Last week, there were 277 vulnerabilities disclosed in 184 WordPress Plugins and 70 WordPress Themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 94 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.
Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to implement layered security, aligning with our overarching mission to secure WordPress with defense in depth strategies. That is why the Wordfence Intelligence user interface, vulnerability API, webhook integration, and Wordfence CLI Vulnerability Scanner are all completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report. As the world’s leading quality vulnerability database provider for WordPress, site owners can rest assured knowing Wordfence has their back.
Enterprises, Hosting Providers, and even Individuals can use the Wordfence CLI Vulnerability Scanner to run regular vulnerability scans across the sites they protect. Or alternatively, utilize the vulnerability Database API to receive a complete dump of our database of over 35,000 vulnerabilities and then utilize the webhook integration to stay on top of the newest vulnerabilities added in real-time, as well as any updates made to the database, all for free.
Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.
New Firewall Rules Deployed Last Week
The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.
The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:
- WP Maps Pro <= 6.1.0 – Unauthenticated Privilege Escalation via Administrator Account Creation to wpgmp_temp_access_ajax AJAX Action
- Woocommerce Custom Product Addons Pro <= 5.4.1 – Unauthenticated Remote Code Execution via Custom Pricing Formula
Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30 day delay.
Total Unpatched & Patched Vulnerabilities Last Week
| Patch Status | Number of Vulnerabilities |
|---|---|
| Patched | 131 |
| Unpatched | 146 |
Total Vulnerabilities by CVSS Severity Last Week
| Severity Rating | Number of Vulnerabilities |
|---|---|
| Low Severity | 2 |
| Medium Severity | 159 |
| High Severity | 106 |
| Critical Severity | 10 |
Total Vulnerabilities by CWE Type Last Week
| Vulnerability Type by CWE | Number of Vulnerabilities |
|---|---|
| Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) | 77 |
| Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) | 58 |
| Missing Authorization | 56 |
| Cross-Site Request Forgery (CSRF) | 19 |
| Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) | 16 |
| Deserialization of Untrusted Data | 9 |
| Authorization Bypass Through User-Controlled Key | 6 |
| Exposure of Sensitive Information to an Unauthorized Actor | 6 |
| Improper Privilege Management | 5 |
| Improper Control of Generation of Code (‘Code Injection’) | 4 |
| Incorrect Privilege Assignment | 4 |
| Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) | 3 |
| Unrestricted Upload of File with Dangerous Type | 3 |
| Improper Authentication | 2 |
| Authentication Bypass by Alternate Name | 1 |
| External Control of File Name or Path | 1 |
| Improper Restriction of Excessive Authentication Attempts | 1 |
| Insufficient Verification of Data Authenticity | 1 |
| Missing Authentication for Critical Function | 1 |
| Server-Side Request Forgery (SSRF) | 1 |
| Uncontrolled Resource Consumption | 1 |
| URL Redirection to Untrusted Site (‘Open Redirect’) | 1 |
| Weak Password Recovery Mechanism for Forgotten Password | 1 |
Researchers That Contributed to WordPress Security Last Week
| Researcher Name | Number of Vulnerabilities |
|---|---|
| 35 | |
| 28 | |
| 16 | |
| 10 | |
| 9 | |
| 9 | |
| 9 | |
| 7 | |
| 7 | |
| 7 | |
| 6 | |
| 6 | |
| 6 | |
| 6 | |
| 4 | |
| 4 | |
| 4 | |
| 4 | |
| 4 | |
| 4 | |
| 4 | |
| 2 | |
| 2 | |
| 2 | |
| 2 | |
| 2 | |
| 2 | |
| 2 | |
| 2 | |
| 2 | |
| 2 | |
| 2 | |
| 2 | |
| 2 | |
| 2 | |
| 2 | |
| 2 | |
| 2 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 |
Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and earn a bounty on in-scope vulnerabilities through our Bug Bounty Program. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.
WordPress Plugins with Reported Vulnerabilities Last Week
| Software Name | Software Slug |
|---|---|
| 3D Viewer – 3D Model Viewer – Augmented Reality – Virtual Try On | ar-vr-3d-model-try-on |
| a3 Lazy Load | a3-lazy-load |
| Accept Stripe Payments | stripe-payments |
| Admin Chat Management | admin-chat-box |
| Adminimize | adminimize |
| Advanced Custom Fields (ACF®) | advanced-custom-fields |
| Advanced Custom Fields: Extended | acf-extended |
| Advanced Custom Fields: Font Awesome Field | advanced-custom-fields-font-awesome |
| Advanced IP Blocker | advanced-ip-blocker |
| Affiliate Super Assistent | amazonsimpleadmin |
| affiliate-toolkit – Multi-Network Affiliate & Amazon Product Display | affiliate-toolkit-starter |
| AI Engine – The Chatbot, AI Framework & MCP for WordPress | ai-engine |
| Animate Your Content | animate-your-content |
| Animation Addons for Elementor – GSAP Motion Elementor Addons & Website Templates | animation-addons-for-elementor |
| Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin | simply-schedule-appointments |
| Appointment Booking Plugin for WooCommerce – WpBookingly | All-in-One Service Manager | service-booking-manager |
| Auto Affiliate Links | wp-auto-affiliate-links |
| auto making JSON-LD | auto-making-json-ld |
| Auto Thumbnails | automatic-thumbnail |
| Autoship Cloud for WooCommerce Subscription Products | autoship-cloud |
| B2BKing — Ultimate WooCommerce B2B and Wholesale Plugin — Wholesale Prices, Bulk Order Form & More | b2bking-wholesale-for-woocommerce |
| Better Messages – Chat Rooms, Group Chat, Private Messages & AI Chat Bots | bp-better-messages |
| BitForm – Data management solution for WordPress | bitform |
| Booking Manager – Sync WP Booking Calendar – Import Events, Export Bookings to ICS Calendar | booking-manager |
| Breeze Cache | breeze |
| Broadcast Live Video – Live Streaming : WebRTC, HLS, RTSP, RTMP | videowhisper-live-streaming-integration |
| CDN Linker lite | ossdl-cdn-off-linker |
| cformsII | cforms2 |
| CloudSecure WP Security | cloudsecure-wp-security |
| CM Ad Changer – A simple tool to control and optimize your site’s banners | cm-ad-changer |
| Contact Form 7 – PayPal & Stripe Add-on | contact-form-7-paypal-add-on |
| Content Slideshow | content-slideshow |
| Crawlomatic Multipage Scraper Post Generator | crawlomatic-multipage-scraper-post-generator |
| Cryptocurrency Prijsvergelijking Widget | cryptocurrency-prijsvergelijking-widget |
| DearFlip – PDF Flipbook, 3D Flipbook, PDF embed, PDF viewer | 3d-flipbook-dflip-lite |
| Dideo | wp-dideo |
| Disable Comments & Delete All Comments | comments-plus |
| Duplicate Page and Post | duplicate-wp-page-post |
| E-cab Taxi Booking Manager for Woocommerce | ecab-taxi-booking-manager |
| Easy Digital Downloads – eCommerce Payments and Subscriptions made easy | easy-digital-downloads |
| Easy Form Builder by WhiteStudio — Drag & Drop Form Builder | easy-form-builder |
| Easy Prism Syntax Highlighter | easy-prism-syntax-highlighter |
| Easy Updates Manager | stops-core-theme-and-plugin-updates |
| ElementsKit Elementor Addons – Advanced Widgets & Templates Addons for Elementor | elementskit-lite |
| Enable jQuery Migrate Helper | enable-jquery-migrate-helper |
| Endless Scroll | endless-scroll |
| EnvíaloSimple: Email Marketing y Newsletters | envialosimple-email-marketing-y-newsletters-gratis |
| Equalize Digital Accessibility Checker – WCAG, ADA, EAA and Section 508 compliance | accessibility-checker |
| Event Booking Manager for WooCommerce | mage-eventpress |
| EventPrime – Events Calendar, Bookings and Tickets | eventprime-event-calendar-management |
| Events In City | events-in-city |
| Events Schedule – WordPress Events Calendar Plugin | weekly-class |
| Everest Forms – Contact Form, Payment Form, Quiz, Survey & Custom Form Builder | everest-forms |
| Export WordPress Pages to Static HTML & PDF — Static Site Export | export-wp-page-to-static-html |
| faq shortocde | faq-shortcode |
| Favicon by RealFaviconGenerator | favicon-by-realfavicongenerator |
| Feeds for TikTok – Display Video Feeds in Grid Layouts | b-tiktok-feed |
| Felan Framework | felan-framework |
| FlexTable – Data Table Sync with Google Sheets | sheets-to-wp-table-live-sync |
| Formidable Kinetic | formidable-kinetic |
| FOX – Currency Switcher Professional for WooCommerce | woocommerce-currency-switcher |
| Frontend Admin by DynamiApps | acf-frontend-form-element |
| GamiPress – Gamification plugin to reward points, achievements, badges & ranks in WordPress | gamipress |
| GBI To Print | gbi-to-print |
| GenerateBlocks | generateblocks |
| Genzel breadcrumbs | genzel-breadcrumbs |
| Geo Mashup | geo-mashup |
| GEO my WP | geo-my-wp |
| Github Shortcode | github-shortcode |
| GNTT Post Title Ticker | gntt-post-title-ticker |
| Google+ Link Name | google-plus-name-link-popup-badge |
| GoStats for WordPress | gostats-for-wordpress |
| GutenBee – Gutenberg Blocks | gutenbee |
| Gutenverse – WordPress Blocks, Page Builder & Site Editor | gutenverse |
| hk_shortcode | hk-shortcode |
| HT Contact Form – Drag & Drop Form Builder for WordPress | ht-contactform |
| Independent Analytics – WordPress Analytics Plugin | independent-analytics |
| Instant-Quote.co Quotation Page | iq-quotation-page |
| Islamic Database | islamic-database |
| iWR Tooltip | iwr-tooltip |
| jQuery googleslides | jquery-googleslides |
| KiviCare – Clinic & Patient Management System (EHR) | kivicare-clinic-management-system |
| Link Whisper Free | link-whisper |
| Listen Shortcode | listen-shortcode |
| LiteSpeed Cache | litespeed-cache |
| Livemesh Addons for Beaver Builder | addons-for-beaver-builder |
| Livemesh SiteOrigin Widgets | livemesh-siteorigin-widgets |
| LiveSmart Video Chat Live Video Chat | new-dev-livesmart-video-chat |
| Login No Captcha reCAPTCHA | login-recaptcha |
| Login with NEAR | near-login |
| Login with OTP | otp-login |
| Master Slider – Responsive Touch Slider | master-slider |
| Masteriyo LMS – LMS Course Builder, Quizzes & Certificates | learning-management-system |
| Mayosis Core | mayosis-core |
| Media Library Assistant | media-library-assistant |
| Meta Field Block – Display custom fields in the Block Editor without coding | display-a-meta-field-as-block |
| Meta for WooCommerce | facebook-for-woocommerce |
| MetaMagic SEO Plugin | metamagic |
| MinhNhut Link Gateway | minhnhut-link-gateway |
| Modula Image Gallery – Photo Grid & Video Gallery | modula-best-grid-gallery |
| Mutual Funds Data | mutual-funds-data |
| My Email Shortcode | my-email-shortcode |
| myLinksDump | mylinksdump |
| Ninja Forms Views – Display & Edit Ninja Forms Submissions on your site frontend | views-for-ninja-forms |
| NS Product icon badge | product-icon-badge |
| Old Posts Highlighter | old-posts-highlighter |
| Organization chart | organization-chart |
| OTP Login With Phone Number, OTP Verification | login-with-phone-number |
| Paid Videochat Turnkey Site – HTML5 PPV Live Webcams | ppv-live-webcams |
| PDF Embedder | pdf-embedder |
| PeachPay — Payments & Express Checkout for WooCommerce (supports Stripe, PayPal, Square, Authorize.net, NMI) | peachpay-for-woocommerce |
| Photo Gallery by 10Web – Mobile-Friendly Image Gallery | photo-gallery |
| Poll Maker by AYS – Versus Polls, Anonymous Polls, Image Polls | poll-maker |
| Post Categories Gallery | post-category-gallery |
| Post SMTP – Complete Email Deliverability and SMTP Solution with Email Logs, Alerts, Backup SMTP & Mobile App | post-smtp |
| Post Snippets – Custom WordPress Code Snippets Customizer | post-snippets |
| Product Import Export for WooCommerce – Import Export Product CSV Suite | product-import-export-for-woo |
| QR Redirector | qr-redirector |
| Quads Ads Manager for Google AdSense | quick-adsense-reloaded |
| Query Shortcode | query-shortcode |
| Rank Math SEO – AI SEO Tools to Dominate SEO Rankings | seo-by-rank-math |
| Realtyna Organic IDX plugin + WPL Real Estate | real-estate-listing-realtyna-wpl |
| RepairBuddy – Repair Shop CRM & Booking Plugin for WordPress | computer-repair-shop |
| Responsive Check | responsive-checker-real-time |
| Responsive Video Embedder | responsive-video-embedder |
| rexCrawler | rexcrawler |
| RSVP and Event Management | rsvp |
| Search Analytics for WP | search-analytics |
| Search Simple Fields | search-simple-fields |
| SeedProd Pro | seedprod-coming-soon-pro-5 |
| SePay Gateway | sepay-gateway |
| Shariff Wrapper | shariff |
| ShopLentor – All-in-One WooCommerce Growth & Store Enhancement Plugin | woolentor-addons |
| Shortcode Buddy | shortcode-buddy |
| Simple Divi Shortcode | simple-divi-shortcode |
| Simple History – Track, Log, and Audit WordPress Changes | simple-history |
| Single Mailchimp | single-mailchimp |
| SlimStat Analytics | wp-slimstat |
| Smart Online Order for Clover | clover-online-orders |
| SMTP2GO for WordPress – Email Made Easy | smtp2go |
| Spectra Gutenberg Blocks – Website Builder for the Block Editor | ultimate-addons-for-gutenberg |
| Splide Carousel Block | splide-carousel |
| StatCounter – Free Real Time Visitor Stats | official-statcounter-plugin-for-wordpress |
| Style Kits for Elementor | analogwp-templates |
| Subscription & Recurring Payment for WooCommerce | subscription |
| Sunshine Photo Cart – Client Photo Gallery & Photo Proofing for Photographers | sunshine-photo-cart |
| Support Ticket Management System for WordPress | support_ticket |
| SVG Support | svg-support |
| sw_core | sw_core |
| Sweet Date Core | sweetdate-core |
| TableOn – WordPress Posts Table Filterable | posts-table-filterable |
| Tainacan | tainacan |
| Team Master – A Modern WordPress Team Showcase | team-master |
| Team Showcase | team |
| The Plus Addons for Elementor – Addons for Elementor, Page Templates, Widgets, Mega Menu, WooCommerce | the-plus-addons-for-elementor-page-builder |
| The Post Grid – Shortcode, Gutenberg Blocks and Elementor Addon for Post Grid | the-post-grid |
| Timetable and Event Schedule by MotoPress | mp-timetable |
| Travelly – Tour & Travel Booking Manager for WooCommerce | Tour & Hotel Booking Solution | tour-booking-manager |
| Tuxquote | tuxquote |
| Two-factor authentication (formerly IP Vault) | ip-vault-wp-firewall |
| Unlimited Elements For Elementor | unlimited-elements-for-elementor |
| User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder | user-registration |
| Views for WPForms – Display & Edit WPForms Entries on your site frontend | views-for-wpforms-lite |
| VikBooking Hotel Booking Engine & PMS | vikbooking |
| Visualizer: Tables and Charts Manager for WordPress | visualizer |
| WCFM Membership – WooCommerce Memberships for Multivendor Marketplace | wc-multivendor-membership |
| WebinarIgnition – Live, Automated & Evergreen Webinar System also for WooCommerce | webinar-ignition |
| Woocommerce Envato Affiliates | wooenvato |
| WooCommerce Infinite Scroll and Ajax Pagination | sb-woocommerce-infinite-scrol |
| WP AutoBuzz | wp-autobuzz |
| WP Contact Form 7 DB Handler | wp-contact-form-7-db-handler |
| WP Iframe Geo Style for Amazon affiliates | wp-iframe-geo-style-for-amazon-affiliates |
| WP Maps Pro | wp-google-map-gold |
| WP Meta and Date Remover | wp-meta-and-date-remover |
| WP Promoter | wp-promoter |
| WP Travel Pro | wp-travel-pro |
| WPBakery Page Builder Addons by Livemesh | addons-for-visual-composer |
| WPCode – Insert Headers and Footers + Custom Code Snippets – WordPress Code Manager | insert-headers-and-footers |
| WPComplete | wpcomplete |
| WPCS – WordPress Currency Switcher Professional | currency-switcher |
| WPForms – Easy Form Builder for WordPress – Contact Forms, Payment Forms, Surveys, & More | wpforms-lite |
| WPify Woo – Withdrawal, CRN/VAT, QR payments, Heureka and more for WooCommerce | wpify-woo |
| Xpro Elementor Addons – Pro | xpro-elementor-addons-pro |
| Yoast SEO – Advanced SEO with real-time guidance and built-in AI | wordpress-seo |
WordPress Themes with Reported Vulnerabilities Last Week
| Software Name | Software Slug |
|---|---|
| Abelle | abelle |
| AirSupply | Conditioning Company and Heating Services WordPress Theme + RTL | air-supply |
| Automotive Car Dealership Business WordPress Theme | automotive |
| Brikk – Directory & Listing WordPress Theme | brikk |
| CarZone – A Complete Car Dealer HTML Wire-Frame | carzone |
| Choreo | choreo |
| Confidant – Startup & Consulting Services WordPress Theme | confidant |
| CopyPress | copypress |
| Corbesier | corbesier |
| Crafti – Handmade Store WordPress Theme | crafti |
| Dazzle – Manufacturing & Factory Elementor Pro template Kit | dazzle |
| Deliciosa | deliciosa |
| Dom | dom |
| Entrepreneur – Booking for Small Businesses WordPress Theme | entrepreneurx |
| Eros | eros |
| Especio – Food Blog Elementor Pro Template Kit | especio |
| Etude – Design Agency & Branding Agency WordPress Theme | etude |
| Eventicity | eventicity |
| Fermentio — Brewery and Winemaking Restaurant WordPress Theme | fermentio |
| Food Drop | Meal Ordering & Delivery Mobile App WordPress Theme | food-drop |
| Fortius | fortius |
| Gamic – Gaming Metaverse Game & Crypto WordPress Theme | gamic |
| Gat | gat |
| Genemy – Creative Minimal Landing Page Builder for Digital Startup Design Studio Agency in Marketing | genemy |
| Geya – Renewable Energy & Ecology WordPress Theme | geya |
| Gita | gita |
| Grand Car Rental | Limousine HTML Template | grandcarrental |
| Granola – SEO & Marketing Agency WordPress Theme | granola |
| Grecko | Business WordPress Theme | grecko |
| Gunslinger | gunslinger |
| Home Health Care, Medical Care WordPress Theme – NanoCare | nanocare |
| Hot Coffee | Coffee Shop & Cafe WordPress Theme | hot-coffee |
| Imba | imba |
| Ingenioso | ingenioso |
| Iona – Handmade & Crafts Shop WordPress Theme | iona |
| ITactics – IT Solutions & Digital Startup WordPress Theme + AI | itactics |
| JobCareer | jobcareer |
| Kelly Young | kelly-young |
| Line Agency | Interior Design & Architecture WordPress Theme | lineagency |
| LuxMed | Medicine & Healthcare Doctor WordPress Theme | luxmed |
| MaxiNet – Internet & IPTV Provider Elementor Template Kit | maxinet |
| Medeus | medeus |
| Mission | mission |
| Modernee | modernee |
| Newses | newses |
| Nexio | nexio |
| Nyla – A Fresh & Modern WooCommerce Theme | nyla |
| Orpheus | orpheus |
| Planty | planty |
| Plumbing – Plumber and Handyman WordPress Theme | plumbing-parts |
| Preservation | preservation |
| Printo | printo |
| Putter | putter |
| Qreatix – Interactive Portfolio WordPress Theme | qreatix |
| quirky | quirky |
| Reisen | Auto Store & Car Repair WordPress Theme | reisen |
| Resurs – Physiotherapy & Psychology Rehabilitation WordPress Theme | resurs |
| Roneous – Creative Multi-Purpose WordPress Theme | roneous |
| Rosaleen | rosaleen |
| SeaFood Company – Fish Restaurant WordPress Theme | seafood-company |
| Skyward | skyward |
| Snow Club | Ski Resort and Snowboard Classes WordPress Theme | snow-club |
| snowy | snowy |
| Spike – Volleyball Sports WordPress Theme | spike |
| Spin – Cricket Team Sports WordPress Theme + AI | spin |
| tipsy | tipsy |
| Top Dog | top-dog |
| Truemag | truemag |
| Wanium – A Elegant Multi-Concept Theme | wanium |
| WineShop – Food & Wine Store WordPress Theme | wineshop |
Vulnerability Details
Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities. If you’d like to receive real-time notifications whenever a vulnerability is added to the Wordfence Intelligence Vulnerability Database, check out our Slack and HTTP Webhook Integration, which is completely free to utilize.
Affected Software
Advanced Custom Fields: Extended [acf-extended]
Researcher
Affected Software
Login with OTP [otp-login]
Researcher
Affected Software
OTP Login With Phone Number, OTP Verification [login-with-phone-number]
Researcher
Affected Software
Support Ticket Management System for WordPress [support_ticket]
Researcher
Affected Software
Researcher
Affected Software
WP Maps Pro [wp-google-map-gold]
Researcher
CarZone – A Complete Car Dealer HTML Wire-Frame <= 3.7 – Unauthenticated Arbitrary File Deletion
9.1
Affected Software
Researcher
Affected Software
VikBooking Hotel Booking Engine & PMS [vikbooking]
Researcher
Affected Software
WP Travel Pro [wp-travel-pro]
Researcher
Affected Software
Crawlomatic Multipage Scraper Post Generator [crawlomatic-multipage-scraper-post-generator]
Researcher
Affected Software
Admin Chat Management [admin-chat-box]
Researcher
Affected Software
Frontend Admin by DynamiApps [acf-frontend-form-element]
Researcher
Affected Software
Frontend Admin by DynamiApps [acf-frontend-form-element]
Researcher
Affected Software
Researcher
Affected Software
GutenBee – Gutenberg Blocks [gutenbee]
Researcher
Affected Software
Spectra Gutenberg Blocks – Website Builder for the Block Editor [ultimate-addons-for-gutenberg]
Researcher
Affected Software
WooCommerce Infinite Scroll and Ajax Pagination [sb-woocommerce-infinite-scrol]
Researcher
Affected Software
WPCode – Insert Headers and Footers + Custom Code Snippets – WordPress Code Manager [insert-headers-and-footers]
Researcher
Affected Software
Researcher
Affected Software
Researcher
Affected Software
Broadcast Live Video – Live Streaming : WebRTC, HLS, RTSP, RTMP [videowhisper-live-streaming-integration]
Researcher
Affected Software
Researcher
Affected Software
CopyPress [copypress]
Researcher
Affected Software
Corbesier [corbesier]
Researcher
Affected Software
Researcher
Affected Software
Researcher
Affected Software
Deliciosa [deliciosa]
Researcher
Affected Software
Researcher
Affected Software
Researcher
Affected Software
Eventicity [eventicity]
Researcher
EventPrime – Events Calendar, Bookings and Tickets <= 4.3.2.1 – Unauthenticated PHP Object Injection
8.1
Affected Software
EventPrime – Events Calendar, Bookings and Tickets [eventprime-event-calendar-management]
Researcher
Affected Software
Researcher
Affected Software
Researcher
Affected Software
Fortius [fortius]
Researcher
Affected Software
Researcher
Geya – Renewable Energy & Ecology WordPress Theme <= 1.15 – Unauthenticated Local File Inclusion
8.1
Affected Software
Researcher
Affected Software
Researcher
Affected Software
Grecko | Business WordPress Theme [grecko]
Researcher
Affected Software
Gunslinger [gunslinger]
Researcher
Affected Software
Hot Coffee | Coffee Shop & Cafe WordPress Theme [hot-coffee]
Researcher
Affected Software
Imba [imba]
Researcher
Affected Software
Ingenioso [ingenioso]
Researcher
Affected Software
Researcher
Affected Software
Researcher
Affected Software
Kelly Young [kelly-young]
Researcher
Affected Software
Researcher
Affected Software
Login with NEAR [near-login]
Researcher
Affected Software
Researcher
Affected Software
Researcher
Affected Software
Media Library Assistant [media-library-assistant]
Researcher
Affected Software
Modernee [modernee]
Researcher
Affected Software
Nexio [nexio]
Researcher
Affected Software
Paid Videochat Turnkey Site – HTML5 PPV Live Webcams [ppv-live-webcams]
Researcher
Affected Software
Planty [planty]
Researcher
Affected Software
Plumbing – Plumber and Handyman WordPress Theme [plumbing-parts]
Researcher
Affected Software
Preservation [preservation]
Researcher
Affected Software
Researcher
Affected Software
Researcher
Roneous – Creative Multi-Purpose WordPress Theme <= 2.1.5 – Unauthenticated Local File Inclusion
8.1
Affected Software
Researcher
Affected Software
Rosaleen [rosaleen]
Researcher
Affected Software
SeaFood Company – Fish Restaurant WordPress Theme [seafood-company]
Researcher
Affected Software
Researcher
Affected Software
Researcher
Affected Software
Researcher
Affected Software
Truemag [truemag]
Researcher
Affected Software
Researcher
Affected Software
Researcher
Affected Software
WineShop – Food & Wine Store WordPress Theme [wineshop]
Researcher
Affected Software
WP Contact Form 7 DB Handler [wp-contact-form-7-db-handler]
Researchers
Affected Software
Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin [simply-schedule-appointments]
Researcher
Easy Form Builder by WhiteStudio — Drag & Drop Form Builder <= 4.0.6 – Unauthenticated SQL Injection
7.5
Affected Software
Easy Form Builder by WhiteStudio — Drag & Drop Form Builder [easy-form-builder]
Researcher
Affected Software
Entrepreneur – Booking for Small Businesses WordPress Theme [entrepreneurx]
Researcher
Affected Software
GEO my WP [geo-my-wp]
Researcher
Affected Software
Query Shortcode [query-shortcode]
Researcher
Affected Software
Realtyna Organic IDX plugin + WPL Real Estate [real-estate-listing-realtyna-wpl]
Researcher
Affected Software
SeedProd Pro [seedprod-coming-soon-pro-5]
Researcher
Affected Software
Simple History – Track, Log, and Audit WordPress Changes [simple-history]
Researcher
Affected Software
sw_core [sw_core]
Researcher
Affected Software
TableOn – WordPress Posts Table Filterable [posts-table-filterable]
Researcher
Affected Software
Advanced IP Blocker [advanced-ip-blocker]
Researcher
Affected Software
Affiliate Super Assistent [amazonsimpleadmin]
Researcher
Affected Software
affiliate-toolkit – Multi-Network Affiliate & Amazon Product Display [affiliate-toolkit-starter]
Researcher
Affected Software
Researcher
Affected Software
Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin [simply-schedule-appointments]
Researcher
Affected Software
Broadcast Live Video – Live Streaming : WebRTC, HLS, RTSP, RTMP [videowhisper-live-streaming-integration]
Researcher
Affected Software
Favicon by RealFaviconGenerator [favicon-by-realfavicongenerator]
Researcher
Affected Software
Geo Mashup [geo-mashup]
Researcher
Affected Software
Grand Car Rental | Limousine HTML Template [grandcarrental]
Researcher
Affected Software
HT Contact Form – Drag & Drop Form Builder for WordPress [ht-contactform]
Researcher
Affected Software
Link Whisper Free [link-whisper]
Researcher
Affected Software
LiteSpeed Cache [litespeed-cache]
Researcher
Affected Software
Login No Captcha reCAPTCHA [login-recaptcha]
Researcher
Affected Software
Researcher
Affected Software
Researcher
SlimStat Analytics <= 5.4.11 – Unauthenticated Stored Cross-Site Scripting via User-Agent Header
7.2
Affected Software
SlimStat Analytics [wp-slimstat]
Researcher
Affected Software
Smart Online Order for Clover [clover-online-orders]
Researcher
Affected Software
WPCS – WordPress Currency Switcher Professional [currency-switcher]
Researcher
Affected Software
Duplicate Page and Post [duplicate-wp-page-post]
Researcher
Affected Software
Enable jQuery Migrate Helper [enable-jquery-migrate-helper]
Researcher
Events Schedule – WordPress Events Calendar <= 2.7.2 – Authenticated (Subscriber+) SQL Injection
6.5
Affected Software
Events Schedule – WordPress Events Calendar Plugin [weekly-class]
Researcher
Independent Analytics <= 2.14.9 – Unauthenticated Server-Side Request Forgery via Tracking Route
6.5
Affected Software
Independent Analytics – WordPress Analytics Plugin [independent-analytics]
Researcher
Affected Software
Meta Field Block – Display custom fields in the Block Editor without coding [display-a-meta-field-as-block]
Researcher
Affected Software
Ninja Forms Views – Display & Edit Ninja Forms Submissions on your site frontend [views-for-ninja-forms]
Researcher
Affected Software
Researcher
Affected Software
Photo Gallery by 10Web – Mobile-Friendly Image Gallery [photo-gallery]
Researcher
Affected Software
Unlimited Elements For Elementor [unlimited-elements-for-elementor]
Researcher
Affected Software
Views for WPForms – Display & Edit WPForms Entries on your site frontend [views-for-wpforms-lite]
Researcher
Xpro Elementor Addons – Pro <= 1.4.7 – Authenticated (Contributor+) Arbitrary File Read via Draw SVG
6.5
Affected Software
Xpro Elementor Addons – Pro [xpro-elementor-addons-pro]
Researcher
a3 Lazy Load <= 2.7.6 – Authenticated (Contributor+) Stored Cross-Site Scripting via Video Element
6.4
Affected Software
a3 Lazy Load [a3-lazy-load]
Researcher
Affected Software
Advanced Custom Fields: Font Awesome Field [advanced-custom-fields-font-awesome]
Researcher
Affected Software
Animate Your Content [animate-your-content]
Researcher
Patch Status
Patched
Patched
Published
May 26, 2026
May 26, 2026
Affected Software
Animation Addons for Elementor – GSAP Motion Elementor Addons & Website Templates [animation-addons-for-elementor]
Patch Status
Patched
Patched
Published
May 26, 2026
May 26, 2026
Affected Software
Animation Addons for Elementor – GSAP Motion Elementor Addons & Website Templates [animation-addons-for-elementor]
Patch Status
Patched
Patched
Published
May 26, 2026
May 26, 2026
Affected Software
Animation Addons for Elementor – GSAP Motion Elementor Addons & Website Templates [animation-addons-for-elementor]
Researcher
Affected Software
Auto Thumbnails [automatic-thumbnail]
Researcher
Affected Software
Automotive Car Dealership Business WordPress Theme [automotive]
Researcher
BitForm <= 1.1.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
6.4
Affected Software
Researcher
Affected Software
Researcher
Affected Software
Content Slideshow [content-slideshow]
Researcher
Affected Software
Cryptocurrency Prijsvergelijking Widget [cryptocurrency-prijsvergelijking-widget]
Researcher
Dideo <= 1.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
6.4
Affected Software
Easy Prism Syntax Highlighter [easy-prism-syntax-highlighter]
Researcher
Affected Software
Endless Scroll [endless-scroll]
Researcher
Affected Software
Events In City [events-in-city]
Researcher
Affected Software
faq shortocde [faq-shortcode]
Researcher
Affected Software
Formidable Kinetic [formidable-kinetic]
Researcher
Affected Software
GBI To Print [gbi-to-print]
Researcher
Affected Software
Geo Mashup [geo-mashup]
Researcher
Affected Software
Github Shortcode [github-shortcode]
Researcher
Affected Software
GNTT Post Title Ticker [gntt-post-title-ticker]
Researcher
Affected Software
Google+ Link Name [google-plus-name-link-popup-badge]
Researcher
Affected Software
hk_shortcode [hk-shortcode]
Researcher
Affected Software
Instant-Quote.co Quotation Page [iq-quotation-page]
Researcher
Affected Software
Islamic Database [islamic-database]
Researcher
Affected Software
iWR Tooltip [iwr-tooltip]
Researcher
Affected Software
jQuery googleslides [jquery-googleslides]
Researcher
Affected Software
Listen Shortcode [listen-shortcode]
Researcher
Affected Software
Livemesh Addons for Beaver Builder [addons-for-beaver-builder]
Researcher
Affected Software
Livemesh SiteOrigin Widgets [livemesh-siteorigin-widgets]
Researcher
Affected Software
LiveSmart Video Chat Live Video Chat [new-dev-livesmart-video-chat]
Researcher
Affected Software
Master Slider – Responsive Touch Slider [master-slider]
Researcher
Affected Software
Modula Image Gallery – Photo Grid & Video Gallery [modula-best-grid-gallery]
Researcher
Affected Software
Mutual Funds Data [mutual-funds-data]
Researcher
Affected Software
My Email Shortcode [my-email-shortcode]
Researcher
Affected Software
Post Categories Gallery [post-category-gallery]
Researcher
Affected Software
Responsive Check [responsive-checker-real-time]
Researcher
Affected Software
Responsive Video Embedder [responsive-video-embedder]
Researcher
Affected Software
Shariff Wrapper [shariff]
Researcher
Affected Software
Shortcode Buddy [shortcode-buddy]
Researcher
Affected Software
Simple Divi Shortcode [simple-divi-shortcode]
Researcher
Affected Software
Single Mailchimp [single-mailchimp]
Researcher
Affected Software
Splide Carousel Block [splide-carousel]
Researcher
Affected Software
StatCounter – Free Real Time Visitor Stats [official-statcounter-plugin-for-wordpress]
Researcher
Affected Software
Style Kits for Elementor [analogwp-templates]
Affected Software
Team Master – A Modern WordPress Team Showcase [team-master]
Researcher
Affected Software
Team Showcase [team]
Researcher
Affected Software
The Plus Addons for Elementor – Addons for Elementor, Page Templates, Widgets, Mega Menu, WooCommerce [the-plus-addons-for-elementor-page-builder]
Researcher
Tuxquote <= 1.3 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
6.4
Affected Software
WP Iframe Geo Style for Amazon affiliates [wp-iframe-geo-style-for-amazon-affiliates]
Researcher
Affected Software
WPBakery Page Builder Addons by Livemesh [addons-for-visual-composer]
Researcher
Affected Software
WPBakery Page Builder Addons by Livemesh [addons-for-visual-composer]
Researcher
Affected Software
WPComplete [wpcomplete]
Researcher
Affected Software
Easy Updates Manager [stops-core-theme-and-plugin-updates]
Researcher
Affected Software
Felan Framework [felan-framework]
Researcher
Affected Software
Researcher
Affected Software
MinhNhut Link Gateway [minhnhut-link-gateway]
Researcher
Affected Software
NS Product icon badge [product-icon-badge]
Researcher
Affected Software
Sweet Date Core [sweetdate-core]
Researcher
Affected Software
WP AutoBuzz [wp-autobuzz]
Researcher
Affected Software
WP Promoter [wp-promoter]
Researcher
Affected Software
ShopLentor – All-in-One WooCommerce Growth & Store Enhancement Plugin [woolentor-addons]
Researcher
Affected Software
Accept Stripe Payments [stripe-payments]
Researcher
Patch Status
Patched
Patched
Published
May 27, 2026
May 27, 2026
Affected Software
Advanced Custom Fields (ACF®) [advanced-custom-fields]
Researcher
Affected Software
Advanced Custom Fields (ACF®) [advanced-custom-fields]
Researcher
Affected Software
Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin [simply-schedule-appointments]
Researcher
Affected Software
Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin [simply-schedule-appointments]
Researcher
Affected Software
Auto Affiliate Links [wp-auto-affiliate-links]
Researcher
Affected Software
Better Messages – Chat Rooms, Group Chat, Private Messages & AI Chat Bots [bp-better-messages]
Researcher
Affected Software
Breeze Cache [breeze]
Researcher
Affected Software
CloudSecure WP Security [cloudsecure-wp-security]
Researcher
Affected Software
Contact Form 7 – PayPal & Stripe Add-on [contact-form-7-paypal-add-on]
Researcher
Affected Software
E-cab Taxi Booking Manager for Woocommerce [ecab-taxi-booking-manager]
Researcher
Affected Software
Researcher
Affected Software
Event Booking Manager for WooCommerce [mage-eventpress]
Researcher
Affected Software
Researcher
Affected Software
Geo Mashup [geo-mashup]
Researcher
Affected Software
KiviCare – Clinic & Patient Management System (EHR) [kivicare-clinic-management-system]
Researcher
Affected Software
Masteriyo LMS – LMS Course Builder, Quizzes & Certificates [learning-management-system]
Researcher
Affected Software
Mayosis Core [mayosis-core]
Researcher
Affected Software
Paid Videochat Turnkey Site – HTML5 PPV Live Webcams [ppv-live-webcams]
Researcher
Affected Software
Quads Ads Manager for Google AdSense [quick-adsense-reloaded]
Researcher
Affected Software
Rank Math SEO – AI SEO Tools to Dominate SEO Rankings [seo-by-rank-math]
Affected Software
RSVP and Event Management [rsvp]
Researcher
Affected Software
Search Analytics for WP [search-analytics]
Researcher
Affected Software
SePay Gateway [sepay-gateway]
Researcher
Affected Software
Smart Online Order for Clover [clover-online-orders]
Researcher
Affected Software
Smart Online Order for Clover [clover-online-orders]
Researcher
Affected Software
Researcher
Affected Software
Researcher
Affected Software
WCFM Membership – WooCommerce Memberships for Multivendor Marketplace [wc-multivendor-membership]
Researcher
Affected Software
WP Promoter [wp-promoter]
Researcher
Affected Software
Researcher
Affected Software
EnvíaloSimple: Email Marketing y Newsletters [envialosimple-email-marketing-y-newsletters-gratis]
Researcher
Affected Software
Frontend Admin by DynamiApps [acf-frontend-form-element]
Researchers
Affected Software
myLinksDump [mylinksdump]
Researcher
Affected Software
rexCrawler [rexcrawler]
Researcher
Affected Software
Meta for WooCommerce [facebook-for-woocommerce]
Researcher
Affected Software
MinhNhut Link Gateway [minhnhut-link-gateway]
Researcher
Affected Software
Post Snippets – Custom WordPress Code Snippets Customizer [post-snippets]
Researcher
Affected Software
3D Viewer – 3D Model Viewer – Augmented Reality – Virtual Try On [ar-vr-3d-model-try-on]
Researcher
Affected Software
Adminimize [adminimize]
Researcher
Affected Software
Appointment Booking Plugin for WooCommerce – WpBookingly | All-in-One Service Manager [service-booking-manager]
Researcher
Affected Software
auto making JSON-LD [auto-making-json-ld]
Researcher
Affected Software
Autoship Cloud for WooCommerce Subscription Products [autoship-cloud]
Researcher
Brikk <= 3.0.0 – Missing Authorization to Authenticated (Subscriber+) Arbitrary Content Deletion
4.3
Affected Software
Researcher
Affected Software
CDN Linker lite [ossdl-cdn-off-linker]
Researcher
Affected Software
cformsII [cforms2]
Researcher
CM Ad Changer <= 2.0.7 – Cross-Site Request Forgery to Campaign Deletion via Campaign Management
4.3
Affected Software
Researcher
Affected Software
DearFlip – PDF Flipbook, 3D Flipbook, PDF embed, PDF viewer [3d-flipbook-dflip-lite]
Researcher
Affected Software
Easy Digital Downloads – eCommerce Payments and Subscriptions made easy [easy-digital-downloads]
Researcher
Affected Software
Researcher
Affected Software
Equalize Digital Accessibility Checker – WCAG, ADA, EAA and Section 508 compliance [accessibility-checker]
Researcher
Affected Software
Researcher
Affected Software
Export WordPress Pages to Static HTML & PDF — Static Site Export [export-wp-page-to-static-html]
Researcher
Affected Software
Feeds for TikTok – Display Video Feeds in Grid Layouts [b-tiktok-feed]
Researcher
Affected Software
FlexTable – Data Table Sync with Google Sheets [sheets-to-wp-table-live-sync]
Researcher
Affected Software
FOX – Currency Switcher Professional for WooCommerce [woocommerce-currency-switcher]
Researcher
Affected Software
Researcher
Affected Software
GenerateBlocks [generateblocks]
Researcher
Genzel breadcrumbs <= 1.2 – Cross-Site Request Forgery to Settings Update via Plugin Settings Page
4.3
Affected Software
Genzel breadcrumbs [genzel-breadcrumbs]
Researcher
Affected Software
GoStats for WordPress [gostats-for-wordpress]
Researcher
Affected Software
JobCareer [jobcareer]
Researcher
MetaMagic SEO Plugin <= 1.6 – Cross-Site Request Forgery to Plugin Settings Update via Settings Page
4.3
Affected Software
MetaMagic SEO Plugin [metamagic]
Researcher
Affected Software
Researcher
Affected Software
Old Posts Highlighter [old-posts-highlighter]
Researcher
Affected Software
Organization chart [organization-chart]
Researcher
Affected Software
PDF Embedder [pdf-embedder]
Researcher
Affected Software
PeachPay — Payments & Express Checkout for WooCommerce (supports Stripe, PayPal, Square, Authorize.net, NMI) [peachpay-for-woocommerce]
Researcher
Affected Software
Researcher
Affected Software
Product Import Export for WooCommerce – Import Export Product CSV Suite [product-import-export-for-woo]
Researcher
Affected Software
QR Redirector [qr-redirector]
Researcher
Affected Software
RepairBuddy – Repair Shop CRM & Booking Plugin for WordPress [computer-repair-shop]
Researcher
Affected Software
Search Simple Fields [search-simple-fields]
Researcher
Affected Software
SMTP2GO for WordPress – Email Made Easy [smtp2go]
Researcher
Affected Software
Subscription & Recurring Payment for WooCommerce [subscription]
Researcher
Affected Software
Sunshine Photo Cart – Client Photo Gallery & Photo Proofing for Photographers [sunshine-photo-cart]
Researcher
Affected Software
SVG Support [svg-support]
Researcher
Affected Software
Researcher
Affected Software
Timetable and Event Schedule by MotoPress [mp-timetable]
Researcher
Affected Software
Travelly – Tour & Travel Booking Manager for WooCommerce | Tour & Hotel Booking Solution [tour-booking-manager]
Researcher
Two-factor authentication (formerly IP Vault) <= 2.1 – Cross-Site Request Forgery to Settings Update
4.3
Affected Software
Two-factor authentication (formerly IP Vault) [ip-vault-wp-firewall]
Researcher
Affected Software
Visualizer: Tables and Charts Manager for WordPress [visualizer]
Researcher
Affected Software
Woocommerce Envato Affiliates [wooenvato]
Researcher
Affected Software
WP Meta and Date Remover [wp-meta-and-date-remover]
Researcher
Affected Software
Yoast SEO – Advanced SEO with real-time guidance and built-in AI [wordpress-seo]
Researcher
Affected Software
Disable Comments & Delete All Comments [comments-plus]
Researcher
Affected Software
B2BKing — Ultimate WooCommerce B2B and Wholesale Plugin — Wholesale Prices, Bulk Order Form & More [b2bking-wholesale-for-woocommerce]
Researcher
As a reminder, Wordfence has curated an industry leading vulnerability database with all known WordPress core, theme, and plugin vulnerabilities known as Wordfence Intelligence.
This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, vulnerability researchers submitting directly to us through our Bug Bounty Program, and by monitoring varying sources to capture all publicly available WordPress vulnerability information and adding additional context where we can.
Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.
The post Wordfence Intelligence Weekly WordPress Vulnerability Report (May 25, 2026 to May 31, 2026) appeared first on Wordfence.
