Vulnerability Report

WordPress Vulnerability Report: May 17 – May 24, 2026

81 WordPress vulnerabilities disclosed between May 17 and May 24, 2026: 8 critical, 20 high severity; 2 patched, 79 unpatched.

WPSentry · May 24, 2026 · 19 min read

During the reporting period (May 17 – May 24, 2026), 81 WordPress security vulnerabilities were disclosed across plugins, themes, and core. This report aggregates data from the NIST National Vulnerability Database, Wordfence Intelligence, and our own scanning database.

Summary

Total: 81
Critical: 8
High: 20
Medium: 53
Low: 0
Patched: 2

WordPress Plugin Vulnerabilities (80)

Piotnet Addons for Elementor Pro
Vulnerability: Piotnet Addons for Elementor Pro — Arbitrary file upload
Severity: Critical
Affected Versions: <=7.1.70
CVE Reference: not listed
Patch Status: No patch
Source: NVD

Piotnet Forms
Vulnerability: Piotnet Forms — Arbitrary file upload
Severity: Critical
Affected Versions: <=2.1.40
CVE Reference: not listed
Patch Status: No patch
Source: NVD

ProSolution WP Client
Vulnerability: ProSolution WP Client — Arbitrary File Upload
Severity: Critical
Affected Versions: <=2.0.0
CVE Reference: not listed
Patch Status: No patch
Source: NVD

Easy Elements for Elementor – Addons & Website Templates
Vulnerability: Easy Elements for Elementor – Addons & Website Templates — Privilege escalation
Severity: Critical
Affected Versions: <=1.4.4
CVE Reference: not listed
Patch Status: No patch
Source: NVD

Boost
Vulnerability: Boost — PHP Object Injection
Severity: Critical
Affected Versions: <=2.0.3
CVE Reference: not listed
Patch Status: No patch
Source: NVD

Avada Builder (fusion-builder)
Vulnerability: Avada Builder (fusion-builder) — Unauthenticated Remote Code Execution
Severity: Critical
Affected Versions: <=3.15.2
CVE Reference: not listed
Patch Status: No patch
Source: NVD

Divi Form Builder
Vulnerability: Divi Form Builder — Privilege escalation
Severity: Critical
Affected Versions: <=5.1.2
CVE Reference: not listed
Patch Status: No patch
Source: NVD

BookingPress Pro
Vulnerability: BookingPress Pro — Arbitrary file uploads
Severity: Critical
Affected Versions: <=5.6
CVE Reference: not listed
Patch Status: No patch
Source: NVD

Wishlist Member
Vulnerability: WishList Member <= 3.30.1 - Missing Authorization to Authenticated (Subscriber+) Generate API Secret Key via 'wlm3_generate_api_key' AJAX action
Severity: High
Affected Versions: <=3.30.1
CVE Reference: not listed
Patch Status: 3.31.0
Source: Wordfence

AI Engine – The Chatbot, AI Framework & MCP for WordPress
Vulnerability: AI Engine – The Chatbot, AI Framework & MCP for WordPress — Privilege Escalation
Severity: High
Affected Versions: all
CVE Reference: not listed
Patch Status: No patch
Source: NVD

Autoptimize
Vulnerability: Autoptimize — Unauthenticated Stored Cross-Site Scripting (XSS)
Severity: High
Affected Versions: <=3.1.15
CVE Reference: not listed
Patch Status: No patch
Source: NVD

WP Photo Album Plus
Vulnerability: WP Photo Album Plus — Properly sanitize and escape a parameter before using it in a SQL query
Severity: High
Affected Versions: <=9.1.11.001
CVE Reference: not listed
Patch Status: No patch
Source: NVD

WP Maps
Vulnerability: WP Maps — Properly sanitize a parameter before using it in a file path
Severity: High
Affected Versions: <=4.9.3
CVE Reference: not listed
Patch Status: No patch
Source: NVD

Ajax Load More
Vulnerability: Ajax Load More — Sanitise and escape a parameter before outputting it back in the page
Severity: High
Affected Versions: <=7.8.4
CVE Reference: not listed
Patch Status: No patch
Source: NVD

Fortis for WooCommerce
Vulnerability: Fortis for WooCommerce — CVE-2025-15609
Severity: High
Affected Versions: <=1.3.1
CVE Reference: CVE-2025-15609
Patch Status: No patch
Source: NVD

Contest Gallery
Vulnerability: Contest Gallery — SQL Injection
Severity: High
Affected Versions: <=28.1.6
CVE Reference: not listed
Patch Status: No patch
Source: NVD

Kirki – Freeform Page Builder, Website Builder & Customizer
Vulnerability: Kirki – Freeform Page Builder, Website Builder & Customizer — Arbitrary file deletion
Severity: High
Affected Versions: <=6.0.6
CVE Reference: not listed
Patch Status: No patch
Source: NVD

Creative Mail – Easier WordPress & WooCommerce Email Marketing
Vulnerability: Creative Mail – Easier WordPress & WooCommerce Email Marketing — SQL Injection
Severity: High
Affected Versions: <=1.6.9
CVE Reference: not listed
Patch Status: No patch
Source: NVD

Account Switcher
Vulnerability: Account Switcher — Privilege Escalation
Severity: High
Affected Versions: <=1.0.2
CVE Reference: not listed
Patch Status: No patch
Source: NVD

Read More & Accordion
Vulnerability: Read More & Accordion — Privilege Escalation
Severity: High
Affected Versions: <=3.5.7
CVE Reference: not listed
Patch Status: No patch
Source: NVD

Boost
Vulnerability: Boost — Time-based SQL Injection
Severity: High
Affected Versions: <=2.0.3
CVE Reference: not listed
Patch Status: No patch
Source: NVD

Advanced Database Cleaner – Premium
Vulnerability: Advanced Database Cleaner – Premium — Local File Inclusion
Severity: High
Affected Versions: <=4.1.0
CVE Reference: not listed
Patch Status: No patch
Source: NVD

AcyMailing – An Ultimate Newsletter Plugin and Marketing Automation Solution for WordPress
Vulnerability: AcyMailing – An Ultimate Newsletter Plugin and Marketing Automation Solution for WordPress — Missing Authorization
Severity: High
Affected Versions: <=10.8.2
CVE Reference: not listed
Patch Status: No patch
Source: NVD

Cost of Goods by PixelYourSite
Vulnerability: Cost of Goods by PixelYourSite — Stored Cross-Site Scripting
Severity: High
Affected Versions: <=1.2.12
CVE Reference: not listed
Patch Status: No patch
Source: NVD

WP ERP Pro
Vulnerability: WP ERP Pro — SQL Injection
Severity: High
Affected Versions: <=1.5.1
CVE Reference: not listed
Patch Status: No patch
Source: NVD

Easy Elements for Elementor – Addons & Website Templates
Vulnerability: Easy Elements for Elementor – Addons & Website Templates — Privilege Escalation
Severity: High
Affected Versions: <=1.4.5
CVE Reference: not listed
Patch Status: No patch
Source: NVD

AudioIgniter
Vulnerability: AudioIgniter — Insecure Direct Object Reference
Severity: High
Affected Versions: <=2.0.2
CVE Reference: not listed
Patch Status: No patch
Source: NVD

Ditty – Responsive News Tickers, Sliders, and Lists
Vulnerability: Ditty – Responsive News Tickers, Sliders, and Lists — Authorization bypass
Severity: High
Affected Versions: <=3.1.65
CVE Reference: not listed
Patch Status: No patch
Source: NVD

The Plus Addons for Elementor – Addons for Elementor, Page Templates, Widgets, Mega Menu, WooCommerce
Vulnerability: The Plus Addons for Elementor <= 6.4.11 - Authenticated (Contributor+) Stored Cross-Site Scripting via Button Widget Custom Attributes
Severity: Medium
Affected Versions: <=6.4.11
CVE Reference: N/A
Patch Status: 6.4.12
Source: Wordfence

Simple Fields 0.2 through 0.3.5
Vulnerability: Simple Fields 0.2 through 0.3.5 — Unauthenticated attackers to read arbitrary files by injecting null bytes into the wp_abspath parame
Severity: Medium
Affected Versions: <=0.3.5
CVE Reference: not listed
Patch Status: No patch
Source: NVD

Feeds for YouTube (YouTube video, channel, and gallery plugin)
Vulnerability: Feeds for YouTube (YouTube video, channel, and gallery plugin) — Unauthorized modification of the Feeds for YouTube (YouTube video, channel, and gallery plugin) Word
Severity: Medium
Affected Versions: <=2.6.4
CVE Reference: not listed
Patch Status: No patch
Source: NVD

Kirki – Freeform Page Builder, Website Builder & Customizer
Vulnerability: Kirki – Freeform Page Builder, Website Builder & Customizer — Authorization bypass
Severity: Medium
Affected Versions: <=6.0.6
CVE Reference: not listed
Patch Status: No patch
Source: NVD

診断ジェネレータ作成プラグイン (Diagnosis Generator)
Vulnerability: 診断ジェネレータ作成プラグイン (Diagnosis Generator) — Stored Cross-Site Scripting
Severity: Medium
Affected Versions: <=1.4.16
CVE Reference: not listed
Patch Status: No patch
Source: NVD

Oliver POS – A WooCommerce Point of Sale (POS)
Vulnerability: Oliver POS – A WooCommerce Point of Sale (POS) — Authorization Bypass
Severity: Medium
Affected Versions: <=2.4.2.6
CVE Reference: not listed
Patch Status: No patch
Source: NVD

Sentence To SEO (keywords, description and tags)
Vulnerability: Sentence To SEO (keywords, description and tags) — Cross-Site Request Forgery
Severity: Medium
Affected Versions: <=1.0
CVE Reference: not listed
Patch Status: No patch
Source: NVD

Nexa Blocks – Gutenberg Blocks, Page Builder for Gutenberg Editor & FSE
Vulnerability: Nexa Blocks – Gutenberg Blocks, Page Builder for Gutenberg Editor & FSE — Server-Side Request Forgery (SSRF)
Severity: Medium
Affected Versions: <=1.1.1
CVE Reference: not listed
Patch Status: No patch
Source: NVD

Word 2 Cash
Vulnerability: Word 2 Cash — Cross-Site Request Forgery leading to Stored Cross-Site Scripting
Severity: Medium
Affected Versions: <=0.9.2
CVE Reference: not listed
Patch Status: No patch
Source: NVD

Sticky
Vulnerability: Sticky — Stored Cross-Site Scripting
Severity: Medium
Affected Versions: <=2.5.6
CVE Reference: not listed
Patch Status: No patch
Source: NVD

General Options
Vulnerability: General Options — Stored Cross-Site Scripting
Severity: Medium
Affected Versions: <=1.1.0
CVE Reference: not listed
Patch Status: No patch
Source: NVD

Child Height Predictor by Ostheimer
Vulnerability: Child Height Predictor by Ostheimer — Cross-Site Request Forgery
Severity: Medium
Affected Versions: <=1.3
CVE Reference: not listed
Patch Status: No patch
Source: NVD

Bottom Bar
Vulnerability: Bottom Bar — Cross-Site Request Forgery
Severity: Medium
Affected Versions: <=0.1.7
CVE Reference: not listed
Patch Status: No patch
Source: NVD

Anomify AI – Anomaly Detection and Alerting
Vulnerability: Anomify AI – Anomaly Detection and Alerting — Stored Cross-Site Scripting
Severity: Medium
Affected Versions: <=0.3.6
CVE Reference: not listed
Patch Status: No patch
Source: NVD

Bigfishgames Syndicate
Vulnerability: Bigfishgames Syndicate — Cross-Site Request Forgery
Severity: Medium
Affected Versions: <=1.2
CVE Reference: not listed
Patch Status: No patch
Source: NVD

Logo Manager For Enamad
Vulnerability: Logo Manager For Enamad — Stored Cross-Site Scripting
Severity: Medium
Affected Versions: <=0.7.4
CVE Reference: not listed
Patch Status: No patch
Source: NVD

VatanSMS WP SMS
Vulnerability: VatanSMS WP SMS — Reflected Cross-Site Scripting
Severity: Medium
Affected Versions: <=1.01
CVE Reference: not listed
Patch Status: No patch
Source: NVD

Read More & Accordion
Vulnerability: Read More & Accordion — Time-based blind SQL Injection
Severity: Medium
Affected Versions: <=3.5.7
CVE Reference: not listed
Patch Status: No patch
Source: NVD

Faces of Users
Vulnerability: Faces of Users — Stored Cross-Site Scripting
Severity: Medium
Affected Versions: <=0.0.3
CVE Reference: not listed
Patch Status: No patch
Source: NVD

Games Catalog
Vulnerability: Games Catalog — Cross-Site Request Forgery
Severity: Medium
Affected Versions: <=1.2.0
CVE Reference: not listed
Patch Status: No patch
Source: NVD

Amazon Scraper
Vulnerability: Amazon Scraper — Cross-Site Request Forgery
Severity: Medium
Affected Versions: <=1.1
CVE Reference: not listed
Patch Status: No patch
Source: NVD

BLOGCHAT Chat System
Vulnerability: BLOGCHAT Chat System — Cross-Site Request Forgery
Severity: Medium
Affected Versions: <=1.3.6.3
CVE Reference: not listed
Patch Status: No patch
Source: NVD

JaviBola Custom Theme Test
Vulnerability: JaviBola Custom Theme Test — Cross-Site Request Forgery
Severity: Medium
Affected Versions: <=2.0.5
CVE Reference: not listed
Patch Status: No patch
Source: NVD

Remove Yellow BGBOX
Vulnerability: Remove Yellow BGBOX — Cross-Site Request Forgery
Severity: Medium
Affected Versions: <=1.0
CVE Reference: not listed
Patch Status: No patch
Source: NVD

TypeSquare Webfonts for ConoHa
Vulnerability: TypeSquare Webfonts for ConoHa — Authorization bypass
Severity: Medium
Affected Versions: <=2.0.4
CVE Reference: not listed
Patch Status: No patch
Source: NVD

LJ comments import: reloaded
Vulnerability: LJ comments import: reloaded — Reflected Cross-Site Scripting
Severity: Medium
Affected Versions: <=0.97.1
CVE Reference: not listed
Patch Status: No patch
Source: NVD

SponsorMe
Vulnerability: SponsorMe — Reflected Cross-Site Scripting
Severity: Medium
Affected Versions: <=0.5.2
CVE Reference: not listed
Patch Status: No patch
Source: NVD

Correct Prices
Vulnerability: Correct Prices — Reflected Cross-Site Scripting
Severity: Medium
Affected Versions: <=1.0
CVE Reference: not listed
Patch Status: No patch
Source: NVD

Infility Global
Vulnerability: Infility Global — SQL Injection
Severity: Medium
Affected Versions: <=2.15.16
CVE Reference: not listed
Patch Status: No patch
Source: NVD

Xpro Addons — 140+ Widgets for Elementor
Vulnerability: Xpro Addons — 140+ Widgets for Elementor — Unauthorized modification of data
Severity: Medium
Affected Versions: <=1.5.0
CVE Reference: not listed
Patch Status: No patch
Source: NVD

All in One SEO
Vulnerability: All in One SEO — Sensitive Information Exposure
Severity: Medium
Affected Versions: <=4.9.7
CVE Reference: not listed
Patch Status: No patch
Source: NVD

AI Chatbot & Workflow Automation by AIWU
Vulnerability: AI Chatbot & Workflow Automation by AIWU — Stored Cross-Site Scripting
Severity: Medium
Affected Versions: <=1.4.14
CVE Reference: not listed
Patch Status: No patch
Source: NVD

Email Encoder
Vulnerability: Email Encoder — Escape email addresses retrieved via user input
Severity: Medium
Affected Versions: <=2.4.7
CVE Reference: not listed
Patch Status: No patch
Source: NVD

Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery
Vulnerability: Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery — Insecure Direct Object Reference
Severity: Medium
Affected Versions: <=4.2.0
CVE Reference: not listed
Patch Status: No patch
Source: NVD

Decent Comments
Vulnerability: Decent Comments — Restrict access to comment author email addresses and post author email addresses via its REST API e
Severity: Medium
Affected Versions: <=3.0.2
CVE Reference: not listed
Patch Status: No patch
Source: NVD

Anomify AI – Anomaly Detection and Alerting
Vulnerability: Anomify AI – Anomaly Detection and Alerting — Cross-Site Request Forgery (CSRF) leading to Stored Cross-Site Scripting (XSS)
Severity: Medium
Affected Versions: <=0.3.6
CVE Reference: not listed
Patch Status: No patch
Source: NVD

Slider Revolution
Vulnerability: Slider Revolution — Sensitive Information Exposure
Severity: Medium
Affected Versions: <=7.0.9
CVE Reference: not listed
Patch Status: No patch
Source: NVD

Broadstreet
Vulnerability: Broadstreet — Insecure Direct Object Reference
Severity: Medium
Affected Versions: <=1.52.2
CVE Reference: not listed
Patch Status: No patch
Source: NVD

WPB Floating Menu & Categories for WordPress – Sticky Side Menu with Icons
Vulnerability: WPB Floating Menu & Categories for WordPress – Sticky Side Menu with Icons — Stored Cross-Site Scripting
Severity: Medium
Affected Versions: <=1.0.8
CVE Reference: not listed
Patch Status: No patch
Source: NVD

Avada (Fusion) Builder
Vulnerability: Avada (Fusion) Builder — Stored Cross-Site Scripting
Severity: Medium
Affected Versions: <=3.15.2
CVE Reference: not listed
Patch Status: No patch
Source: NVD

GSheet For Woo Importer
Vulnerability: GSheet For Woo Importer — Unauthorized loss of data
Severity: Medium
Affected Versions: <=2.3.1
CVE Reference: not listed
Patch Status: No patch
Source: NVD

WP Blockade
Vulnerability: WP Blockade — Reflected Cross-Site Scripting
Severity: Medium
Affected Versions: <=0.9.14
CVE Reference: not listed
Patch Status: No patch
Source: NVD

Alfie – Feed Plugin
Vulnerability: Alfie – Feed Plugin — Cross-Site Request Forgery
Severity: Medium
Affected Versions: <=1.2.1
CVE Reference: not listed
Patch Status: No patch
Source: NVD

CBX 5 Star Rating & Review
Vulnerability: CBX 5 Star Rating & Review — Reflected Cross-Site Scripting
Severity: Medium
Affected Versions: <=1.0.7
CVE Reference: not listed
Patch Status: No patch
Source: NVD

Location Weather
Vulnerability: Location Weather — Unauthorized modification of data
Severity: Medium
Affected Versions: <=3.0.2
CVE Reference: not listed
Patch Status: No patch
Source: NVD

KIA Subtitle
Vulnerability: KIA Subtitle — Stored Cross-Site Scripting
Severity: Medium
Affected Versions: <=4.0.1
CVE Reference: not listed
Patch Status: No patch
Source: NVD

Draft List
Vulnerability: Draft List — Stored Cross-Site Scripting
Severity: Medium
Affected Versions: <=2.6.3
CVE Reference: not listed
Patch Status: No patch
Source: NVD

Widget Context
Vulnerability: Widget Context — Cross-Site Request Forgery
Severity: Medium
Affected Versions: <=1.3.3
CVE Reference: not listed
Patch Status: No patch
Source: NVD

Slider by Soliloquy – Responsive Image Slider for WordPress
Vulnerability: Slider by Soliloquy – Responsive Image Slider for WordPress — Sensitive Information Exposure
Severity: Medium
Affected Versions: <=2.8.1
CVE Reference: not listed
Patch Status: No patch
Source: NVD

FluentCRM – Email Newsletter, Automation, Email Marketing, Email Campaigns, Optins, Leads, and CRM Solution
Vulnerability: FluentCRM – Email Newsletter, Automation, Email Marketing, Email Campaigns, Optins, Leads, and CRM Solution — Blind Server-Side Request Forgery
Severity: Medium
Affected Versions: <=2.9.87
CVE Reference: not listed
Patch Status: No patch
Source: NVD

MotoPress Hotel Booking
Vulnerability: MotoPress Hotel Booking — Authorization bypass
Severity: Medium
Affected Versions: <=6.0.1
CVE Reference: not listed
Patch Status: No patch
Source: NVD

Vedrixa Forms – User Registration Form, Signup Form & Drag & Drop Form Builder
Vulnerability: Vedrixa Forms – User Registration Form, Signup Form & Drag & Drop Form Builder — Authorization bypass
Severity: Medium
Affected Versions: <=1.1.1
CVE Reference: not listed
Patch Status: No patch
Source: NVD

WordPress Theme Vulnerabilities (1)

FastX
Vulnerability: FastX — Unauthorized limited plugin installation and activation
Severity: Medium
Affected Versions: <=1.0.2
CVE Reference: not listed
Patch Status: No patch
Source: NVD

WordPress Core Vulnerabilities (0)

No vulnerabilities reported in this category this week.

Recommendations

1. Update immediately: Install the latest versions of all plugins, themes, and WordPress core.
2. Enable auto-updates: Turn on automatic updates for minor WordPress releases and plugins where possible.
3. Remove unused plugins: Deactivate and delete any plugins or themes you no longer use.
4. Run a security scan: Use our free WordPress security scanner to check your site for known vulnerabilities.
5. Monitor regularly: Set up uptime monitoring and periodic security scans to catch issues early.

Methodology

This report is compiled automatically from multiple trusted sources:

NIST National Vulnerability Database (NVD): CVE records with CVSS severity scores
Wordfence Intelligence: WordPress-specific vulnerability data with patch information
Our Scanning Database: Vulnerabilities detected through active WordPress security scans
