Did you know Wordfence runs a Bug Bounty Program for all WordPress plugin and themes at no cost to vendors? Researchers can earn up to $31,200 per vulnerability, for all in-scope vulnerabilities submitted to our Bug Bounty Program! Find a vulnerability, submit the details directly to us, and we handle all the rest.
Last week, there were 120 vulnerabilities disclosed in 107 WordPress Plugins and 10 WordPress Themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 55 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.
Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to implement layered security, aligning with our overarching mission to secure WordPress with defense in depth strategies. That is why the Wordfence Intelligence user interface, vulnerability API, webhook integration, and Wordfence CLI Vulnerability Scanner are all completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report. As the world’s leading quality vulnerability database provider for WordPress, site owners can rest assured knowing Wordfence has their back.
Enterprises, Hosting Providers, and even Individuals can use the Wordfence CLI Vulnerability Scanner to run regular vulnerability scans across the sites they protect. Or alternatively, utilize the vulnerability Database API to receive a complete dump of our database of over 33,000 vulnerabilities and then utilize the webhook integration to stay on top of the newest vulnerabilities added in real-time, as well as any updates made to the database, all for free.
Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.
New Firewall Rules Deployed Last Week
The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.
The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:
-
-
- WAF-RULE-892 – Data redacted while we work with the vendor on a patch.
-
Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30 day delay.
Total Unpatched & Patched Vulnerabilities Last Week
| Patch Status | Number of Vulnerabilities |
|---|---|
| Patched | 56 |
| Unpatched | 64 |
Total Vulnerabilities by CVSS Severity Last Week
| Severity Rating | Number of Vulnerabilities |
|---|---|
| Medium Severity | 86 |
| High Severity | 32 |
| Critical Severity | 2 |
Total Vulnerabilities by CWE Type Last Week
| Vulnerability Type by CWE | Number of Vulnerabilities |
|---|---|
| Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) | 40 |
| Missing Authorization | 37 |
| Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) | 14 |
| Cross-Site Request Forgery (CSRF) | 9 |
| Deserialization of Untrusted Data | 4 |
| Exposure of Sensitive Information to an Unauthorized Actor | 4 |
| Server-Side Request Forgery (SSRF) | 3 |
| Authentication Bypass Using an Alternate Path or Channel | 2 |
| Authorization Bypass Through User-Controlled Key | 2 |
| Improper Access Control | 1 |
| Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) | 1 |
| Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) | 1 |
| Incorrect Authorization | 1 |
| Unrestricted Upload of File with Dangerous Type | 1 |
Researchers That Contributed to WordPress Security Last Week
| Researcher Name | Number of Vulnerabilities |
|---|---|
| 16 | |
| 9 | |
| 9 | |
| 9 | |
| 6 | |
| 5 | |
| 5 | |
| 4 | |
| 4 | |
| 3 | |
| 3 | |
| 3 | |
| 3 | |
| 2 | |
| 2 | |
| 2 | |
| 2 | |
| 2 | |
| 2 | |
| 2 | |
| 2 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 |
Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and earn a bounty on in-scope vulnerabilities through our Bug Bounty Program. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.
WordPress Plugins with Reported Vulnerabilities Last Week
| Software Name | Software Slug |
|---|---|
| Aardvark | aardvark-plugin |
| aDirectory – WP Business Directory Plugin and Classified Ads Listings Directory | adirectory |
| AhaChat Messenger Marketing | ahachat-messenger-marketing |
| AI Engine – The Chatbot and AI Framework for WordPress | ai-engine |
| Ajax Load More – Infinite Scroll, Load More, & Lazy Load | ajax-load-more |
| Allmart | allmart-core |
| Appointment Hour Booking – Booking Calendar | appointment-hour-booking |
| Asynchronous Javascript | asynchronous-javascript |
| Bitcoin Donate Button | bitcoin-donate-button |
| BlockArt Blocks – Gutenberg Blocks, Page Builder Blocks ,WordPress Block Plugin, Sections & Template Library | blockart-blocks |
| Booked – Appointment Booking for WordPress | booked |
| Booking Calendar | booking |
| bSlider – Create Responsive Image, Post, Product, and Video Sliders | b-slider |
| Buy Now Plus — Payments with Stripe | buy-now-plus |
| Change WP URL | change-wp-url |
| CLP Varnish Cache | clp-varnish-cache |
| Crete Core | crete-core |
| Database for Contact Form 7, WPforms, Elementor forms | contact-form-entries |
| DesignThemes Core Features | designthemes-core-features |
| Directorist: AI-Powered Business Directory Plugin with Classified Ads Listings | directorist |
| Document Embedder – Embed PDFs, Word, Excel, and Other Files | document-emberdder |
| Easy Hotel Booking – Powerful Hotel Booking | easy-hotel |
| Easy Replace Image | easy-replace-image |
| eDS Responsive Menu | eds-responsive-menu |
| Educare – Students & Result Management System | educare |
| Electio Core | electio-core |
| ELEX WordPress HelpDesk & Customer Ticketing System | elex-helpdesk-customer-support-ticket-system |
| Email Inquiry & Cart Options for WooCommerce | woocommerce-email-inquiry-cart-options |
| Emerce – Multipurpose WooCommerce WordPress Theme | emerce-core |
| Enter Addons – Ultimate Template Builder for Elementor | enteraddons |
| EventPrime – Events Calendar, Bookings and Tickets | eventprime-event-calendar-management |
| FeedWordPress Advanced Filters | faf |
| FluentCart A New Era of eCommerce – Faster, Lighter, and Simpler | fluent-cart |
| Forms Bridge – Infinite integrations | forms-bridge |
| Frontend File Manager Plugin | nmedia-user-file-uploader |
| Gallery PhotoBlocks | photoblocks-grid-gallery |
| Gyan Elements | gyan-elements |
| HAPPY – Helpdesk Support Ticket System | happy-helpdesk-support-ticket-system |
| ID Arrays | id-arrays |
| imwptip | imwptip |
| Interactions – Create Interactive Experiences in the Block Editor | interactions |
| iSape | isape |
| Ivory Search – WordPress Search Plugin | add-search-to-menu |
| JobBoard Job listing plugin | job-board-light |
| Kama Thumbnail | kama-thumbnail |
| Leadpages | leadpages |
| Link Invoice Payment for WooCommerce | invoice-payment-for-woocommerce |
| Medinik Core | medinik-core |
| Membee Login | membees-member-login-widget |
| ModelTheme Addons for WPBakery and Elementor | modeltheme-addons-for-wpbakery |
| ModelTheme Framework | modeltheme-framework |
| Mopinion Feedback Form | mopinion-feedback-form |
| Nelio Popups | nelio-popups |
| Nestbyte Core | nestbyte-core |
| New User Approve | new-user-approve |
| NEX-Forms – Ultimate Forms Plugin for WordPress | nex-forms-express-wp-form-builder |
| Nexter Gutenberg Blocks – Website Builder & 1000+ Starter Templates | the-plus-addons-for-block-editor |
| NextMove Lite – Thank You Page for WooCommerce | woo-thank-you-page-nextmove-lite |
| Nova Blocks by Pixelgrade | nova-blocks |
| Order Minimum/Maximum Amount Limits for WooCommerce | order-minimum-amount-for-woocommerce |
| Passster – Password Protect Pages and Content | content-protector |
| Popup Box – Create Countdown, Coupon, Video, Contact Form Popups | ays-popup-box |
| Prague | prague-plugins |
| Privacy Policy Generator, Terms & Conditions Generator WordPress Plugin : WP Legal Pages | wplegalpages |
| Quick Restaurant Reservations | quick-restaurant-reservations |
| Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker | quiz-master-next |
| Recipe Card Blocks Lite | recipe-card-blocks-by-wpzoom |
| Recooty – Job Widget (Old Dashboard) | recooty |
| RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login | custom-registration-form-builder-with-submission-manager |
| Rupantorpay | rupantorpay |
| Saasplate Core | saasplate-core |
| Schedula – Smart Appointment Booking | schedula-smart-appointment-booking |
| Search Atlas SEO – Premier SEO Plugin for One-Click WP Publishing & Integrated AI Optimization | metasync |
| Sell BTC – Cryptocurrency Selling Calculator | sell-btc-by-hayyatapps |
| Sendy | sendy |
| SEO Links Interlinking | seo-links-interlinking |
| Shiprocket | shiprocket |
| Simple Archive Generator | simple-archive-generator |
| Simple calendar for Elementor | simple-calendar-for-elementor |
| Simple Folio | simple-folio |
| Simple User Registration | wp-registration |
| SlimStat Analytics | wp-slimstat |
| Snow Monkey Forms | snow-monkey-forms |
| Stop Spammers Classic | stop-spammer-registrations-plugin |
| Sunshine Photo Cart: Free Client Photo Galleries for Photographers | sunshine-photo-cart |
| SupportCandy – Helpdesk & Customer Support Ticket System | supportcandy |
| TableMaster for Elementor – Advanced Responsive Tables for Elementor | tablemaster-for-elementor |
| Tablesome Table – Contact Form DB – WPForms, CF7, Gravity, Forminator, Fluent | tablesome |
| Target Video Easy Publish | brid-video-easy-publish |
| TelSender – Сontact form 7, Events, Wpforms, ninja forms and woocommerce to telegram bot | telsender |
| The Grid | the-grid |
| Translate WordPress Websites Globally with ConveyThis Translate | conveythis-translate |
| Travelpayouts | travelpayouts |
| Uroan Core | uroan-core |
| UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WP | userswp |
| VidShop – Shoppable Videos for WooCommerce | vidshop-for-woocommerce |
| Vzaar Media Management | vzaar-media-management |
| WebP Conversion | webp-conversion |
| Widget Logic Visual | widget-logic-visual |
| Woodly Core | woodly-core |
| WP Adminify – White Label WordPress, Admin Menu Editor, Login Customizer | adminify |
| WP FullCalendar | wp-fullcalendar |
| WP Google Ad Manager Plugin | wp-google-ad-manager-plugin |
| WP Recipe Maker | wp-recipe-maker |
| WP Subscribe | wp-subscribe |
| WPBITS Addons For Elementor Page Builder | wpbits-addons-for-elementor |
| افزونه پیامک حرفه ای فراز اس ام اس | farazsms |
WordPress Themes with Reported Vulnerabilities Last Week
| Software Name | Software Slug |
|---|---|
| Aardvark – Community, Membership, BuddyPress Theme | aardvark |
| Capella | Restaurant WordPress | capella |
| Gauge: Multi-Purpose Review Theme | gauge |
| Jobster | wpjobster |
| KindlyCare – Senior Care & Medical WordPress Theme | kindlycare |
| Konte – Minimal & Modern WooCommerce Theme | konte |
| Oxygen | oxygen |
| Oyster – Photography WordPress Theme | oyster |
| PhotoMe | Photography Portfolio WordPress | photome |
| SOHO – Photography WordPress Theme | soho |
Vulnerability Details
Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities. If you’d like to receive real-time notifications whenever a vulnerability is added to the Wordfence Intelligence Vulnerability Database, check out our Slack and HTTP Webhook Integration, which is completely free to utilize.
CVE-ID
CVE-2026-22341
CVE-2026-22341
Patch Status
Unpatched
Unpatched
Published
Jan 29, 2026
Jan 29, 2026
Affected Software
Booked – Appointment Booking for WordPress
Booked – Appointment Booking for WordPress
Researcher
CVE-ID
CVE-2026-1056
CVE-2026-1056
Patch Status
Patched
Patched
Published
Jan 27, 2026
Jan 27, 2026
Affected Software
Snow Monkey Forms
Snow Monkey Forms
Researcher
CVE-ID
CVE-2025-14386
CVE-2025-14386
Patch Status
Unpatched
Unpatched
Published
Jan 27, 2026
Jan 27, 2026
Affected Software
Search Atlas SEO – Premier SEO Plugin for One-Click WP Publishing & Integrated AI Optimization
Search Atlas SEO – Premier SEO Plugin for One-Click WP Publishing & Integrated AI Optimization
Researcher
CVE-ID
CVE-2026-0844
CVE-2026-0844
Patch Status
Patched
Patched
Published
Jan 27, 2026
Jan 27, 2026
Affected Software
Simple User Registration
Simple User Registration
Researcher
CVE-ID
CVE-2025-69370
CVE-2025-69370
Patch Status
Unpatched
Unpatched
Published
Jan 29, 2026
Jan 29, 2026
Affected Software
Capella | Restaurant WordPress
Capella | Restaurant WordPress
Researcher
CVE-ID
CVE-2025-69371
CVE-2025-69371
Patch Status
Unpatched
Unpatched
Published
Jan 29, 2026
Jan 29, 2026
Affected Software
KindlyCare – Senior Care & Medical WordPress Theme
KindlyCare – Senior Care & Medical WordPress Theme
Researcher
CVE-ID
CVE-2025-69301
CVE-2025-69301
Patch Status
Unpatched
Unpatched
Published
Jan 27, 2026
Jan 27, 2026
Affected Software
PhotoMe | Photography Portfolio WordPress
PhotoMe | Photography Portfolio WordPress
Researcher
CVE-ID
CVE-2025-69305
CVE-2025-69305
Patch Status
Unpatched
Unpatched
Published
Jan 27, 2026
Jan 27, 2026
Affected Software
Crete Core
Crete Core
Researcher
CVE-ID
CVE-2025-69306
CVE-2025-69306
Patch Status
Unpatched
Unpatched
Published
Jan 28, 2026
Jan 28, 2026
Affected Software
Electio Core
Electio Core
Researcher
CVE-ID
CVE-2025-69366
CVE-2025-69366
Patch Status
Unpatched
Unpatched
Published
Jan 28, 2026
Jan 28, 2026
Affected Software
Emerce – Multipurpose WooCommerce WordPress Theme
Emerce – Multipurpose WooCommerce WordPress Theme
Researcher
CVE-ID
CVE-2026-1280
CVE-2026-1280
Patch Status
Unpatched
Unpatched
Published
Jan 27, 2026
Jan 27, 2026
Affected Software
Frontend File Manager Plugin
Frontend File Manager Plugin
Researcher
CVE-ID
CVE-2026-23978
CVE-2026-23978
Patch Status
Patched
Patched
Published
Feb 1, 2026
Feb 1, 2026
Affected Software
Gyan Elements
Gyan Elements
Researcher
CVE-ID
CVE-2025-69307
CVE-2025-69307
Patch Status
Unpatched
Unpatched
Published
Jan 28, 2026
Jan 28, 2026
Affected Software
Medinik Core
Medinik Core
Researcher
CVE-ID
CVE-2025-68531
CVE-2025-68531
Patch Status
Patched
Patched
Published
Jan 27, 2026
Jan 27, 2026
Affected Software
ModelTheme Addons for WPBakery and Elementor
ModelTheme Addons for WPBakery and Elementor
Researcher
CVE-ID
CVE-2025-69308
CVE-2025-69308
Patch Status
Unpatched
Unpatched
Published
Jan 28, 2026
Jan 28, 2026
Affected Software
Nestbyte Core
Nestbyte Core
Researcher
CVE-ID
CVE-2025-69309
CVE-2025-69309
Patch Status
Unpatched
Unpatched
Published
Jan 28, 2026
Jan 28, 2026
Affected Software
Saasplate Core
Saasplate Core
Researcher
CVE-ID
CVE-2025-69365
CVE-2025-69365
Patch Status
Unpatched
Unpatched
Published
Jan 28, 2026
Jan 28, 2026
Affected Software
Uroan Core
Uroan Core
Researcher
CVE-ID
CVE-2026-0702
CVE-2026-0702
Patch Status
Patched
Patched
Published
Jan 27, 2026
Jan 27, 2026
Affected Software
VidShop – Shoppable Videos for WooCommerce
VidShop – Shoppable Videos for WooCommerce
CVE-ID
CVE-2025-69310
CVE-2025-69310
Patch Status
Unpatched
Unpatched
Published
Jan 28, 2026
Jan 28, 2026
Affected Software
Woodly Core
Woodly Core
Researcher
CVE-ID
CVE-2026-22340
CVE-2026-22340
Patch Status
Unpatched
Unpatched
Published
Jan 27, 2026
Jan 27, 2026
Affected Software
Jobster
Jobster
Researcher
CVE-ID
CVE-2026-0832
CVE-2026-0832
Patch Status
Patched
Patched
Published
Jan 27, 2026
Jan 27, 2026
Affected Software
New User Approve
New User Approve
Researcher
CVE-ID
CVE-2025-14316
CVE-2025-14316
Patch Status
Unpatched
Unpatched
Published
Jan 27, 2026
Jan 27, 2026
Affected Software
AhaChat Messenger Marketing
AhaChat Messenger Marketing
Researcher
CVE-ID
CVE-2026-1400
CVE-2026-1400
Patch Status
Patched
Patched
Published
Jan 27, 2026
Jan 27, 2026
Affected Software
AI Engine – The Chatbot and AI Framework for WordPress
AI Engine – The Chatbot and AI Framework for WordPress
Researcher
CVE-ID
CVE-2025-67978
CVE-2025-67978
Patch Status
Patched
Patched
Published
Jan 28, 2026
Jan 28, 2026
Affected Software
Educare – Students & Result Management System
Educare – Students & Result Management System
Researcher
CVE-ID
CVE-2025-67971
CVE-2025-67971
Patch Status
Patched
Patched
Published
Jan 27, 2026
Jan 27, 2026
Affected Software
FluentCart A New Era of eCommerce – Faster, Lighter, and Simpler
FluentCart A New Era of eCommerce – Faster, Lighter, and Simpler
Researcher
CVE-ID
CVE-2025-68844
CVE-2025-68844
Patch Status
Unpatched
Unpatched
Published
Jan 27, 2026
Jan 27, 2026
Affected Software
Membee Login
Membee Login
Researcher
CVE-ID
CVE-2025-69299
CVE-2025-69299
Patch Status
Unpatched
Unpatched
Published
Jan 27, 2026
Jan 27, 2026
Affected Software
Oxygen
Oxygen
Researcher
CVE-ID
CVE-2025-69367
CVE-2025-69367
Patch Status
Unpatched
Unpatched
Published
Jan 28, 2026
Jan 28, 2026
Affected Software
Oyster – Photography WordPress Theme
Oyster – Photography WordPress Theme
Researcher
CVE-ID
CVE-2025-67972
CVE-2025-67972
Patch Status
Patched
Patched
Published
Jan 27, 2026
Jan 27, 2026
Affected Software
Prague
Prague
Researcher
CVE-ID
CVE-2025-14554
CVE-2025-14554
Patch Status
Patched
Patched
Published
Jan 30, 2026
Jan 30, 2026
Affected Software
Sell BTC – Cryptocurrency Selling Calculator
Sell BTC – Cryptocurrency Selling Calculator
Researcher
CVE-ID
CVE-2025-69368
CVE-2025-69368
Patch Status
Unpatched
Unpatched
Published
Jan 29, 2026
Jan 29, 2026
Affected Software
SOHO – Photography WordPress Theme
SOHO – Photography WordPress Theme
Researcher
CVE-ID
CVE-2025-14610
CVE-2025-14610
Patch Status
Patched
Patched
Published
Jan 27, 2026
Jan 27, 2026
CVE-ID
Unknown
Unknown
Patch Status
Patched
Patched
Published
Jan 27, 2026
Jan 27, 2026
Affected Software
TelSender – Сontact form 7, Events, Wpforms, ninja forms and woocommerce to telegram bot
TelSender – Сontact form 7, Events, Wpforms, ninja forms and woocommerce to telegram bot
Researcher
CVE-ID
CVE-2025-67987
CVE-2025-67987
Patch Status
Patched
Patched
Published
Jan 28, 2026
Jan 28, 2026
Affected Software
Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker
Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker
Researcher
Recipe Card Blocks for Gutenberg & Elementor < 3.4.13 – Authenticated (Contributor+) SQL Injection
6.5
CVE-ID
CVE-2025-14973
CVE-2025-14973
Patch Status
Patched
Patched
Published
Jan 27, 2026
Jan 27, 2026
Affected Software
Recipe Card Blocks Lite
Recipe Card Blocks Lite
Researcher
CVE-ID
CVE-2026-0683
CVE-2026-0683
Patch Status
Patched
Patched
Published
Jan 30, 2026
Jan 30, 2026
Affected Software
SupportCandy – Helpdesk & Customer Support Ticket System
SupportCandy – Helpdesk & Customer Support Ticket System
Researcher
CVE-ID
CVE-2026-0746
CVE-2026-0746
Patch Status
Patched
Patched
Published
Jan 27, 2026
Jan 27, 2026
Affected Software
AI Engine – The Chatbot and AI Framework for WordPress
AI Engine – The Chatbot and AI Framework for WordPress
Researcher
CVE-ID
CVE-2026-24383
CVE-2026-24383
Patch Status
Patched
Patched
Published
Jan 29, 2026
Jan 29, 2026
Affected Software
bSlider – Create Responsive Image, Post, Product, and Video Sliders
bSlider – Create Responsive Image, Post, Product, and Video Sliders
Researcher
CVE-ID
CVE-2025-14283
CVE-2025-14283
Patch Status
Unpatched
Unpatched
Published
Jan 27, 2026
Jan 27, 2026
Affected Software
BlockArt Blocks – Gutenberg Blocks, Page Builder Blocks ,WordPress Block Plugin, Sections & Template Library
BlockArt Blocks – Gutenberg Blocks, Page Builder Blocks ,WordPress Block Plugin, Sections & Template Library
Researcher
CVE-ID
CVE-2026-1295
CVE-2026-1295
Patch Status
Patched
Patched
Published
Jan 27, 2026
Jan 27, 2026
Affected Software
Buy Now Plus — Payments with Stripe
Buy Now Plus — Payments with Stripe
Researcher
CVE-ID
CVE-2026-24526
CVE-2026-24526
Patch Status
Unpatched
Unpatched
Published
Jan 26, 2026
Jan 26, 2026
Affected Software
Email Inquiry & Cart Options for WooCommerce
Email Inquiry & Cart Options for WooCommerce
Researcher
CVE-ID
CVE-2026-1244
CVE-2026-1244
Patch Status
Patched
Patched
Published
Jan 27, 2026
Jan 27, 2026
Affected Software
Forms Bridge – Infinite integrations
Forms Bridge – Infinite integrations
Researcher
CVE-ID
CVE-2026-24389
CVE-2026-24389
Patch Status
Patched
Patched
Published
Jan 26, 2026
Jan 26, 2026
Affected Software
Gallery PhotoBlocks
Gallery PhotoBlocks
Researcher
CVE-ID
CVE-2025-12709
CVE-2025-12709
Patch Status
Patched
Patched
Published
Jan 27, 2026
Jan 27, 2026
Affected Software
Interactions – Create Interactive Experiences in the Block Editor
Interactions – Create Interactive Experiences in the Block Editor
CVE-ID
CVE-2026-24528
CVE-2026-24528
Patch Status
Unpatched
Unpatched
Published
Jan 26, 2026
Jan 26, 2026
Affected Software
Nova Blocks by Pixelgrade
Nova Blocks by Pixelgrade
Researcher
CVE-ID
CVE-2025-14865
CVE-2025-14865
Patch Status
Patched
Patched
Published
Jan 27, 2026
Jan 27, 2026
Affected Software
Passster – Password Protect Pages and Content
Passster – Password Protect Pages and Content
Researcher
CVE-ID
CVE-2025-14039
CVE-2025-14039
Patch Status
Patched
Patched
Published
Jan 27, 2026
Jan 27, 2026
Affected Software
Simple Folio
Simple Folio
Researcher
CVE-ID
CVE-2025-8072
CVE-2025-8072
Patch Status
Patched
Patched
Published
Jan 27, 2026
Jan 27, 2026
Affected Software
Target Video Easy Publish
Target Video Easy Publish
Researcher
CVE-ID
CVE-2025-9082
CVE-2025-9082
Patch Status
Patched
Patched
Published
Jan 27, 2026
Jan 27, 2026
Affected Software
WPBITS Addons For Elementor Page Builder
WPBITS Addons For Elementor Page Builder
Researcher
CVE-ID
CVE-2025-69296
CVE-2025-69296
Patch Status
Unpatched
Unpatched
Published
Jan 27, 2026
Jan 27, 2026
Affected Software
Aardvark – Community, Membership, BuddyPress Theme
Aardvark – Community, Membership, BuddyPress Theme
Researcher
CVE-ID
CVE-2025-68846
CVE-2025-68846
Patch Status
Unpatched
Unpatched
Published
Jan 27, 2026
Jan 27, 2026
Affected Software
Asynchronous Javascript
Asynchronous Javascript
Researcher
CVE-ID
CVE-2025-69302
CVE-2025-69302
Patch Status
Unpatched
Unpatched
Published
Jan 27, 2026
Jan 27, 2026
Affected Software
DesignThemes Core Features
DesignThemes Core Features
Researcher
CVE-ID
CVE-2025-68845
CVE-2025-68845
Patch Status
Unpatched
Unpatched
Published
Jan 27, 2026
Jan 27, 2026
Affected Software
eDS Responsive Menu
eDS Responsive Menu
Researcher
CVE-ID
CVE-2025-68843
CVE-2025-68843
Patch Status
Unpatched
Unpatched
Published
Jan 27, 2026
Jan 27, 2026
Affected Software
FeedWordPress Advanced Filters
FeedWordPress Advanced Filters
Researcher
CVE-ID
CVE-2025-68856
CVE-2025-68856
Patch Status
Unpatched
Unpatched
Published
Jan 27, 2026
Jan 27, 2026
Affected Software
Mopinion Feedback Form
Mopinion Feedback Form
Researcher
CVE-ID
CVE-2025-14063
CVE-2025-14063
Patch Status
Unpatched
Unpatched
Published
Jan 27, 2026
Jan 27, 2026
Affected Software
SEO Links Interlinking
SEO Links Interlinking
Researcher
CVE-ID
CVE-2025-68880
CVE-2025-68880
Patch Status
Unpatched
Unpatched
Published
Jan 27, 2026
Jan 27, 2026
Affected Software
Simple Archive Generator
Simple Archive Generator
Researcher
CVE-ID
CVE-2025-69323
CVE-2025-69323
Patch Status
Patched
Patched
Published
Jan 27, 2026
Jan 27, 2026
Affected Software
SlimStat Analytics
SlimStat Analytics
Researcher
CVE-ID
CVE-2025-68842
CVE-2025-68842
Patch Status
Unpatched
Unpatched
Published
Jan 27, 2026
Jan 27, 2026
Affected Software
Widget Logic Visual
Widget Logic Visual
Researcher
CVE-ID
CVE-2026-22339
CVE-2026-22339
Patch Status
Unpatched
Unpatched
Published
Jan 27, 2026
Jan 27, 2026
Affected Software
Jobster
Jobster
Researcher
CVE-ID
CVE-2025-68031
CVE-2025-68031
Patch Status
Unpatched
Unpatched
Published
Jan 27, 2026
Jan 27, 2026
Affected Software
افزونه پیامک حرفه ای فراز اس ام اس
افزونه پیامک حرفه ای فراز اس ام اس
Researcher
CVE-ID
CVE-2025-69297
CVE-2025-69297
Patch Status
Unpatched
Unpatched
Published
Jan 27, 2026
Jan 27, 2026
Affected Software
Aardvark
Aardvark
Researcher
CVE-ID
CVE-2025-68895
CVE-2025-68895
Patch Status
Unpatched
Unpatched
Published
Jan 27, 2026
Jan 27, 2026
Affected Software
AhaChat Messenger Marketing
AhaChat Messenger Marketing
Researcher
CVE-ID
CVE-2025-15525
CVE-2025-15525
Patch Status
Patched
Patched
Published
Jan 30, 2026
Jan 30, 2026
Affected Software
Ajax Load More – Infinite Scroll, Load More, & Lazy Load
Ajax Load More – Infinite Scroll, Load More, & Lazy Load
Researcher
Booking Calendar <= 10.14.13 – Missing Authorization to Unauthenticated Booking Details Exposure
5.3
CVE-ID
CVE-2026-1431
CVE-2026-1431
Patch Status
Patched
Patched
Published
Jan 30, 2026
Jan 30, 2026
Affected Software
Booking Calendar
Booking Calendar
Researcher
CVE-ID
CVE-2026-24525
CVE-2026-24525
Patch Status
Unpatched
Unpatched
Published
Jan 26, 2026
Jan 26, 2026
Affected Software
CLP Varnish Cache
CLP Varnish Cache
Researcher
CVE-ID
CVE-2025-68021
CVE-2025-68021
Patch Status
Unpatched
Unpatched
Published
Jan 27, 2026
Jan 27, 2026
Affected Software
Translate WordPress Websites Globally with ConveyThis Translate
Translate WordPress Websites Globally with ConveyThis Translate
Researcher
CVE-ID
CVE-2026-0825
CVE-2026-0825
Patch Status
Patched
Patched
Published
Jan 27, 2026
Jan 27, 2026
Affected Software
Database for Contact Form 7, WPforms, Elementor forms
Database for Contact Form 7, WPforms, Elementor forms
Researcher
CVE-ID
CVE-2026-1389
CVE-2026-1389
Patch Status
Patched
Patched
Published
Jan 27, 2026
Jan 27, 2026
Affected Software
Document Embedder – Embed PDFs, Word, Excel, and Other Files
Document Embedder – Embed PDFs, Word, Excel, and Other Files
Researcher
CVE-ID
CVE-2026-1298
CVE-2026-1298
Patch Status
Patched
Patched
Published
Jan 27, 2026
Jan 27, 2026
Affected Software
Easy Replace Image
Easy Replace Image
Researcher
CVE-ID
CVE-2026-24380
CVE-2026-24380
Patch Status
Patched
Patched
Published
Jan 28, 2026
Jan 28, 2026
Affected Software
EventPrime – Events Calendar, Bookings and Tickets
EventPrime – Events Calendar, Bookings and Tickets
Researcher
CVE-ID
CVE-2026-24523
CVE-2026-24523
Patch Status
Unpatched
Unpatched
Published
Jan 26, 2026
Jan 26, 2026
Affected Software
WP FullCalendar
WP FullCalendar
Researcher
CVE-ID
CVE-2025-69298
CVE-2025-69298
Patch Status
Unpatched
Unpatched
Published
Jan 27, 2026
Jan 27, 2026
Affected Software
Gauge: Multi-Purpose Review Theme
Gauge: Multi-Purpose Review Theme
Researcher
CVE-ID
CVE-2025-67977
CVE-2025-67977
Patch Status
Patched
Patched
Published
Jan 27, 2026
Jan 27, 2026
Affected Software
HAPPY – Helpdesk Support Ticket System
HAPPY – Helpdesk Support Ticket System
Researcher
CVE-ID
CVE-2025-68855
CVE-2025-68855
Patch Status
Unpatched
Unpatched
Published
Jan 27, 2026
Jan 27, 2026
Affected Software
JobBoard Job listing plugin
JobBoard Job listing plugin
Researcher
CVE-ID
CVE-2025-67547
CVE-2025-67547
Patch Status
Patched
Patched
Published
Jan 29, 2026
Jan 29, 2026
Affected Software
Konte – Minimal & Modern WooCommerce Theme
Konte – Minimal & Modern WooCommerce Theme
Researcher
CVE-ID
CVE-2025-14971
CVE-2025-14971
Patch Status
Patched
Patched
Published
Jan 26, 2026
Jan 26, 2026
Affected Software
Link Invoice Payment for WooCommerce
Link Invoice Payment for WooCommerce
Researcher
CVE-ID
CVE-2025-69303
CVE-2025-69303
Patch Status
Unpatched
Unpatched
Published
Jan 28, 2026
Jan 28, 2026
Affected Software
ModelTheme Framework
ModelTheme Framework
Researcher
CVE-ID
CVE-2025-15510
CVE-2025-15510
Patch Status
Patched
Patched
Published
Jan 30, 2026
Jan 30, 2026
Affected Software
NEX-Forms – Ultimate Forms Plugin for WordPress
NEX-Forms – Ultimate Forms Plugin for WordPress
Researcher
CVE-ID
CVE-2025-68048
CVE-2025-68048
Patch Status
Unpatched
Unpatched
Published
Jan 27, 2026
Jan 27, 2026
Affected Software
NextMove Lite – Thank You Page for WooCommerce
NextMove Lite – Thank You Page for WooCommerce
Researcher
CVE-ID
CVE-2026-24529
CVE-2026-24529
Patch Status
Unpatched
Unpatched
Published
Jan 26, 2026
Jan 26, 2026
Affected Software
Quick Restaurant Reservations
Quick Restaurant Reservations
Researcher
CVE-ID
CVE-2026-1054
CVE-2026-1054
Patch Status
Patched
Patched
Published
Jan 27, 2026
Jan 27, 2026
CVE-ID
CVE-2025-15511
CVE-2025-15511
Patch Status
Unpatched
Unpatched
Published
Jan 27, 2026
Jan 27, 2026
Affected Software
Rupantorpay
Rupantorpay
Researcher
CVE-ID
CVE-2025-67970
CVE-2025-67970
Patch Status
Patched
Patched
Published
Jan 26, 2026
Jan 26, 2026
Affected Software
Schedula – Smart Appointment Booking
Schedula – Smart Appointment Booking
Researcher
CVE-ID
CVE-2025-68564
CVE-2025-68564
Patch Status
Unpatched
Unpatched
Published
Jan 28, 2026
Jan 28, 2026
Affected Software
Sendy
Sendy
Researcher
CVE-ID
CVE-2026-1310
CVE-2026-1310
Patch Status
Patched
Patched
Published
Jan 27, 2026
Jan 27, 2026
Affected Software
Simple calendar for Elementor
Simple calendar for Elementor
Researcher
CVE-ID
CVE-2025-67973
CVE-2025-67973
Patch Status
Patched
Patched
Published
Jan 27, 2026
Jan 27, 2026
Affected Software
Sunshine Photo Cart: Free Client Photo Galleries for Photographers
Sunshine Photo Cart: Free Client Photo Galleries for Photographers
Researcher
CVE-ID
CVE-2026-1391
CVE-2026-1391
Patch Status
Unpatched
Unpatched
Published
Jan 27, 2026
Jan 27, 2026
Affected Software
Vzaar Media Management
Vzaar Media Management
Researcher
CVE-ID
CVE-2026-24530
CVE-2026-24530
Patch Status
Unpatched
Unpatched
Published
Jan 26, 2026
Jan 26, 2026
Affected Software
WebP Conversion
WebP Conversion
Researcher
CVE-ID
CVE-2026-1060
CVE-2026-1060
Patch Status
Patched
Patched
Published
Jan 27, 2026
Jan 27, 2026
Affected Software
WP Adminify – White Label WordPress, Admin Menu Editor, Login Customizer
WP Adminify – White Label WordPress, Admin Menu Editor, Login Customizer
Researcher
CVE-ID
CVE-2025-67974
CVE-2025-67974
Patch Status
Patched
Patched
Published
Jan 27, 2026
Jan 27, 2026
Affected Software
Privacy Policy Generator, Terms & Conditions Generator WordPress Plugin : WP Legal Pages
Privacy Policy Generator, Terms & Conditions Generator WordPress Plugin : WP Legal Pages
Researcher
CVE-ID
CVE-2026-1083
CVE-2026-1083
Patch Status
Patched
Patched
Published
Jan 27, 2026
Jan 27, 2026
Affected Software
Appointment Hour Booking – Booking Calendar
Appointment Hour Booking – Booking Calendar
Researcher
CVE-ID
CVE-2026-1053
CVE-2026-1053
Patch Status
Patched
Patched
Published
Jan 27, 2026
Jan 27, 2026
Affected Software
Ivory Search – WordPress Search Plugin
Ivory Search – WordPress Search Plugin
Researcher
CVE-ID
CVE-2026-1381
CVE-2026-1381
Patch Status
Patched
Patched
Published
Jan 27, 2026
Jan 27, 2026
Affected Software
Order Minimum/Maximum Amount Limits for WooCommerce
Order Minimum/Maximum Amount Limits for WooCommerce
Researcher
CVE-ID
CVE-2026-1399
CVE-2026-1399
Patch Status
Unpatched
Unpatched
Published
Jan 27, 2026
Jan 27, 2026
Affected Software
WP Google Ad Manager Plugin
WP Google Ad Manager Plugin
Researcher
CVE-ID
CVE-2025-67975
CVE-2025-67975
Patch Status
Patched
Patched
Published
Jan 27, 2026
Jan 27, 2026
Researcher
CVE-ID
CVE-2026-1380
CVE-2026-1380
Patch Status
Unpatched
Unpatched
Published
Jan 27, 2026
Jan 27, 2026
Affected Software
Bitcoin Donate Button
Bitcoin Donate Button
Researcher
CVE-ID
CVE-2026-1398
CVE-2026-1398
Patch Status
Unpatched
Unpatched
Published
Jan 27, 2026
Jan 27, 2026
Affected Software
Change WP URL
Change WP URL
Researcher
CVE-ID
CVE-2025-68069
CVE-2025-68069
Patch Status
Unpatched
Unpatched
Published
Jan 27, 2026
Jan 27, 2026
Researcher
CVE-ID
CVE-2025-68005
CVE-2025-68005
Patch Status
Unpatched
Unpatched
Published
Jan 29, 2026
Jan 29, 2026
Affected Software
Easy Hotel Booking – Powerful Hotel Booking
Easy Hotel Booking – Powerful Hotel Booking
Researcher
CVE-ID
CVE-2025-68837
CVE-2025-68837
Patch Status
Patched
Patched
Published
Jan 27, 2026
Jan 27, 2026
Affected Software
ELEX WordPress HelpDesk & Customer Ticketing System
ELEX WordPress HelpDesk & Customer Ticketing System
Researcher
CVE-ID
CVE-2026-25014
CVE-2026-25014
Patch Status
Patched
Patched
Published
Jan 28, 2026
Jan 28, 2026
Affected Software
Enter Addons – Ultimate Template Builder for Elementor
Enter Addons – Ultimate Template Builder for Elementor
Researcher
CVE-ID
CVE-2026-24521
CVE-2026-24521
Patch Status
Unpatched
Unpatched
Published
Jan 26, 2026
Jan 26, 2026
Affected Software
Kama Thumbnail
Kama Thumbnail
Researcher
CVE-ID
CVE-2026-25016
CVE-2026-25016
Patch Status
Patched
Patched
Published
Jan 29, 2026
Jan 29, 2026
Affected Software
Nelio Popups
Nelio Popups
Researcher
CVE-ID
CVE-2026-24377
CVE-2026-24377
Patch Status
Patched
Patched
Published
Jan 26, 2026
Jan 26, 2026
Affected Software
Nexter Gutenberg Blocks – Website Builder & 1000+ Starter Templates
Nexter Gutenberg Blocks – Website Builder & 1000+ Starter Templates
Researcher
CVE-ID
CVE-2026-1165
CVE-2026-1165
Patch Status
Patched
Patched
Published
Jan 30, 2026
Jan 30, 2026
Affected Software
Popup Box – Create Countdown, Coupon, Video, Contact Form Popups
Popup Box – Create Countdown, Coupon, Video, Contact Form Popups
Researcher
CVE-ID
CVE-2026-24357
CVE-2026-24357
Patch Status
Patched
Patched
Published
Jan 28, 2026
Jan 28, 2026
Affected Software
WP Recipe Maker
WP Recipe Maker
Researcher
CVE-ID
CVE-2025-14616
CVE-2025-14616
Patch Status
Unpatched
Unpatched
Published
Jan 27, 2026
Jan 27, 2026
Affected Software
Recooty – Job Widget (Old Dashboard)
Recooty – Job Widget (Old Dashboard)
Researcher
CVE-ID
CVE-2025-68051
CVE-2025-68051
Patch Status
Unpatched
Unpatched
Published
Jan 29, 2026
Jan 29, 2026
Affected Software
Shiprocket
Shiprocket
Researcher
CVE-ID
CVE-2025-14795
CVE-2025-14795
Patch Status
Patched
Patched
Published
Jan 27, 2026
Jan 27, 2026
Affected Software
Stop Spammers Classic
Stop Spammers Classic
Researcher
CVE-ID
CVE-2026-24522
CVE-2026-24522
Patch Status
Unpatched
Unpatched
Published
Jan 26, 2026
Jan 26, 2026
Affected Software
WP Subscribe
WP Subscribe
Researcher
CVE-ID
CVE-2026-24524
CVE-2026-24524
Patch Status
Unpatched
Unpatched
Published
Jan 26, 2026
Jan 26, 2026
Researcher
CVE-ID
CVE-2025-68042
CVE-2025-68042
Patch Status
Unpatched
Unpatched
Published
Jan 29, 2026
Jan 29, 2026
Affected Software
Travelpayouts
Travelpayouts
Researcher
CVE-ID
CVE-2026-25015
CVE-2026-25015
Patch Status
Patched
Patched
Published
Jan 28, 2026
Jan 28, 2026
Affected Software
UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WP
UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WP
Researcher
As a reminder, Wordfence has curated an industry leading vulnerability database with all known WordPress core, theme, and plugin vulnerabilities known as Wordfence Intelligence.
This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, vulnerability researchers submitting directly to us through our Bug Bounty Program, and by monitoring varying sources to capture all publicly available WordPress vulnerability information and adding additional context where we can.
Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.
The post Wordfence Intelligence Weekly WordPress Vulnerability Report (January 26, 2026 to February 1, 2026) appeared first on Wordfence.
