Vulnerability Report

WordPress Vulnerability Report: May 1 – May 8, 2026

96 WordPress vulnerabilities were disclosed between May 1 and May 8, 2026: 6 critical and 35 high severity. 1 patched, 95 unpatched.

WPSentry | May 24, 2026 | 21 min read

During the reporting period (May 1 – May 8, 2026), 96 WordPress security vulnerabilities were disclosed across plugins, themes, and core. This report aggregates data from the NIST National Vulnerability Database, Wordfence Intelligence, and our own scanning database.

Summary

Total: 96
Critical: 6
High: 35
Medium: 55
Low: 0
Patched: 1

WordPress Plugin Vulnerabilities (92)

Temporary Login

critical
Vulnerability
Temporary Login — Authentication Bypass
Severity
critical Critical risk
Affected Versions
<=1.0.0
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

User Registration Advanced Fields

critical
Vulnerability
User Registration Advanced Fields — Arbitrary file uploads
Severity
critical Critical risk
Affected Versions
<=1.6.20
CVE Reference
Patch Status
No patch
Source
NVD

User Verification by PickPlugins

critical
Vulnerability
User Verification by PickPlugins — Authentication bypass
Severity
critical Critical risk
Affected Versions
<=2.0.46
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

MoreConvert Pro

critical
Vulnerability
MoreConvert Pro — Authentication Bypass
Severity
critical Critical risk
Affected Versions
<=1.9.14
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Mentoring

critical
Vulnerability
Mentoring — Privilege escalation
Severity
critical Critical risk
Affected Versions
<=1.2.8
CVE Reference
Patch Status
No patch
Source
NVD

Geeky Bot

critical
Vulnerability
Geeky Bot — Missing Authorization
Severity
critical Critical risk
Affected Versions
<=1.2.2
CVE Reference
Patch Status
No patch
Source
NVD

WP Business Intelligence Lite

high
Vulnerability
WP Business Intelligence Lite <= 3.2.0 - Authenticated (Subscriber+) Missing Authorization to Privilege Escalation via Arbitrary SQL Modification
Severity
high High risk
Affected Versions
<=3.2.0
CVE Reference
N/A
Patch Status
No patch
Source
Wordfence
Plugin Page

WP Editor

high
Vulnerability
WP Editor — Cross-Site Request Forgery
Severity
high High risk
Affected Versions
<=1.2.9.2
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

WP Mail Gateway

high
Vulnerability
WP Mail Gateway — Unauthorized access
Severity
high High risk
Affected Versions
<=1.8
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Import and export users and customers

high
Vulnerability
Import and export users and customers — Privilege Escalation
Severity
high High risk
Affected Versions
<=2.0.8
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Gravity Forms

high
Vulnerability
Gravity Forms — Stored Cross-Site Scripting
Severity
high High risk
Affected Versions
<=2.10.0
CVE Reference
Patch Status
No patch
Source
NVD

Gravity Forms

high
Vulnerability
Gravity Forms — Unauthenticated Stored Cross-Site Scripting
Severity
high High risk
Affected Versions
<=2.10.0
CVE Reference
Patch Status
No patch
Source
NVD

Gravity Forms

high
Vulnerability
Gravity Forms — Stored Cross-Site Scripting
Severity
high High risk
Affected Versions
<=2.10.0
CVE Reference
Patch Status
No patch
Source
NVD

Gravity Forms

high
Vulnerability
Gravity Forms — Unauthenticated Stored Cross-Site Scripting
Severity
high High risk
Affected Versions
<=2.10.0
CVE Reference
Patch Status
No patch
Source
NVD

Gravity Forms

high
Vulnerability
Gravity Forms — Stored Cross-Site Scripting
Severity
high High risk
Affected Versions
<=2.10.0
CVE Reference
Patch Status
No patch
Source
NVD

PixelYourSite Pro – Your smart PIXEL (TAG) Manager

high
Vulnerability
PixelYourSite Pro – Your smart PIXEL (TAG) Manager — Server-Side Request Forgery
Severity
high High risk
Affected Versions
<=12.5.0.1
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Profile Builder Pro

high
Vulnerability
Profile Builder Pro — PHP Object Injection
Severity
high High risk
Affected Versions
<=3.14.5
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Widget Options – Advanced Conditional Visibility for Gutenberg Blocks & Classic Widgets

high
Vulnerability
Widget Options – Advanced Conditional Visibility for Gutenberg Blocks & Classic Widgets — Remote Code Execution
Severity
high High risk
Affected Versions
<=4.2.2
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Royal Elementor Addons

high
Vulnerability
Royal Elementor Addons — Server-Side Request Forgery
Severity
high High risk
Affected Versions
<=1.7.1057
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup

high
Vulnerability
ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup — Time-based blind SQL Injection
Severity
high High risk
Affected Versions
<=4.0.60
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Brizy – Page Builder

high
Vulnerability
Brizy – Page Builder — Unauthenticated Stored Cross-Site Scripting
Severity
high High risk
Affected Versions
<=2.8.11
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Geo Mashup

high
Vulnerability
Geo Mashup — Time-Based SQL Injection
Severity
high High risk
Affected Versions
<=1.13.18
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Geo Mashup

high
Vulnerability
Geo Mashup — Time-Based SQL Injection
Severity
high High risk
Affected Versions
<=1.13.18
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Geo Mashup

high
Vulnerability
Geo Mashup — Time-Based SQL Injection
Severity
high High risk
Affected Versions
<=1.13.18
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Paid Memberships Pro

high
Vulnerability
Paid Memberships Pro — Unauthorized modification and disruption of Stripe webhook configuration
Severity
high High risk
Affected Versions
<=3.6.5
CVE Reference
Patch Status
No patch
Source
NVD

Salon Booking System – Free Version

high
Vulnerability
Salon Booking System – Free Version — Arbitrary File Read
Severity
high High risk
Affected Versions
<=10.30.25
CVE Reference
Patch Status
No patch
Source
NVD

WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible

high
Vulnerability
WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible — Insecure Direct Object Reference
Severity
high High risk
Affected Versions
<=6.7.25
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

NEX-Forms – Ultimate Forms

high
Vulnerability
NEX-Forms – Ultimate Forms — Stored Cross-Site Scripting
Severity
high High risk
Affected Versions
<=9.1.11
CVE Reference
Patch Status
No patch
Source
NVD

Conditional Fields for Contact Form 7

high
Vulnerability
Conditional Fields for Contact Form 7 — CVE-2026-25863
Severity
high High risk
Affected Versions
<=2.6.7
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

AWP Classifieds

high
Vulnerability
AWP Classifieds — SQL Injection
Severity
high High risk
Affected Versions
<=4.4.5
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

GeekyBot — Generate AI Content Without Prompt, Chatbot and Lead Generation

high
Vulnerability
GeekyBot — Generate AI Content Without Prompt, Chatbot and Lead Generation — SQL Injection
Severity
high High risk
Affected Versions
<=1.2.0
CVE Reference
Patch Status
No patch
Source
NVD

Royal Elementor Addons

high
Vulnerability
Royal Elementor Addons — Stored Cross-Site Scripting
Severity
high High risk
Affected Versions
<=1.7.1056
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Forminator Forms – Contact Form, Payment Form & Custom Form Builder

high
Vulnerability
Forminator Forms – Contact Form, Payment Form & Custom Form Builder — Path Traversal
Severity
high High risk
Affected Versions
<=1.52.1
CVE Reference
Patch Status
No patch
Source
NVD

Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder

high
Vulnerability
Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder — SQL Injection
Severity
high High risk
Affected Versions
<=1.15.42
CVE Reference
Patch Status
No patch
Source
NVD

WeePie Cookie Allow

high
Vulnerability
WeePie Cookie Allow — SQL Injection
Severity
high High risk
Affected Versions
<=3.4.11
CVE Reference
Patch Status
No patch
Source
NVD

LatePoint – Calendar Booking Plugin for Appointments and Events

high
Vulnerability
LatePoint – Calendar Booking Plugin for Appointments and Events — Stored Cross-Site Scripting
Severity
high High risk
Affected Versions
<=5.5.0
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Gravity Bookings Premium

high
Vulnerability
Gravity Bookings Premium — SQL Injection
Severity
high High risk
Affected Versions
<=2.5.9
CVE Reference
Patch Status
No patch
Source
NVD

BetterDocs Pro

high
Vulnerability
BetterDocs Pro — SQL Injection
Severity
high High risk
Affected Versions
<=3.7.0
CVE Reference
Patch Status
No patch
Source
NVD

Slider Revolution

high
Vulnerability
Slider Revolution — Arbitrary File Upload
Severity
high High risk
Affected Versions
all
CVE Reference
Patch Status
No patch
Source
NVD

WP-Optimize – Cache, Compress images, Minify & Clean database to boost page speed & performance

high
Vulnerability
WP-Optimize – Cache, Compress images, Minify & Clean database to boost page speed & performance — Arbitrary file deletion
Severity
high High risk
Affected Versions
<=4.5.2
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder

medium
Vulnerability
Fluent Forms <= 6.2.1 - Authenticated (Administrator+) Arbitrary File Read via Path Traversal in Email Attachment
Severity
medium Medium risk
Affected Versions
<=6.2.1
CVE Reference
Patch Status
6.2.2
Source
Wordfence
Plugin Page

WP Business Intelligence Lite

medium
Vulnerability
WP Business Intelligence Lite <= 3.2.0 - Missing Authorization
Severity
medium Medium risk
Affected Versions
<=3.2.0
CVE Reference
N/A
Patch Status
No patch
Source
Wordfence
Plugin Page

Elementor Website Builder

medium
Vulnerability
Elementor Website Builder — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=4.0.4
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Ultimate Dashboard

medium
Vulnerability
Ultimate Dashboard — Cross-Site Request Forgery
Severity
medium Medium risk
Affected Versions
<=3.8.14
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Total Upkeep – WordPress Backup Plugin plus Restore & Migrate by BoldGrid

medium
Vulnerability
Total Upkeep – WordPress Backup Plugin plus Restore & Migrate by BoldGrid — Unauthorized modification of data
Severity
medium Medium risk
Affected Versions
<=1.17.1
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Maxi Blocks

medium
Vulnerability
Maxi Blocks — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=2.1.9
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Simple Link Directory

medium
Vulnerability
Simple Link Directory — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=8.9.2
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

App Builder – Create Native Android & iOS Apps On The Flight

medium
Vulnerability
App Builder – Create Native Android & iOS Apps On The Flight — Insecure Direct Object Reference
Severity
medium Medium risk
Affected Versions
<=5.6.0
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Widgets for Social Photo Feed

medium
Vulnerability
Widgets for Social Photo Feed — Unauthorized access of data and modification of data
Severity
medium Medium risk
Affected Versions
<=1.8
CVE Reference
Patch Status
No patch
Source
NVD

Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates

medium
Vulnerability
Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=6.0.4
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

My Social Feeds – Social Feeds Embedder

medium
Vulnerability
My Social Feeds – Social Feeds Embedder — Sensitive Information Exposure
Severity
medium Medium risk
Affected Versions
<=1.0.4
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Call for Price for WooCommerce

medium
Vulnerability
Call for Price for WooCommerce — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=4.2.0
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Jeg Kit for Elementor – Powerful Addons for Elementor, Widgets & Templates for WordPress

medium
Vulnerability
Jeg Kit for Elementor – Powerful Addons for Elementor, Widgets & Templates for WordPress — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=3.1.0
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

FundPress – WordPress Donation

medium
Vulnerability
FundPress – WordPress Donation — Authorization bypass
Severity
medium Medium risk
Affected Versions
<=2.0.8
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Booking for Appointments and Events Calendar – Amelia

medium
Vulnerability
Booking for Appointments and Events Calendar – Amelia — Improper Authorization
Severity
medium Medium risk
Affected Versions
<=2.1.2
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Geo Mashup

medium
Vulnerability
Geo Mashup — Time-based blind SQL Injection
Severity
medium Medium risk
Affected Versions
<=1.13.19
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Royal Addons for Elementor

medium
Vulnerability
Royal Addons for Elementor — Unauthorized modification of data
Severity
medium Medium risk
Affected Versions
<=1.7.1056
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Premium Addons for Elementor – Powerful Elementor Templates & Widgets

medium
Vulnerability
Premium Addons for Elementor – Powerful Elementor Templates & Widgets — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=4.11.70
CVE Reference
Patch Status
No patch
Source
NVD

Quiz Maker by AYS

medium
Vulnerability
Quiz Maker by AYS — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=6.7.1.29
CVE Reference
Patch Status
No patch
Source
NVD

NextMove Lite – Thank You Page for WooCommerce

medium
Vulnerability
NextMove Lite – Thank You Page for WooCommerce — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=2.23.0
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Dokan: AI Powered WooCommerce Multivendor Marketplace Solution

medium
Vulnerability
Dokan: AI Powered WooCommerce Multivendor Marketplace Solution — Sensitive Information Exposure
Severity
medium Medium risk
Affected Versions
<=4.3.1
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Frontend File Manager Plugin

medium
Vulnerability
During the analysis, it was identified that authenticated attackers with Subscriber-level access or higher are able to perform an Insecure Direct Object Reference (IDOR) attack. This vulnerability exists because the Frontend File Manager Plugin — Properly validate user authorization for the requested uploaded file when processing download reques
Severity
medium Medium risk
Affected Versions
<=23.6
CVE Reference
Patch Status
No patch
Source
NVD

Magic Export & Import

medium
Vulnerability
Magic Export & Import — CVE-2026-5335
Severity
medium Medium risk
Affected Versions
<=1.2.0
CVE Reference
Patch Status
No patch
Source
NVD

Loco Translate

medium
Vulnerability
Loco Translate — Path Traversal
Severity
medium Medium risk
Affected Versions
<=2.8.2
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Gutenverse – Ultimate WordPress FSE Blocks Addons & Ecosystem

medium
Vulnerability
Gutenverse – Ultimate WordPress FSE Blocks Addons & Ecosystem — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=3.5.3
CVE Reference
Patch Status
No patch
Source
NVD

Subscribe To Comments Reloaded

medium
Vulnerability
Subscribe To Comments Reloaded — Unauthorized modification of data
Severity
medium Medium risk
Affected Versions
<=240119
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Charts Ninja: Create Beautiful Graphs & Charts and Easily Add Them to Your Website

medium
Vulnerability
Charts Ninja: Create Beautiful Graphs & Charts and Easily Add Them to Your Website — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=2.1.0
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Schedule Post Changes With PublishPress Future

medium
Vulnerability
Schedule Post Changes With PublishPress Future — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=4.10.0
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

WP-Clippy

medium
Vulnerability
WP-Clippy — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=1.0.0
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Simple Owl Shortcodes

medium
Vulnerability
Simple Owl Shortcodes — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=2.1.1
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Zingaya Click-to-Call

medium
Vulnerability
Zingaya Click-to-Call — Reflected Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=1.0
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

DX Sources

medium
Vulnerability
DX Sources — Cross-Site Request Forgery
Severity
medium Medium risk
Affected Versions
<=2.0.1
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

addfreespace

medium
Vulnerability
addfreespace — Cross-Site Request Forgery
Severity
medium Medium risk
Affected Versions
<=0.1.3
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Publish 2 Ping.fm

medium
Vulnerability
Publish 2 Ping.fm — Cross-Site Request Forgery
Severity
medium Medium risk
Affected Versions
<=1.1
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Blog Settings

medium
Vulnerability
Blog Settings — Reflected Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=1.0
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Gutenverse – Ultimate WordPress FSE Blocks Addons & Ecosystem

medium
Vulnerability
Gutenverse – Ultimate WordPress FSE Blocks Addons & Ecosystem — Server-Side Request Forgery
Severity
medium Medium risk
Affected Versions
<=3.5.3
CVE Reference
Patch Status
No patch
Source
NVD

WP Carousel Free

medium
Vulnerability
WP Carousel Free — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=2.7.10
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Royal Addons for Elementor

medium
Vulnerability
Royal Addons for Elementor — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=1.7.1056
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

EmailKit

medium
Vulnerability
EmailKit — Arbitrary File Read
Severity
medium Medium risk
Affected Versions
<=1.6.5
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

ElementsKit Elementor Addons

medium
Vulnerability
ElementsKit Elementor Addons — Unauthorized modification of data
Severity
medium Medium risk
Affected Versions
<=3.8.2
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Forminator

medium
Vulnerability
Forminator — Authorization bypass
Severity
medium Medium risk
Affected Versions
<=1.52.0
CVE Reference
Patch Status
No patch
Source
NVD

GenerateBlocks

medium
Vulnerability
GenerateBlocks — Insecure Direct Object Reference
Severity
medium Medium risk
Affected Versions
<=2.2.0
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

User Registration & Membership

medium
Vulnerability
User Registration & Membership — Unauthorized modification of data
Severity
medium Medium risk
Affected Versions
<=5.1.4
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Mercado Pago payments for WooCommerce

medium
Vulnerability
Mercado Pago payments for WooCommerce — Unauthorized access of data
Severity
medium Medium risk
Affected Versions
<=8.7.11
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

All-in-One WP Migration Unlimited Extension

medium
Vulnerability
All-in-One WP Migration Unlimited Extension — Missing Authorization
Severity
medium Medium risk
Affected Versions
<=2.83
CVE Reference
Patch Status
No patch
Source
NVD

Ninja Tables – Easy Data Table Builder

medium
Vulnerability
Ninja Tables – Easy Data Table Builder — Unauthorized database table creation
Severity
medium Medium risk
Affected Versions
<=5.2.6
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Fluent Forms

medium
Vulnerability
Fluent Forms — Arbitrary File Read
Severity
medium Medium risk
Affected Versions
<=6.2.1
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Affiliate Program Suite — SliceWP Affiliates

medium
Vulnerability
Affiliate Program Suite — SliceWP Affiliates — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=1.2.7
CVE Reference
Patch Status
No patch
Source
NVD

LatePoint

medium
Vulnerability
LatePoint — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=5.5.0
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Forminator Forms

medium
Vulnerability
Forminator Forms — Missing Authorization
Severity
medium Medium risk
Affected Versions
<=1.51.1
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Appointment Booking Calendar

medium
Vulnerability
Appointment Booking Calendar — Missing Authorization
Severity
medium Medium risk
Affected Versions
<=1.6.10.6
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Forminator Forms

medium
Vulnerability
Forminator Forms — Missing Authorization
Severity
medium Medium risk
Affected Versions
<=1.53.0
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

WordPress Theme Vulnerabilities (4)

Betheme

high
Vulnerability
Betheme — Arbitrary File Upload
Severity
high High risk
Affected Versions
<=28.4
CVE Reference
Patch Status
No patch
Source
NVD

Ona

medium
Vulnerability
Ona — Server-Side Request Forgery
Severity
medium Medium risk
Affected Versions
<=1.26
CVE Reference
Patch Status
No patch
Source
NVD

Total

medium
Vulnerability
Total — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=2.2.1
CVE Reference
Patch Status
No patch
Source
NVD

Betheme

medium
Vulnerability
Betheme — Arbitrary File Deletion
Severity
medium Medium risk
Affected Versions
<=28.4
CVE Reference
Patch Status
No patch
Source
NVD

WordPress Core Vulnerabilities (0)

No vulnerabilities reported in this category this week.

Recommendations

1. Update immediately: Install the latest versions of all plugins, themes, and WordPress core.
2. Enable auto-updates: Turn on automatic updates for minor WordPress releases and plugins where possible.
3. Remove unused plugins: Deactivate and delete any plugins or themes you no longer use.
4. Run a security scan: Use our free WordPress security scanner to check your site for known vulnerabilities.
5. Monitor regularly: Set up uptime monitoring and periodic security scans to catch issues early.

Methodology

This report is compiled automatically from multiple trusted sources:

NIST National Vulnerability Database (NVD): CVE records with CVSS severity scores
Wordfence Intelligence: WordPress-specific vulnerability data with patch information
Our Scanning Database: Vulnerabilities detected through active WordPress security scans
