

Triple Threat Bug Bounty Challenge 


Hunt High Threat vulnerabilities and earn triple the incentives!
Now through April 6, 2026, earn three stacked bonuses on all valid submissions from our ‘High Threat Vulnerabilities’ list:
2x all high threat vulnerability bounties (excluding 5,000,000+ installs)
+30% bonus for high threat vulnerabilities in software with 30,000+ active installs (excluding 5,000,000+ installs)
$300 extra for every 3 High Threat vulnerabilities submitted (minimum of 1,000 installs)
Use the Bounty Estimator to see what rewards are possible through the promotion.
Submit through our Bug Bounty Program today to maximize your impact and your payout.
Last week, 258 vulnerabilities disclosed in 212 WordPress plugins and 30 WordPress themes were added to the Wordfence Intelligence Vulnerability Database, and 91 vulnerability researchers contributed to WordPress security. Review the vulnerabilities in this report now to make sure your site is not affected.
Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone in the WordPress community, so that individuals and organizations alike can use that data to implement layered security, in line with our overarching mission to secure WordPress with defense-in-depth strategies. That is why the Wordfence Intelligence user interface, vulnerability API, webhook integration, and Wordfence CLI Vulnerability Scanner are all completely free to access and use, both personally and commercially, and why we publish this weekly vulnerability report. Site owners can rest assured that Wordfence, the world’s leading quality vulnerability database provider for WordPress, has their back.
Enterprises, hosting providers, and individuals can use the Wordfence CLI Vulnerability Scanner to run regular vulnerability scans across the sites they protect. Alternatively, they can use the Vulnerability Database API to receive a complete dump of our database of over 33,000 vulnerabilities and then use the webhook integration to stay on top of newly added vulnerabilities and any updates to the database in real time, all for free.
Click here to sign up for our mailing list to receive weekly vulnerability reports like this and important WordPress security reports in your inbox the moment they are published.
Total Unpatched & Patched Vulnerabilities Last Week
| Patch Status | Number of Vulnerabilities |
|---|---|
| Patched | 138 |
| Unpatched | 120 |
Total Vulnerabilities by CVSS Severity Last Week
| Severity Rating | Number of Vulnerabilities |
|---|---|
| Low Severity | 3 |
| Medium Severity | 173 |
| High Severity | 76 |
| Critical Severity | 6 |
Total Vulnerabilities by CWE Type Last Week
| Vulnerability Type by CWE | Number of Vulnerabilities |
|---|---|
| Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) | 98 |
| Missing Authorization | 58 |
| Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) | 18 |
| Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) | 15 |
| Deserialization of Untrusted Data | 14 |
| Cross-Site Request Forgery (CSRF) | 11 |
| Unrestricted Upload of File with Dangerous Type | 7 |
| Improper Control of Generation of Code (‘Code Injection’) | 6 |
| Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) | 6 |
| Server-Side Request Forgery (SSRF) | 5 |
| Exposure of Sensitive Information to an Unauthorized Actor | 3 |
| Improper Authorization | 3 |
| Improper Privilege Management | 3 |
| Improper Input Validation | 2 |
| Incorrect Privilege Assignment | 2 |
| Absolute Path Traversal | 1 |
| Authorization Bypass Through User-Controlled Key | 1 |
| Exposure of Sensitive Information Through Data Queries | 1 |
| External Control of File Name or Path | 1 |
| Improper Authentication | 1 |
| Insecure Storage of Sensitive Information | 1 |
| Weak Password Recovery Mechanism for Forgotten Password | 1 |
Researchers That Contributed to WordPress Security Last Week
Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and earn a bounty on in-scope vulnerabilities through our Bug Bounty Program. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.
WordPress Plugins with Reported Vulnerabilities Last Week
| Software Name | Software Slug |
|---|---|
| [CR]Paid Link Manager | crpaid-link-manager |
| Abandoned Cart Recovery for WooCommerce | woo-abandoned-cart-recovery |
| Activity Log for WordPress | winterlock |
| Ad Short | ad-short |
| Add Custom Fields to Media | add-custom-fields-to-media |
| Add Google Social Profiles to Knowledge Graph Box | add-google-social-profiles-to-knowledge-graph-box |
| Admin Safety Guard — Login Security & 2FA | admin-safety-guard |
| Advanced Reporting & Statistics for WooCommerce – Orders, Products & Customers Reporting | webd-woocommerce-advanced-reporting-statistics |
| advanced-custom-post-type | advanced-custom-post-type |
| Aimogen Pro – All-in-One AI Content Writer, Editor, ChatBot & Automation Toolkit | aimogen-pro |
| Alfie – Feed Plugin | alfie-the-productfeedtool-wp-plugin |
| Any Post Slider | any-post-slider |
| App Builder – Create Native Android & iOS Apps On The Flight | app-builder |
| Appmax | appmax |
| Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin | simply-schedule-appointments |
| Automated FedEx live/manual rates with shipping labels – HPOS supported | a2z-fedex-shipping |
| Autoptimize | autoptimize |
| Avada (Fusion) Builder | fusion-builder |
| avalex – Automatisch sichere Rechtstexte | avalex |
| Ave Core | ave-core |
| Bit SMTP – Easy SMTP Solution with Email Logs | bit-smtp |
| Booking calendar, Appointment Booking System | booking-calendar |
| Booster for WooCommerce – PDF Invoices, Abandoned Cart, Variation Swatches & 100+ Tools | woocommerce-jetpack |
| Build App Online | build-app-online |
| Canto | canto |
| CM Custom Reports – Flexible reporting to track what matters most | cm-custom-reports |
| CMS Commander – Manage Multiple Sites | cms-commander-client |
| Co-Authors, Multiple Authors and Guest Authors in an Author Box with PublishPress Authors | publishpress-authors |
| Code Embed | simple-embed-code |
| Comment Genius | comment-genius |
| Comment SPAM Wiper | comment-spam-wiper |
| Comments Import & Export | comments-import-export-woocommerce |
| Company Posts for LinkedIn | company-posts-for-linkedin |
| Contact Form, Survey, Quiz & Popup Form Builder – ARForms | arforms-form-builder |
| Contact List – Online Staff Directory & Address Book | contact-list |
| Content Syndication Toolkit | content-syndication-toolkit |
| Contextual Related Posts | contextual-related-posts |
| CP Multi View Events Calendar | cp-multi-view-calendar |
| Creator LMS – Online Courses and eLearning Plugin | creatorlms |
| Curly Core | curly-core |
| Dokan: AI Powered WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy | dokan-lite |
| Download Manager | download-manager |
| Draft List | simple-draft-list |
| e-shot | e-shot-form-builder |
| Easy Image Gallery | easy-image-gallery |
| Ecover Builder For Dummies | ecover-builder-for-dummies |
| Ed’s Font Awesome | eds-font-awesome |
| Ed’s Social Share | eds-social-share |
| ElementCamp | element-camp |
| EmailKit – Email Customizer for WooCommerce & WP | emailkit |
| Event Booking Manager for WooCommerce | mage-eventpress |
| EventPrime – Events Calendar, Bookings and Tickets | eventprime-event-calendar-management |
| Expire Users | expire-users |
| FAQ Builder AYS | faq-builder-ays |
| Flexmls® IDX Plugin | flexmls-idx |
| Fonts Manager \| Custom Fonts | fonts-manager-custom-fonts |
| Fraud Prevention For WooCommerce and EDD | woo-blocker-lite-prevent-fake-orders-and-blacklist-fraud-customers |
| FuseDesk | fusedesk |
| fyyd podcast shortcodes | fyyd-podcast-shortcodes |
| Get Use APIs – JSON Content Importer | json-content-importer |
| Go Night Pro \| WordPress Dark Mode Plugin | go-night-pro |
| Green Downloads | halfdata-paypal-green-downloads |
| Group Chat & Video Chat by AtomChat | atomchat |
| Gutenberg Blocks – Unlimited blocks For Gutenberg | unlimited-blocks |
| GZSEO | gzseo |
| Hr Press Lite | hr-press-lite |
| ilGhera Carta Docente for WooCommerce | wc-carta-docente |
| Image Alt Text Manager – Bulk & Dynamic Alt Tags For image SEO Optimization + AI | alt-manager |
| Image Slider by Ays- Responsive Slider and Carousel | ays-slider |
| Import and export users and customers | import-users-from-csv-with-meta |
| Info Cards – Add Text and Media in Card Layouts | info-cards |
| Injection Guard | injection-guard |
| Instant Popup Builder – Powerful Popup Maker for Opt-ins, Email Newsletters & Lead Generation | instant-popup-builder |
| Integration for Mailchimp and Contact Form 7, WPForms, Elementor, Ninja Forms | cf7-mailchimp |
| Integration with Hubspot Forms | integration-with-hubspot-forms |
| Invelity Product Feeds | invelity-products-feeds |
| iTracker360 | itracker360 |
| itsukaita | itsukaita |
| iVysilani Shortcode | ivysilani-shortcode |
| JetFormBuilder — Dynamic Blocks Form Builder | jetformbuilder |
| Jobica Core | jobica-core |
| JS Archive List | jquery-archive-list-widget |
| JS Help Desk – AI-Powered Support & Ticketing System | js-support-ticket |
| Kali Forms — Contact Form & Drag-and-Drop Builder | kali-forms |
| Kargo Takip | kargo-takip-turkiye |
| Keep Backup Daily | keep-backup-daily |
| King Addons for Elementor – 80+ Elementor Widgets, 4 000+ Elementor Templates, WooCommerce, Mega Menu, Popup Builder | king-addons |
| KiviCare – Clinic & Patient Management System (EHR) | kivicare-clinic-management-system |
| LearnPress – Sepay Payment | learnpress-sepay-payment |
| Linksy Search and Replace | linksy-search-and-replace |
| Listeo-Core – Directory Plugin by Purethemes | listeo-core |
| Lobot Slider Administrator | lobot-slider-administrator |
| Logo Slider – Logo Carousel, Logo Showcase & Client Logo Slider Plugin | logo-slider-wp |
| Mandatory Field | mandatory-fields |
| Master Addons For Elementor – Widgets, Extensions, Theme Builder, Popup Builder & Template Kits | master-addons |
| Membership Plugin – Restrict Content | restrict-content |
| MimeTypes Link Icons | mimetypes-link-icons |
| MinhNhut Link Gateway | minhnhut-link-gateway |
| Miraculous Core | miraculouscore |
| Modern Events Calendar | modern-events-calendar |
| Motta Addons | motta-addons |
| Multi Functional Flexi Lightbox | multi-functional-flexi-lightbox |
| Multi Post Carousel by Category | multi-post-carousel |
| My Tickets – Accessible Event Ticketing | my-tickets |
| myLinksDump | mylinksdump |
| Neos Connector for Fakturama | neos-connector-for-fakturama |
| New User Approve | new-user-approve |
| Nexa Blocks – Gutenberg Blocks, Page Builder for Gutenberg Editor & FSE | nexa-blocks |
| Online Scheduling and Appointment Booking System – Bookly | bookly-responsive-appointment-booking-tool |
| Organici Library | noo-organici-library |
| Outgrow | outgrow |
| Paypal Shortcodes | paypal-shortcodes |
| Performance Monitor | performance-monitor |
| Photo Engine (Media Organizer & Lightroom) | wplr-sync |
| Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery | nextgen-gallery |
| Phox – Hosting WordPress & WHMCS Theme | phox-host |
| Plugin Name: login_register | login-register |
| Post Affiliate Pro | postaffiliatepro |
| Post Flagger | post-flagger |
| Post SMTP – Complete Email Deliverability and SMTP Solution with Email Logs, Alerts, Backup SMTP & Mobile App | post-smtp |
| Post Snippets – Custom WordPress Code Snippets Customizer | post-snippets |
| Post Snippits | post-snippits |
| PQ Addons – Creative Elementor Widgets | peacefulqode-elementzplus-widgets |
| Pre* Party Resource Hints | pre-party-browser-hints |
| Premmerce Redirect Manager | premmerce-redirect-manager |
| Print Invoice & Delivery Notes for WooCommerce | woocommerce-delivery-notes |
| Product Designer for WooCommerce WordPress \| Lumise | lumise |
| Product Rearrange for WooCommerce | products-rearrange-woocommerce |
| Product Slider, Product Grid, Product Masonry | woocommerce-products-slider |
| PublishPress Revisions: Duplicate Posts, Submit, Approve and Schedule Content Changes | revisionary |
| Punnel – Landing Page Builder | punnel-landing-page-builder |
| Quentn WP | quentn-wp |
| Redirect countdown | redirect-countdown |
| RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login | custom-registration-form-builder-with-submission-manager |
| Remoji – Post/Comment Reaction and Enhancement | remoji |
| RepairBuddy – Repair Shop CRM & Booking Plugin for WordPress | computer-repair-shop |
| REST API TO MiniProgram | rest-api-to-miniprogram |
| Review Map by RevuKangaroo | review-map-by-revukangaroo |
| ReviewX – Multi-Criteria Reviews for WooCommerce with Google Reviews & Schema | reviewx |
| Reward Video Ad for WordPress | applixir |
| RewardsWP – Loyalty Points & Referral Program for WooCommerce | rewardswp |
| rexCrawler | rexcrawler |
| Ricerca – advanced search | ricerca-smart-search |
| RockPress | ft-rockpress |
| Royal Addons for Elementor – Addons and Templates Kit for Elementor | royal-elementor-addons |
| sb-woocommerce-infinite-scroll | sb-woocommerce-infinite-scroll |
| Schema Shortcode | schema-shortcode |
| Scoreboard for HTML5 Games Lite | scoreboard-for-html5-game-lite |
| Sheets2Table | sheets2table |
| Sherk Custom Post Type Displays | sherk-custom-post-type-displays |
| Show Posts list – Easy designs, filters and more | show-posts-shortcodes |
| Simple Football Scoreboard | simple-football-score-board |
| Sina Extension for Elementor | sina-extension-for-elementor |
| SlimStat Analytics | wp-slimstat |
| Smarter Analytics | smarter-analytics |
| SMTP Mailer | smtp-mailer |
| Spam Protect for Contact Form 7 | wp-contact-form-7-spam-blocker |
| Speedup Optimization | speedup-optimization |
| SR WP Minify HTML | sr-wp-minify-html |
| StoreCustomizer – A plugin to Customize all WooCommerce Pages | woocustomizer |
| Subscriptions for WooCommerce | subscriptions-for-woocommerce |
| SUMO Affiliates Pro | affs |
| Survey | survey |
| SurveyJS: Drag & Drop Form Builder | surveyjs |
| Taboola Pixel | taboola-pixel |
| tagDiv Opt-In Builder | td-subscription |
| Task Manager | task-manager |
| Text Toggle | text-toggle |
| The Aisle Core | theaisle-core |
| The Ultimate WordPress Toolkit – WP Extended | wpextended |
| TotalPoll for Polls and Contests | totalpoll-lite |
| Tour & Activity Operator Plugin for TourCMS | tour-operator-plugin |
| Tutor LMS – eLearning and online course solution | tutor |
| Twitter Feeds | twitter-feeds |
| UiPress lite \| Effortless custom dashboards, admin themes and pages | uipress-lite |
| Ultimate Post Kit Addons for Elementor | ultimate-post-kit |
| Unlimited Elements for Elementor (Premium) | unlimited-elements-for-elementor-premium |
| UpSolution Core | us-core |
| Vagaro Booking Widget | vagaro-booking-widget |
| ViaBill – WooCommerce | viabill-woocommerce |
| Visionary Core | noo-visionary-core |
| Visual Portfolio, Photo Gallery & Post Grid | visual-portfolio |
| Weaver Show Posts | show-posts |
| Widget Wrangler | widget-wrangler |
| Wikilookup | wikilookup |
| Wishlist Member | wishlist-member-x |
| WooCommerce Amazon Affiliates – WordPress Plugin | woozone |
| WooCommerce Support Ticket System | woocommerce-support-ticket-system |
| WordPress PayPal Donation | wordpress-paypal-donation |
| WowOptin: Next-Gen Popup Maker – Create Stunning Popups and Optins for Lead Generation | optin |
| WowStore – Store Builder & Product Blocks for WooCommerce | product-blocks |
| WP Custom Admin Interface | wp-custom-admin-interface |
| WP Easy Pay – Payment and Donation form Builder for Square | wp-easy-pay |
| WP Games Embed | wp-games-embed |
| WP Go Maps (formerly WP Google Maps) | wp-google-maps |
| WP Insightly for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms | cf7-insightly |
| WP Maps – Store Locator,Google Maps,OpenStreetMap,Mapbox,Listing,Directory & Filters | wp-google-map-plugin |
| WP NG Weather | wp-ng-weather |
| WP Posts Re-order | wp-posts-re-order |
| WP Random Button | wp-random-button |
| WP Terms Popup – Terms and Conditions and Privacy Policy WordPress Popups | wp-terms-popup |
| WP-Chatbot for Messenger | wp-chatbot |
| WP-WebAuthn | wp-webauthn |
| WPBot – AI ChatBot for Live Support, Lead Generation, AI Services | chatbot |
| WPFAQBlock – FAQ & Accordion Plugin For Gutenberg | wpfaqblock |
| WPJAM Basic | wpjam-basic |
| WPVulnerability | wpvulnerability |
| Writeprint Stylometry | writeprint-stylometry |
| Xhanch – My Advanced Settings | xhanch-my-advanced-settings |
| XStore Core | et-core-plugin |
| Yoast Duplicate Post | duplicate-post |
| Yoast SEO – Advanced SEO with real-time guidance and built-in AI | wordpress-seo |
WordPress Themes with Reported Vulnerabilities Last Week
| Software Name | Software Slug |
|---|---|
| Education Zone | education-zone |
| Feedy – Healthy Fast Food Delivery & Diet Nutrition WordPress Theme | feedy |
| IdealAuto – Car Dealer & Services WordPress Theme | idealauto |
| Jannah – Newspaper Magazine News BuddyPress AMP | jannah |
| Jaroti – Elementor Accessories WooCommerce Theme | jaroti |
| Kentha – Music WordPress Theme | kentha |
| Kunco – Charity & Fundraising WordPress Theme | kunco |
| Loobek – Elementor Multipurpose WooCommerce Theme | loobek |
| LoveDate – Social Dating Network WordPress Theme | lovedate |
| MetaMax | metamax |
| Miraculous – Multi Vendor Online Music Store Elementor WordPress Theme | miraculous |
| Miti – Elementor Fashion WooCommerce Theme | miti |
| Mixtape | mixtape |
| Molla – eCommerce HTML5 Template | molla |
| moments | moments |
| mydecor | mydecor |
| MyMedi – Responsive WooCommerce WordPress Theme | mymedi |
| nooni | nooni |
| Pelicula – Video Production and Movie WordPress Theme | pelicula-video-production-and-movie-theme |
| Pendulum – Beat Producers, DJs & Events Theme for WordPress | pendulum |
| photography | photography |
| Riode \| Multi-Purpose WooCommerce | riode |
| Scape – Multipurpose WordPress theme | scape |
| StreamVid – Movie Video Streaming WordPress Theme | streamvid |
| Support for CitiLights – Real Estate WordPress Theme | noo-citilights |
| The League – Sports News & Magazine WordPress Theme | the-league |
| Travel Booking WordPress Theme | traveler |
| Trendustry – Industrial & Manufacturing WordPress | trendustry |
| Vex | vex |
| VintWood – Vintage, Retro WordPress Theme | vintwood |
Vulnerability Details
Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities. If you’d like to receive real-time notifications whenever a vulnerability is added to the Wordfence Intelligence Vulnerability Database, check out our Slack and HTTP Webhook Integration, which is completely free to utilize.
As a reminder, Wordfence curates an industry-leading vulnerability database, known as Wordfence Intelligence, covering all known WordPress core, theme, and plugin vulnerabilities.
This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, through submissions from researchers via our Bug Bounty Program, and by monitoring a variety of sources to capture all publicly available WordPress vulnerability information, adding additional context where we can.
The post Wordfence Intelligence Weekly WordPress Vulnerability Report (March 16, 2026 to March 22, 2026) appeared first on Wordfence.