Triple Threat Bug Bounty Challenge
Hunt High Threat vulnerabilities and earn triple the incentives!
Now through April 6, 2026, earn three stacked bonuses on all valid submissions from our ‘High Threat Vulnerabilities’ list:
2x all high threat vulnerability bounties (excluding 5,000,000+ installs)
+30% bonus for high threat vulnerabilities in software with 30,000+ active installs (excluding 5,000,000+ installs)
$300 extra for every 3 High Threat vulnerabilities submitted (minimum of 1,000 installs)
Use the Bounty Estimator to see what rewards are possible through the promotion.
Submit through our Bug Bounty Program today to maximize your impact and your payout.
Last week, there were 201 vulnerabilities disclosed in 84 WordPress Plugins and 107 WordPress Themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 60 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.
Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to implement layered security, aligning with our overarching mission to secure WordPress with defense in depth strategies. That is why the Wordfence Intelligence user interface, vulnerability API, webhook integration, and Wordfence CLI Vulnerability Scanner are all completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report. As the worldās leading quality vulnerability database provider for WordPress, site owners can rest assured knowing Wordfence has their back.
Enterprises, Hosting Providers, and even Individuals can use the Wordfence CLI Vulnerability Scanner to run regular vulnerability scans across the sites they protect. Or alternatively, utilize the vulnerability Database API to receive a complete dump of our database of over 33,000 vulnerabilities and then utilize the webhook integration to stay on top of the newest vulnerabilities added in real-time, as well as any updates made to the database, all for free.
Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.
New Firewall Rules Deployed Last Week
The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.
The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to ourĀ Premium,Ā Care, andĀ Response customers last week:
-
-
- WAF-RULE-902 ā Data redacted while we work with the vendor on a patch.
- WAF-RULE-903 ā Data redacted while we work with the vendor on a patch.
-
WordfenceĀ Premium,Ā Care, andĀ ResponseĀ customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30 day delay.
Total Unpatched & Patched Vulnerabilities Last Week
| Patch Status | Number of Vulnerabilities |
|---|---|
| Patched | 72 |
| Unpatched | 129 |
Total Vulnerabilities by CVSS Severity Last Week
| Severity Rating | Number of Vulnerabilities |
|---|---|
| Medium Severity | 70 |
| High Severity | 124 |
| Critical Severity | 7 |
Total Vulnerabilities by CWE Type Last Week
| Vulnerability Type by CWE | Number of Vulnerabilities |
|---|---|
| Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) | 81 |
| Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) | 38 |
| Deserialization of Untrusted Data | 21 |
| Missing Authorization | 16 |
| Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) | 10 |
| Exposure of Sensitive Information to an Unauthorized Actor | 6 |
| Unrestricted Upload of File with Dangerous Type | 6 |
| Cross-Site Request Forgery (CSRF) | 5 |
| Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) | 5 |
| Improper Control of Generation of Code (‘Code Injection’) | 4 |
| Improper Privilege Management | 4 |
| Server-Side Request Forgery (SSRF) | 2 |
| Authentication Bypass Using an Alternate Path or Channel | 1 |
| Authorization Bypass Through User-Controlled Key | 1 |
| Incorrect Privilege Assignment | 1 |
Researchers That Contributed to WordPress Security Last Week
| Researcher Name | Number of Vulnerabilities |
|---|---|
| 79 | |
| 25 | |
| 7 | |
| 6 | |
| 6 | |
| 5 | |
| 4 | |
| 3 | |
| 3 | |
| 3 | |
| 3 | |
| 3 | |
| 3 | |
| 2 | |
| 2 | |
| 2 | |
| 2 | |
| 2 | |
| 2 | |
| 2 | |
| 2 | |
| 2 | |
| 2 | |
| 2 | |
| 2 | |
| 2 | |
| 2 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 |
Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and earn a bounty on in-scope vulnerabilities through our Bug Bounty Program. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.
WordPress Plugins with Reported Vulnerabilities Last Week
| Software Name | Software Slug |
|---|---|
| AI ChatBot with ChatGPT and Content Generator by AYS | ays-chatgpt-assistant |
| All-in-One Microsoft 365 & Entra ID / Azure AD SSO Login | login-with-azure |
| All-in-One Video Gallery | all-in-one-video-gallery |
| Apocalypse Meow | apocalypse-meow |
| Booking for Appointments and Events Calendar ā Amelia | ameliabooking |
| Bus Ticket Booking with Seat Reservation | bus-ticket-booking-with-seat-reservation |
| Carta Online | carta-online |
| CM Custom Reports ā Flexible reporting to track what matters most | cm-custom-reports |
| Community Events | community-events |
| Consensus Embed | consensus-embed |
| Contest Gallery ā Upload & Vote Photos, Media, Sell with PayPal & Stripe | contest-gallery |
| DA Media GigList | damedia-giglist |
| Database for Contact Form 7, WPforms, Elementor forms | contact-form-entries |
| Drag and Drop Multiple File Upload for Contact Form 7 | drag-and-drop-multiple-file-upload-contact-form-7 |
| Easy PHP Settings | easy-php-settings |
| Easy Post Submission ā Frontend Posting, Guest Publishing & Submit Content for WordPress | easy-post-submission |
| Email Subscribers & Newsletters ā Email Marketing, Post Notifications & Newsletter Plugin for WordPress | email-subscribers |
| Enable Media Replace | enable-media-replace |
| Envira Gallery ā Image Photo Gallery, Albums, Video Gallery, Slideshows & More | envira-gallery-lite |
| EventON (Pro) – WordPress Virtual Event Calendar Plugin | eventON |
| Fast Page & Post Duplicator | page-or-post-clone |
| Fluent Forms Pro Add On Pack | fluentformpro |
| Font Pairing Preview For Landing Pages | wp-font-pairing-preview |
| FormGent ā Next-Gen AI Form Builder for WordPress with Multi-Step, Quizzes, Payments & More | formgent |
| Greenshift ā animation and page builder blocks | greenshift-animation-and-page-builder-blocks |
| Gutena Forms ā Contact Form, Survey Form, Feedback Form, Booking Form, and Custom Form Builder | gutena-forms |
| Hammas Calendar | hammas-calendar |
| HUMN-1 AI Website Scanner & Human Certification by Winston AI | winston-ai-wp |
| Infomaniak Connect for OpenID | infomaniak-connect-openid |
| ionCube Tester Plus | ioncube-tester-plus |
| JS Archive List | jquery-archive-list-widget |
| JS Help Desk ā AI-Powered Support & Ticketing System | js-support-ticket |
| LatePoint ā Calendar Booking Plugin for Appointments and Events | latepoint |
| Lisfinity Core – Lisfinity Core plugin used for pebasĀ® Lisfinity WordPress theme | lisfinity-core |
| LMS Elementor Pro | lms-elementor-pro |
| LotekMedia Popup Form | ltm-popup-form |
| Mail Mint ā Newsletters, Email Marketing, Automation, WooCommerce Emails, Post Notification, and more | mail-mint |
| MailArchiver | mailarchiver |
| Master Addons for Elementor Premium | master-addons-pro |
| MDJM Event Management | mobile-dj-manager |
| Media Library Alt Text Editor | media-library-alt-text-editor |
| Media Library Assistant | media-library-assistant |
| Membership Plugin ā Restrict Content | restrict-content |
| Meta Box | meta-box |
| Morkva UA Shipping | morkva-ua-shipping |
| My Album Gallery | my-album-gallery |
| My auctions allegro | my-auctions-allegro-free-edition |
| My Calendar ā Accessible Event Manager | my-calendar |
| MyQtip ā easy qTip2 | myqtip-easy-qtip2 |
| OoohBoi Steroids for Elementor | ooohboi-steroids-for-elementor |
| Page Builder by SiteOrigin | siteorigin-panels |
| Paid Videochat Turnkey Site ā HTML5 PPV Live Webcams | ppv-live-webcams |
| Pixfort Core | pixfort-core |
| Podlove Web Player | podlove-web-player |
| Post Grid Gutenberg Blocks for News, Magazines, Blog Websites ā PostX | ultimate-post |
| ProfileGrid ā User Profiles, Groups and Communities | profilegrid-user-profiles-groups-and-communities |
| Purchase Button For Affiliate Link | purchase-button |
| RSS Aggregator ā RSS Import, News Feeds, Feed to Post, and Autoblogging | wp-rss-aggregator |
| Secudeal Payments for Ecommerce | secudeal-payments-for-ecommerce |
| Seraphinite Accelerator | seraphinite-accelerator |
| Show YouTube video | show-youtube-video |
| Stock Ticker | stock-ticker |
| Subscription for WooCommerce ā WordPress Recurring Payments Plugin | subscription |
| Super Stage WP | super-stage-wp |
| Taskbuilder ā Project Management & Task Management Tool With Kanban Board | taskbuilder |
| True Ranker | seo-local-rank |
| Ultimate Addons for WPBakery | Ultimate_VC_Addons |
| Uncanny Automator ā Easy Automation, Integration, Webhooks & Workflow Builder Plugin | uncanny-automator |
| User Registration & Membership ā Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder | user-registration |
| WebToffee WooCommerce Product Feeds ā Google Shopping, Pinterest, TikTok Ads, & More | webtoffee-product-feed |
| Widget Options ā Advanced Conditional Visibility for Gutenberg Blocks & Classic Widgets | widget-options |
| WowOptin: Next-Gen Popup Maker ā Create Stunning Popups and Optins for Lead Generation | optin |
| WP All Import ā Drag & Drop Import for CSV, XML, Excel & Google Sheets | wp-all-import |
| WP App Bar | wp-app-bar |
| WP Booking System ā Booking Calendar | wp-booking-system |
| WP CTA ā Sticky CTA Builder, Generate Leads, Promote Sales | easy-sticky-sidebar |
| Wp EMember | wp-eMember |
| WP Frontend Profile | wp-front-end-profile |
| WP Zendesk for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms | cf7-zendesk |
| WP-Members Membership Plugin | wp-members |
| WPBookit | wpbookit |
| wpDataTables ā WordPress Data Table, Dynamic Tables & Table Charts Plugin | wpdatatables |
| Wueen | wueen |
| ZIP Code Based Content Protection | zip-code-based-content-protection |
WordPress Themes with Reported Vulnerabilities Last Week
| Software Name | Software Slug |
|---|---|
| AC Services | HVAC, Air Conditioning & Heating Company WordPress Theme | window-ac-services |
| Agrofood – Elementor WooCommerce WordPress Theme | agrofood |
| Aldo | aldo |
| Amoli – Fashion Photography WordPress Theme | amoli |
| Askka – Candle Shop WordPress Theme | askka |
| Au Pair Agency – Babysitting & Nanny Theme | au-pair-agency |
| Avventure | avventure |
| Berger – WordPress Creative Agency Portfolio Theme | berger |
| Blocksy | blocksy |
| Bonbon | bonbon |
| BuddyApp – Mobile First Community WordPress theme | buddyapp |
| CarZone – A Complete Car Dealer HTML Wire-Frame | carzone |
| CasaMia | Property Rental Real Estate WordPress Theme | casamia |
| Charety – Charity & Donation WordPress Theme | charety |
| Chroma | chroma |
| Classter | Multi-Purpose HTML Theme | classter |
| Coinpress | coinpress |
| ConFix – Expo & Events WordPress Theme | confix |
| Cookiteer | cookiteer |
| Craftis – Handcraft & Artisan Elementor Template Kit | craftis |
| DeepDigital ā Web Design Agency WordPress Theme | deepdigital |
| Dental Clinic | dental |
| Dentalux | Dentist & Healthcare Site Template | dentalux |
| Don Peppe – Pizza and Fast Food WordPress Theme | donpeppe |
| DroneX | dronex |
| Edifice | edifice |
| EmojiNation | emojination |
| Equadio | equadio |
| Equestrian Centre – Horse-riding School Theme | equestrian-centre |
| Estate | estate |
| Etchy – Print Shop WordPress Theme | etchy |
| Felizia | Fertility Center & Medical WordPress Theme | felizia |
| FindAll – Business Directory WordPress Theme | findall |
| Foodie | foodie |
| Gaspard – Restaurant and Coffee Shop WordPress Theme | gaspard |
| Gioia – Modern Fashion Shop WordPress Theme | gioia |
| Global Logistics | globallogistics |
| Good Homes – Real Estate WordPress Theme | good-homes |
| Grand Wedding WordPress | grandwedding |
| Green Thumb | Gardening & Landscaping Services WP | greenthumb |
| Greenville | Private School & University Education WordPress Theme | greenville |
| Gridiron | American Football & NFL Team WordPress | gridiron |
| Grit – Life Coach & Business Coaching WordPress Theme | grit |
| Handyman – Home Services Booking App, Website & Admin Panel | handyman-services |
| Healer WordPress Themes, Plugins & Template Kits. | healer |
| Helion | Personal Portfolio & Agency WordPress Theme | helion |
| Hoverex | Cryptocurrency & ICO Elementor Template Kit | hoverex |
| Humanum | humanum |
| Hypnotherapy – Psychologist Theme | hypnotherapy |
| Invetex | invetex |
| Jardi | Winery, Vineyard & Wine Shop WordPress Theme | jardi |
| Justitia | Lawyer & Legal Adviser WordPress Theme | justitia |
| Kayon | kayon |
| Keenarch – Building & Construction WordPress Theme | keenarch |
| Kratz | kratz |
| Laurent – Elegant Restaurant WordPress Theme | laurent |
| Law Office | law-office |
| Lella – Hairdresser and Beauty Salon WordPress Theme | lella |
| Lendiz – Loan & Funding Agency WordPress Theme | lendiz |
| Lingvico | Language Center & Training Courses WordPress Theme | lingvico |
| Listify | listify |
| luxury-wine | luxury-wine |
| m2 | Construction and Tools Store WordPress Theme | m2-ce |
| Manoir | manoir |
| Maxify | maxify |
| Meals & Wheels | meals-wheels |
| MoneyFlow | moneyflow |
| Morning Records – Music Sound Studio WordPress Theme | morning-records |
| Motorix | motorix |
| Mounthood | Ski and Snowboarding HTML Template | mounthood |
| Mr. Cobbler | Custom Shoemaking & Footwear Repairs WordPress Theme | mr-cobbler |
| N7 | n7-golf-club |
| nelson | nelson |
| NeoBeat – Music WordPress Theme | neobeat |
| Nutrie – Health Coach and Nutrition WordPress Theme | nutrie |
| Nuts | nuts |
| OsTende | ostende |
| Pets Club – Pet Care WordPress Theme + Shop | petclub |
| Printy | printy |
| progress | progress |
| ProLingua | Translation Bureau & Interpreting Services WordPress Theme | prolingua |
| Prowess – Fitness and Gym WordPress Theme | prowess |
| Quanzo – Creative Portfolio Template Kit | quanzo |
| Remons – Car Rental Elementor Template Kit | remons |
| Restaurant WordPress Theme | Ratatouille | ratatouille |
| Roisin – Flower Shop and Florist WordPress Theme | roisin |
| Scientia | Public Library & Book Store Education WordPress Theme | scientia |
| ShiftCV – Blog Resume Portfolio WordPress Theme | shift-cv |
| Solaris | solaris |
| Stargaze | stargaze |
| Tediss | Play Area & Child Care Center WordPress Theme | tediss |
| The Qlean | the-qlean |
| Thebe – Portfolio WordPress Theme | thebe |
| TheBi – Photography WordPress Theme | thebi |
| Thecs – Portfolio WordPress Theme | thecs |
| Tour Booking WordPress Theme – Tripgo | tripgo |
| Translogic | Logistics & Shipment Transportation | translogic |
| Triompher | Golf Course & Sports Club WordPress Theme | triompher |
| Tuning | tuning |
| Unica – Event Planning & Wedding WordPress Theme | unica |
| VegaDays – Vegetarian Food Festival & Eco Event WordPress Theme | vegadays |
| Victo – Ultimate Responsive Magento 2 Theme | victo |
| Vixus – Business Startup Elementor Template Kit | vixus |
| Wanderland – Travel Blog | wanderland |
| Wizor’s | Investments, Economics & Bankin WordPress Theme | wizors-investments |
| Yottis | yottis |
| Yungen | yungen |
Vulnerability Details
Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you shouldāve already been notified if your site was affected by any of these vulnerabilities. If youād like to receive real-time notifications whenever a vulnerability is added to the Wordfence Intelligence Vulnerability Database, check out our Slack and HTTP Webhook Integration, which is completely free to utilize.
Affected Software
All-in-One Microsoft 365 & Entra ID / Azure AD SSO Login [login-with-azure]
Researcher
Affected Software
Au Pair Agency – Babysitting & Nanny Theme [au-pair-agency]
Researcher
Affected Software
Database for Contact Form 7, WPforms, Elementor forms [contact-form-entries]
Researcher
Affected Software
LMS Elementor Pro [lms-elementor-pro]
Researcher
Affected Software
Researcher
Affected Software
Researcher
Affected Software
ionCube Tester Plus [ioncube-tester-plus]
Researcher
Affected Software
Booking for Appointments and Events Calendar ā Amelia [ameliabooking]
Researcher
Affected Software
Researcher
Affected Software
Researcher
Affected Software
Researcher
Affected Software
Master Addons for Elementor Premium [master-addons-pro]
Researcher
Affected Software
Researcher
Affected Software
Page Builder by SiteOrigin [siteorigin-panels]
Researcher
Affected Software
Paid Videochat Turnkey Site ā HTML5 PPV Live Webcams [ppv-live-webcams]
Researcher
Affected Software
Researcher
Affected Software
Researchers
Affected Software
AC Services | HVAC, Air Conditioning & Heating Company WordPress Theme [window-ac-services]
Researcher
Affected Software
Researcher
Affected Software
Researcher
Affected Software
Researcher
Affected Software
Bonbon [bonbon]
Researcher
Affected Software
Bus Ticket Booking with Seat Reservation [bus-ticket-booking-with-seat-reservation]
Researcher
Affected Software
Researcher
Affected Software
Chroma [chroma]
Researcher
Affected Software
Classter | Multi-Purpose HTML Theme [classter]
Researcher
Affected Software
Researcher
Craftis – Handcraft & Artisan Elementor Template Kit <= 1.2.8 – Unauthenticated Local File Inclusion
8.1
Affected Software
Researcher
Affected Software
Researcher
Affected Software
Researcher
Affected Software
Drag and Drop Multiple File Upload for Contact Form 7 [drag-and-drop-multiple-file-upload-contact-form-7]
Researcher
Affected Software
Edifice [edifice]
Researcher
Affected Software
EmojiNation [emojination]
Researcher
Affected Software
Equestrian Centre – Horse-riding School Theme [equestrian-centre]
Researcher
Affected Software
Estate [estate]
Researcher
Affected Software
Researcher
Felizia | Fertility Center & Medical WordPress Theme <= 1.3.4 – Unauthenticated Local File Inclusion
8.1
Affected Software
Researcher
Affected Software
Researcher
Affected Software
Foodie [foodie]
Researcher
Affected Software
Researcher
Affected Software
Researcher
Affected Software
Global Logistics [globallogistics]
Researcher
Affected Software
Good Homes – Real Estate WordPress Theme [good-homes]
Researcher
Affected Software
Grand Wedding WordPress [grandwedding]
Researcher
Affected Software
Green Thumb | Gardening & Landscaping Services WP [greenthumb]
Researcher
Affected Software
Researcher
Affected Software
Researcher
Affected Software
Researcher
Affected Software
Handyman – Home Services Booking App, Website & Admin Panel [handyman-services]
Researcher
Affected Software
Researcher
Affected Software
Researcher
Affected Software
Researcher
Affected Software
Hypnotherapy – Psychologist Theme [hypnotherapy]
Researcher
Affected Software
Invetex [invetex]
Researcher
Jardi | Winery, Vineyard & Wine Shop WordPress Theme <= 1.7.2 – Unauthenticated PHP Object Injection
8.1
Affected Software
Researcher
Affected Software
Researcher
Affected Software
Kayon [kayon]
Researcher
Affected Software
Researcher
Affected Software
Law Office [law-office]
Researcher
Affected Software
Researcher
Affected Software
Researcher
Affected Software
luxury-wine [luxury-wine]
Researcher
Affected Software
Researcher
Affected Software
Manoir [manoir]
Researcher
Affected Software
Meals & Wheels [meals-wheels]
Researcher
Affected Software
Membership Plugin ā Restrict Content [restrict-content]
Researcher
Affected Software
MoneyFlow [moneyflow]
Researcher
Morning Records – Music Sound Studio WordPress Theme <= 1.2 – Unauthenticated PHP Object Injection
8.1
Affected Software
Morning Records – Music Sound Studio WordPress Theme [morning-records]
Researcher
Affected Software
Motorix [motorix]
Researcher
Affected Software
Mounthood | Ski and Snowboarding HTML Template [mounthood]
Researcher
Affected Software
Researcher
Affected Software
My Album Gallery [my-album-gallery]
Researcher
Affected Software
N7 [n7-golf-club]
Researcher
Affected Software
nelson [nelson]
Researcher
Affected Software
NeoBeat – Music WordPress Theme [neobeat]
Researcher
Affected Software
Nuts [nuts]
Researcher
Affected Software
Researcher
Affected Software
Printy [printy]
Researcher
Affected Software
progress [progress]
Researcher
Affected Software
Researcher
Affected Software
Researcher
Affected Software
Researcher
Affected Software
Researcher
Affected Software
Researcher
Affected Software
Researcher
Affected Software
Secudeal Payments for Ecommerce [secudeal-payments-for-ecommerce]
Researcher
ShiftCV – Blog Resume Portfolio WordPress Theme <= 3.0.14 – Unauthenticated Local File Inclusion
8.1
Affected Software
Researcher
Affected Software
Solaris [solaris]
Researcher
Affected Software
Stargaze [stargaze]
Researcher
Affected Software
Super Stage WP [super-stage-wp]
Researcher
Affected Software
Researcher
Affected Software
Translogic | Logistics & Shipment Transportation [translogic]
Researcher
Affected Software
Researcher
Affected Software
Researcher
Affected Software
Tuning [tuning]
Researcher
Unica – Event Planning & Wedding WordPress Theme <= 1.4.1 – Unauthenticated Local File Inclusion
8.1
Affected Software
Researcher
Affected Software
Researcher
Affected Software
Researcher
Vixus – Business Startup Elementor Template Kit <= 1.0.16 – Unauthenticated Local File Inclusion
8.1
Affected Software
Researcher
Affected Software
Wanderland – Travel Blog [wanderland]
Researcher
Affected Software
Wizor’s | Investments, Economics & Bankin WordPress Theme [wizors-investments]
Researcher
Affected Software
Researcher
Affected Software
Researcher
Affected Software
Researcher
Affected Software
Cookiteer [cookiteer]
Researcher
Affected Software
Dental Clinic [dental]
Researcher
Affected Software
JS Archive List [jquery-archive-list-widget]
Affected Software
Researcher
Affected Software
Podlove Web Player [podlove-web-player]
Researcher
ZIP Code Based Content Protection <= 1.0.2 – Unauthenticated SQL Injection via ‘zipcode’ Parameter
7.5
Affected Software
ZIP Code Based Content Protection [zip-code-based-content-protection]
Researcher
Affected Software
Easy PHP Settings [easy-php-settings]
Researcher
Fluent Forms Pro <= 6.1.17 – Unauthenticated Stored Cross-Site Scripting via Draft Form Submission
7.2
Affected Software
Fluent Forms Pro Add On Pack [fluentformpro]
Researcher
Affected Software
Meta Box [meta-box]
Researcher
PostX <= 5.0.8 – Authenticated (Administrator+) Server-Side Request Forgery via REST API Endpoints
7.2
Affected Software
Affected Software
Researcher
WP App Bar <= 1.5 – Unauthenticated Stored Cross-Site Scripting via ‘app-bar-features’ Parameter
7.2
Affected Software
WP App Bar [wp-app-bar]
Researcher
Affected Software
Researcher
Affected Software
WPBookit [wpbookit]
Researcher
Affected Software
WebToffee WooCommerce Product Feeds ā Google Shopping, Pinterest, TikTok Ads, & More [webtoffee-product-feed]
Researcher
Affected Software
Researcher
Affected Software
Fluent Forms Pro Add On Pack [fluentformpro]
Researcher
Affected Software
Researcher
Affected Software
Researcher
Page and Post Clone <= 6.3 – Authenticated (Contributor+) SQL Injection via ‘meta_key’ Parameter
6.5
Affected Software
Fast Page & Post Duplicator [page-or-post-clone]
Researcher
Affected Software
WP-Members Membership Plugin [wp-members]
Researcher
Affected Software
Blocksy [blocksy]
Researcher
Affected Software
Consensus Embed [consensus-embed]
Researcher
Affected Software
DA Media GigList [damedia-giglist]
Researcher
Affected Software
Envira Gallery ā Image Photo Gallery, Albums, Video Gallery, Slideshows & More [envira-gallery-lite]
Affected Software
Greenshift ā animation and page builder blocks [greenshift-animation-and-page-builder-blocks]
Affected Software
Hammas Calendar [hammas-calendar]
Researcher
Affected Software
Infomaniak Connect for OpenID [infomaniak-connect-openid]
Researcher
Affected Software
Media Library Alt Text Editor [media-library-alt-text-editor]
Researcher
Affected Software
My Calendar ā Accessible Event Manager [my-calendar]
Researcher
Affected Software
MyQtip ā easy qTip2 [myqtip-easy-qtip2]
Researcher
Affected Software
OoohBoi Steroids for Elementor [ooohboi-steroids-for-elementor]
Researcher
Affected Software
Restaurant WordPress Theme | Ratatouille [ratatouille]
Researcher
Affected Software
Show YouTube video [show-youtube-video]
Researcher
Wueen <= 0.2.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via Plugin’s Shortcode
6.4
Affected Software
Researcher
Affected Software
All-in-One Video Gallery [all-in-one-video-gallery]
Researcher
Affected Software
Researcher
CM Custom Reports <= 1.2.7 – Reflected Cross-Site Scripting via ‘date_from’ and ‘date_to’ Parameters
6.1
Affected Software
CM Custom Reports ā Flexible reporting to track what matters most [cm-custom-reports]
Researcher
Affected Software
DeepDigital ā Web Design Agency WordPress Theme [deepdigital]
Researcher
Affected Software
Researcher
Affected Software
Listify [listify]
Researcher
Affected Software
My auctions allegro [my-auctions-allegro-free-edition]
Researcher
Affected Software
Pixfort Core [pixfort-core]
Researcher
Affected Software
RSS Aggregator ā RSS Import, News Feeds, Feed to Post, and Autoblogging [wp-rss-aggregator]
Researcher
Affected Software
Researcher
Affected Software
Researcher
Affected Software
Researcher
Affected Software
Researcher
Affected Software
Wp EMember [wp-eMember]
Researcher
Affected Software
Enable Media Replace [enable-media-replace]
Researcher
Affected Software
AI ChatBot with ChatGPT and Content Generator by AYS [ays-chatgpt-assistant]
Researcher
Affected Software
Easy Post Submission ā Frontend Posting, Guest Publishing & Submit Content for WordPress [easy-post-submission]
Researcher
Affected Software
Greenshift ā animation and page builder blocks [greenshift-animation-and-page-builder-blocks]
Researcher
Affected Software
Greenshift ā animation and page builder blocks [greenshift-animation-and-page-builder-blocks]
Researcher
Affected Software
Researcher
Affected Software
Researcher
Affected Software
Researcher
Affected Software
MDJM Event Management [mobile-dj-manager]
Researcher
Affected Software
WP Booking System ā Booking Calendar [wp-booking-system]
Researcher
Affected Software
WP CTA ā Sticky CTA Builder, Generate Leads, Promote Sales [easy-sticky-sidebar]
Researcher
Affected Software
WPBookit [wpbookit]
Researcher
Affected Software
Apocalypse Meow [apocalypse-meow]
Researcher
Affected Software
Community Events [community-events]
Researcher
Affected Software
MailArchiver [mailarchiver]
Researcher
Stock Ticker <= 3.26.1 – Authenticated (Administrator+) Stored Cross-Site Scripting via Template
4.8
Affected Software
Stock Ticker [stock-ticker]
Affected Software
Carta Online [carta-online]
Researcher
Affected Software
LotekMedia Popup Form [ltm-popup-form]
Researcher
Affected Software
Morkva UA Shipping [morkva-ua-shipping]
Researcher
Affected Software
Researcher
Affected Software
Researcher
Affected Software
Font Pairing Preview For Landing Pages [wp-font-pairing-preview]
Researcher
Affected Software
Media Library Assistant [media-library-assistant]
Researcher
Affected Software
Pixfort Core [pixfort-core]
Researcher
Affected Software
ProfileGrid ā User Profiles, Groups and Communities [profilegrid-user-profiles-groups-and-communities]
Researchers
Affected Software
ProfileGrid ā User Profiles, Groups and Communities [profilegrid-user-profiles-groups-and-communities]
Researchers
Affected Software
Purchase Button For Affiliate Link [purchase-button]
Researcher
Affected Software
Seraphinite Accelerator [seraphinite-accelerator]
Researcher
Affected Software
Seraphinite Accelerator [seraphinite-accelerator]
Researcher
Affected Software
Researcher
Affected Software
True Ranker [seo-local-rank]
Researcher
Affected Software
Ultimate Addons for WPBakery [Ultimate_VC_Addons]
Researcher
Affected Software
HUMN-1 AI Website Scanner & Human Certification by Winston AI [winston-ai-wp]
Researcher
Affected Software
WP Frontend Profile [wp-front-end-profile]
Researcher
As a reminder, Wordfence has curated an industry leading vulnerability database with all known WordPress core, theme, and plugin vulnerabilities known as Wordfence Intelligence.
This database is continuously updated, maintained, and populated by Wordfenceās highly credentialed and experienced vulnerability researchers through in-house vulnerability research, vulnerability researchers submitting directly to us through our Bug Bounty Program, and by monitoring varying sources to capture all publicly available WordPress vulnerability information and adding additional context where we can.
Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.
Ā
The post Wordfence Intelligence Weekly WordPress Vulnerability Report (March 2, 2026 to March 8, 2026) appeared first on Wordfence.
