
WordPress Vulnerability Report: May 9 – May 16, 2026

104 WordPress vulnerabilities disclosed between May 9 – May 16, 2026. 6 critical, 23 high severity. 1 patched, 103 unpatched.

WPSentry | May 24, 2026 | 22 min read

During the reporting period (May 9 – May 16, 2026), 104 WordPress security vulnerabilities were disclosed across plugins, themes, and core. This report aggregates data from the NIST National Vulnerability Database, Wordfence Intelligence, and our own scanning database.

Summary

Total: 104
Critical: 6
High: 23
Medium: 75
Low: 0
Patched: 1

WordPress Plugin Vulnerabilities (103)

Career Section

critical
Vulnerability
Career Section <= 1.7 - Unauthenticated Arbitrary File Upload
Severity
critical Critical risk
Affected Versions
<=1.7
CVE Reference
Patch Status
1.8
Source
Wordfence
Plugin Page

Burst Statistics – Privacy-Friendly WordPress Analytics (Google Analytics Alternative)

critical
Vulnerability
Burst Statistics – Privacy-Friendly WordPress Analytics (Google Analytics Alternative) — Authentication Bypass
Severity
critical Critical risk
Affected Versions
all
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Career Section

critical
Vulnerability
Career Section — Arbitrary File Upload
Severity
critical Critical risk
Affected Versions
<=1.7
CVE Reference
Patch Status
No patch
Source
NVD

InfusedWoo Pro

critical
Vulnerability
InfusedWoo Pro — Privilege escalation
Severity
critical Critical risk
Affected Versions
<=5.1.2
CVE Reference
Patch Status
No patch
Source
NVD

InfusedWoo Pro

critical
Vulnerability
InfusedWoo Pro — Authorization bypass
Severity
critical Critical risk
Affected Versions
<=5.1.2
CVE Reference
Patch Status
No patch
Source
NVD

Form Notify

critical
Vulnerability
Form Notify — Authentication Bypass
Severity
critical Critical risk
Affected Versions
<=1.1.10
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Custom css-js-php

high
Vulnerability
Custom css-js-php — Properly sanitize user input before using it in a SQL query
Severity
high High risk
Affected Versions
<=2.0.7
CVE Reference
Patch Status
No patch
Source
NVD

AI Chatbot & Workflow Automation by AIWU

high
Vulnerability
AI Chatbot & Workflow Automation by AIWU — SQL Injection
Severity
high High risk
Affected Versions
<=1.4.17
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

LifePress

high
Vulnerability
LifePress — Stored Cross-Site Scripting
Severity
high High risk
Affected Versions
<=2.2.2
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Court Reservation – Manage Your Court Bookings Online

high
Vulnerability
Court Reservation – Manage Your Court Bookings Online — Generic SQL Injection
Severity
high High risk
Affected Versions
<=1.10.11
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

MonsterInsights – Google Analytics Dashboard for WordPress (Website Stats Made Easy)

high
Vulnerability
MonsterInsights – Google Analytics Dashboard for WordPress (Website Stats Made Easy) — Unauthorized access and modification of data
Severity
high High risk
Affected Versions
<=10.1.2
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

coreActivity: Activity Logging for WordPress

high
Vulnerability
coreActivity: Activity Logging for WordPress — PHP Object Injection
Severity
high High risk
Affected Versions
<=3.0
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

JoomSport – for Sports: Team & League, Football, Hockey & more

high
Vulnerability
JoomSport – for Sports: Team & League, Football, Hockey & more — Time-based blind SQL Injection
Severity
high High risk
Affected Versions
<=5.7.7
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Avada Builder

high
Vulnerability
Avada Builder — Time-based SQL Injection
Severity
high High risk
Affected Versions
<=3.15.1
CVE Reference
Patch Status
No patch
Source
NVD

RTMKit Addons for Elementor

high
Vulnerability
RTMKit Addons for Elementor — Local File Inclusion
Severity
high High risk
Affected Versions
<=2.0.2
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Custom Twitter Feeds

high
Vulnerability
Custom Twitter Feeds — Stored Cross-Site Scripting
Severity
high High risk
Affected Versions
<=2.5.4
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

ProfileGrid – User Profiles, Groups and Communities

high
Vulnerability
ProfileGrid – User Profiles, Groups and Communities — Unauthorized access
Severity
high High risk
Affected Versions
<=5.9.8.4
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Fluent Forms

high
Vulnerability
Fluent Forms — Authorization Bypass
Severity
high High risk
Affected Versions
<=6.1.21
CVE Reference
Patch Status
No patch
Source
NVD

ManageWP Worker

high
Vulnerability
ManageWP Worker — Stored Cross-Site Scripting
Severity
high High risk
Affected Versions
<=4.9.31
CVE Reference
Patch Status
No patch
Source
NVD

Motors – Car Dealership & Classified Listings Plugin

high
Vulnerability
Motors – Car Dealership & Classified Listings Plugin — Arbitrary file deletion
Severity
high High risk
Affected Versions
<=1.4.107
CVE Reference
Patch Status
No patch
Source
NVD

Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder

high
Vulnerability
Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder — Insecure Direct Object Reference
Severity
high High risk
Affected Versions
<=6.2.0
CVE Reference
Patch Status
No patch
Source
NVD

InfusedWoo Pro

high
Vulnerability
InfusedWoo Pro — Privilege escalation
Severity
high High risk
Affected Versions
<=5.1.2
CVE Reference
Patch Status
No patch
Source
NVD

InfusedWoo Pro

high
Vulnerability
InfusedWoo Pro — Arbitrary File Read
Severity
high High risk
Affected Versions
<=5.1.2
CVE Reference
Patch Status
No patch
Source
NVD

Database Backup for WordPress

high
Vulnerability
Database Backup for WordPress — Unauthorized database export
Severity
high High risk
Affected Versions
<=2.5.2
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Database Backup for WordPress

high
Vulnerability
Database Backup for WordPress — Unauthorized arbitrary file read and deletion
Severity
high High risk
Affected Versions
<=2.5.2
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Database Backup for WordPress

high
Vulnerability
Database Backup for WordPress — Authorization bypass
Severity
high High risk
Affected Versions
<=2.5.2
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

FOX – Currency Switcher Professional for WooCommerce

high
Vulnerability
FOX – Currency Switcher Professional for WooCommerce — Unauthorized data loss
Severity
high High risk
Affected Versions
<=1.4.5
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Frontend Admin by DynamiApps

high
Vulnerability
Frontend Admin by DynamiApps — Privilege Escalation
Severity
high High risk
Affected Versions
<=3.28.36
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Quick Playground

high
Vulnerability
Quick Playground — Path Traversal
Severity
high High risk
Affected Versions
<=1.3.3
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

LatePoint

medium
Vulnerability
LatePoint — Account Takeover
Severity
medium Medium risk
Affected Versions
<=5.5.0
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Activity Logs, User Activity Tracking, Multisite Activity Log from Logtivity

medium
Vulnerability
Activity Logs, User Activity Tracking, Multisite Activity Log from Logtivity — Authentication Bypass to Information Disclosure
Severity
medium Medium risk
Affected Versions
<=3.3.6
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

BJ Lazy Load

medium
Vulnerability
BJ Lazy Load — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=1.0.9
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

WP SEO Structured Data Schema

medium
Vulnerability
WP SEO Structured Data Schema — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=2.8.1
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Rate Star Review Vote - AJAX Reviews, Votes, Star Ratings

medium
Vulnerability
Rate Star Review Vote - AJAX Reviews, Votes, Star Ratings — Missing Authorization
Severity
medium Medium risk
Affected Versions
<=1.6.4
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

SP Blog Designer

medium
Vulnerability
SP Blog Designer — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=1.0.0
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Next Date

medium
Vulnerability
Next Date — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=1.0
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Eight Day Week Print Workflow

medium
Vulnerability
Eight Day Week Print Workflow — Time-based blind SQL Injection
Severity
medium Medium risk
Affected Versions
<=1.2.6
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Fancy Image Show

medium
Vulnerability
Fancy Image Show — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=9.1
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Smart Appointment & Booking

medium
Vulnerability
Smart Appointment & Booking — Unauthorized modification of data
Severity
medium Medium risk
Affected Versions
<=1.0.8
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Voyage Plus

medium
Vulnerability
Voyage Plus — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=1.0.6
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Quick Table

medium
Vulnerability
Quick Table — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=1.0.0
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

scratchblocks for WP

medium
Vulnerability
scratchblocks for WP — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=1.0.1
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Credits Shortcode

medium
Vulnerability
Credits Shortcode — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=1.2
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

GWD Connect

medium
Vulnerability
GWD Connect — Missing authorization to limited code execution
Severity
medium Medium risk
Affected Versions
<=2.9
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

HEL Online Classroom: AI-powered Online Classrooms

medium
Vulnerability
HEL Online Classroom: AI-powered Online Classrooms — Missing Authorization
Severity
medium Medium risk
Affected Versions
<=1.0.3
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Coinbase Commerce for Contact Form 7

medium
Vulnerability
Coinbase Commerce for Contact Form 7 — Missing Authorization
Severity
medium Medium risk
Affected Versions
<=1.1.2
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Skysa Text Ticker App

medium
Vulnerability
Skysa Text Ticker App — Cross-Site Request Forgery
Severity
medium Medium risk
Affected Versions
<=1.4
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Pricing Tables for WP

medium
Vulnerability
Pricing Tables for WP — Reflected Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=1.1.0
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Shortcodely

medium
Vulnerability
Shortcodely — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=1.0.1
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Woo Commerce Minimum Weight

medium
Vulnerability
Woo Commerce Minimum Weight — Cross-Site Request Forgery
Severity
medium Medium risk
Affected Versions
<=3.0.1
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Forms Rb

medium
Vulnerability
Forms Rb — Authorization bypass
Severity
medium Medium risk
Affected Versions
<=1.1.9
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

AzonPost

medium
Vulnerability
AzonPost — Reflected Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=1.3
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

WP Google Maps Integration

medium
Vulnerability
WP Google Maps Integration — Reflected Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=1.2
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Tm – WordPress Redirection

medium
Vulnerability
Tm – WordPress Redirection — Cross-Site Request Forgery
Severity
medium Medium risk
Affected Versions
<=1.2
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

WP-Redirection

medium
Vulnerability
WP-Redirection — Cross-Site Request Forgery
Severity
medium Medium risk
Affected Versions
<=1.0.3
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Zawgyi Embed

medium
Vulnerability
Zawgyi Embed — Cross-Site Request Forgery
Severity
medium Medium risk
Affected Versions
<=2.1.1
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Slek Gateway for WooCommerce

medium
Vulnerability
Slek Gateway for WooCommerce — Information Exposure
Severity
medium Medium risk
Affected Versions
all
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Advanced Social Media Icons

medium
Vulnerability
Advanced Social Media Icons — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=1.2
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Bootstrap Shortcode

medium
Vulnerability
Bootstrap Shortcode — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=1.0
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Motors – Car Dealership & Classified Listings

medium
Vulnerability
Motors – Car Dealership & Classified Listings — Payment Bypass
Severity
medium Medium risk
Affected Versions
<=1.4.103
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

FastBots

medium
Vulnerability
FastBots — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=1.0.12
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Continually

medium
Vulnerability
Continually — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=4.3.1
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

The Advanced Custom Fields: Extended

medium
Vulnerability
The Advanced Custom Fields: Extended — Arbitrary shortcode execution
Severity
medium Medium risk
Affected Versions
<=0.9.2.3
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Cost Calculator Builder

medium
Vulnerability
Cost Calculator Builder — Unauthenticated Price Manipulation and Insecure Direct Object Reference (IDOR)
Severity
medium Medium risk
Affected Versions
<=4.0.1
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Broadstreet

medium
Vulnerability
Broadstreet — Sensitive Information Exposure
Severity
medium Medium risk
Affected Versions
<=1.53.1
CVE Reference
Patch Status
No patch
Source
NVD

Broadstreet

medium
Vulnerability
Broadstreet — Unauthorized access
Severity
medium Medium risk
Affected Versions
<=1.53.1
CVE Reference
Patch Status
No patch
Source
NVD

Broadstreet

medium
Vulnerability
Broadstreet — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=1.53.1
CVE Reference
Patch Status
No patch
Source
NVD

Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder

medium
Vulnerability
Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=6.2.1
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Cost of Goods: Product Cost & Profit Calculator for WooCommerce

medium
Vulnerability
Cost of Goods: Product Cost & Profit Calculator for WooCommerce — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=4.1.0
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Blog2Social: Social Media Auto Post & Scheduler

medium
Vulnerability
Blog2Social: Social Media Auto Post & Scheduler — Missing Authorization
Severity
medium Medium risk
Affected Versions
<=8.9.0
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Charitable – Donation

medium
Vulnerability
Charitable – Donation — Generic SQL Injection
Severity
medium Medium risk
Affected Versions
<=1.8.10.4
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

ilGhera Support System for WooCommerce

medium
Vulnerability
ilGhera Support System for WooCommerce — Unauthorized access of data
Severity
medium Medium risk
Affected Versions
<=1.3.0
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Tutor LMS – eLearning and online course solution

medium
Vulnerability
Tutor LMS – eLearning and online course solution — Insecure Direct Object Reference
Severity
medium Medium risk
Affected Versions
<=3.9.9
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

WPC Badge Management for WooCommerce

medium
Vulnerability
WPC Badge Management for WooCommerce — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=3.1.6
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Snow Monkey Blocks

medium
Vulnerability
Snow Monkey Blocks — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=24.1.11
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Hostinger Reach – AI-Powered Email Marketing for WordPress

medium
Vulnerability
Hostinger Reach – AI-Powered Email Marketing for WordPress — Unauthorized modification of data
Severity
medium Medium risk
Affected Versions
<=1.3.8
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Avada Builder

medium
Vulnerability
Avada Builder — Arbitrary File Read
Severity
medium Medium risk
Affected Versions
<=3.15.2
CVE Reference
Patch Status
No patch
Source
NVD

RTMKit Addons for Elementor

medium
Vulnerability
RTMKit Addons for Elementor — Unauthorized modification of data
Severity
medium Medium risk
Affected Versions
<=2.0.2
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

ProfileGrid – User Profiles, Groups and Communities

medium
Vulnerability
ProfileGrid – User Profiles, Groups and Communities — Authorization bypass
Severity
medium Medium risk
Affected Versions
<=5.9.8.4
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

ProfileGrid – User Profiles, Groups and Communities

medium
Vulnerability
ProfileGrid – User Profiles, Groups and Communities — Blind SQL Injection
Severity
medium Medium risk
Affected Versions
<=5.9.8.4
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Unlimited Elements for Elementor

medium
Vulnerability
Unlimited Elements for Elementor — SQL Injection
Severity
medium Medium risk
Affected Versions
<=2.0.7
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Envira Gallery Lite

medium
Vulnerability
Envira Gallery Lite — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=1.12.4
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

My Calendar – Accessible Event Manager

medium
Vulnerability
My Calendar – Accessible Event Manager — Authorization bypass
Severity
medium Medium risk
Affected Versions
<=3.7.9
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

LearnPress – WordPress LMS Plugin for Create and Sell Online Courses

medium
Vulnerability
LearnPress – WordPress LMS Plugin for Create and Sell Online Courses — Payment bypass
Severity
medium Medium risk
Affected Versions
<=4.3.5
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

MapGeo – Interactive Geo Maps

medium
Vulnerability
MapGeo – Interactive Geo Maps — Reflected Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=1.6.27
CVE Reference
Patch Status
No patch
Source
NVD

WP Encryption – One Click Free SSL Certificate & SSL / HTTPS Redirect, Security & SSL Scan

medium
Vulnerability
WP Encryption – One Click Free SSL Certificate & SSL / HTTPS Redirect, Security & SSL Scan — Unauthorized modification of data
Severity
medium Medium risk
Affected Versions
<=7.8.5.10
CVE Reference
Patch Status
No patch
Source
NVD

The Plus Addons for Elementor – Addons for Elementor, Page Templates, Widgets, Mega Menu, WooCommerce

medium
Vulnerability
The Plus Addons for Elementor – Addons for Elementor, Page Templates, Widgets, Mega Menu, WooCommerce — Stored cross-site scripting
Severity
medium Medium risk
Affected Versions
<=6.4.11
CVE Reference
Patch Status
No patch
Source
NVD

GLS Shipping for WooCommerce

medium
Vulnerability
GLS Shipping for WooCommerce — Reflected Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=1.4.0
CVE Reference
Patch Status
No patch
Source
NVD

Bold Page Builder

medium
Vulnerability
Bold Page Builder — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=5.6.8
CVE Reference
Patch Status
No patch
Source
NVD

Essential Addons for Elementor – Popular Elementor Templates & Widgets

medium
Vulnerability
Essential Addons for Elementor – Popular Elementor Templates & Widgets — Privilege escalation
Severity
medium Medium risk
Affected Versions
<=6.5.13
CVE Reference
Patch Status
No patch
Source
NVD

LatePoint

medium
Vulnerability
LatePoint — Cross-Site Request Forgery
Severity
medium Medium risk
Affected Versions
<=5.3.2
CVE Reference
Patch Status
No patch
Source
NVD

Taskbuilder – Project Management & Task Management Tool With Kanban Board

medium
Vulnerability
Taskbuilder – Project Management & Task Management Tool With Kanban Board — Time-based blind SQL Injection
Severity
medium Medium risk
Affected Versions
<=5.0.6
CVE Reference
Patch Status
No patch
Source
NVD

Meta Field Block

medium
Vulnerability
Meta Field Block — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=1.5.2
CVE Reference
Patch Status
No patch
Source
NVD

Media Sync

medium
Vulnerability
Media Sync — Path Traversal
Severity
medium Medium risk
Affected Versions
<=1.4.9
CVE Reference
Patch Status
No patch
Source
NVD

User Registration & Membership

medium
Vulnerability
User Registration & Membership — Missing Authorization
Severity
medium Medium risk
Affected Versions
<=5.1.5
CVE Reference
Patch Status
No patch
Source
NVD

CC Child Pages

medium
Vulnerability
CC Child Pages — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=2.1.1
CVE Reference
Patch Status
No patch
Source
NVD

MW WP Form

medium
Vulnerability
MW WP Form — Information Exposure
Severity
medium Medium risk
Affected Versions
<=5.1.2
CVE Reference
Patch Status
No patch
Source
NVD

Royal Elementor Addons and Templates

medium
Vulnerability
Royal Elementor Addons and Templates — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=1.7.1058
CVE Reference
Patch Status
No patch
Source
NVD

Smartcat Translator for WPML

medium
Vulnerability
Smartcat Translator for WPML — Unauthorized modification of data
Severity
medium Medium risk
Affected Versions
<=3.1.77
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Advanced Custom Fields: Font Awesome

medium
Vulnerability
Advanced Custom Fields: Font Awesome — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=5.0.2
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

NEX-Forms – Ultimate Forms

medium
Vulnerability
NEX-Forms – Ultimate Forms — Time-based blind SQL Injection
Severity
medium Medium risk
Affected Versions
<=9.1.12
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Classified Listing – AI-Powered Classified ads & Business Directory Plugin

medium
Vulnerability
Classified Listing – AI-Powered Classified ads & Business Directory Plugin — Unauthorized access
Severity
medium Medium risk
Affected Versions
<=5.3.10
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Notify Odoo

medium
Vulnerability
Notify Odoo — Cross-Site Request Forgery
Severity
medium Medium risk
Affected Versions
<=1.0.1
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

WordPress Theme Vulnerabilities (1)

The7

medium
Vulnerability
The7 — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=14.3.2
CVE Reference
Patch Status
No patch
Source
NVD

WordPress Core Vulnerabilities (0)

No vulnerabilities reported in this category this week.

Recommendations

1. Update immediately: Install the latest versions of all plugins, themes, and WordPress core.
2. Enable auto-updates: Turn on automatic updates for minor WordPress releases and plugins where possible.
3. Remove unused plugins: Deactivate and delete any plugins or themes you no longer use.
4. Run a security scan: Use our free WordPress security scanner to check your site for known vulnerabilities.
5. Monitor regularly: Set up uptime monitoring and periodic security scans to catch issues early.

Methodology

This report is compiled automatically from multiple trusted sources:

NIST National Vulnerability Database (NVD): CVE records with CVSS severity scores
Wordfence Intelligence: WordPress-specific vulnerability data with patch information
Our Scanning Database: Vulnerabilities detected through active WordPress security scans
