
high High risk
Affected Versions
<=3.2.20
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

WowOptin: Next-Gen Popup Maker – Create Stunning Popups and Optins for Lead Generation

high
Vulnerability
WowOptin: Next-Gen Popup Maker – Create Stunning Popups and Optins for Lead Generation — Unauthorized arbitrary plugin installation
Severity
high High risk
Affected Versions
<=1.4.24
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Drag and Drop Multiple File Upload - Contact Form 7

high
Vulnerability
Drag and Drop Multiple File Upload - Contact Form 7 — Arbitrary file uploads
Severity
high High risk
Affected Versions
<=1.3.7.3
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

WooCommerce

high
Vulnerability
WooCommerce — Properly handle batch requests
Severity
high High risk
Affected Versions
all
CVE Reference
Patch Status
No patch
Source
NVD

ZIP Code Based Content Protection

high
Vulnerability
ZIP Code Based Content Protection — SQL Injection
Severity
high High risk
Affected Versions
<=1.0.2
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

JS Archive List

high
Vulnerability
JS Archive List — PHP Object Injection
Severity
high High risk
Affected Versions
<=6.1.7
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Easy PHP Settings

high
Vulnerability
Easy PHP Settings — PHP Code Injection
Severity
high High risk
Affected Versions
<=1.0.4
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Paid Videochat Turnkey Site – HTML5 PPV Live Webcams

high
Vulnerability
Paid Videochat Turnkey Site – HTML5 PPV Live Webcams — Privilege Escalation
Severity
high High risk
Affected Versions
<=7.3.20
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Meta Box

high
Vulnerability
Meta Box — Arbitrary file deletion
Severity
high High risk
Affected Versions
<=5.11.1
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

WP App Bar

high
Vulnerability
WP App Bar — Stored Cross-Site Scripting
Severity
high High risk
Affected Versions
<=1.5
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Fluent Forms Pro Add On Pack

medium
Vulnerability
Fluent Forms Pro Add On Pack — Missing Authorization
Severity
medium Medium risk
Affected Versions
<=6.1.17
CVE Reference
Patch Status
No patch
Source
NVD

OoohBoi Steroids for Elementor

medium
Vulnerability
OoohBoi Steroids for Elementor — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=2.1.24
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Apocalypse Meow

medium
Vulnerability
Apocalypse Meow — SQL Injection
Severity
medium Medium risk
Affected Versions
<=22.1.0
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Theater

medium
Vulnerability
Theater — Stored XSS
Severity
medium Medium risk
Affected Versions
<=0.19
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Builderall Builder

medium
Vulnerability
Builderall Builder — Code Injection
Severity
medium Medium risk
Affected Versions
<=3.0.1
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

WordPress CTA

medium
Vulnerability
WordPress CTA — Exploiting Incorrectly Configured Access Control Security Levels
Severity
medium Medium risk
Affected Versions
<=1.7.4
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Media Library Assistant

medium
Vulnerability
Media Library Assistant — Unauthorized modification of data
Severity
medium Medium risk
Affected Versions
<=3.33
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Page and Post Clone

medium
Vulnerability
Page and Post Clone — SQL Injection
Severity
medium Medium risk
Affected Versions
<=6.3
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Greenshift – animation and page builder blocks

medium
Vulnerability
Greenshift – animation and page builder blocks — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=12.8.5
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Greenshift – animation and page builder blocks

medium
Vulnerability
Greenshift – animation and page builder blocks — Sensitive Information Exposure
Severity
medium Medium risk
Affected Versions
<=12.8.3
CVE Reference
Patch Status
No patch
Source
NVD

WP eCommerce

medium
Vulnerability
WP eCommerce — Have CSRF check in place when deleting coupons
Severity
medium Medium risk
Affected Versions
<=3.15.1
CVE Reference
Patch Status
No patch
Source
NVD

WP All Import – Drag & Drop Import for CSV, XML, Excel & Google Sheets

medium
Vulnerability
WP All Import – Drag & Drop Import for CSV, XML, Excel & Google Sheets — Reflected Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=4.0.0
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

WP Frontend Profile

medium
Vulnerability
WP Frontend Profile — Cross-Site Request Forgery
Severity
medium Medium risk
Affected Versions
<=1.3.8
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

HUMN-1 AI Website Scanner & Human Certification by Winston AI

medium
Vulnerability
HUMN-1 AI Website Scanner & Human Certification by Winston AI — Unauthorized modification of data
Severity
medium Medium risk
Affected Versions
<=0.0.3
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Greenshift – animation and page builder blocks

medium
Vulnerability
Greenshift – animation and page builder blocks — Insecure Direct Object Reference
Severity
medium Medium risk
Affected Versions
<=12.8.3
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

MDJM Event Management

medium
Vulnerability
MDJM Event Management — Unauthorized data modification
Severity
medium Medium risk
Affected Versions
<=1.7.8.1
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Hammas Calendar

medium
Vulnerability
Hammas Calendar — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=1.5.11
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Community Events

medium
Vulnerability
Community Events — SQL Injection
Severity
medium Medium risk
Affected Versions
<=1.5.8
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

CM Custom Reports

medium
Vulnerability
CM Custom Reports — Reflected Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=1.2.7
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

ProfileGrid – User Profiles, Groups and Communities

medium
Vulnerability
ProfileGrid – User Profiles, Groups and Communities — Unauthorized message deletion
Severity
medium Medium risk
Affected Versions
<=5.9.8.1
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

ProfileGrid – User Profiles, Groups and Communities

medium
Vulnerability
ProfileGrid – User Profiles, Groups and Communities — Cross-Site Request Forgery
Severity
medium Medium risk
Affected Versions
<=5.9.8.2
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

MailArchiver

medium
Vulnerability
MailArchiver — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=4.4.0
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Stock Ticker

medium
Vulnerability
Stock Ticker — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=3.26.1
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Carta Online

medium
Vulnerability
Carta Online — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=2.13.0
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Purchase Button For Affiliate Link

medium
Vulnerability
Purchase Button For Affiliate Link — Cross-Site Request Forgery
Severity
medium Medium risk
Affected Versions
<=1.0.2
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

True Ranker

medium
Vulnerability
True Ranker — Cross-Site Request Forgery
Severity
medium Medium risk
Affected Versions
<=2.2.9
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Font Pairing Preview For Landing Pages

medium
Vulnerability
Font Pairing Preview For Landing Pages — Cross-Site Request Forgery
Severity
medium Medium risk
Affected Versions
<=1.3
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Guardian News Feed

medium
Vulnerability
Guardian News Feed — Cross-Site Request Forgery
Severity
medium Medium risk
Affected Versions
<=1.2
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Wueen

medium
Vulnerability
Wueen — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=0.2.0
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

MyQtip – easy qTip2

medium
Vulnerability
MyQtip – easy qTip2 — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=2.0.5
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

DA Media GigList

medium
Vulnerability
DA Media GigList — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=1.9.0
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Media Library Alt Text Editor

medium
Vulnerability
Media Library Alt Text Editor — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=1.0.0
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Consensus Embed

medium
Vulnerability
Consensus Embed — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=1.6
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Infomaniak Connect for OpenID

medium
Vulnerability
Infomaniak Connect for OpenID — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=1.0.2
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Show YouTube video

medium
Vulnerability
Show YouTube video — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=1.1
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

LotekMedia Popup Form

medium
Vulnerability
LotekMedia Popup Form — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=1.0.6
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging

medium
Vulnerability
RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging — DOM-Based Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=5.0.11
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

WordPress Theme Vulnerabilities (9)

Healer - Doctor, Clinic & Medical

critical
Vulnerability
Healer - Doctor, Clinic & Medical — PHP Local File Inclusion
Severity
critical Critical risk
Affected Versions
<=1.0.0
CVE Reference
Patch Status
No patch
Source
NVD

TopScorer - Sports

high
Vulnerability
TopScorer - Sports — PHP Local File Inclusion
Severity
high High risk
Affected Versions
<=1.2
CVE Reference
Patch Status
No patch
Source
NVD

CasaMia | Property Rental Real Estate

medium
Vulnerability
CasaMia | Property Rental Real Estate — PHP Local File Inclusion
Severity
medium Medium risk
Affected Versions
<=1.1.2
CVE Reference
Patch Status
No patch
Source
NVD

AC Services | HVAC, Air Conditioning & Heating Company

medium
Vulnerability
AC Services | HVAC, Air Conditioning & Heating Company — PHP Local File Inclusion
Severity
medium Medium risk
Affected Versions
<=1.2.5
CVE Reference
Patch Status
No patch
Source
NVD

Consultor | Consulting, Accounting & Legal Counsel

medium
Vulnerability
Consultor | Consulting, Accounting & Legal Counsel — PHP Local File Inclusion
Severity
medium Medium risk
Affected Versions
<=1.2.4
CVE Reference
Patch Status
No patch
Source
NVD

Chronicle - Lifestyle Magazine & Blog

medium
Vulnerability
Chronicle - Lifestyle Magazine & Blog — PHP Local File Inclusion
Severity
medium Medium risk
Affected Versions
<=1.0
CVE Reference
Patch Status
No patch
Source
NVD

Buzz Stone | Magazine & Viral Blog

medium
Vulnerability
Buzz Stone | Magazine & Viral Blog — PHP Local File Inclusion
Severity
medium Medium risk
Affected Versions
<=1.0.2
CVE Reference
Patch Status
No patch
Source
NVD

Apollo | Night Club, DJ Event

medium
Vulnerability
Apollo | Night Club, DJ Event — PHP Local File Inclusion
Severity
medium Medium risk
Affected Versions
<=1.3.1
CVE Reference
Patch Status
No patch
Source
NVD

TopFit - Fitness and Gym

medium
Vulnerability
TopFit - Fitness and Gym — PHP Local File Inclusion
Severity
medium Medium risk
Affected Versions
<=1.9
CVE Reference
Patch Status
No patch
Source
NVD

WordPress Core Vulnerabilities (0)

No vulnerabilities reported in this category this week.

Recommendations

1. Update immediately: Install the latest versions of all plugins, themes, and WordPress core.
2. Enable auto-updates: Turn on automatic updates for minor WordPress releases and plugins where possible.
3. Remove unused plugins: Deactivate and delete any plugins or themes you no longer use.
4. Run a security scan: Use our free WordPress security scanner to check your site for known vulnerabilities.
5. Monitor regularly: Set up uptime monitoring and periodic security scans to catch issues early.

Methodology

This report is compiled automatically from multiple trusted sources:

NIST National Vulnerability Database (NVD): CVE records with CVSS severity scores
Wordfence Intelligence: WordPress-specific vulnerability data with patch information
Our Scanning Database: Vulnerabilities detected through active WordPress security scans
